As the new regulations requiring the use of the National e-Invoice System (KSeF) approach, entrepreneurs have numerous concerns. These include adapting their company software to the new requirements and the security of data transferred to the government's KSeF IT system. What data is stored in KSeF and how is it protected from unauthorized access? Find out in the following article.

What types of data are sent to KSeF?

The data that will be transferred to the KSeF system includes information contained in structured invoices. Pursuant to the Goods and Services Tax Act, a structured invoice is an invoice issued through the KSeF along with a number identifying the invoice in this system (Article 2, point 32a). An invoice, in turn, is a paper or electronic document containing the data required by the Act and regulations issued pursuant thereto (Article 2, point 31).

The legislative process related to the implementation of the KSeF is still ongoing, and the assumptions regarding structured invoices have changed in recent years. This, in turn, makes access to detailed information on this solution difficult. However, legal acts and materials published by the Ministry of Finance indicate that the data on e-invoices primarily consists of data required by the Goods and Services Tax Act. This includes the following information:

  • data identifying the entity issuing the invoice – such as name, address and VAT number;
  • data identifying the buyer – similar to the seller’s data;
  • transaction data – for example, sale and delivery dates, quantity and type of products sold, their prices and tax rates.

In addition to the data listed above, a structured invoice also provides space for optional data or data from additional entities, and allows for the addition of attachments. More detail on the contents of an e-invoice can be found in the FA(3) logical structure, which has been published in the Central Repository of Electronic Document Templates. E-invoices issued in the KSeF system will be in the form of XML files, which must comply with this logical structure.

How does the Ministry of Finance protect data in KSeF?

The requirement for businesses to issue structured invoices through the KSeF has many consequences – one of them is that e-invoices will be stored in a central repository. This raises questions about the security of data in the KSeF and the preventive measures implemented by the Ministry of Finance to counteract abuse.

A data leak from the KSeF could have serious consequences for both the entities using it and the government institutions overseeing its proper functioning. Therefore, the Ministry of Finance has designed the KSeF system to ensure the security of the data it collects. Measures used to achieve this include authentication requirements, data and communication encryption, and a permissions system.

Is my trading data safe in KSeF?

Due to the new invoicing requirements, entrepreneurs are interested not only in the date from which structured invoices will become mandatory, but also in whether the information they provide will be adequately protected against unauthorized access. The Commissioner for Human Rights also drew attention to this issue and sent an inquiry to the Ministry of Finance.

The Ministry's response indicates that assessing the security of the KSeF IT system falls within the Internal Security Agency's remit, and the Ministry has implemented an appropriate information security management system. The National e-Invoice System is subject to continuous testing to identify potential threats and ensure the highest level of data security within the KSeF.

A separate issue is data security threats that stem from improper implementation of KSeF functionality in the software used by the company or from the carelessness of employees using it. How can these threats be addressed and what steps should be taken?

In the first case, an appropriate level of data security can be ensured by deciding to use commercial solutions that facilitate integration with KSeF – an example would be the use of a non-governmental KSeF API. When it comes to employees, it's worth investing in training that will increase awareness of potential threats and enable them to adopt good practices related to the safe use of IT systems.

What technologies secure information in KSeF?

Data security in KSeF is also related to the technologies used. The protection of information submitted to KSeF by businesses is based on several pillars, including the use of secure authentication mechanisms (Trusted Profile, qualified signature), dedicated KSeF certificates, and cryptography using asymmetric and symmetric keys. KSeF certificates, which will be used for offline invoice issuance, utilize the XAdES-BES signature mechanism. Invoices are encrypted and decrypted during the transmission process.

The requirement for a thorough understanding of complex technologies (X.509 certificates and the use of private keys for document signing combined with asymmetric cryptography) makes integrating a company's software with the official KSeF API challenging. This leads many businesses to consider using commercial tools, including alternative KSeF APIs.

What to do in the event of a data security breach at KSeF?

When it comes to data security breaches in KSeF, two scenarios need to be distinguished – a data leak from the KSeF system itself and a data leak from the system (e.g. ERP) used by the entrepreneur.

In the first case, it's not yet clear what the consequences of a data security breach will be – the Ministry of Finance has not shared recommendations on the procedure businesses should implement if such a breach occurs. However, it is known that KSeF system administrators will be required to notify the Computer Security Incident Response Team (CSIRT GOV) of any data confidentiality breaches.

A data security breach in KSeF can also occur on the company's side. This scenario is realistic, considering that some companies may have certain data protection shortcomings. How can such a scenario be prevented, in other words, how can data security in KSeF be ensured? The simplest solution is to partner with a company that provides tools for easy and secure integration with KSeF, train employees, and systematically monitor the security measures in place.