Skip to content
{HS} Hacktiv' Studio
← Resources

21 November 2025

NF525Certification

Complete NF525 Guide: Everything You Need to Know to Pass Certification

Understanding NF525: legal obligations, data to trace, immutability mechanisms, documentation, audit process, and risks. The definitive guide written by an expert.

Complete NF525 Guide: Everything You Need to Know to Pass Certification
Contents

⚠️ Update — 20 February 2026: The mandatory NF525 certification requirement has been permanently removed by law. We have returned to the regulatory state prior to February 2025. Certification remains a recognised quality benchmark, however, and penalties may still apply in the absence of certification or a non-permissiveness declaration issued by the software publisher.

What Is NF525?

NF525 certifies that your point-of-sale software complies with French legal requirements for the immutability , security , conservation , and archiving of payment data.

It provides the tax authority with assurance that:

  • your data cannot be altered
  • sensitive actions are fully traced
  • exports are reliable
  • period-end closures and historical records are consistent

Who Is Affected?

NF525 applies to all software publishers whose product:

  • records payments
  • manages transactions
  • produces supporting documents (receipts, invoices, notes)
  • or allows the recording of operations that impact revenue accounting

Examples of software in scope:

  • POS / cash register software
  • ERP systems with a payment module
  • SaaS solutions with a sales and payment workflow
  • Business tools with integrated monetary flows

Determining whether a given software is subject to the NF525 obligation is more complex than the law might suggest. In practice, commercial management software that lacks a dedicated point-of-sale module but enables B2C transactions has been considered in scope.

The NF525 Scope: A Commonly Misunderstood Concept

The scope is defined functionally, not commercially.

It covers all features that can influence revenue figures:

  • Ticketing
  • Sales / payment recording
  • Cancellations
  • Corrections
  • Discounts and reductions
  • Reports and period-end closures
  • Accounting or fiscal exports
  • Operations log
  • Archiving
  • Data restitution

The Four Technical Pillars of NF525

NF525 rests on four pillars set out in the Finance Law. The Official Tax Bulletin (BOI-TVA-DECLA-30-10-30) defines four conditions that a cash register system must meet to be declared compliant.

1. Immutability

No validated data can be altered without leaving a trace. This applies to:

  • Amounts
  • Quantities
  • Tax amounts
  • Payment data
  • Discounts
  • VAT rates
  • Dates

Any modification must create a new record — never overwrite an existing one.

2. Security

The software must guarantee the integrity of each record through:

  • Hashing
  • Electronic signature
  • Chaining
  • Cryptographic fingerprints
  • Checksums
  • A documented proprietary method

3. Conservation

The software must retain all necessary data in full:

  • Complete historical records
  • Event journal
  • Sequential numbering
  • Full operation details

4. Archiving

Archiving must allow:

  • Human-readable restitution
  • Complete data extraction
  • Sealing of archived data

Exports must remain usable throughout the full legal retention period (6 years plus the current fiscal year).

NF525 Specificities

The JET: NF525’s Audit Trail

The event journal must contain all sensitive events, including at minimum:

  • Sale creation
  • Payment recording
  • Modification
  • Cancellation
  • Reopening and corrections
  • Discounts
  • VAT changes
  • Period-end closures
  • Exports
  • High-risk actions (deletion must be impossible)

This is often the first point where publishers fail.

Chaining: The Backbone

The three questions an auditor will ask:

  1. How do you guarantee integrity?
  2. How do you detect tampering?
  3. How do you prevent silent data rewriting?

The most common approaches:

  • Blockchain-style chaining (previous record’s hash embedded in the next)
  • Batch chaining (per day, per session)
  • Signature + fingerprint
  • HMAC
  • Dual journal: raw + secured

The auditor will verify that:

  • the mechanism is documented,
  • the code is consistent with your explanation,
  • integrity is genuinely verifiable.

Critical Flows Verified During the Audit

Sales

The sales data recorded must be exhaustive. On-the-fly recalculations at print time are prohibited. The software must be able to reproduce supporting documents with their original values. Duplicates must be a complete and faithful copy of the original document.

Cancellations

Must comply with accounting standards. A cancelled sale is offset by a negative entry.

Deletions

Deletion of any sales data is prohibited. The software must prevent it and detect any attempt.

Exports

  • Accounting export
  • Fiscal export
  • FEC (if invoicing)
  • Fiscal archive

Period-End Closures

The software must manage daily, monthly, and annual closures that prevent invoicing on closed periods and generate cumulative, summarised sales data for the closed period.

  • Automatic / manual closure
  • Total consistency
  • Timestamping

Summary

The auditor will verify the following points:

  • Identification of supporting documents
  • Continuous sequential numbering of supporting documents
  • Exhaustive recording of sales data
  • Security through electronic signature and data chaining
  • Traceability of all modifications
  • Governance of technical events
  • Human-readable restitution
  • Period-end closure management
  • Archive export
  • Detection of data tampering attempts

Hacktiv’ Studio supports you

100% of the publishers we have supported obtained their certificate at the first official audit. On average, the compliance process takes 3 months.

CONTACT US

// let's talk

A certification or integration project?

Hacktiv' Studio guides you from the initial audit through obtaining your NF525 certification or integrating electronic invoicing.

Contact us →