In 2021, Spain passed the Ley Antifraude (Anti-Fraud Law 11/2021), setting the stage for one of Europe's most rigorous electronic invoicing frameworks. At its core sits VERI*FACTU — a system that requires all invoicing software used in Spain to generate tamper-proof records, create cryptographic hash chains, embed QR codes on every invoice, and optionally submit invoice data to AEAT (Agencia Estatal de Administración Tributaria) in real time. Corporate taxpayers have been required to comply since January 1, 2026, while freelancers (autónomos) must comply by July 1, 2026. SII-registered taxpayers (large companies already reporting via Suministro Inmediato de Información) are exempt from VeriFactu.
Unlike other EU e-invoicing mandates that focus on invoice format and exchange networks, Verifactu goes further — it regulates the software itself. Every invoicing system sold or used in Spain must be certified, ensuring it cannot be used to alter, delete, or hide invoicing records. This makes Spain's approach fundamentally different from Peppol-based mandates in Belgium or the PPF/PDP model in France.
Jan 2026
Corporate mandate live
3.2M
Spanish businesses
AEAT
Tax authority
SHA-256
Hash algorithm
What Is Verifactu
VERI*FACTU is the core component of Spain's Reglamento de Requisitos de los Sistemas Informáticos de Facturación — the regulation governing invoicing software requirements. Established under Royal Decree 1007/2023, it creates a legal framework that classifies all invoicing systems operating in Spain into two categories and mandates specific technical capabilities for each.
Origins & Legislative Timeline
The Anti-Fraud Law was born from a specific problem: Spain's tax gap. AEAT estimated that software-enabled invoice manipulation — including dual-use software that maintained separate "official" and "real" books — was responsible for billions in lost tax revenue annually. Verifactu's philosophy is simple: if the software cannot be manipulated, the invoices it produces are inherently trustworthy.
Two System Categories Under Verifactu
Spain's regulation defines two types of compliant invoicing systems. Both must meet cryptographic and record integrity requirements, but they differ in one crucial way:
VERI*FACTU Systems
Submit invoice records to AEAT in real time (or near-real-time). Each invoice record is transmitted automatically to the tax authority as it's generated. This is the preferred model and carries the "VERI*FACTU" designation on invoices.
Non-VERI*FACTU Compliant Systems
Meet all technical requirements (hash chains, tamper-proof records, QR codes) but do not submit data in real time. Records are stored locally and must be available for AEAT audit on demand. These systems face stricter audit scrutiny.
Importantly, businesses can choose either category — but those opting for VERI*FACTU systems gain the benefit of the "Verifactu" label on their invoices, signalling to trading partners and tax authorities that their data is automatically reported. AEAT has strongly encouraged real-time submission, and industry consensus suggests it will become the de facto standard within the first year of the mandate.
Technical Architecture
Verifactu's technical design is centred on three pillars: immutable record creation, cryptographic chaining, and structured data submission. Understanding the architecture is essential for any software vendor or business planning compliance.
Immutable Invoice Records
Every invoice, credit note, and correction generated by the system must be stored as an immutable record. The software must prevent deletion, backdating, or modification of any previously issued invoice. Each record contains the full invoice data, a sequential number, a timestamp, and the hash of the previous record — forming an unbreakable chain.
Real-Time XML Submission
VERI*FACTU systems transmit invoice registration records to AEAT's SII (Suministro Inmediato de Información) platform via structured XML. Each submission includes the invoice's identification data, tax breakdown, counterparty details, and the SHA-256 hash. AEAT returns an acknowledgement with a response code confirming receipt.
Software Certification
Vendors must submit a responsible declaration (declaración responsable) to AEAT confirming their software meets all RD 1007/2023 requirements. This includes hash generation, QR code capability, tamper-proof storage, and — for VERI*FACTU systems — real-time submission capability. AEAT maintains a registry of certified software.
Audit Trail & Event Log
The software must maintain a detailed event log recording every action taken within the invoicing system: invoice creation, modifications to draft invoices, finalisation, cancellation, and submission to AEAT. This log is itself protected by the hash chain and must be available for inspection during AEAT audits.
The SII Integration
Spain already operates the Suministro Inmediato de Información (SII) system, which since 2017 has required large companies (those with annual turnover above €6 million) to submit invoice data to AEAT within four days. Verifactu extends and evolves this infrastructure. Crucially, SII-registered taxpayers are exempt from VeriFactu— since they already report invoice data to AEAT in near real time. For all other businesses, Verifactu introduces a certification obligation on the invoicing software itself, distinct from SII's reporting obligation on the business.
Businesses already on SII do not need to implement VeriFactu — their existing real-time reporting satisfies AEAT's requirements. For the approximately 3.2 million smaller businesses not on SII, Verifactu represents a significant new compliance requirement — one that required corporate taxpayers to upgrade by January 2026, with freelancers following by July 2026.
QR Code & Hash Chain
Two of Verifactu's most distinctive technical features are the mandatory QR code on every invoice and the SHA-256 hash chain that links all invoice records into a tamper-evident sequence. Together, they form the backbone of Spain's anti-fraud architecture.
Mandatory QR Code on Every Invoice
Every invoice generated by a Verifactu-compliant system must include a QR code. This code encodes a URL pointing to AEAT's verification service, along with the invoice's key identification data: the issuer's NIF (tax ID), invoice number, date, total amount, and a hash fingerprint. Anyone scanning the QR code — a customer, auditor, or tax inspector — can instantly verify whether the invoice was properly registered with AEAT.
SHA-256 Cryptographic Hash Chain
Each invoice record includes a SHA-256 hash computed from the invoice's key data fields (NIF, invoice number, date, type, gross amount, and tax amounts) concatenated with the hash of the previous invoice record. This creates an unbreakable chain — altering any single invoice would invalidate the hash of every subsequent record, making tampering immediately detectable by AEAT during audit or real-time submission.
First Invoice: The Genesis Record
The first invoice in a hash chain uses a predefined initial value (specified by AEAT) as its 'previous hash' input. This genesis record anchors the entire chain. Software vendors must ensure that this initial record is correctly generated during system setup — an incorrect genesis hash will cascade errors through the entire chain, causing all subsequent submissions to be rejected.
Verification URL Structure
The QR code encodes a URL in the format: https://prewww2.aeat.es/wlpl/TIKE-CONT/ValidarQR?nif=[NIF]&numserie=[INVOICE_NUM]&fecha=[DATE]&importe=[AMOUNT]. This allows any stakeholder to verify the invoice against AEAT's records in seconds. For VERI*FACTU systems that submit in real time, verification is instant; for non-VERI*FACTU systems, verification reflects the last audit submission.
Hash Chain Mechanics: A Worked Example
Consider a business issuing three invoices on the same day. Invoice 001 computes its hash from its own data fields plus the AEAT-defined genesis value, producing hash a3f8...c21b. Invoice 002 takes its own data and concatenates it with a3f8...c21b before hashing, producing 7e2d...f093. Invoice 003 uses 7e2d...f093 as its previous hash input. If anyone retroactively modifies Invoice 001, its hash changes — which means Invoice 002's hash also changes — which cascades to Invoice 003. AEAT can detect this discrepancy instantly by re-computing the chain from the genesis record.
Why This Matters for Businesses
The QR code and hash chain combination means that invoices issued in Spain carry built-in authenticity guarantees. For buyers, it means any invoice can be verified in seconds. For sellers, it means the integrity of their invoicing history is mathematically provable. And for AEAT, it means the tax authority has an unprecedented ability to detect fraud without conducting intrusive on-premise audits — the data either matches the chain, or it doesn't.
This design also distinguishes Verifactu from other European systems. France's PPF/PDP model and Belgium's Peppol mandate focus on invoice delivery and format; Verifactu focuses on invoice integrity at the point of creation. Spain is betting that controlling the software eliminates fraud at its source, rather than trying to catch manipulated invoices after they've entered the system.
Compliance Requirements
Verifactu compliance has two dimensions: requirements for software vendors who build invoicing tools, and requirements for businesses that use those tools. Corporate taxpayers have been required to comply since January 2026, with freelancers following by July 2026.
For Software Vendors
For Businesses
Penalties for Non-Compliance
Spain's penalty regime under the Anti-Fraud Law is severe. Software vendors that produce, distribute, or market non-compliant invoicing software face fines of up to €150,000 per fiscal year. Businesses that use non-certified software or systems that allow invoice manipulation can be fined €50,000 per tax year. Individual invoices lacking the mandatory QR code or with broken hash chains constitute separate infractions. AEAT has indicated that enforcement will be phased — with an initial focus on software vendors before expanding to end-user businesses — but the penalties apply from Day 1.
How Verifactu Differs from Other EU Systems
Understanding where Spain's approach sits relative to other European e-invoicing frameworks helps businesses with multi-country operations plan their compliance strategy.
Belgium (Peppol)
Belgium mandates a specific exchange network (Peppol) and format (BIS 3.0). Verifactu is network-agnostic — it regulates the software, not the delivery channel. A Spanish business can deliver invoices via email, portal, or EDI, as long as the invoicing software is certified and the QR code is present.
France (PPF/PDP)
France's model requires invoices to flow through certified platforms (Plateformes de Dématérialisation Partenaires) and includes e-reporting of transaction data. Verifactu shares the real-time reporting concept but implements it at the software level rather than the platform level. France's approach creates a marketplace of platforms; Spain's creates a certification regime for software.
Germany (XRechnung)
Germany's 2027 e-invoicing mandate focuses on structured format requirements (XRechnung, ZUGFeRD) and will eventually mandate electronic exchange. Germany does not (yet) regulate invoicing software itself. Spain's approach is more invasive — it controls what the software can do, not just what format it outputs.
Implementation Guide
With the corporate mandate already in effect since January 2026 and freelancers required to comply by July 2026, businesses operating in Spain need a clear roadmap for Verifactu compliance. Whether you're an SME encountering these requirements for the first time or a freelancer preparing for the July deadline, this step-by-step guide covers what to do — and when. (Note: SII-registered large enterprises are exempt from VeriFactu.)
Identify every piece of software used to generate invoices across your business — including ERP modules, standalone billing tools, POS systems, and spreadsheet-based processes. For each, determine whether the vendor has announced Verifactu compliance plans. If your vendor hasn't published a compliance roadmap by mid-2026, begin evaluating alternatives immediately.
Check AEAT's certified software registry to verify that your vendor has submitted their declaración responsable. Request written confirmation from your vendor specifying which Verifactu category their software falls under (VERI*FACTU or non-VERI*FACTU) and the expected certification date. Do not accept verbal assurances — documentation is critical for your own compliance defence.
Decide whether to implement a VERI*FACTU system (with real-time AEAT submission) or a non-VERI*FACTU compliant system (local storage with audit availability). AEAT strongly favours real-time submission, and the 'VERI*FACTU' label on invoices signals transparency to trading partners. For most businesses, the real-time option is worth the additional setup effort.
If implementing a VERI*FACTU system, your software must connect to AEAT's XML submission endpoint. Work with your software vendor or integration partner to configure API credentials, test connectivity in AEAT's sandbox environment, and validate that SHA-256 hash generation, QR code encoding, and XML schema compliance all pass AEAT's automated validation checks.
Generate a sequence of test invoices and verify the hash chain. Confirm that each invoice's hash correctly incorporates the previous record's hash. Attempt to modify a past invoice and verify that the system either prevents the modification or correctly flags the chain as broken. This is the single most critical test — a broken hash chain will trigger AEAT audit flags.
Verify that every invoice — including credit notes and corrections — generates a QR code containing the correct AEAT verification URL. Scan each QR code to confirm it resolves to AEAT's verification page with the correct invoice data. Test edge cases: invoices with special characters in the NIF, very high amounts, and correction invoices referencing original records.
The biggest workflow change is that finalised invoices can no longer be edited or deleted. Finance teams must learn the correction invoice workflow: issuing a new correction record that references the original, rather than modifying the original directly. Train AR/AP staff on the QR verification process and how to handle trading partner queries about the new invoice format.
Before your applicable deadline (January 2026 for corporates, July 2026 for freelancers), run your new Verifactu-compliant system in parallel with your existing invoicing process for at least 2–3 months. Compare outputs, verify hash chains, test AEAT submissions, and identify any discrepancies. This parallel period is your safety net — use it to catch issues before the mandate makes compliance mandatory.
Set up dashboards to track AEAT submission success rates, hash chain integrity status, QR code generation failures, and invoice rejection reasons. Configure alerts for any hash chain break, submission timeout, or validation error. Early detection of systematic issues prevents cascading compliance failures across thousands of invoices.
Maintain records of your software vendor's certification, your system configuration, hash chain genesis records, and AEAT acknowledgements. In the event of an audit, AEAT will expect you to demonstrate not just that your software is certified, but that you have actively verified its compliance. Documentation is your first line of defence.
Timeline Recommendation
The corporate taxpayer mandate is already live (since January 2026). Freelancers still have until July 1, 2026. If you're a freelancer who hasn't yet complied, InvoStaq recommends completing Steps 1–3 immediately, Steps 4–6 by May 2026, and beginning parallel operations (Step 8) no later than early June 2026. Waiting until the last weeks risks encountering vendor capacity constraints, ERP consultant backlogs, and insufficient testing time — the exact pattern seen in Belgium's January 2026 Peppol mandate, where last-minute adopters experienced significantly higher rejection rates.
Spain's Verifactu system is more than a regulatory checkbox — it represents a fundamental shift in how invoicing integrity is enforced. By certifying the software itself, Spain ensures that fraud prevention starts at the moment of invoice creation, not after the fact. The hash chain and QR code mechanisms provide mathematical guarantees that no other European system currently matches. For businesses, the message is clear: invest in certified software, test thoroughly, and treat the applicable deadlines — January 2026 for corporates, July 2026 for freelancers — as immovable. The penalties for non-compliance are steep, but the benefits — faster verification, higher trust, and reduced audit risk — are even greater.
Get Verifactu-Ready
InvoStaq's certified invoicing platform handles SHA-256 hash chains, QR code generation, and real-time AEAT submissions out of the box. Get compliant with Spain's Verifactu mandate in weeks, not months.