Spain’s anti-fraud law tightens cash-payment limits, adds crypto reporting, and, through Verifactu (rules for billing programs so invoices cannot be secretly changed), forces billing systems to create tamper-evident invoice records with a QR code and an optional real-time send to AEAT (Agencia Tributaria, Spain’s Tax Agency). It mainly affects businesses that issue invoices with software and are outside SII (Immediate Supply of Information, the real-time VAT books). 2025 is the preparation year for vendors and companies. User obligations start in 2026 with phased dates. B2B e-invoicing under Crea y Crece (the law that makes businesses send electronic invoices to other businesses) runs in parallel and is a separate mandate.
Quick Q&A
What is Verifactu? A rule set for billing software so every invoice leaves a trace. It adds a QR on each invoice and can send records to AEAT in real time.
Who is in scope? Companies and most autónomos who issue invoices with software and are not in SII (the real-time VAT books).
Does this force e-invoicing? Not by itself. Verifactu is about how invoices are recorded. B2B e-invoicing is a separate law called Crea y Crece (it controls the format and delivery of invoices between businesses).
What dates matter? Jan 1, 2026 for companies. Jul 1, 2026 for the rest in scope. Cash caps and crypto rules already apply.
Do I need to send every invoice in real time? No. Verifactu mode is optional. If you do not use it, you must still keep the tamper-evident records and exports.
Will my customers see the QR? Yes. Each invoice must show a QR that helps verify the record.
Can I keep Excel? No, not for issuing invoices. You need a compliant billing program. Also, purely manual invoices are outside SIF - but are impractical for most businesses.
Anti-fraud law - what it is and why it matters
It is a package of measures to prevent tax evasion. It changes the General Tax Law, with the famous article 29.2.j (a clause that targets billing programs so they cannot hide sales). The details live in Royal Decree 1007/2023, which defines SIF (Sistemas Informáticos de Facturación, the billing systems covered) and Verifactu rules, and later tweaks in 2025 that set the final calendar.
In short: your billing records must be trustworthy and meet these five requirements:
Integrity - no hidden edits
Inalterability - you cannot change data without leaving a trace
Traceability - you can follow the history
Legibility - anyone can read it
Conservation - you keep records safely. It bans “double-use” tools that can hide sales.
Accessibility - you can quickly retrieve and export records
What changes for me
- Your billing software must be compliant with Verifactu or SIF rules.
- Cash payments have a strict cap of €1,000 when a professional is involved.
- Crypto has new reporting models. Some residents must also declare foreign-held crypto over €50,000.
- Penalties are tougher for software makers and for users of non-compliant systems.
What should I do now?
- Map your billing tools and check Verifactu readiness.
- Set a 2026 cut-over plan if you are not in SII.
- Create a one-page policy that sets cash and crypto.
Cash - never accept or pay over €1,000 in cash; do not split payments to dodge the cap; log every cash payment (date, amount, payer, invoice number) and keep the log with your invoices.
Crypto - list the company wallets and exchanges; for each crypto payment or sale, record date and time, transaction hash, counterparty, and EUR value at the time; each January check if Each January, check whether Model 721 applies - Spain's annual form to report crypto held abroad when holdings abroad exceed €50,000 on 31 December. Name a responsible person and review this policy every quarter.
Anti-fraud law 2025 - what actually changes this year
2025 is the adaptation year. Vendors finish Verifactu-ready releases. Companies pilot and prepare cut-over plans.
Technical specs are stable. The ministry published the technical order in late 2024, so vendors can certify and interoperate. Expect more “Verifactu-ready” builds, QR tests, and structured export checks.
Your processes may need updates. You may adjust numbering series (invoice number sequences), how to cancel or correct invoices (voids and rectificativas), and version control. Teams should learn how to read the QR, the record exports, and the incident log (a simple list of errors and fixes).
Practical to-dos for 2025
- Choose a compliant billing tool and confirm it supports QR and the “VERI*FACTU” label when you use real-time send.
- Migrate legacy numbering if you have gaps or overlapping series.
- Train staff on allowed flows for voids, rectificativas (corrective invoices), and re-issues.
- Document incident handling, backups, and audit exports.
What should I do now?
- Lock your software choice by Q4 2025.
- Rehearse QR and record exports with a few live invoices.
- Keep a one-page runbook for incidents and inspections.
Anti-fraud law - when does it come into force?
General anti-fraud measures are already live. Cash caps and other base rules have applied since July 2021.
Verifactu and SIF user obligations start in 2026.
- Jan 1, 2026: Corporate Income Tax payers (companies) must use compliant SIF or Verifactu systems.
- Jul 1, 2026: The rest in scope, such as most autónomos outside SII, must comply.
B2B e-invoicing under Crea y Crece is separate but overlaps. It starts after its final regulation. Big businesses go first if they had more than €8m turnover, then the rest about a year later. Many will feel it in 2026 or 2027.
SII interplay. If you are in SII you already submit VAT ledgers and you are out of Verifactu as a user. If you also run entities that are not in SII, the software for those must still comply.
What should I do now?
- Put the Jan and Jul 2026 dates on your finance calendar.
- If you run multiple entities, check which ones are in SII and which are not.
- Plan one migration that covers both Verifactu and B2B e-invoicing.
Looking for an easy, fast and compliant e-invoicing tool? Try renn.
Anti-fraud billing law and anti-fraud software law explained
Article 29.2.j LGT: Your billing program must stop hidden edits. Every event leaves a record. That includes the initial issue, called “alta” (first creation), and any cancellation, called “anulación” (void). You can export these records in a standard way.
What Verifactu adds. Verifactu is a mode where each invoice record can be sent to AEAT the moment you issue it. Invoices must include a QR. If you use Verifactu mode, you also add the label “VERI*FACTU”.
Records and hashes
- Each invoice creates a signed record with a unique hash (a short digital fingerprint of the data).
- Cancellations generate linked “anulación” records. The chain shows version history.
- Deleting or silently overwriting is forbidden.
Operational changes you will notice
- Fixed numbering sequences per series. No gaps without a rectificativa (a corrective invoice that explains and fixes an error).
- Mandatory QR fields and data in the record files.
- An incident log and a clear software version number.
Examples
- Allowed: cancel an invoice with an anulación record, then issue a rectificativa that fixes the error.
- Forbidden: delete the old invoice and re-create it with the same number.
What should I do now?
- Freeze your series and numbering rules and write them down.
- Add the QR to your invoice template and test scans from a phone.
- Store exports for audits and check that you can restore from backup.
Penalties under the anti-fraud law
- Makers and distributors of software. Fines can reach up to €150,000 per year and per software type if they sell systems that enable concealment or fail required specs. A €1,000 fine per program may apply when the only breach is a missing certificate where one is required.
- Users and holders. Fixed fines around €50,000 per year can apply if you possess or use a non-compliant system when certification is required, or if you alter a certified device.
- Invoice-process breaches. Separate penalties can apply for missing QR or incorrect cancellations under general billing rules.
- Cash-cap breach. The fine is 25 percent of the cash amount paid above the limit. Liability is shared, but the first party to report within three months is exonerated.
What should I do now?
- Confirm your tool’s compliance status in writing with your vendor.
- Limit admin access so nobody can alter certified components.
- Train staff on QR and cancellation rules.
Anti-fraud electronic-invoice law vs Verifactu
- Crea y Crece mandates B2B e-invoicing. It focuses on invoices exchanged between businesses to reduce late payments. Formats will use Facturae (Spain’s XML e-invoice format) or UBL (a global standard XML format for e-invoices).
- Verifactu is about system integrity. It defines how invoices are generated and recorded, not who receives them.
- You may need both. You can send a structured e-invoice to your customer and create a Verifactu record with a QR for the same invoice.
- Rollouts differ but overlap. Many firms will adopt both during 2026 and 2027. Plan one project that covers format and integrity.
What should I do now?
- If you sell to businesses, prepare for Crea y Crece.
- Ask your vendor how e-invoicing and Verifactu work together in the product.
- Test sending a Facturae file and exporting the Verifactu record for the same invoice.
Verifactu complete guide here.
Tax anti-fraud law - other measures you should know
- Cash-payment limit. There is a €1,000 cap per operation when a professional is involved. A separate €10,000 limit applies in some non-resident cases.
- Crypto reporting.
- Model 172 covers balances for exchanges or custodians resident in Spain (they report what clients hold).
- Model 173 covers operations for those firms (they report client transactions).
- Model 721 applies to residents with more than €50,000 in crypto held abroad at year end. Filing runs from January to March for the prior year.
- Wider toolkit. The law updates the concept of non-cooperative jurisdictions (tax blacklist countries), and includes other changes on corporate vehicles and surcharges.
What should I do now?
- Set an internal rule that cash over €1,000 is not accepted in professional sales.
- If you have foreign crypto, check if you cross the €50,000 threshold and plan for 721.
- Ask your accountant about any exposure to updated jurisdiction lists.
Anti-fraud regulation - what to implement in your company
- Choose compliant software. Pick a Verifactu-ready tool or AEAT’s free app for low volume. Confirm QR and record formats.
- Define your series and numbering. Freeze legacy gaps and configure series by channel, brand, or point of sale.
- Decide on Verifactu mode. Choose real-time send on or off. If off, keep periodic export and audit procedures.
- Update templates. Add the QR and the “VERI*FACTU” label when applicable. Check your invoice content matches Spain’s invoicing regulation article 6 (the standard list of required fields).
- Map edge cases. Cover rectificativas, abonos (credit notes), anticipos (advance payments), devoluciones (returns), partial refunds, and cancellations. Document allowed flows.
- Train people. Decide who can void, who can re-issue, and how you handle incidents and version control.
- Crypto and cash controls. Write simple rules for accepting cash and disclosing crypto. Add calendar reminders for 721 if it applies.
What should I do now?
- Book a one-hour training on numbering and cancellations.
- Run a pilot in one business unit before the 2026 deadline.
- Keep a compliance folder with policy, exports, and vendor certificates.
Bottom line
Spain’s anti-fraud law is already live for cash and crypto. The software part bites in 2026. Companies comply from Jan 1, 2026 and most autónomos from Jul 1, 2026. Plan a single migration that covers Verifactu integrity and B2B e-invoicing. Train your team, align processes, and get vendor certification in writing. Doing this on time protects you from fines and gives you cleaner book.
