Verifactu: 2025-2026 complete guide

Verifactu is Spain’s new rule set for secure invoice records. It targets anyone who uses billing software and is not in SII (Immediate Supply of Information, AEAT's near‑real‑time VAT reporting). The goal is simple: stop invoice manipulation and make every record tamper‑evident. In this guide you get clear dates, who must comply, what goes on invoices now, and how Verifactu differs from B2B e‑invoicing under Crea y Crece.

Below you’ll find a quick Q&A, a plain‑English checklist to comply, and the traps that catch many small businesses. By the end you will know what to change in your software, templates, and process to be ready for 2026.

‍

Quick Q&A

What is Verifactu? Verifactu is the AEAT (Spain's Tax Agency)‑backed framework and data pipeline that your billing software must follow. It guarantees that invoice records are chained, signed, and traceable.

Who does it affect? Anyone who issues invoices using software and is not in the SII regime. Manual‑only billers are out of scope.

What changes on the invoice? A mandatory QR on full and simplified invoices. In many cases, the “VERI*FACTU” or “Factura verificable en la sede electrónica de la AEAT” phrase also appears.

When is it mandatory? Companies that pay corporate tax must comply from 1 Jan 2026. Self‑employed and the rest from 1 Jul 2026.

Is this the same as electronic invoice? No. Verifactu is about secure records and optional reporting to AEAT. Electronic invoice is B2B exchange in structured formats.

What are the penalties? Up to €50,000 per year for using non‑compliant software. Up to €150,000 per year and per product type for vendors who build or sell non‑compliant software.

‍

Plain-language glossary

• AEAT: Spain's Tax Agency. In Spanish: Agencia Estatal de Administración Tributaria.
• SIF: Sistemas Informáticos de Facturación. The billing software that meets the integrity, traceability, inalterability, accessibility, and legibility rules.
• Verifactu mode: your SIF sends invoice records to AEAT as you issue them.
• Non-Verifactu mode: your SIF keeps the same secure records locally. You still print the QR and legend.
• QR on invoices: the square code that opens an AEAT page to verify the record.
• SII: For big companies. They send each bill (invoice) to the tax office online, very fast. If your business uses SII, you don't use Verifactu.
• IS: Impuesto sobre Sociedades, Spain's corporate income tax.
• POS: point of sale - the system you use to take payments (your checkout/cash register software).
• ERP: your accounting or resource planning system where you may issue invoices.
• Hash chain: a sequence where each record's digital fingerprint includes the previous one, so tampering breaks the chain.
• Digital signature: a cryptographic stamp that proves who issued a record.
• Trusted timestamp: a reliable proof of the exact time a record was created.
• Event log: the automatic diary of every create, edit, void, or export.
• Facturae: Spain's standard e-invoice file for public bodies and businesses. Required for selling to government; sometimes used B2B in Spain.
• UBL: International e-invoice file used across Europe (PEPPOL). Best for cross-border B2B.
• Crea y Crece: Law 18/2022 that will require B2B e-invoicing in Spain.
• Parallel series: multiple invoice numbering sequences for the same activity. Used to hide sales. Not allowed.
• Responsible declaration: a signed statement by the software vendor confirming the product meets SIF rules.
• Basque Country and Navarra regimes: regional tax systems with their own invoicing rules, currently outside national Verifactu scope.

‍

Verifactu: the essentials

Verifactu = AEAT’s secure pipeline for invoice records. It was created under the Anti‑Fraud Law to end “double‑use” software and hidden edits.

Verifactu has two valid modes

Verifactu mode. Your software sends each invoice record to AEAT automatically.

Non‑Verifactu mode. Your software keeps the same tamper‑evident records locally.

Both modes require a QR on the invoice and integrity controls in the software.

On the surface, invoices change in two ways. First, all full and simplified invoices include a QR. Second, when the rules apply, invoices also include the legend “VERI*FACTU” or “Factura verificable en la sede electrónica de la AEAT”. These visible marks are the tip of a larger security system under the hood.

‍

‍

What is Verifactu? Definition and scope

Verifactu secures billing data from the moment you issue it. The system forces integrity, traceability, inalterability, accessibility, and legibility.

Who is targeted. Businesses and professionals who use billing software and are not in SII. If you create invoices with any system that qualifies as a SIF (Sistemas Informáticos de Facturación, the official term for compliant billing software), you are in scope.

Who is out of scope today. Manual‑only billers who do not use any SIF. Taxpayers in SII. Taxpayers under the Basque Country and Navarra historical regimes (they have their own tax agencies and rules).

What a compliant SIF outputs. Each invoice creates a record with a hash that links to the previous record, so any change becomes visible. The record is time‑stamped, digitally signed, and written to an event log that captures every action: create, void, export, or attempt to edit. Your system can export records in a standard format and also produce a human‑readable copy.

‍

Verifactu AEAT: how it works with the tax agency

AEAT provides the rulebook and the endpoint. In Verifactu mode, your system sends invoice records to AEAT using their rules. The QR on the invoice points to an AEAT page where the record can be checked.

Non‑Verifactu mode keeps the data local. You still need the same integrity controls and the QR on the invoice, plus the required legend when it applies. AEAT can request the secure export in an audit.

AEAT will offer a simple web form for very small businesses and self‑employed who issue few invoices. It creates Verifactu‑compatible records without full software and isn’t for most SMEs.

‍

Verifactu regulation: legal framework

The rules come from three places.‍

1. Law 11/2021 (Anti‑Fraud): bans "double‑use" software that can hide sales.

2. Royal Decree 1007/2023: sets the SIF requirements and the standard invoice record.

3. Ministerial Order HAC/1177/2024 (17 Oct 2024): explains the tech details you must implement - QR, hash chain, digital signature and time stamp, event log, how to issue and void, and the vendor’s responsible declaration/certificate.

In 2025 the government updated Royal Decree 1007/2023 and pushed most start dates to 2026. See the next section for the exact dates by group.

‍

Verifactu entry into force: dates and who’s when

The big dates are in 2025 and 2026. Developers must be ready first, then companies, then self‑employed.

Software readiness. By 29 Jul 2025, billing software vendors must have SIF adapted to the Ministerial Order. After that date, non‑compliant software cannot be sold or serviced.

Companies that pay corporate tax (IS - Impuesto sobre Sociedades): from 1 Jan 2026 they must use SIF-compliant billing software. They can choose Verifactu mode (send records to AEAT) or non‑Verifactu mode (keep records locally).

Self‑employed (autónomos) and others. From 1 Jul 2026, everyone else in scope must comply.

SII taxpayers are normally excluded because they already report invoice data in near real time.

‍

Anti‑Fraud Law: what it really changes for your software

Verifactu outlaws “double‑use” behavior. Your software cannot allow hidden deletion, post‑issue edits without trace, parallel series that bypass the ledger, or diverging exports.

Mandatory SIF features. Your system must implement the following:

• Chained hash linking each record, so the sequence is tamper‑evident.
• Digital signature and trusted timestamps to prove authorship and time.
• A complete event log of every create, edit, void, or export.
• Standard export that machines can read, plus a clear human copy.
• QR on the invoice with the verification URL to the AEAT page.

Vendor obligations. Software makers must include a signed “responsible declaration” in the app and give it to customers. They must track versions and keep updates and keys secure. Every new version must follow the rules. No option can turn off the integrity controls.

‍

‍

Difference between Verifactu and electronic invoice under Crea y Crece

Verifactu and electronic invoice solve different problems. Verifactu, led by AEAT, is a compliance framework for invoice records and optional reporting. It applies to any invoice, B2B and B2C, when you use software.

Electronic invoice under the Economy Ministry’s Crea y Crece Law is about B2B e‑invoicing. It forces businesses to exchange invoices in structured formats, such as facturae or UBL, and to track delivery and status through interoperable networks. It does not report invoice content to AEAT.

Coexistence. If you do B2B, you will likely need both systems at once. First, issue a compliant Verifactu record using a SIF. Second, send and receive the e‑invoice in the chosen structured format through a network or platform.

International angle. E‑invoicing relates to cross‑border standards and delivery networks. Verifactu is Spain‑only. It standardizes records for domestic control.

Helpful deep‑dives. If you handle B2B invoices, use our electronic invoicing tool for Spain to create facturae/UBL e‑invoices, send them via interoperable networks, and track delivery and status.

‍

Who must comply, who is excluded

In scope: anyone who uses billing software and is not in SII. If you issue with a SIF, you are under Verifactu rules, even for simplified invoices or POS tickets.

Out of scope for now. Manual‑only billers who never use a SIF. SII taxpayers. Taxpayers in the Basque Country or Navarra, who follow their own territorial regimes.

POS and cash registers. If your POS issues invoices or tickets, it must be SIF‑compliant. Bring e‑commerce, ERP, and mobile issuance into the same rules too. The goal is one secure trail for every sale point.

‍

Penalties and enforcement

Sanctions are real and quantified. Using non‑compliant software can be fined up to €50,000 per financial year for the user. Building or selling non‑compliant software can be fined up to €150,000 per year and per product type for the vendor. Failing to include the QR or the required legend, or allowing hidden edits, can also trigger penalties.

Expect audits to request the secure export. AEAT can cross‑check Verifactu records against your VAT returns and ask for record sets when something looks off. Keep your keys, time source, and export flows in order.

‍

How to comply: SMB checklist

Treat Verifactu as a process, not a sticker. It is more than printing a QR.

1. Choose software that is SIF‑compliant and ready for Verifactu mode. If you decide to run in non‑Verifactu mode, document why and how you will meet all integrity requirements locally.
2. Enable QR and legends in every template. Apply the QR and the required phrase to full and simplified invoices. Test print and PDF outputs.
3. Fix series and numbering. Audit current series. Disable drafts that can become invoices without an immutable trace. Avoid ghost series that let users bypass the main ledger.
4. Bring every issuance point into scope. ERP (your accounting or resource planning system), POS, e‑commerce, and mobile apps must all follow the same SIF rules. A weak link breaks the chain.
5. Set up key management. Configure digital signature, the trusted time source, and rotation. Define retention periods that meet legal rules.
6. Train staff on voiding and corrections. Deletions are not allowed. A void creates an anulación (cancel) record that links to the original and shows who did it and when.
7. Standardize exports. Verify that the machine‑readable export matches the standard. Keep a human copy for readability.
8. Test the full process. Issue sample invoices, scan the QR, and check the AEAT page opens as expected. If you choose Verifactu mode, confirm the send flow and error handling.
9. Document and log. Keep a short internal guide for users and admins. Log software updates, key changes, and any incident.
10. Review your POS and cash registers. If they issue tickets or simplified invoices, bring them into the SIF scope.

‍

Common traps to avoid.

• POS not included.
• Editing a final invoice instead of voiding it.
• Using more than one numbering series for the same sales.
• Missing the QR on simplified invoices.
• Not planning B2B e‑invoicing while you adapt your SIF.

‍

Helpful picks. If you do not have a tool yet, read our comparison of billing software for small businesses. It lists ease of use, price, and whether vendors commit to SIF and Verifactu features.

‍

‍

Worked example: what changes in practice

A real‑world flow helps the team understand the shift. Imagine you run a small café with a POS (point of sale) and occasional B2B catering.

Before Verifactu. You print tickets, and in a separate system you issue invoices for catering. Staff can void a ticket, re‑enter it, and the trail is messy.

After Verifactu. Your POS becomes a SIF. Every ticket or invoice produces a chained, signed record. A void creates an anulación (cancel) record with a link to the original. Your invoices show a QR and the required legend. If you go Verifactu mode, the records also reach AEAT in real time. If not, your export is ready for any audit.

Team training. Show them where the QR sits on the ticket. Explain that “delete” now means “void and link”. Do one mock audit by exporting a week of records.

‍

Verifactu vs e‑invoice: quick decision matrix

You will likely need both if you sell to businesses. Use this quick test.

• Do you sell to consumers only? You need Verifactu if you use software. E‑invoice is not required.
• Do you also sell B2B? You need Verifactu plus e‑invoicing under Crea y Crece when the network goes live for your size.
• Do you run SII? You are out of scope for Verifactu. You still need to monitor e‑invoice.

‍

Bottom line

Verifactu is not just a QR. It is a shift to tamper‑evident billing across every channel you use. Get the dates right for 2026. Pick a compliant tool. Map your ERP, POS, and e‑commerce flows so each invoice leaves a secure, auditable trail. If you sell B2B, get your e‑invoicing plan in motion in parallel. Verifactu will keep coming up in audits and supplier checks, so sorting it now saves time and tax pain later.