NF525 is a certification mark issued by INFOCERT, an accredited certification body. It certifies that point-of-sale (POS) software complies with French tax requirements regarding data integrity, security, retention, and archiving. Since the 2016 Finance Act, software vendors have been required to ensure the compliance of their cash register systems. This compliance can be demonstrated through a certification issued by an accredited body, as required by the French tax administration.
There are two certification frameworks available for POS software:
- NF525, issued by INFOCERT
- Système de caisse (Cash Systems), issued by the LNE
From a legal standpoint, both certifications are equivalent: they prove that the software complies with French fiscal requirements. However, their approaches differ significantly:
- NF525 relies on a single, clear, and detailed reference framework with stable and well-defined requirements. The vendor knows exactly what is expected.
- The LNE framework, on the other hand, is more subjective. It sets general obligations and leaves it to the software vendor to provide their own technical and functional answers to regulatory challenges. This gives more flexibility, but also more uncertainty for vendors who are not fully versed in the legal framework.
In the rest of this article, we’ll walk you through the typical process for POS software certification, regardless of the certifying body.
Preparing for Certification
Before starting the process, the software vendor should:
- Verify that their software falls within the legal scope (any system that records customer payments).
- Identify the impacted features: payment processing, receipt generation, closing procedures, audit trail, archiving…
- Set up a quality system (or at minimum, documented procedures) to demonstrate control over the product.
Early-stage support can help avoid major roadblocks during the audit.
Application File
The vendor signs a quote with the certification body (INFOCERT or LNE) and submits a feasibility file, including:
- A functional description of the software
- Complete end-user documentation
- Internal quality processes (development, testing, release management…)
Certification Audit
The initial certification audit generally lasts two days. It may be conducted remotely or on-site, depending on the certification body.
During the audit, the auditor will review the software and all related quality documentation.
Functional Analysis
The auditor directly tests the software in a real or demo environment. The following elements are typically assessed:
- Sales operations: creation, modification, cancellation
- Secure handling of sales data
- Rendering of readable outputs (receipts, invoices, credit notes…)
- Management of sales periods (daily, monthly, yearly closures)
- Audit trail implementation
- Data archiving
- User rights and access to sensitive functions
- …
The audit goes beyond a simple demo. The auditor attempts to simulate edge cases, bypass protections, and test the robustness of security mechanisms.
They will inspect both the application interface and the underlying database and file system used by the software.
Document Review
The auditor will examine documents such as:
- Quality procedures
- Quality records
- User documentation
- Product brochures
- Software design documentation
The goal here is to ensure that the vendor demonstrates full control over the software development lifecycle and its regulatory compliance.
Report and Gap Handling
At the end of the audit, the certification body issues a report listing all non-conformities identified during the assessment.
This report is reviewed by an internal validation committee, which may:
- Approve the report as-is
- Reclassify certain gaps
There are three types of gaps:
- Major non-conformity: Blocking; certification is denied
- Minor non-conformity: Non-blocking
- Observation / point of attention: Not blocking, but noted
Decision
There are two possible outcomes:
Certification
In this case, the audit was successful, with no major non-conformities.
The certification body issues a certificate valid for 3 years, with annual surveillance audits required.
Postponement
Unfortunately, one or more major non-conformities were found.
The process is not over — the vendor can address the issues and schedule a follow-up audit to validate the corrections and continue the certification.
Duration and Cost
While the audit itself lasts just two days, preparation and remediation can take much longer, depending on:
- The size of the software vendor
- The maturity of internal processes
- The complexity of the product
The estimated cost of an initial audit is between €12,000 and €15,000. A follow-up or surveillance audit generally costs the same, minus some administrative fees.
Conclusion
Whether you pursue certification through the NF525 mark (INFOCERT) or the “Système de caisse” framework (LNE), the certification of POS software is a demanding process that imposes structure.
It goes far beyond a functional demo — it requires deep control over the product, its documentation, and its lifecycle.
Without proper preparation, the risk of delays, back-and-forths, and unexpected costs is high.
With a structured, guided approach, certification becomes a predictable, manageable process — and a real asset for your product.
