Tax News Update    Email this document    Print this document  

August 18, 2023

Luxembourg enacts new reporting regime to combat VAT fraud

  • On 19 July 2023, the Luxembourg Parliament adopted a law introducing new record-keeping and reporting requirements for payment service providers (PSPs).
  • All PSPs providing payment services within the European Union (EU) will be required to keep records of and report data on certain cross-border payments as of 1 January 2024.
  • The data collected by the various Member States will then be exchanged between them and centralized in a European database: Central Electronic System of Payment information (CESOP).
  • This new reporting regime will allow national tax authorities to carry out controls in order to combat Value-Added Tax (VAT) fraud.

Executive summary

On 2 August 2023, the Law of 26 July 2023 transposing Council Directive (EU) 2020/284 of 18 February 2020, amending Directive 2006/112/EC as regards introducing certain requirements for PSPs (CESOP Law), was published in the Official Journal of the Grand-Duchy of Luxembourg.

These new rules are set to combat VAT fraud by enabling national tax authorities to carry out controls. This means that with the CESOP Law, all PSPs providing payment services in the EU will be required, starting on 1 January 2024, to record and disclose transactional data on cross-border payments that fall within the scope of the obligations defined in the CESOP Law.

The data collected by the various EU Member States will then be exchanged among the concerned Member States and centralized in the CESOP database.

This data exchange will enable tax authorities to detect possible VAT fraud by: (i) identifying sellers behind websites or marketplaces, (ii) collecting data in a harmonized standard format, and (iii) centralizing all information in the CESOP database to be reconciled at the European level.

Detailed discussion

What is the scope of the CESOP Law?

According to the CESOP Law, PSPs providing payment services within the EU will be required to report payments on a quarterly basis when all the following criteria are met:

  1. The PSP provides payment services in an EU Member State — this includes legal entities, permanent establishments and passported services.
  2. The payment is an in-scope payment type — broadly, all payments covered by Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market1 are in-scope (e.g., credit transfers, direct debits, credit cards, e-money and remittances).2
  3. The payer is in the EU — typically determined by the country identifier in the payer's International Bank Account Number (IBAN), or another relevant identifier when no IBAN is involved.
  4. The payment is cross-border, from one EU Member State to another, or to a third country
  5. More than 25 cross-border payments are made to the same payee within a calendar quarter — the payments can be from any payer to the payee; where the payee has multiple accounts, the PSP must aggregate them.

In general, the CESOP report filing will have to be completed separately in each EU Member State where the PSP provides payment services.

The submission of the report should be made electronically and in a specified XML format, defined locally by each relevant tax administration. For each quarter, the CESOP reporting deadline will be one month after the end of the quarter.

The deadline for the first reporting is 30 April 2024 regarding the in-scope payments performed during the first quarter of 2024.

What challenges does the new CESOP Law entail?

The new CESOP requirements bring challenges to PSPs3, affecting most functions of the organizations, including:

  • Customer relations and information
  • Static and dynamic customer data to be collected and maintained
  • Identification and management of differences in interpretation and laws between Member States
  • Appointment of accountable persons and definition of new roles
  • Drafting new procedures and testing processes
  • Impact on IT systems (e.g., core banking platforms)
  • Definition of new reporting and exchange infrastructure
  • Awareness and training of persons
  • Oversight controls and impact on risk and compliance functions

The requirement for CESOP reports to be submitted in each EU Member State where the PSP provides payment services can quickly become a complicated and time-consuming exercise. To ensure readiness by 1 January 2024, PSPs must not delay their CESOP impact assessments and implementation projects.


For additional information with respect to this Alert, please contact the following:

Ernst & Young Tax Advisory Services S.à r.l.

Published by NTD’s Tax Technical Knowledge Services group; Carolyn Wright, legal editor



1 Amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD2).

2 See EY Luxembourg article of 27 October 2022: EU introduces new VAT reporting obligations as of 1 January 2024.

3 See EY Luxembourg brochure on CESOP: Luxembourg CESOP brochure.