Warm-Up — EU Power Play Series, Post 4
We have been building through this series one regulation at a time. In Post 1, we covered the EU Carbon Border Adjustment Mechanism (CBAM) — the carbon levy that now applies to steel, aluminium, cement, and fertiliser shipments into Europe. In Post 2, we broke down EMEA e-invoicing — the shift away from PDF invoices and what structured billing means for businesses operating across the region. In Post 3, we went through all three pillars of ViDA — the EU’s VAT reform package rolling out to 2030 — and explained how your sales reporting obligations are being rebuilt at the transaction level.
In Post 4, we add the piece that ties the whole surveillance picture together: CESOP. While ViDA tracks what you declare as sales, CESOP tracks what your bank confirms you actually received. If those two numbers tell different stories, an investigation starts automatically.
Picture the final over of a high-stakes T20 match. Your team has set a total on the scoreboard. The score is declared, locked in, on record. But high above the stadium there is a second scoreboard — one you cannot see from the pitch and cannot touch — that independently counts every run crossing the boundary rope in real time. When the match ends, officials compare both scoreboards. If the numbers diverge, the result is reviewed without any appeal process. The data decides.
That is exactly how the European Union has structured cross-border tax enforcement since 1 January 2024. The system is called CESOP: the Central Electronic System of Payment Information. Your VAT declarations — your OSS or IOSS filings — are the scoreboard you control. CESOP is the second scoreboard, built automatically from data your own banks and payment platforms submit to EU tax authorities without your involvement. If the two do not align, an audit is the consequence.
For any Indian business selling products or services to EU customers — through a website, a marketplace, or a direct business relationship — CESOP is already running. This post explains what it is, what triggers it, what data actually flows, and the practical steps to make sure both scoreboards always tell the same story.
What Is CESOP? The System Behind the Scenes
CESOP is not a new tax. It does not increase your VAT rate or add a new payment obligation on top of what you already owe. It is a data collection and cross-referencing system, built by the European Commission, live since 1 January 2024, with a single purpose: close the EU VAT Gap.
The EU VAT Gap in 2023 — the difference between the VAT EU governments should have collected and the VAT that actually arrived in their accounts. This figure comes from the European Commission’s own December 2025 report. CBAM, ViDA, and CESOP all exist because of this number, and the political will behind closing it is not going away.
For years, cross-border e-commerce operated in a low-visibility environment. A business based outside the EU — in India, the UAE, or anywhere else — could sell to customers across multiple European countries, collect payments, and remain largely invisible to European tax authorities because those authorities could only see what sellers voluntarily declared. CESOP eliminates that blind spot by moving the reporting obligation away from the seller and onto the financial institutions handling the money.
Your banks and payment platforms are now legally required to report your cross-border payment data directly to EU tax authorities every quarter. Those authorities compare what the platforms say you received against what you said you sold. The comparison is automated, it runs across all 27 EU member states, and it happens every quarter without anyone needing to make a decision to investigate you specifically.
Which Payment Platforms Are Covered?
CESOP applies to all Payment Service Providers (PSPs) regulated under the EU’s Payment Services Directive, known as PSD2. In plain terms, if your EU customers pay you through any of the following, that platform is in scope:
- Banks — any bank account held by your EU customer at a bank operating in the EU. When they send you money, their bank is the reporting PSP.
- Card processors — the infrastructure behind Visa and Mastercard payments. When an EU customer pays by card, the card processor reports the transaction.
- E-money platforms — PayPal, Stripe, Revolut, Wise, and similar platforms that are PSD2-authorised to hold and transfer money. If they process payments from EU customers to your business, they are in scope.
- Merchant acquirers — the payment institutions that sit between your online checkout and the banking system, processing card transactions on your behalf.
If you accept payments from EU customers through any digital channel, treat your payment provider as in scope for CESOP. The question is not whether your PSP reports — it is whether your transaction volume crosses the threshold that makes your data reportable to the authorities.
The 25-Payment Threshold: When Your Data Enters the System
CESOP does not sweep up every single payment between every business and every EU customer. It uses a qualifying threshold to separate regular commercial activity from occasional personal transfers. That threshold is simple: if your business receives more than 25 cross-border payments in a single calendar quarter from EU customers, your PSP is legally required to report your payment data for that quarter.
Once the threshold is crossed, reporting covers all your EU payments in that quarter — not just the ones above number 25. The 26th payment does not trigger reporting of only itself. It triggers full reporting of all 26.
The threshold counts across the entire EU, not per country. Eight payments from Germany, nine from France, and nine from the Netherlands in a single quarter equals 26 total cross-border EU payments. You have crossed the threshold. There is no minimum invoice value — a €10 order counts exactly the same as a €10,000 order when determining whether the threshold is crossed.
What Counts as a Cross-Border Payment?
A payment is cross-border under CESOP when the customer’s money originates from an EU member state and arrives with you — either in a different EU country or outside the EU entirely. As an Indian business, every payment you receive from an EU customer is a cross-border payment by definition.
The system determines location using bank identifiers — the country code in the customer’s IBAN or their bank’s BIC — not the delivery address on the order. A customer with a French IBAN who ships to a UK address still creates a French cross-border payment in CESOP’s records. The system follows the money, not the parcel.
What Data Gets Reported About Your Business
Once the threshold is crossed, the information your PSP submits is detailed and transaction-level — not a quarterly summary total. Here is exactly what gets reported:
| Data Point | What It Means for You |
|---|---|
| Business name and address | The name and address on file with your PSP. Keeping your PSP account details accurate and current matters more than you might think. |
| VAT or Tax ID number | Your unique identifier in the system. Every piece of CESOP data from every PSP you use gets linked to this single number. It is your permanent jersey number in the EU tax database. |
| IBAN or account identifier | The account receiving the payments. If you use multiple accounts or multiple PSPs, each is tracked separately and then aggregated under your Tax ID. |
| Date, amount, and currency of each payment | Every individual transaction — the exact date it was processed, the full gross amount the customer sent, and the currency. Not a monthly total. Every payment, individually. |
| Physical presence in the EU | Whether your business has a registered office, warehouse, or branch in any EU member state. This affects which VAT rules apply to your transactions. |
| Refund details | If a payment was a refund back to the customer, it is flagged separately with a reference link to the original transaction it relates to. |
One clarification worth noting: CESOP does not report your customers’ personal information. The system is built to identify the payee — the business receiving the money — not the individual consumer sending it. Only the customer’s estimated country of origin, determined from their bank identifier, is captured.
How the Data Flows: From Your Bank to Brussels
Understanding how the data moves helps you understand how quickly a gap between your filings and your payment records becomes visible to authorities — and why waiting until an inquiry arrives is the wrong strategy.
Step 1: Your PSP Collects and Submits
Every quarter, your bank or payment platform compiles all cross-border payment data for merchants who have crossed the 25-payment threshold. This data is packaged into a standardised electronic file and submitted to the national tax authority in each EU member state where that PSP operates. This happens automatically as part of the PSP’s regulatory obligation. It requires no action from you and you receive no notification that it has happened.
Step 2: National Authorities Forward to the Central Database
Each national tax authority validates the data and passes it to the central CESOP database, managed by the European Commission. All 27 EU member states feed into this one system, which means a tax authority in any member state can access payment data related to your business — not just the countries where you are registered for VAT.
Step 3: The Automated Cross-Check Runs
Inside the CESOP database, your payment data is cross-referenced against the sales you declared through OSS, IOSS, or local VAT filings — as covered in the ViDA post. The EU’s Eurofisc network of anti-fraud specialists across all 27 member states then has access to flagged discrepancies. If your declared revenue and your payment data align, nothing happens. If they diverge materially, an alert is generated for the relevant national authority.
The Quarterly Filing Calendar
| Quarter | Period Covered | PSP Filing Deadline |
|---|---|---|
| Q1 | January — March | 30 April |
| Q2 | April — June | 31 July |
| Q3 | July — September | 31 October |
| Q4 | October — December | 31 January (following year) |
Your PSP files by the last day of the month after each quarter closes. By the time Q1 ends on 31 March, you have until 30 April before your payment data is officially in the system. Use that window to run your own internal check — find and fix any gaps before the data is submitted, not after.
How a Mismatch Triggers an Audit
Here is the mechanism that matters most for your business. On one side of the tax authority’s comparison: your OSS or IOSS return showing the EU revenue you declared. On the other side: the total payments your PSPs reported arriving in your accounts from EU customers in the same period. If those two numbers match — accounting for refunds and timing — the system moves on. If they do not, a flag is raised automatically.
Your OSS return for Q1 declares €80,000 in EU sales. Your payment providers report €110,000 in gross payments received from EU customers in that same quarter. The €30,000 gap is now visible to tax authorities in every EU member state where you have customers. Unless you can document exactly where that difference comes from — with evidence — you are facing a formal audit, back-tax demands, interest charges, and financial penalties. The data mismatch alone is sufficient to open the inquiry. No additional suspicion is required.
The critical point is that this cross-check runs without any human deciding to investigate your business. The flag appears because the numbers diverge. If your numbers are clean and consistent, the system simply moves on. The automation works in your favour when your records are correct — and against you when they are not.
Why Honest Businesses Still Get Flagged: The Traps to Know
Most businesses that end up with a CESOP mismatch are not hiding revenue. They are recording it differently from how the bank counts it. These structural differences, compounded across hundreds of transactions, produce gaps that look identical to fraud in an automated cross-check. Knowing where these traps are is the only way to avoid them.
Receiving Net Payouts When CESOP Counts Gross
This is the most common trap, and the one most businesses discover too late. CESOP captures the full gross amount your EU customer sent — every euro that left their account. Most payment platforms deduct their processing fee before transferring funds to you.
If a customer pays €200 for your product and Stripe deducts a €6 fee, you receive €194. If your accounts record that as a €194 sale, but CESOP records it as a €200 payment, you have a €6 discrepancy on that single transaction. Multiply that across 400 transactions in a quarter and the gap is over €2,400. EU authorities see a business that consistently receives more money than it declares — which is exactly what intentional underreporting looks like in the data.
The fix is straightforward: record the gross invoice value (€200) as your revenue and record the platform fee (€6) separately as a business cost. Your declared revenue then matches the payment data CESOP holds.
Currency Rate Differences
If your EU customers pay in euros but your accounts are maintained in rupees or dollars, the exchange rate your bank applies at the moment of the transaction will differ from the rate you use when converting your books at month-end. Small per-transaction differences compound across a high volume of orders into a meaningful aggregate gap — one neither you nor the tax authority caused deliberately, but that CESOP flags as unexplained. The currency volatility dynamics covered in the Inflation Sprint post affect your CESOP reconciliation as directly as they affect your margins.
Booking on the Wrong Date
CESOP uses the date a payment transaction occurred — the date your customer’s bank processed the transfer. Your accounting software may book income on the date the funds settled into your account, which is typically one to three business days later. A payment initiated on 31 March (Q1) that settles on 2 April (Q2) appears in CESOP’s Q1 data but in your Q2 books. Across a busy quarter-end, dozens of such payments create a timing mismatch that looks, in an automated cross-check, like missing revenue.
Forgetting a Payment Account
Your Tax ID is what CESOP uses to link all your payment data together, regardless of which platform it arrives through. If EU customer payments arrive via Stripe, PayPal, and a standard bank account, all three PSPs report to CESOP independently. The database aggregates everything under your single business identifier. If you reconcile your OSS return using only your Stripe data and overlook the PayPal account that received €4,000 in Q1, the gap appears even though every payment was entirely legitimate.
List every payment channel through which an EU customer can send you money — every bank account, every platform, every marketplace payout account. Every channel on that list is potentially being reported to CESOP. If a channel is not on your list, it is a blind spot in your reconciliation but not in the system’s records.
CESOP and ViDA: Two Systems, One Story You Must Tell Consistently
CESOP and ViDA were built as a pair. ViDA — covered in full in Post 3 — governs what you declare about your sales through mechanisms like OSS and IOSS. CESOP governs what your banks report about your receipts. EU authorities hold both and compare them every quarter.
| System | What It Captures | Who Provides the Data | Live Since |
|---|---|---|---|
| ViDA / OSS / IOSS | What you declare you sold — invoices, VAT collected, revenue by country | You, the business | OSS live 2021; full DRR from 2030 |
| CESOP | What your banks confirm you received — gross payments, transaction by transaction | Your banks and payment platforms | 1 January 2024 |
This also connects directly to the EMEA e-invoicing infrastructure covered in Post 2. If your invoicing system generates amounts based on net values after fees, or applies a different date or currency conversion methodology than your bank uses, the mismatch between your ViDA data and your CESOP data is built in from the start. The two systems need to count the same transaction the same way.
A Real Business Example: Where the Gap Appears and How to Close It
Consider an Indian business selling handcrafted home furnishings through its own website to retail customers across Germany, France, Spain, and the Netherlands. EU revenue runs at roughly €18,000 per month. All payments come through Stripe.
In Q1, the business processes 220 orders from EU customers — well above the 25-payment threshold. Stripe reports all 220 transactions to the relevant EU authority. The gross total reported to CESOP: €54,000, which includes Stripe’s processing fees before each payout was made.
The business owner files an OSS return for Q1 using the net payout figures from the Stripe dashboard — the money that actually landed in the business account after fees. That figure: €52,434. The gap between what CESOP sees and what the OSS return declares: €1,566 in a single quarter.
Annualised, this bookkeeping approach creates a recurring €6,264 annual discrepancy. Over three years of operation, the cumulative unexplained gap exceeds €18,000. Tax authorities in Germany and France, where most of the orders originated, receive an automatic flag on the mismatch.
The business did nothing dishonest. Every euro of revenue was legitimate. But the accounting recorded net receipts instead of gross sales, and the numbers told two different stories. A single change — recording Stripe fees as a business cost rather than deducting them from revenue — closes the gap entirely. Both scoreboards align. The flag disappears.
How Long You Must Keep Your Records
CESOP sets specific retention obligations. Your PSP is required to keep payment records for three calendar years from the end of the year in which the payment occurred. EU tax authorities, however, hold the reported data for five years. This creates an important gap: a tax authority can query a period for which your PSP no longer holds the underlying records it reported from.
If you rely on your bank or payment platform to produce historical transaction evidence when an inquiry arrives several years later, there is a real risk those records no longer exist on the PSP’s side. You need your own copies, maintained independently.
Download and save the complete raw transaction export from every PSP at the end of each quarter. Store it in a folder labelled by PSP name, quarter, and year. Keep these files for a minimum of five years. If an authority queries a historical quarter, your own archived export is the evidence that answers the inquiry.
Questions Every Business Owner Asks About CESOP
I do not have an EU VAT number. Does CESOP still apply to me?
The reporting obligation sits with your PSP, not with you. Whether or not you hold an EU VAT registration, your payment provider reports your data if you cross the threshold. The absence of a VAT number in your CESOP record can actually attract more scrutiny rather than less — it signals a business receiving commercial revenue from EU customers without being registered to collect VAT. CESOP data is frequently what prompts authorities to require retrospective VAT registration and back-payment of tax that was never collected.
My customers are other businesses, not consumers. Does CESOP still apply?
Yes. CESOP applies to cross-border payments regardless of whether the customer is a business or an individual. The threshold is a count of payment transactions, not a classification of customer type. B2B sellers above the 25-payment threshold are in scope exactly the same as B2C sellers.
What happens if I issue refunds to EU customers?
Refunds are reported as separate transactions, linked back to the original payment. Your PSP reports the refund as an outbound payment from your account. As long as your own records show the original sale and the corresponding refund with documentation, the reconciliation is clean. The refunds that create problems are informal credits settled outside your invoicing system — those appear in the CESOP data without a matching invoice record to explain them.
I sell through Amazon or a marketplace, not my own website. Am I covered?
The marketplace itself may be in scope as a PSP depending on how it processes payments. Your individual payment data may reach CESOP through the marketplace’s payment infrastructure, through your own bank account receiving marketplace payouts, or both — depending on the platform. Separately, marketplaces are subject to their own EU reporting obligations under DAC7, which is the subject of the next post in this series. Check with each marketplace whether it reports CESOP data on your behalf or whether its payouts to you are the event that triggers reporting.
Running Your Own Monthly Cross-Check: The Six-Step Process
The most effective way to stay clean under CESOP is to run your own version of the cross-check every month, before your PSP files its quarterly data. This does not require specialist knowledge. It requires a consistent process and roughly thirty minutes of focused work each month.
- Download the full transaction export from every PSP you use for EU sales. Every bank account, every payment platform, every marketplace payout account. All of them, every month without exception.
- Filter for EU-originating transactions. Use the payer’s country code from their IBAN or BIC — not the delivery address on the order. If your platform does not display this clearly, contact your PSP and ask them to confirm which transactions qualify as cross-border EU payments in their CESOP reporting.
- Use the transaction date, not the settlement date. The date the customer’s transfer was initiated is the date CESOP uses. Make your records use the same anchor point so there is no quarter-end timing gap.
- Add back platform fees to every transaction. If Stripe paid you €194 on a €200 sale, your record for that transaction needs to show €200 as the amount, with the €6 fee captured as a separate cost. This is the gross value CESOP holds.
- Total your gross EU receipts for the month. This is the number that must align with the revenue you will declare in your next OSS or IOSS filing for the same period.
- Compare the total against your declared revenue. If they match within a small and documented tolerance for refunds and currency rounding, you are clean. If there is a gap you cannot explain, investigate it now — before the quarter closes and your PSP files.
The discipline of doing this monthly connects directly to the progressive overload principle. The first month takes time because you are building the process. By month three it runs in under an hour. By month six it is automatic. When the check has been running cleanly for a year, you approach every quarter deadline with confidence rather than uncertainty.
Your CESOP Compliance Checklist
If you have not yet reviewed your business against CESOP, start here. Work through this list once, build the process, and then maintain it every quarter.
- List every payment channel that receives EU customer money. Bank accounts, Stripe, PayPal, Revolut, marketplace payout accounts — every one. If it receives money from EU customers, it is potentially in scope.
- Check your EU payment volume from Q1 2024 onward. CESOP has been live since January 2024. If you crossed the threshold in any quarter since then, your data has already been reported. Your reconciliation needs to cover that historical period.
- Confirm your Tax ID or VAT number is correctly registered with every PSP. This is the identifier that links all your CESOP data together. An incorrect ID with one PSP creates a data fragment that does not connect to your other records or your VAT filings.
- Switch to recording gross revenue. Revenue is recorded at the full amount the customer paid. Platform fees are recorded separately as costs. This single change eliminates the most common source of CESOP mismatches.
- Standardise your transaction date methodology. Use the payment initiation date — the date the transfer was processed — not the date the money appeared in your account.
- Run a monthly reconciliation, not just a quarterly one. Monthly checks give you time to find and fix gaps before they become part of the officially filed data.
- Archive your PSP transaction exports every quarter, for five years minimum. Organised by PSP name, quarter, and year. These are your evidence if any historical quarter is ever queried.
- Make sure your invoicing system and your payment data use the same numbers. The e-invoicing infrastructure built in Post 2 should produce invoice records that reconcile with your CESOP payment data at the individual transaction level.
The Final Whistle: Both Scoreboards Are Live
The era of cross-border selling in a low-visibility environment is over. With ViDA capturing your sales declarations and CESOP capturing your payment receipts independently, EU tax authorities now hold two separate, automatically compared pictures of your business — one from you, one from your bank. Both update every quarter. The comparison runs without anyone needing to take a decision.
This does not need to be intimidating. If your revenue records and your payment data tell the same story — same gross amounts, same dates, same transactions — CESOP adds nothing to your compliance burden. It simply confirms what your own books already show. The businesses that face audits are the ones where the two stories diverge, often not through any dishonesty but because nobody checked whether both scoreboards were counting the same way.
Run the monthly cross-check. Archive the exports. Record gross revenue. Keep both scoreboards in sync. That is the complete playbook — and it is simpler to execute than most business owners expect once the process is built.
Sources and Technical Reference
- European Commission — Central Electronic System of Payment Information (CESOP) Official Hub
- Council Directive (EU) 2020/284 of 18 February 2020 — Amending Directive 2006/112/EC as regards Introducing Certain Requirements for Payment Service Providers
- Council Regulation (EU) 2020/283 of 18 February 2020 — Amending Regulation (EU) 904/2010 as regards Measures to Strengthen Administrative Cooperation to Combat VAT Fraud
- Commission Implementing Regulation (EU) 2022/1504 — Detailed Rules for the Application of Council Regulation (EU) 904/2010 regarding CESOP
- European Commission — CESOP Reporting Guidelines v1.1 (November 2023)
- European Commission — VAT Gap Report Hub (2025 edition, 2023 data; €128 billion figure)
- PwC Ireland — CESOP PSP Reporting Directive Insight
- Grant Thornton Ireland — CESOP Tax Alert
- RegReportingDesk — CESOP Reporting Explained (March 2026)
Disclaimer: This post is for general educational purposes only and provides a broad overview of CESOP and related EU regulatory requirements. Application may vary across EU member states depending on local transposition of the underlying directives. Information reflects publicly available guidance as of April 2026. Tax laws and implementing regulations change. Always consult a qualified indirect tax professional before making compliance or structuring decisions based on this content. The Tax Athlete and its authors accept no liability for actions taken or not taken on the basis of this post.