Sign up for tax alert emails    GTNU homepage    Tax newsroom    Email document    Print document    Download document

August 18, 2023

Luxembourg enacts new reporting regime to combat VAT fraud

  • On 19 July 2023, the Luxembourg Parliament adopted a law introducing new record-keeping and reporting requirements for payment service providers (PSPs).
  • All PSPs providing payment services within the European Union (EU) will be required to keep records of and report data on certain cross-border payments as of 1 January 2024.
  • The data collected by the various Member States will then be exchanged between them and centralized in a European database: Central Electronic System of Payment information (CESOP).
  • This new reporting regime will allow national tax authorities to carry out controls in order to combat Value-Added Tax (VAT) fraud.

Executive summary

On 2 August 2023, the Law of 26 July 2023 transposing Council Directive (EU) 2020/284 of 18 February 2020, amending Directive 2006/112/EC as regards introducing certain requirements for PSPs (CESOP Law), was published in the Official Journal of the Grand-Duchy of Luxembourg.

These new rules are set to combat VAT fraud by enabling national tax authorities to carry out controls. This means that with the CESOP Law, all PSPs providing payment services in the EU will be required, starting on 1 January 2024, to record and disclose transactional data on cross-border payments that fall within the scope of the obligations defined in the CESOP Law.

The data collected by the various EU Member States will then be exchanged among the concerned Member States and centralized in the CESOP database.

This data exchange will enable tax authorities to detect possible VAT fraud by: (i) identifying sellers behind websites or marketplaces, (ii) collecting data in a harmonized standard format, and (iii) centralizing all information in the CESOP database to be reconciled at the European level.

Detailed discussion

What is the scope of the CESOP Law?

According to the CESOP Law, PSPs providing payment services within the EU will be required to report payments on a quarterly basis when all the following criteria are met:

  1. The PSP provides payment services in an EU Member State — this includes legal entities, permanent establishments and passported services.
  2. The payment is an in-scope payment type — broadly, all payments covered by Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market1 are in-scope (e.g., credit transfers, direct debits, credit cards, e-money and remittances).2
  3. The payer is in the EU — typically determined by the country identifier in the payer's International Bank Account Number (IBAN), or another relevant identifier when no IBAN is involved.
  4. The payment is cross-border, from one EU Member State to another, or to a third country
  5. More than 25 cross-border payments are made to the same payee within a calendar quarter — the payments can be from any payer to the payee; where the payee has multiple accounts, the PSP must aggregate them.

In general, the CESOP report filing will have to be completed separately in each EU Member State where the PSP provides payment services.

The submission of the report should be made electronically and in a specified XML format, defined locally by each relevant tax administration. For each quarter, the CESOP reporting deadline will be one month after the end of the quarter.

The deadline for the first reporting is 30 April 2024 regarding the in-scope payments performed during the first quarter of 2024.

What challenges does the new CESOP Law entail?

The new CESOP requirements bring challenges to PSPs3, affecting most functions of the organizations, including:

  • Customer relations and information
  • Static and dynamic customer data to be collected and maintained
  • Identification and management of differences in interpretation and laws between Member States
  • Appointment of accountable persons and definition of new roles
  • Drafting new procedures and testing processes
  • Impact on IT systems (e.g., core banking platforms)
  • Definition of new reporting and exchange infrastructure
  • Awareness and training of persons
  • Oversight controls and impact on risk and compliance functions

The requirement for CESOP reports to be submitted in each EU Member State where the PSP provides payment services can quickly become a complicated and time-consuming exercise. To ensure readiness by 1 January 2024, PSPs must not delay their CESOP impact assessments and implementation projects.


For additional information with respect to this Alert, please contact the following:

Ernst & Young Tax Advisory Services S.à r.l.

Published by NTD’s Tax Technical Knowledge Services group; Carolyn Wright, legal editor



1 Amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD2).

2 See EY Luxembourg article of 27 October 2022: EU introduces new VAT reporting obligations as of 1 January 2024.

3 See EY Luxembourg brochure on CESOP: Luxembourg CESOP brochure.


The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting or tax advice or opinion provided by Ernst & Young LLP to the reader. The reader also is cautioned that this material may not be applicable to, or suitable for, the reader's specific circumstances or needs, and may require consideration of non-tax and other tax factors if any action is to be contemplated. The reader should contact his or her Ernst & Young LLP or other tax professional prior to taking any action based upon this information. Ernst & Young LLP assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.


Copyright © 2024, Ernst & Young LLP.


All rights reserved. No part of this document may be reproduced, retransmitted or otherwise redistributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying, or using any information storage and retrieval system, without written permission from Ernst & Young LLP.


Any U.S. tax advice contained herein was not intended or written to be used, and cannot be used, by the recipient for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code or applicable state or local tax law provisions.


"EY" refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.


Privacy  |  Cookies  |  BCR  |  Legal  |  Global Code of Conduct Opt out of all email from EY Global Limited.


Cookie Settings

This site uses cookies to provide you with a personalized browsing experience and allows us to understand more about you. More information on the cookies we use can be found here. By clicking 'Yes, I accept' you agree and consent to our use of cookies. More information on what these cookies are and how we use them, including how you can manage them, is outlined in our Privacy Notice. Please note that your decision to decline the use of cookies is limited to this site only, and not in relation to other EY sites or Please refer to the privacy notice/policy on these sites for more information.

Yes, I accept         Find out more