We have the certificate: ISO/IEC 27001:2022, certified by DNV and Cyberwise. But that’s not the most interesting part of this story.
Because this isn’t about us. It’s about what this means for the companies that work with us, and for those who still have to decide which access point to choose.
What is ISO/IEC 27001:2022?
ISO/IEC 27001 is the international standard for information security, published by the International Organization for Standardization. It describes how an organization systematically identifies, manages, and continuously improves its information security risks. This includes access control, encryption, incident management, and business continuity planning.
The 2022 edition is the most recent version of the standard. Compared to the previous version from 2013, it places greater emphasis on cybersecurity, cloud environments, and supply chain security.
Becoming certified requires a thorough audit by an external, accredited body. Nymus was certified by DNV, one of the most renowned certification bodies in the world, and by Cyberwise for the Belgian context.
Why will ISO certification be mandatory for Peppol Access Points starting in 2027?
Peppol is the international network through which businesses and government agencies exchange e-invoices. Access to this network is provided via so-called Access Points, which are providers certified by OpenPeppol to send and receive invoices.
OpenPeppol, the organization behind the Peppol network, has decided that every Peppol Access Point must be ISO/IEC 27001-certified by July 1, 2027. Access Points that fail to meet this requirement will lose their certification and will no longer be able to process Peppol invoices.
That’s no small change. It means that companies currently using a non-certified provider must have found an alternative by that date or be certain that their current provider will obtain certification.
Why has Nymus already obtained certification?
For Nymus, ISO certification was not a response to a regulatory requirement, but a deliberate choice made as part of its growth strategy.
First, Nymus primarily works with larger companies. These companies often have strict supplier evaluation processes in place and expect their key partners to demonstrate a certain level of information security. ISO/IEC 27001 is the recognized standard for this purpose.
Second, Nymus wants to expand its operations abroad, such as to the Netherlands. In the Netherlands, government agencies already require ISO certification as a prerequisite for recognition as a Peppol Access Point. Without certification, access to that market is not possible.
Earning the certification was not an end in itself, but rather a confirmation of how Nymus was already operating and a prerequisite for the next step.
What will change for existing Nymus customers?
For existing customers, nothing will change from an operational standpoint. The security processes implemented to obtain certification were largely already in place or aligned with existing procedures.
What customers do gain is external validation. They can demonstrate both internally and externally that their e-invoicing partner complies with internationally recognized security standards. For companies that are ISO-certified themselves or use formal supplier evaluations, this is a tangible benefit.
What if your current access point isn't ISO-certified yet?
Not every access point is certified today. And not every access point will pass certification. For some players, the investment in time, resources, and processes is too great.
The July 1, 2027 deadline may seem far off, but switching to a different access point isn’t something you can do in a day. You’ll be dealing with ERP integrations, mappings, onboarding processes, and testing phases. That process can easily take several months.
The least you can do right now is ask your current provider what their plan is. Are they already certified? If not, when do they expect to be? And what if they don’t meet that deadline?
If the answer is vague, that in itself is information.
If a provider fails to notify you in a timely manner about the loss of its Access Point status, you won’t have enough time to respond. This puts you at risk of having your billing processes come to a standstill when you’re least prepared for it.
What should you consider when choosing a Peppol Access Point?
ISO certification is one criterion, but not the only one. When evaluating an access point, there are four key areas to consider.
The first consideration is security and compliance. Is the provider certified, or is it actively working toward certification? Who conducts the audit? How does the provider communicate security incidents to its customers?
The second point is continuity. What is the guaranteed uptime? Is there a formal SLA? Who will respond in the event of an outage, and how quickly?
The third factor is technical capability. Can the provider handle your ERP environment? Not every provider is equipped to handle complex situations involving multiple entities, multiple systems, or legacy infrastructure. Ask for references in your industry or with a similar technical stack.
The fourth factor is forward-thinking. Does the provider have a concrete roadmap? Does it keep abreast of relevant developments, such as the European ViDA Directive, e-reporting, and the expansion of the Peppol network? Or does it merely respond to what is already required?
The 2027 deadline is closer than it seems
For Nymus, ISO/IEC 27001:2022 certification is not the end goal. It confirms that we are on the right track—for our clients, for our growth strategy, and for a market that is becoming increasingly complex in terms of regulations.
If you’d like to know what the 2027 deadline means for your specific situation, or how to conduct a fair evaluation of your current provider, we’d be happy to help.