What is CESOP reporting?
CESOP is the EU’s quarterly cross-border payments register. Since 1 January 2024, every payment service provider in the EU has had to record cross-border payments and file them with member-state tax authorities — who in turn pass the records up to a central database run by the European Commission. It is a VAT-fraud tool, not a supervisory return — but for fintechs operating cross-border on a Freedom-of-Services passport it has created a uniquely heavy operational footprint. This piece walks through what the regime is, what is reported, where it gets filed, why home-state filing alone is not enough, and what the build-versus-buy decision looks like.
1. What CESOP is, in one paragraph
CESOP — the Central Electronic System Of Payment information — is an EU-wide database of cross-border payment data, established by Regulation (EU) 2022/1504 of 9 September 2022 amending Regulation (EU) 904/2010, technically managed by the European Commission. The PSP-level reporting obligation that feeds it sits in Council Directive (EU) 2020/284, transposed into national VAT codes through new Article 243b–d obligations on payment service providers. PSP records are retained for five years in CESOP; PSPs themselves must keep three years’ worth on their own systems.
2. Why CESOP exists
The regime is a VAT-fraud tool. Cross-border e-commerce inside the EU has historically been hard for tax authorities to follow, because the seller often sits in a different member state from the buyer and from the bank that processes the payment. Carousel fraud, undeclared online sales, and abuse of small-value B2C exemptions all exploit that gap. By collecting payee-side payment data centrally and giving Eurofisc liaison officials cross-EU search, CESOP gives tax authorities a continuous trail of who is actually being paid by EU consumers, regardless of where the seller has registered.
Notably, CESOP is payee-only. The payer’s identity is not collected. The point is to find sellers, not to surveil consumers.
3. Who must report
The Article 243d obligation hits four categories of payment service providers under PSD2:
- Credit institutions (CRR-banks)
- Electronic money institutions (EMIs)
- Payment institutions (PIs), including AISPs and PISPs that handle funds
- Post office giro institutions
The reporting trigger is the 25 cross-border payments per payee per quarter threshold. Once that threshold is hit for a single payee in a single quarter, every cross-border payment to that payee in that quarter becomes reportable — not just the ones above 25.
“Cross-border” means the payer and payee are in different member states (intra-EU), or the payer is in the EU and the payee outside it. Domestic same-state payments are out of scope.
4. What data is reported
The CESOP XML schema (CESOP-XSD-v4.04 at the time of writing) carries, per cross-border payment:
- Payee identification — name, IBAN/account identifier, BIC, address, VAT number where known
- Payment amount and currency
- Date and reference
- Payment-method code
- Member-state-of-payee designation, derived from IBAN/BIC routing logic
- Indication of refunds linked to the original payment
The schema is one file. The destinations are not.
5. The Freedom-of-Services problem
This is where most cross-border fintechs lose three months they did not budget for.
If you are an EMI authorised in (say) Spain and you operate across the EU on a Freedom-of-Services passport, you have no physical office in France, Italy, Germany, the Netherlands, or any of the other twenty-three member states. CESOP nonetheless requires you to file in each member state where one of the payment legs you process is located:
- If you are the payer’s PSP, you file in the member state of the payer.
- If you are the payee’s PSP, you file in the member state of the payee.
- If both legs are in the EU and you sit on both sides, you file in both.
This is the structural cost. It is not the XML or the engineering — those are commodity at this point. It is the procedural overhead of opening up to twenty-seven tax registrations and running twenty-seven quarterly filings against them.
6. Reporting cadence and deadlines
| Quarter | Period covered | Filing deadline |
|---|---|---|
| Q1 | Jan – Mar | End of April |
| Q2 | Apr – Jun | End of July |
| Q3 | Jul – Sep | End of October |
| Q4 | Oct – Dec | End of January |
Late-filing penalties are set nationally and vary widely — some member states issue per-payee fines that escalate quickly. The regime has been live since 1 January 2024; the first wave of audits is underway as supervisors compare reported data across home- and host-state filings.
7. From PSP to Commission — the data flow
Mechanically, CESOP is a two-step pipe:
- Each PSP submits its quarterly XML to each member state’s tax authority portal, in line with that state’s local registration regime.
- Each member state’s tax authority forwards the records to the central CESOP database at the Commission, where they are deduplicated, indexed, and made searchable for Eurofisc liaison officials across all 27 member states.
The PSP never talks to the Commission directly. The Commission never talks to the PSP. Everything flows via the member-state tax authorities — and that is the layer that creates the registration burden.
8. Build, buy, or hybrid
Three real options for an EMI / PI that crosses the threshold:
- Build in-house. Schema generation is straightforward; the real cost is the 27 portal integrations and tax registrations. Realistic only if you already have an in-country presence in most member states or are a large bank with a tax team.
- Buy a managed service. The big-four reporting platforms (e.g. Deloitte’s end-to-end CESOP solution, plus a handful of specialist vendors) consolidate schema build and portal submissions. Pricing is volume- and coverage-dependent; total annual cost runs into six figures once you cover ten or more member states actively.
- Hybrid. Generate the XML in-house against your payments warehouse; outsource only the country-by-country portal submissions and the local fiscal-representative function.
The “right” answer is volume-driven. Below five active member states the hybrid model usually wins; above ten, full outsourcing becomes the only realistic operating model for a small team.
9. FAQ
If I send the information to my local tax authorities, will they forward it to the other countries?
Unfortunately not. That was the initial expectation when the regime was first discussed, but the latest reporting guidelines confirm that each PSP is recommended (and in practice required) to submit directly to each member state where the payment legs are located. Home-state filing is not a substitute for host-state filing.
What counts as a “cross-border” payment?
A payment is cross-border when the payer and the payee are in different member states (intra-EU), or when the payer is in the EU and the payee is outside it. Domestic same-state payments are out of scope.
Does the 25-transaction threshold reset per quarter?
Yes. It is a per-payee, per-quarter test. A payee that crossed 25 in Q1 but receives only 10 from you in Q2 falls out of scope for Q2.
What about refunds and reversals?
Refunds linked to a reportable original payment are themselves reportable, with a flag connecting the two. Stand-alone reversals follow the same rule as a payment.
Do I report the payer’s data?
No. CESOP captures payee data only — the merchant or recipient. The rationale is VAT-fraud detection on the seller side, not transaction-level surveillance of consumers.
Is e-money in scope?
Yes. EMIs are explicitly listed in Article 243b. The trigger is the same 25-payments-per-payee-per-quarter test.
What is the relationship between CESOP and Eurofisc?
CESOP is the database; Eurofisc is the network of national liaison officials who use it. CESOP records are accessible only to Eurofisc-designated personnel within member-state tax authorities, not to the public or to other regulators.
10. What to do, today
If you operate cross-border on a Freedom-of-Services passport:
- Identify the member states where your payment legs actually touch (volume by destination).
- Open tax registrations in those member states in parallel — this is the long pole.
- Pick a build / buy / hybrid model on the basis of country-coverage, not on engineering complexity.
- Run a Q1 dry submission so audits do not catch you in your first live quarter.
If you are still on the threshold, you can architect transaction routing to keep specific countries below 25 per quarter — legitimately, not as evasion. The rule is mechanical, and an honest distribution can avoid it for the smallest member states without changing your business.
Related: How to launch Dutch IBANs · What is the Banking Information Reference Portal?
