NF525 point-of-sale software: your obligations in 2026

Since 2018, any VAT-registered merchant in France who collects payments through point-of-sale software must be able to prove compliance. Here, point by point, is what the NF525 requirements actually impose in 2026 — and what the French tax authority inspects.

Compliance for NF525 point-of-sale software is not a marketing option: it is a tax obligation, enforceable during an inspection, that falls on the merchant and not on the software vendor. Before choosing or renewing your payment-collection solution, you need to understand precisely what the law requires, what it checks, and how to prove it.

The legal framework: Article 286-I-3 bis of the French Tax Code

The obligation stems from Article 286-I-3 bis of the French General Tax Code (CGI), introduced by the 2016 Finance Act and in force since 1 January 2018.

The text targets any VAT-registered business that records its customers' payments through point-of-sale software or a cash register system. This covers restaurants, bars, retail shops, salons, pharmacies, and bakeries — in practice, any activity that collects payments, especially from individuals (B2C).

Conversely, a purely B2B company that invoices without collecting payment through a register is, in principle, outside the scope. The nuance matters: it is the use of a cash register system to record payments that triggers the obligation, not the mere act of issuing invoices.

The NF525 standard (published by Infocert / AFNOR) is the market reference that materializes this compliance, but the law speaks of "requirements": it is meeting them that is enforceable, not the NF label itself. This baseline of requirements is also referred to as the NF525 standard.

The 4 ISCA pillars

The regulation imposes four cumulative conditions, summarized by the acronym ISCA: Inalterability, Security, Conservation, Archiving.

Inalterability

Once a sale is recorded, no data can be modified or deleted without leaving a trace. An error is corrected only through a new operation (cancellation, credit note, logged correction), never by rewriting history. This is the heart of the mechanism: preventing fraud via "permissive software" that erases revenue.

Security

Payment data must be secured over time, typically through cryptographic chaining: each record incorporates a fingerprint (a signature or hash, often SHA-256) computed from the previous one. Breaking a link becomes detectable, because the entire downstream chain is invalidated.

Conservation

Data must be retained and closed by period: daily (Z), monthly, and annual closings, with running totals and a perpetual grand total that never resets to zero. These closings freeze the counters and feed the audit trail.

Archiving

The system must produce exportable, dated, and secured archives that allow later inspection over the legal retention period. These archives must remain readable and verifiable independently of the software that generated them.

The tax journal and the event chain

At the center of the mechanism sits the event journal, often called the permanent tax journal (JFP). It records, in a chronological, exhaustive, and unalterable way, every significant operation: session openings, sales, cancellations, refunds, Z closings, drawer openings, and so on.

This journal, combined with the closings and the perpetual grand total, makes it possible to reconstruct the entire activity and detect any break in sequence. It is the centerpiece the authorities will examine. Not to be confused with the accounting entries file (FEC), which belongs to accounting and answers distinct requirements: the JFP is the fiscal fingerprint of the register, while the FEC is the standardized export of the accounts.

Certificate or vendor attestation: what is changing

Historically, the merchant could prove compliance in two ways:

  • a certificate issued by an accredited body (for example LNE or Infocert/AFNOR), resulting from an independent audit of the software;
  • an individual attestation from the vendor, a document in which the supplier itself vouched for the compliance of its solution.

The Finance Act has tightened this framework: the option of relying on a simple vendor attestation has been removed, leaving only the path of a certificate issued by an accredited body. Concretely, in 2026 the expected proof moves closer to an independent certificate: a vendor self-declaration no longer offers the same legal security. So ask your supplier what supporting document they provide, its issuer, and its validity date — and keep that document, because it is you, the operator, who must present it.

What the authorities inspect

The inspection can be unannounced: a tax-authority agent may appear at your establishment without notice to verify that you hold the compliance document for each cash register software in use.

In the absence of supporting proof, the fine is €7,500 per non-compliant software or system, together with an obligation to rectify within 60 days, under penalty of a further fine. Beyond this documentary check, a standard tax audit may examine:

  • the continuity and integrity of the event journal (no gap in sequence);
  • the consistency between Z closings, the perpetual grand total, and declared revenue;
  • the impossibility of modifying a past sale without a trace;
  • the availability of exportable archives over the inspected period.

Choosing compliant point-of-sale software

In practice, a compliant register must therefore natively: lock sales after validation, cryptographically chain records, manage the Z/M/A closing cycle with a perpetual grand total, log every event in an unalterable journal, and produce exportable archives — all backed by a certificate you can present at any time.

eyeot's POS module is built around these requirements: receipt chaining, event journal, closings and grand total, and multi-rate VAT handling. For food-service businesses, it works together with the Restaurant module (floor plan, table tabs, bills), and the closings feed the Finance module for accounting follow-up. The goal: a coherent chain from payment collection through to the accounting entries, with no re-entry.

Discover eyeot

eyeot is a French ERP that brings together POS, sales management, stock, and finance in a single platform, with particular attention to payment-collection compliance. If you want to evaluate it under real conditions, the free individual account gives you access to the platform, with no credit card and no time limit, to frame your compliance work. A good opportunity to turn a regulatory obligation into a steering foundation for your business.

On the same topic

POS / Cash registerRestaurantAccounting & financeNF525Permanent Fiscal Journal (JFP)VATFEC
All articles

Try eyeot for free

eyeot is a French all-in-one ERP for small and mid-sized businesses, hosted in France and GDPR-compliant. Free for individuals (1 user, every module); simple team packs for companies.

Create my free accountSee pricing