Data-driven developments in the prevention of VAT fraud:EPPO, DAC7 and CESOP

Combating VAT fraud, VAT avoidance and closing the VAT gap[1] is an important ongoing theme of the EU and its member states. Due to the ever-increasing globalization and digitalization of the economy, the EU is required to constantly develop new strategies and tools. The most recent developments in this context have been driven by electronic data collection and exchange: the European Public Prosecutor’s Office, ‘DAC7’, ‘CESOP’. In this blog, I briefly describe what these developments entail.

[1] The difference between expected VAT revenue and actual VAT revenue received from EU member states.

European Public Prosecutor’s Office

The European Public Prosecutor’s Office (EPPO)[1] has been operational since June 1, 2021. The EPPO focuses on the detection and prosecution of crimes involving EU funds[2], such as cross-border VAT fraud[3]. EPPO came out swinging and the first successes are already described in detail on the EPPO website and in the EPPO annual report 2022.

EPPO & Data

As a ‘flagship operation’, Operation Admiral is mentioned: a large-scale investigation by EPPO in cooperation with national law enforcement agencies from 14 member states into VAT fraud involving electronic devices, in 22 member states and at least 10 third countries. The estimated damage: € 2.2 billion. The investigation has already led to the first indictments. EPPO stresses that the digital exchange of data between all authorities involved was absolutely key in this investigation. At a local level, the administrative VAT data seemed to be in order. It was only through international cooperation in sharing, comparing and analyzing data that the fraud – according to EPPO the largest ever – was discovered, and this in just 18 months.

With this, EPPO clearly proves its added value and the importance of close (closer) cooperation in the area of criminal law between member states in the fight against VAT fraud. We expect that an increasing number of Dutch VAT entrepreneurs will also have to deal with EPPO. On the one hand because of Operation Admiral’s leads in the Netherlands, and on the other hand because EPPO’s annual report for 2022 shows that, according to a Europol estimate, VAT fraud costs the EU € 50 billion annually – billions of reasons therefore for EPPO to continue. Therefore there is a real chance that Dutch VAT entrepreneurs will also end up in a large-scale European criminal (VAT) investigation.



Globalization and digitization play a major role in the sale of products and services. For example, more and more companies have their own webshop from which they sell products and services to customers in their own country and far beyond. Also, for years more and more products and services have been offered by sellers from all over the world to customers everywhere through online platforms (think Amazon, Vinted, Airbnb and, or closer to home Bol, Werkspot etc.). EU tax authorities have limited insight into this digital trade and into which sellers conduct activities via a webshop or online platform and to whom. This increases the risk that sellers do not (fully) report their income via digital means in their tax returns. Tax avoidance and fraud also lead to distortion of competition with offline businesses and disruption of the internal market. DAC7 and CESOP aim to address such tax fraud and evasion of profit taxes, income taxes and VAT through new reporting requirements.


As of January 1, 2023, an EU-wide reporting requirement applies to both EU and non-EU platform operators, requiring them to provide annual information (such as revenue) on EU users on their platform (‘sellers’) to the Tax Authorities. The obligation is based on the Zevende Richtlijn betreffende de administratieve samenwerking op het gebied van belastingen van 22 maart 2021 (Seventh Directive on Administrative Cooperation for Taxation of March 22, 2021), or DAC7. In the Netherlands, this obligation is implemented through the Wet op de internationale bijstandsverlening bij de heffing van belastingen (WIB)[4] and article 53bis of the Algemene wet inzake rijksbelastingen (AWR).[5]

Although DAC7 fundamentally focuses on profit and income taxes, it is certainly also relevant in the fight against VAT avoidance and fraud. Because, it also requires reporting information on total turnover per vendor per quarter and the number of related activities. This allows tax authorities to detect irregularities in VAT returns and declarations even more easily; also because a third party – the platform operator –provides the information to the tax authorities. This makes it harder for rogue sellers to remain under the radar. The usefulness for combating VAT fraud is further enhanced by the obligation to automatically exchange information in cross-border situations and CESOP (see below).

On January 31st of the calendar year following the reporting period, platform operators residing in the Netherlands must report the information to the Dutch Tax Authorities. Wednesday, January 31, 2024 therefore is the deadline for the first report.


On January 1st of this year, the EU PSP-CESOP Directive 2020/284 came into force. This introduced a new requirement for payment service providers (PSPs)[6] based in the EU/EEA to submit data on certain cross-border payments[7] to a new centralized EU system: the Central Electronic System for Payment Information, or CESOP.

PSPs must monitor the cross-border payments processed and when more than 25 payments to the same merchant are processed in a calendar quarter, the details[8] of these payments must be reported to the local Tax Administration[9]. The Tax Administration then provides the data to the European CESOP platform.

The reporting period covers one quarter, and the declaration deadline is one month. Q1 2024 therefore is the first reporting period, so the deadline for this is April 30, 2024. EU member states must submit the data to the CESOP platform by the 10th day of the following month, starting May 10, 2024.

Monitoring and enforcement

Both DAC7 and CESOP create new and modified monitoring and enforcement powers:

  • In addition to the reporting obligations for platform operators, DAC7 also introduces the possibility and authority to conduct “joint audits.” A joint audit is a joint administrative investigation by the tax administrations of two or more EU member states which relates to one or more persons of common or complementary interest to those member states. Joint audits are an additional audit tool. Prior to DAC7, it was already possible under certain conditions for EU Member States to be directly involved in an administrative investigation which occurred in another EU Member State (e.g., participation in an interrogation) and to conduct simultaneous audits with other EU Member States.[10]
  • CESOP is specifically designed to detect and combat non-compliance with VAT rules and VAT fraud in cross-border B2C e-commerce situations. Designated Eurofisc liaison officers from Member States access the system and analyze the payment data collected. The findings are then shared with Member States’ tax administrations to the extent that may be relevant to the fight against VAT fraud.

In case a platform operator or payment service provider intentionally or through gross negligence fails to report the declaration (on time), incompletely or incorrectly, an administrative fine of up to € 1,030,000[11] may be imposed (within 5 years). In more serious cases of violation of this information duty, criminal prosecution can also occur under Sections 68 and 69 AWR. When these regulations were implemented, it was not specified which cases qualify for criminal prosecution. Perhaps we will find out more about this in the coming year.


EPPO, DAC7 and CESOP are all part of a broader trend in which taxpayers are required to report more and more data to the tax authorities and will play a major role in the fight against VAT fraud, VAT evasion and closing the VAT gap: EPPO from a criminal law perspective, and DAC7 and CESOP in the context of the digital economy. At the same time, EPPO’s broadcasting again reveals the sensitivity to fraud of the current VAT system. An issue which neither DAC7 nor CESOP is going to solve. For this to happen, a real change in the VAT system is necessary.

[1] Europese Openbaar Ministerie, or EOM, in Dutch.

[2] Offenses such as: fraud with EU funds (tax, subsidies, customs, etc.) where the actual or imminent damage is at least € 10,000; money laundering, corruption and misappropriation of EU funds; participation in a criminal organization; related offenses.

[3] With damages exceeding € 10 million.

[4] Section 4c of the WIB jo. article 11 WIB.

[5] For domestic situations.

[6] Payment providers referred to in Article 1(a) to (d) of EU Directive 2015/2366 on payment services in the internal market (PSD2) fall within the scope of CESOP if these providers provide payment services as listed in Parts 3 to 6 of Annex I of PSD2.

[7] Payment transactions referred to under article 4 paragraph 5 PSD2 and credit transfers within the meaning of article 4 paragraph 22 PSD2.

[8] Also see:

[9] Payment service providers may be subject to the CESOP reporting requirement in multiple countries. In fact, there is no One Stop Shop for CESOP (yet).

[10] Based on the Directive on Administrative Cooperation 2011/16/EU.

[11] Article 11 (3), (5) and (6) of the International Assistance Act in conjunction with Article 23 (4) of the Criminal Code.

Stuur een reactie naar de auteur