Tax Agency: Frequently Asked Questions (FAQ) - Certification of computer systems: responsible declaration

In art. 29.2.j) of the LGT (introduced by Law 11/2021, of July 9, colloquially known as the "Anti-Fraud Law"), the possibility is mentioned that the computer systems and programs that support the accounting, billing or management processes of entrepreneurs must be certified in the manner determined by regulation.

Taking advantage of this possibility, and with regard to billing systems, in article 13.1 of the Regulation of Requirements for Billing Systems ( RRSIF ), approved by RD 1007/2023, of December 5, which includes Section 3 called "Certification of computer systems", indicates that it will be the responsibility of the person or entity producing the computer system to certify, by means of a responsible declaration, that the computer system complies with the provisions of article 29.2.j) of Law 58/2003, General Tax Law, as well as with the provisions of the aforementioned Regulation ( RRSIF ) and in the specifications that, in its development, are approved by ministerial order.

As regards its format and without prejudice to the greater detail that appears in the OM of development, article 13.2 of the RRSIF establishes that it must be in writing and visible in the computer system itself in each of its versions, as well as for the client and the marketer at the time of acquisition of the product.

Regulations/Doctrine:

Article 29.2.j) of Law 58/2003, of December 17, General Tax Law.
Article 13.1 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.

No. To certify a product, certification processes carried out by other people, entities or independent organizations – and, therefore, outside the producer – that are dedicated to this type of tasks are not required. Rather, it is a “self-certification” by the producer of the product SIF made as a Responsible Declaration and incorporated into the product.

As for prior registration, it is not provided for in the regulations. In order to comply with the regulations in this regard, no prior registration of the product SIF by anyone (neither producer, nor marketer, nor user) is foreseen.

Regulations/Doctrine:

Article 13.1 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.

Certification through Responsible Declaration corresponds, as established in the RRSIF to the producer (manufacturer or developer) of said SIF .

As regards marketers (other than manufacturers or producers of SIF ), in order to avoid incurring the liability referred to in article 201.bis of the LGT , they must ensure that the SIF products they market are duly certified by their manufacturers.

Regulations/Doctrine:

Article 13.1 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.

Yes. The Certification of a SIF product is mandatory and is the way in which its producer certifies that said SIF product complies with the requirements demanded in the regulations in this regard. In this way, the user can use this product with complete peace of mind.

Regulations/Doctrine:

Article 13.1 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.

Yes. Each version, no matter how small the variation, is a product that is different from the previous ones, with a particular operation, so it is necessary that the producer of said version of SIF expressly certifies that said version complies with the required requirements, issuing and incorporating into the product the corresponding Responsible Declaration.

Regulations/Doctrine:

Article 13.2 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Article 15.4 of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

Certification by means of a Responsible Declaration of the SIF must be provided by its producer in a legible format and be accessible within the SIF itself that is made available to users, that is, as part of the product itself. In addition, it must be available to the customer and the marketer at the time of purchase of the product.

Therefore, the Certification must be accessible in two different locations:

Internal to the SIF itself that is made available to users, that is, within the product itself, forming part of it. Therefore, a SIF must contain the Certification corresponding to its current version, which will be quickly, easily and intuitively accessible from any access point or terminal connected to said SIF through which the SIF can be billed or managed. In this regard, it is recommended that, if possible, it be located in a specific option within a menu, such as “Help” (if it exists), next to other similar options that usually exist, such as “About”.
External to the SIF itself, so that it can be accessed directly and independently of the product so that the marketer and the user or potential user of the SIF can see it at any time (for example, before or at the time of purchase) and thus ensure that it complies with current regulations without having to install and operate the product to access it from within it.

In this last case of location external to SIF , the specific certification that corresponds to the product may be provided in paper or electronic format, either on physical media, such as a CD, or being accessible through the Internet, but always in a widely used and free format, such as plain text, PDF or similar. See in another FAQ the recommendations given on the management of Responsible Declarations regarding their storage and “external” storage, location and access.

Regulations/Doctrine:

Article 13.2 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Article 15.3 of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

Yes, both the manufacturer and the marketer must keep these certifications made through a Responsible Declaration. The producer, for all versions that it has produced and made available to users from the moment in which the regulations so require. The marketer, for all those that it has marketed, that is, for all those that have been produced and made available to users during the time in which it has marketed them, always from the moment in which the regulations so require. Both the user client and the tax administration may request them.

In this regard, it is recommended that all certifications be publicly accessible and easily located via the Internet, even if the version of the product they certify is no longer available for purchase, download or use (typically due to obsolescence, lack of support or similar). This, in addition to meeting the requirements in this regard, would facilitate both its management by producers and marketers, as well as its consultation by users and the tax administration, making the process simpler, faster and more transparent for everyone.

Regulations/Doctrine:

Articles 13.2 and 13.3 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Articles 15.2.b) and 15.3 of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

No. The Certification that must be included in the SIF itself will be the one corresponding to the version currently used, and it is not necessary to maintain the certifications of previous versions in the SIF itself. However, as already explained in another FAQ, producers and marketers of such products must keep all Certifications of all versions of their SIF made available to users from the moment in which the regulations so require. Likewise, users of these Systems, when they replace or update versions, must retain the certificates of the systems that are replaced or updated from the time the obligations of the SIF regulations come into effect. This conservation can be in paper or electronic format, either on physical media, such as a CD, or accessible via the Internet.

Regulations/Doctrine:

Articles 13.2 and 13.3 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Article 15.3 of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

Producers of billing systems and software ( SIF ), in addition to certifying that the computer system complies with article 29.2.j) of the LGT with the content of the RRSIF , approved by RD 1007/2023, and with the specifications dictated by means of OM of the Ministry of Finance in development of the above, must include:

data relating to the computer system, which allows us to identify it and know its type, composition and functionalities, as well as to know the characteristics of its installation.
the identification and location data of the producer of the aforementioned computer system, and the date and place where the corresponding certification is signed by means of a responsible declaration.

The details of this mandatory data can be seen in article 15 of the OM . Additionally, and to assist in the preparation of said Certification, various examples will be provided at the AEAT e-Headquarters, so that they can serve as a model to follow when preparing it.

Regulations/Doctrine:

Article 13.4 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Article 15.1 of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements that must be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30

Yes. In fact, the more precise information is provided about the product, the better for everyone, since the producer will be more transparent, which can generate greater confidence in users (customers of the producer), and the tax authorities will have more complete knowledge, which can help avoid or reduce information requests in this regard. In this sense, article 15.2 of the OM recommends adding some on a voluntary basis.

Regulations/Doctrine:

Article 13.4 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Article 15 of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

For Certification carried out through a Responsible Declaration, an electronic signature from the Producer of the program or system is not required. When Article 13.4 refers to including the date and place where the producer signs it, it does not refer specifically to an electronic signature, but to the date and place where the Certification is prepared and signed by the producer. In other words, it is the date and place where the product is certified through the Responsible Declaration that is incorporated into it.

Regulations/Doctrine:

Article 13.4 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Article 15.1.m) of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

Any action by a software producer on the programs and systems SIF produced by another, constitutes an alteration or modification of the original program. For example, the implementation of custom developments to personalize the product and adapt it better to the user is one of them. Therefore, modifications, adaptations or extensions –hardware, software or a combination of both– of a billing computer system produced by a third producer other than the producer of the original SIF are not covered by the certification of the producer of the original SIF , so, additionally, it is necessary that they incorporate their own certification carried out by said third producer.

In this regard, for example, if the extension is carried out by the user of SIF with its own means (own personnel and/or specialized personnel contracted or subcontracted for this purpose dependent on the user), the person responsible for the extension will be the user of SIF , who as the producer of the same must certify it by signing the corresponding Responsible Declaration and complying with all the requirements demanded for it. However, if the user of SIF contracts that extension, as a product, to a third person or producing entity, who will be responsible for carrying it out and delivering it to the user, it will be said third producer who must certify it in compliance with all the requirements demanded for it. That is, in the latter case the user is acquiring a new billing product (or component) from a third-party producer.

Regulations/Doctrine:

Articles 13.1 and 13.2 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Article 15.4 of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

A Certificate must be signed and provided for each different producer and product, considering as a product both a SIF and an extension of a SIF , in both cases for each of their versions. That is, there will be as many certificates as there are different producers, just as if they all only provided one product, each with a single version.

However, in the event that the certifications (through a Responsible Declaration) of subsequent extensions contain all the data to be included, referred to in the RSSIF , and cover the data referring to the computer system, typology, composition and functionalities, as well as knowing the characteristics of the last installation of the same, including the previous system and successive extensions, it will be sufficient to have the Certification of the last installation that contains said references.

Regulations/Doctrine:

Articles 13.1 and 13.2 of the regulation establishing the requirements that must be adopted by computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Article 15.4 of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

Letter a) refers to the name that the producer has given to his own product and will typically be the generic name as it is known for its distribution or marketing. In the registry designs listed in Annex I of OM it is called “ComputerSystemName” and a brief description is included, along with its format.

For its part, letter b) refers to a code that must also be established by the producer of the SIF to uniquely and abbreviatedly identify said product for the AEAT , and which must also be filled out in the billing records, always complying with the format given in the corresponding record designs that appear in Annex I of the OM . In this annex it is called “IdSistemaInformatico” and a brief description is included.

This code cannot be repeated in another SIF different from the same producer (although it could be the case that two different producers use the same code to refer to their respective SIF : For example, a producer with NIF A9999999A, could establish the code “S1” for one of his SIF , and a producer with NIF B8888888B, could also establish the code “S1” for one of his SIF ).

See the examples given in this regard in the AEAT e-Headquarters.

Regulations/Doctrine:

Articles 15.1.a), 15.1.b) and Annex I of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in Article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

As long as the format specified in Annex I of OM is respected (for which only two positions are allowed, each of which must be a capital letter (–except Ñ– or a numerical digit), the manufacturer or producer can put whatever they consider appropriate, but once established they must be maintained from then on and must not be repeated between the different SIF that they produce.

For example, for the 3 names in the example, which should be expressly and completely stated in the corresponding Certificates, you could establish in the billing records, respectively, the 3 codes: XB, XS and XE. Or any others: X1, X2 and X3; F1, F2 and F3…

See the examples given in this regard in the AEAT e-Headquarters.

Regulations/Doctrine:

Articles 15.1.b) and Annex I of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in Article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

All versions of the components that make up the SIF must be indicated, with the exact name (numbers, letters, special characters, etc.) given by the producer, in the format indicated in Annex I of the OM . You can start with the software and continue with the hardware.

See the examples given in this regard in the AEAT e-Headquarters.

Regulations/Doctrine:

Articles 15.1.c) and Annex I of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in Article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

In that case, given that said SIF can only function, always and exclusively, as a VERI*FACTU system (that is, it does not allow the possibility of not automatically sending all billing records to the AEAT ), you must indicate an “S” both in the Certification (letter e) and in the corresponding field (“TipoUsoPosibleSolo VERI*FACTU ”) within the billing records generated.

Regulations/Doctrine:

Articles 15.1.e) and Annex I of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in Article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

Any SIF that is not designed and produced to operate, always and exclusively , as a VERI*FACTU system, regardless of whether the user later uses it as a VERI*FACTU system or not, must indicate an “N” both in the Certification (letter e) and in the corresponding field (“TipoUsoPosibleSolo VERI*FACTU ”) within the generated billing records.

Regulations/Doctrine:

Articles 15.1.e) and Annex I of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in Article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

Since this is an extension of the utilities of SIF , but which does not affect or alter the mandatory requirements regulated in the Regulation and the Ministerial Order, this second manufacturer would not be obliged to certify the product, so it is not appropriate to complete what is established in the cited article of the Regulation.

On the contrary, if the extension/modification is some functionality that implements mandatory security and control requirements demanded by the regulation for the SIF , especially those related to the generation and signing/recording or sending of billing records (RF), which would include - by containing them as data that are part of the RF - the calculation of the footprint and traceability, certification will be mandatory. In the latter case, if the extension does not affect the submission of billing records, you must indicate an “N” in the Certification (letter 1.e), otherwise you must indicate an “S” in the same.

Regulations/Doctrine:

Articles 15.1.e) of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

Since this is an extension of a SIF made by a third producer other than the original that produced the SIF and the object of said extension is limited and does not affect the original capacities of use of the SIF exclusively by a single taxpayer or by several taxpayers for the maintenance of their respective invoices, you must indicate an “N” in the DR (letter 1.f).

Regulations/Doctrine:

Article 7.a) of the regulation that establishes the requirements that must be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of billing record formats ( RRSIF ), approved by Royal Decree 1007/2023, of December 5.
Articles 15.1.f) of the Ministerial Order developing the technical, functional and content specifications referred to in the regulation establishing the requirements to be adopted by the computer or electronic systems and programs that support the billing processes of entrepreneurs and professionals, and the standardization of formats of billing records, approved by Royal Decree 1007/2023, of December 5, and in article 6.5 of the regulation governing billing obligations, approved by Royal Decree 1619/2012, of November 30.

Regulation RSSIF and the Ministerial Order for its development do not say anything about this type of specific measures related to the possible databases used, which may have very different characteristics and ways of managing their security, but rather focus on the minimum measures that the SIF must comply with in order to implement the required requirements. With them, it must be possible to ensure that the invoiced reality cannot be altered; it is considered that the system must detect the attempt to make changes and prevent them. In any case, nothing prevents the manufacturer and its SIF from taking further measures and, in fact, any additional measures that the manufacturer and the SIF adopt, tending to guarantee or strengthen these required requirements, are always welcome. In any case, the restrictions must not imply a reduction in the benefits for the user in carrying out any type of lawful tasks such as the aforementioned copies.

It will be one of the models that will be published on the Electronic Office.

In a case like the one described in the question, it is necessary to define what each component involves and what its functionality is within the whole. If it has an impact on compliance with the Regulation by the Billing Computer System, it is logical that there are as many Certifications as components that affect compliance with Regulation RSIF . All of them must be available to the system user.

After the transitional periods contained in the Fourth Additional Provision of RD 1007/2023, producers or manufacturers must provide their customers with SIF programs adapted to the standard. However, if a customer does not want to adapt their previously purchased systems, the manufacturer or producer is exempt from all liability, with the customer responding in accordance with the terms of article 201.bis LGT as amended by Law 11/2021, of July 9.

A manufacturer must generally support billing systems that comply with the standard, since the rest of the systems will no longer legal after the end of the transitional periods. The above is without prejudice to the support required to adapt such systems.

The diligence with which every producer, manufacturer, developer or implementer must comply with current regulations, to which they have committed themselves by issuing the corresponding Certification (through their responsible declaration), obliges them to adopt all measures that are technically available so that the security of SIF (preserving billing records) is not breached.

It should be noted that if the software operates in VERI*FACTU mode (with immediate voluntary submission of records), it is less likely that the user will be able to carry out any alteration of the records or any other irregular action (whether voluntary or involuntary) "a posteriori", since the billing records will be recorded in the AEAT , which prevents changes from being made to them.

Yes, the certification obligation applies to all SIF .

Law 11/2021, of July 9, has introduced the new article 29.2.j) of the General Tax Law, which establishes that any accounting, invoicing or management program of entrepreneurs must respect the requirements to guarantee the integrity, conservation, accessibility, legibility, traceability and inalterability of the records, without interpolations, omissions or alterations for which the proper annotation is not left in the systems themselves. This generic obligation, in the case of Billing Systems, based on its importance from the point of view of tax compliance, has materialized in certain obligations regulated by Royal Decree 1007/2023, of December 5, which approves the RRSIF . This Regulation on the requirements for computer billing systems is what requires, since its provisions come into force, that all computer billing programs and systems (SIF) corresponding to businesses and operations within the subjective and objective scope of the standard must be Certified.

Therefore, the certification obligation referred to in article 13 of RRSIF does not cover all software manufacturers, nor all programs, but exclusively manufacturers of Billing Computer Systems and in relation to said systems.

No, generic hardware (computer) on which billing software is installed does not need to be certified. Most often, the program or system itself must be certified, that is, the code installed on the hardware.

Obviously, all software has to run on hardware. However, the mention of hardware contained in the article only refers to those cases in which the hardware of the SIF system is part of a "whole" that is offered (marketed) as a complete product (software and hardware) to support billing, or when it is some specific hardware that performs or intervenes in a relevant way in the fulfillment of some requirement demanded of the SIF .

The company that carries out the programming of the code or integrates parts of other software, whether open source or not, must make the responsible declaration, incorporate the mandatory data and indicate which components it uses. In the event that you use open source, you will be responsible for its operation, including the security systems required to preserve the integrity, conservation, accessibility, readability, traceability and inalterability of the records.

Each system in operation must have a Certification issued through a responsible declaration from its producer (article 13.1 RRSIF ). If the software has been developed by the company itself, it will be the company that must certify it, complying with the provisions of the aforementioned article 13 and its implementing regulations.

Any operation on billing records, whether VERI*FACTU or not, must be recorded through a billing record, so access from SIF to modifications directly on the database of records already issued should not be a permitted operation.

If the SIF operates in VERI*FACTU mode (with immediate voluntary submission of the records), it is less likely that the user will be able to carry out any access or other improper actions "a posteriori", since the original billing records will already be in the AEAT , which prevents changes from being made to them. In this sense, access to the databases of billing records already sent to the Electronic Office does not pose the same risks as if the system were for storing the records locally, and the security systems do not have to be equally rigorous.

It should be noted that if the software operates in VERI*FACTU mode (with immediate voluntary submission of records), it is less likely that the user will be able to carry out any alteration of records or other irregular action "a posteriori" (whether voluntarily or by mistake), since the billing records will be registered with the AEAT, which prevents changes from being made to them.

In a case like the one described, the responsibility does not fall on the manufacturer, but rather on the user, to the extent that they have not adapted their systems to current regulations.

The SIF marketed can be “ONLY VERI*FACTU ” (that is, they only allow their use as VERI*FACTU ) or “dual” (which allow them to be used, at your discretion, as VERI*FACTU and as a system for issuing non-verifiable invoices) and it is the client (user of the SIF ) who chooses the operating mode. There cannot be a SIF that only functions as a system for issuing non-verifiable invoices, because the Regulation requires that all SIF have the capacity to be VERI*FACTU (even if the user does not choose that operating mode).

The responsibility in this aspect of the producer of "dual" systems is to ensure compliance with the regulations (Law, Regulation and OM ), so that the integrity, conservation, accessibility, legibility, traceability and inalterability of the records are guaranteed.

Frequently asked questions (FAQ)

Certification of computer systems: responsible declaration

How is it certified that a Billing Computer System complies with the regulations governing these systems?

Should a SIF product obtain any external certification? Should SIF be registered prior to marketing?

Who should carry out the Certification of a SIF product, the producer or the marketer of the same?

Is it mandatory for every SIF product to have its corresponding Certification?

Should the producer of SIF certify each product version it makes available to users?

How and where should the Producer Certification be provided?

Should the producer retain certification for all versions of its SIF products that it has made available to users over time? And the marketer?

Is it mandatory that the Certifications for ALL versions that the product has gone through be available in the SIF itself?

What data must the producer of SIF include in the Certifications?

Can the Certification be completed by adding additional data and explanations to those required?

Should the Certification made through the Producer's Responsible Declaration be signed electronically?

If the Billing Computer System used has undergone several different extensions, by the same producer or by producers other than the one that manufactured the SIF used, how many Certificates should there be?

What should be included in the Certification regarding the name and identification code data of product SIF referred to in articles 15.1.a) and 15.1.b) of the OM Project?

I am a producer of SIF and I have three products available for sale, whose names are: Invoice x Basic, Factu X Standard and Factu X Enterprise. What code should be placed in the Certification and which one in the billing record to comply with articles 15.1.b) and Annex I of the OM ?

As a producer of SIF , I offer a product SIF which, in addition to software, also includes its own hardware, with its corresponding firmware version. In this case, what should I put in the Certification regarding the full version referred to in article 15.c) of the OM ?

I am a producer of a SIF that has been designed and produced in such a way that it can only function, always and exclusively, as a VERI*FACTU system. What should I put in the Certification in relation to article 15.1.e) of the OM ?

I am the producer of an extension of a SIF produced by another company, which consists of the creation of new screens with personalized statistical tables of the billing. What should I put in the Certification in relation to article 15.1.e) of the OM ?

I am the producer of an extension of a SIF produced by another company, which consists of the creation of new screens with customized statistical tables for billing. What should I put in the Certification in relation to article 15.1.f) of the OM ?

As a billing software manufacturer where data is managed by a commercial database management system, should I block access to the database to prevent the client from modifying invoices? And if it is restricted, how will the client be able to manage and back up the database?

Is there any example model of Certification through responsible declaration published?

How would the Certification through responsible declaration be composed if a billing system with several components is used, each developed and implemented by a different company?

As a company that manufactures computerized billing systems, who is responsible for compliance with the regulation in the event that a client does not want to update the billing system that was purchased from our company to comply with the requirements of the regulation?

Who is responsible if a customer breaches the security measures of a billing system certified by a manufacturer, developer or implementer?

Is the producer of a SIF that only works in VERI*FACTU mode required to provide the Software Certification?

Regarding certification by responsible declaration of computer systems, is the declaration required for all software manufacturers or only for those that manufacture billing software?

The content of the Certification in the OM mentions that the hardware and software components that make up the computer system must be included in it. Does hardware need to be certified? When should hardware components be included?

If open source billing software is used, who makes the responsible declaration?

If a company has billing software based on its own development and only for its own use (not marketed), must it also have Certification?

If a billing software is of the “on-premise” type in which the client owns the data since they have it on their servers. Should we limit access through the database to the client to prevent its modification? If so, in any case? Are we or are we not VERI*FACTU ?

If a company uses a non-adapted computer program for which maintenance is no longer offered and therefore the program version is not updated, what responsibility does the manufacturer of that program have?

To what extent does the software manufacturer's liability extend if it also chooses to offer a system for issuing non-verifiable invoices? Because if only the VERI*FACTU system is implemented, the manufactured systems are required to send the billing records to the AEAT immediately.