
VeriFactu in Spain: Technical requirements and operational readiness
VeriFactu is Spain’s anti-fraud invoicing framework requiring businesses to use certified invoicing software that generates structured, traceable invoice records.
For finance and IT teams, this is not just a reporting change. It affects how invoices are created, stored, corrected, and transmitted. Existing ERP, POS, ecommerce, and billing systems may need updates, integrations, or a certified compliance layer to meet the Spanish Tax Agency (AEAT) requirements.
Businesses must understand what AEAT-certified software requires, what data must appear on compliant invoices, how invoice records are linked through hash chaining, and how submissions are handled in practice.
For organisations already preparing for SII and VeriFactu compliance in real-time invoicing, the objective is to avoid fragmented processes and build a scalable compliance model.
Let’s look into the technical requirements behind VeriFactu, how certification works, what operational readiness looks like, and how businesses can prepare without disrupting existing invoicing operations.
Key takeaways
- VeriFactu is a system-level compliance requirement. Businesses must use AEAT-certified invoicing software that generates traceable, tamper-evident invoice records.
- SII and VeriFactu solve different problems. SII governs near real-time VAT reporting, while VeriFactu governs how invoices are created, stored, and controlled within compliant systems.
- Compliance depends on software architecture, not manual controls. Hash chaining, QR codes, structured records, and audit trails must be built into the invoicing process itself.
- Most businesses can adapt existing systems rather than replace them. ERP, POS, and billing platforms can often be connected to a certified compliance layer or middleware that supports VeriFactu requirements.
What is VeriFactu?
VeriFactu is Spain’s certified invoicing framework introduced as part of the country’s anti-fraud measures. Its purpose is to ensure that invoice records cannot be altered after issuance without detection.
Unlike traditional invoicing controls, VeriFactu focuses on system behaviour. Invoice records must be generated in a structured way, linked sequentially through a hash chain, and stored with traceability and integrity controls built into the software itself.
This is the key distinction between VeriFactu and SII. SII is a value-added tax (VAT) reporting obligation. Businesses submit VAT ledger data to AEAT within defined reporting windows.
VeriFactu is different. It governs how invoice data is generated, recorded, and controlled before reporting takes place.
Understanding the difference between SII and VeriFactu is critical because many businesses will need to comply with both frameworks simultaneously. In practice, this means businesses must:
- Maintain traceable invoice records
- Prevent silent edits or deletions
- Generate compliant invoice outputs
- Support audit-ready evidence trails
For finance and IT teams, VeriFactu moves compliance upstream into invoicing systems themselves.
Who must use VeriFactu-certified software?
VeriFactu applies broadly across businesses and self-employed individuals operating in Spain that issue invoices using software. The obligation is linked to the invoicing system itself, not just the business size. In scope are:
- Spanish companies subject to corporate income tax
- Individuals issuing invoices through software
- Foreign businesses with Spanish VAT registrations issuing local invoices
The key factor is software-based invoicing. If invoices are generated through ERP systems, POS platforms, ecommerce tools, billing software, or custom applications, those systems are expected to comply with AEAT certification requirements.
Importantly, VeriFactu does not certify individual invoices. It certifies the software environment that generates and manages them. This means businesses cannot rely on manual controls layered on top of noncompliant systems. The invoicing software itself must:
- Generate compliant records
- Maintain traceability
- Prevent undetected modification
- Support audit-ready evidence
For many organisations, this means adapting existing systems rather than replacing them entirely.
Businesses evaluating how to prepare for VeriFactu without rebuilding billing systems are increasingly assessing middleware and compliance-layer approaches alongside ERP upgrades.
AEAT software certification: What it means
Under VeriFactu, any software used to generate invoices must comply with AEAT certification requirements. This applies whether the software is:
- An ERP invoicing module
- A POS system
- Ecommerce billing software
- A custom invoicing application
- Middleware generating invoice records
The objective is to ensure that invoice records are created in a controlled, traceable way that prevents undetected alteration.
In practice, AEAT certification requires systems to support:
- Hash chaining between invoice records
- Tamper-evident storage and traceability
- QR code generation on invoices
- Structured invoice data formats aligned with AEAT requirements
This changes the compliance model significantly. Businesses are no longer judged only on the accuracy of reported VAT data. They’re also judged on whether the invoicing system itself behaves correctly.
This introduces direct operational and legal risk. Using non-certified invoicing software after the applicable deadline may expose businesses to administrative penalties and potential issues around invoice validity and audit defensibility.
For many organisations, the challenge is not replacing systems entirely but adapting existing environments to support these controls.
Businesses already assessing SII and VeriFactu compliance in real-time invoicing are increasingly implementing certified compliance layers alongside existing ERP and billing platforms rather than rebuilding invoicing operations from scratch.
This is why middleware and integration architecture have become central to VeriFactu readiness.
Technical requirements: What certified invoices must include
Under VeriFactu, compliance is built into the invoice record itself. Each invoice must contain specific technical elements that allow AEAT to verify integrity, traceability, and sequencing. These requirements are designed to make deletions, silent edits, and record manipulation detectable.
The first requirement is a unique invoice identifier, often referred to as the NIU (Número de Identificación Único). This identifier distinguishes each invoice record and links it within the wider reporting chain.
The second requirement is the hash chain. Each invoice contains a cryptographic hash linked to the previous invoice record. This creates a continuous sequence where changes or missing records become visible immediately. If a record is deleted or altered, the chain breaks. This is one of the most important technical controls in VeriFactu. Invoices must also include:
- A timestamp generated by the invoicing software
- Supplier and customer identification
- VAT rate and VAT amount
- Structured invoice data aligned with AEAT specifications
In addition, invoices must contain a QR code linked to AEAT verification mechanisms. This QR code allows customers and auditors to validate invoice authenticity and traceability through AEAT systems.
Invoice records are no longer standalone documents. They become linked compliance records generated inside a controlled system. This is why businesses preparing for VeriFactu need to assess not only invoice appearance, but also how invoice data is generated, linked, stored, and exported across ERP, POS, and billing environments.
Submission modes: Real-time vs. batched
VeriFactu supports two operational submission models.
The first is real-time submission. In this model, invoice records are transmitted to AEAT immediately or near immediately after invoice issuance. This provides continuous visibility into invoicing activity and reduces backlog risk because records are processed as transactions occur. Real-time submission is generally better suited to:
- High-volume invoicing environments
- Ecommerce and POS operations
- Businesses already operating continuous reporting models under SII
The second model is batched submission. Here, invoice records are queued and transmitted periodically within the limits defined by AEAT. This approach can reduce operational pressure for lower-volume businesses or organisations with less mature integration architecture.
However, batching does not remove compliance obligations. Records must still:
- Be generated sequentially
- Maintain the hash chain without gaps
- Preserve traceability and integrity
This is the critical point. Whether invoices are transmitted immediately or in batches, the integrity chain must remain continuous. Missing records, altered sequences, or delayed processing that breaks traceability create compliance risk regardless of submission mode.
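The hash-chain requirement and the batching rule above can be made concrete with a short sketch. This is an added example, not AEAT's specification or any vendor's code: the field names, their order, the empty starting hash and the sample invoices are assumptions constructed for illustration.

```python
import hashlib

GENESIS = ""  # assumption: the first record in a chain has no predecessor hash
# Assumption: illustrative field set and order, not the AEAT-specified layout.
FIELDS = ("issuer_id", "number", "issued_at", "vat_amount", "total")

def record_hash(record, prev_hash):
    """SHA-256 over the record's fields plus the previous record's hash."""
    parts = [f"{name}={record[name]}" for name in FIELDS]
    parts.append(f"prev_hash={prev_hash}")
    return hashlib.sha256("&".join(parts).encode("utf-8")).hexdigest()

def append_record(chain, record):
    """Link a new record to the current tail of the chain and store it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = dict(record, prev_hash=prev_hash)
    entry["hash"] = record_hash(record, prev_hash)
    chain.append(entry)
    return entry

def verify_chain(records, expected_prev=GENESIS):
    """Return (index, problem) for every break; expected_prev lets a batch
    be checked against the last hash of the batch sent before it."""
    problems = []
    for i, entry in enumerate(records):
        if entry["prev_hash"] != expected_prev:
            problems.append((i, "broken link"))
        if record_hash(entry, entry["prev_hash"]) != entry["hash"]:
            problems.append((i, "content altered"))
        expected_prev = entry["hash"]
    return problems

def build_sample_chain():
    """Four constructed invoice records (all values are made up)."""
    chain = []
    amounts = [("21.00", "121.00"), ("42.00", "242.00"),
               ("10.50", "60.50"), ("4.20", "24.20")]
    for n, (vat, total) in enumerate(amounts, start=1):
        append_record(chain, {
            "issuer_id": "EXAMPLE-ISSUER", "number": f"A-{n:04d}",
            "issued_at": f"2025-01-0{n}T10:00:00+01:00",
            "vat_amount": vat, "total": total})
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("record removed:", verify_chain(chain[:1] + chain[2:]))
    print("second batch:", verify_chain(chain[2:], chain[1]["hash"]))
```

A check like this only sees breaks inside the records it is given. A chain whose tail was dropped, or that was recomputed from some point onward, still verifies locally and has to be compared against a hash already recorded outside the invoicing system.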
For finance and IT teams, the decision is operational rather than purely technical. The chosen model affects:
- System architecture
- Queue handling
- Monitoring requirements
- Error recovery workflows
- Reconciliation processes
This is why submission strategy should be defined early in the implementation process.
Operational readiness checklist
Preparing for VeriFactu is not just a software upgrade. It’s a readiness exercise across systems, integrations, controls, and operational workflows. Finance and IT teams should validate the following areas before implementation:
- Confirm that your current invoicing software vendor has obtained, or is actively pursuing, AEAT certification.
- Assess whether your ERP, POS, ecommerce, or billing systems support hash chaining and QR code generation natively.
- Identify integration points where a certified compliance layer or middleware may be required to bridge gaps in existing systems.
- Test AEAT API connectivity in a sandbox or preproduction environment before live submission begins.
- Train finance and operations teams on compliant correction workflows, including rectifications and cancellation handling.
- Establish structured logging and audit trails covering invoice generation, transmission, acknowledgements, and corrections.
- Document a phased rollout plan aligned with the implementation timeline applicable to your business category.
For many organisations, the practical approach is adapting existing systems rather than replacing them entirely. Businesses preparing for VeriFactu without rebuilding billing systems are increasingly using integration-layer and middleware models to meet AEAT requirements while maintaining operational continuity.
A readiness assessment should focus on where traceability, sequencing, and system integrity break today — before those gaps become compliance failures.
From technical compliance to operational control
VeriFactu is not just another reporting requirement. It changes how invoice data is generated, validated, controlled, and evidenced across the business — increasing the need for intelligent automation, traceability, and continuous compliance controls.
For finance teams, compliance can no longer depend on manual review after invoices are issued. For IT teams, invoicing systems must support integrity, traceability, and audit readiness by design.
Organisations that adapt successfully will not necessarily replace their ERP or billing systems. Instead, they will introduce the compliance controls, integrations, and monitoring capabilities needed to support VeriFactu requirements at scale. That includes:
- Structured invoice generation
- Continuous hash-chain integrity
- QR code compliance
- Real-time or queued submission workflows
- Audit-ready logging and traceability
- AI-assisted validation to help identify formatting, data, and submission issues earlier in the compliance process
How Avalara can help
Avalara can help businesses prepare for VeriFactu with an AI-powered tax and compliance platform, providing a scalable compliance layer that integrates with existing ERP, POS, ecommerce, and billing systems. Rather than requiring a full rebuild of existing infrastructure, Avalara helps businesses:
- Generate compliant invoice records
- Maintain traceable hash chains
- Apply QR code and formatting requirements automatically
- Support real-time or batched submission workflows
- Maintain structured audit trails and reporting evidence
Avalara also supports operational monitoring through AI-assisted validation, real-time error handling, and continuous compliance controls that help reduce manual intervention, improve visibility into invoice workflows, and strengthen readiness for audit review.
For organisations already managing SII obligations, Avalara helps align invoicing integrity and reporting workflows within a single operational framework — helping reduce duplication and improve consistency across systems.
As e-invoicing mandates expand across Europe, businesses need compliance infrastructure that can adapt to evolving requirements without repeated system redesigns. Avalara combines regularly updated regulatory content, automation, and scalable integrations to help organisations support ongoing compliance readiness across changing regulatory environments.
The result is a more controlled and intelligent invoicing environment, reduced operational risk, and a compliance model designed to scale as regulatory requirements evolve.
Speak with Avalara about preparing your invoicing systems for VeriFactu while maintaining operational continuity and reducing disruption to the business.
FAQ
Does my ERP need to be replaced to comply with VeriFactu?
Not necessarily. Many businesses can keep their existing ERP or billing systems and introduce a certified middleware or compliance layer that handles hash chaining, QR code generation, traceability, and AEAT submission requirements.
What happens if I use non-certified invoicing software after the deadline?
Using non-certified software may expose the business to administrative penalties and increase audit risk. AEAT requirements focus on the integrity and traceability of the invoicing system itself, not just the invoice output.
Is VeriFactu the same as e-invoicing?
No. VeriFactu focuses on invoice integrity, traceability, and anti-fraud controls within invoicing software. E-invoicing focuses on how invoices are exchanged between parties. A business may need to comply with both.
Can a business comply with both SII and VeriFactu using the same system?
Yes. Many organisations are implementing a unified compliance architecture where the same invoicing and reporting workflows support both SII reporting and VeriFactu integrity requirements.