fiskaly.

French POS Compliance: The Self-Attestation checklist for software publishers

Charlotte Strogach, Senior Marketing Manager DACH
Charlotte StrogachSenior Marketing Manager DACH
5 min read
REGULATORY UPDATE

Since February 2026, Law No. 2026-103 (Art. 125) reinstates self-attestation as a valid compliance path for POS software under Article 286 CGI. This replaces the previous legal requirements during which certification through a third-party was the only method of proof acceptable. 

What changed - and what did not

The law changed how you prove compliance, not what you must comply with. The four ISCA technical requirements still apply in full to every POS system sold in France, regardless of the path you choose.

I — Inalterability: Transaction data cannot be modified after recording

S — Security: System must resist fraud and unauthorised access

C — Conservation: Data retained in its original, authentic form

A — Archiving: Long-term accessible archive for tax audit purposes

Step 1: Check your eligibility first

This is a hard rule. If you don't qualify for self-attestation, the checklist below doesn't apply to you.

You can self-attest if:

  • You control the source code
  • You distribute to third-party customers (merchants, integrators)
  • You are a POS software publisher / ISV
  • You sell or license your software to others

Third-party certification is mandatory if:

  • You built the POS exclusively for your own account 
  • Software is internal-use only, not distributed externally
  • You are the software editor and the end-merchant

This is referenced in the tax administration BOI §375: A company building a POS system exclusively for its own retail stores cannot self-attest under any circumstances. Third-party certification via LNE or InfoCert is mandatory in that case. 

Your self-attestation checklist

If you're eligible, here is precisely what you must do. An attestation that is incomplete or incorrectly issued is invalid during a tax audit.

  1. Confirm your system meets all ISCA criteria. Before issuing anything, you must be able to technically demonstrate that your POS fulfils Inalterability, Security, Conservation, and Archiving. This means documented architecture, audit trails, and version history — not just a declaration. If your system relies on fiskaly SIGN FR, your technical baseline is already aligned with LNE and NF525 standards to sign, journal and archive your fiscal records. . 
  2. Issue Volet 1 — the Publisher Section. Complete and sign Volet 1 using the official DGFiP template (BOI-LETTRE-000242). This document must contain: software name and version, your ISCA compliance statement, functional scope, and explicit exclusions (what your software does not cover). You bear full legal responsibility for the accuracy of this declaration. 
  3. Deliver Volet 1 to every customer. Attestation must be provided proactively — at the point of purchase, download, or deployment. Do not wait for merchants to ask. An attestation not delivered is treated as no attestation at all during an audit.
  4. Collect signed Volet 2 from each merchant. Volet 2 is completed and signed by your customer (the merchant). It contains their company details, acquisition date, and usage confirmation. An attestation without a signed Volet 2 is invalid. Store these securely and make them retrievable on demand. 
  5. Maintain audit-ready documentation. Keep complete technical documentation: architecture specs, quality processes, version history, and evidence of ISCA compliance. Tax authorities can request this at any time. "Audit-ready" means accessible within hours, not weeks. Fiskaly provides all its customers with its own Quality Documentation Package. 
  6. Manage versions. Re-attest when ISCA parameters change. Like third-party certification,your attestation is tied to a specific software version. Any changes in your system impacting ISCA principles must bring a new major version and with it a new attestation. . A minor version change,may be covered by an optional forward-looking clause in Volet 1 — use this to reduce re-attestation overhead. Document clearly which versions are covered by which attestation. Make sure your customers are using versions of your system aligned with their attestation.

The attestation document — Volet 1 & Volet 2:

Both parts are mandatory. One without the other is legally invalid.

VOLET 1 — Publisher section (completed and signed by you, the publisher):

  • Software name and covered version(s)
  • ISCA compliance statement
  • Functional scope — what is covered
  • Explicit exclusions — what is not covered
  • Optional: forward clause for minor versions

VOLET 2 — Customer section (completed and signed by your customer, the merchant):

  • Merchant company details (SIRET, name, address)
  • Acquisition / activation date
  • Usage confirmation
  • Signature with date

Sanctions for non-compliance:

  • €7,500 fine per non-compliant system — failure to produce a valid attestation during a tax audit
  • Up to €45,000 fine + 3 years imprisonment — issuing a false attestation

Entering the French market from abroad?

Article 286 CGI applies to any POS software used by merchants registered for VAT in France — regardless of where the publisher is incorporated. If you are selling or deploying POS software to French merchants, you are subject to these rules.

For example:

  • In Germany, KassenSichV familiarity helps, but NF525/ISCA requirements are different. You cannot rely on your German certification for France.
  • Same for Spain: Verifactu / TicketBAI compliance does not transfer. France is a separate compliance jurisdiction.
  • Any market: If you distribute to French merchants, you must either self-attest (if eligible) or pursue LNE/InfoCert certification — no exceptions.

fiskaly already supports fiscalization across France, Germany, Austria, Spain, Italy, Sweden and Portugal. A single integration can cover multiple countries.

fiskaly SIGN FR: your technical compliance foundation

fiskaly does not issue your attestation — that is your legal responsibility. But we provide the technical infrastructure that makes your attestation defensible and your documentation complete.

  • Compliance-ready by design: SIGN FR is built against both LNE and NF525 standards. All ISCA criteria are addressed at the API level.
  • Documentation package: Self-attestation customers receive a complete Compliance Documentation Package. The same technical specs used in LNE audits.
  • Technical guarantee: Our API architecture provides a technical guarantee layer — cryptographic signing, chaining, secure archiving, and inalterable logs.
  • Future-proof path: If a large client requires third-party certification, we can accompany you through LNE or InfoCert. No need to switch platforms.

Contact: pierre.gessay@fiskaly.com | workspace.fiskaly.com

References & official sources
  1. Article 286, I, 3° bis CGI — Legal basis for POS compliance obligations in France
  2. Law No. 2026-103, Article 125 — Finance Act 2026 reinstating self-attestation
  3. BOI-TVA-DECLA-30-10-30-20260325 — Official DGFiP tax administration guidance on ISCA compliance requirements
  4. BOI-LETTRE-000242-20260325 — Official attestation template (Volet 1 & Volet 2)
  5. BOI §375 — Mandatory third-party certification for internal-use POS systems

Need a strong partner?

  • Understanding complex requirements can be tricky. fiskaly helps businesses and software providers to simplify compliance through easily integrated cloud-based solutions and expert technical support.
  • Over 1,600 customers trust our fiscalization solutions.

Optional

Optional