Cash Register Security Regulation, Rksv

Original Language Title: Registrierkassensicherheitsverordnung, RKSV

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.

410. Ordinance of the Federal Minister of Finance on the technical details for security facilities in the cash registers and other measures serving data security (registration and safety regulation, RKSV)

Pursuant to § § 131b (5) (1), (3) and (4) and § 132a (8) of the Federal Tax Code (BAO), BGBl. No. 194/1961, as last amended by the Federal Law BGBl. I No 118/2015, shall be arranged:

table of contents

1. Main item
General Part

§ 1.

Scope

§ 2.

Personal names

§ 3.

Abbreviations and definitions

2. Main piece
Technical requirements
Section 1
General

§ 4.

Description of the security device

Section 2
Requirements for the cash register

§ 5.

General requirements

§ 6.

Commissioning of the security facility for the cash register

§ 7.

Data collection log

§ 8.

Sum Memory

§ 9.

Signature creation by the signature creation device

§ 10.

Preparation of the machine-readable code

§ 11.

Document Creation

Section 3
Requirements for the signature creation devices

§ 12.

General requirements

§ 13.

Signature key pair and signature creation

§ 14.

Verifiability of signatures

3. Main piece
Procurement and registration of the signature-creation unit; control

§ 15.

Procurement of signature creation device

§ 16.

Signature creation device registration

§ 17.

Announcement of the decommissioning of the security facility for the cash register

§ 18.

Database of security institutions for the cash registers

§ 19.

Control and verification of data security for the cash registers

4. Main piece
Total Closed Systems

§ 20.

Technical and organisational requirements

§ 21.

Expert appraisal of complete systems

§ 22.

Notice of determination

§ 23.

Change in actual circumstances

§ 24.

Control of the identity of the software component according to § 21 (2)

5. Main piece
Final provisions

§ 25.

entry into force

1. Main item
General Part

Scope

§ 1. The Ordinance on the Safety and Security of Registration

1.

the technical characteristics necessary for the technical implementation of the security of electronic recording systems

a)

the cash register,

b)

the signature-creation unit,

c)

communication between the cash register and the signature-creation unit;

2.

the additional requirements to be met pursuant to Section 132a (8) of the Federal Tax Code BAO, BGBl. No 164/1961,

3.

details of the dismissal of notices of detention concerning total closed systems; and

4.

Access by the authorities to the data necessary for the purposes of supervisory and tax purposes.

Personal names

§ 2. All personal names used in this Regulation shall apply equally to persons of both female and male sex.

Abbreviations and definitions

§ 3. For the purposes of this Regulation, the following shall be:

1.

AES-256: Encryption methods according to the Advanced Encryption Standard (AES FIPS 197 26/11/2001) with a key length of 256 bits

2.

Barcode: Standard "Code 128", defined in ISO/IEC 15417:2007

3.

Cash turnover: turnover within the meaning of § 131b para. 1 Z 3 BAO

4.

Database of security institutions in cash registers: Database of the Federal Ministry of Finance, in which the data referred to in § 18 (2) concerning the security facilities in cash registers and controls of the security institutions shall be recorded

5.

Data collection protocol (DEP): an event log file, which is carried out in the memory of the cash register or in an external memory, and which in real time, in each case, is complete, continuously chronologically, the cash rates with occupancy contents. documented

6.

Input station: means for recording cash records, which is connected to a cash register, in particular for the signing and documentation of the cash turnover

7.

Electronic recording: complete, chronologically ordered documentation of cash transactions in electronic form

8.

Electronic (cryptographic) signature: electronic data that is attached to or logically linked to other electronic data and which serves for authentication in the sense of § 2 Z 1 of the Signature Act SigG, BGBl. I No 190/1999

9.

FinancOnline: Electronic procedure of the tax authority according to the Financial Online Regulation 2006, BGBl. II No 97/2006, as amended

10.

Closed system: electronic recording system, in which inventory management systems, accounting and cash register systems are interlinked and which is connected to more than 30 cash registers

11.

Global Location Number (GLN): from the Federal Institute of Statistics Austria under the name "Secondary ID" of the order of order

12.

Hardware security module (HSM): Signature-creation device used to create (qualified) electronic signatures and, above all, server-based solutions.

13.

Homepage of the Federal Ministry of Finance (BMF): www.bmf.gv.at

14.

Cash identification number: the registration number of a cash register which is reported via FinanzOnline, which also allows the distinction of different cash registers with the same signature creation unit

15.

Machine-readable code: input value for OCR, barcode or QR code representation

16.

Monthly counter: sum storage in the cash register, which holds the intermediate level of the sales counter at the end of the month

17.

Object Identifier (OID): globally unique identifier in accordance with ISO/IEC 9834-1 and A 2642, which is used to name an information object. In this Regulation, the OID is used to restrict the use of the signature certificate in accordance with Section 5 (1) Z 8 SigG, as amended, to the purpose of "Österreichische Finanzverwaltung registrerkassenproprietor"

18.

Optical Character Recognition (OCR): Standard OCR-A, defined in ISO 1073-1:1976

19.

Concept of the operator: a key to the identification of the entreprender known to the tax authority (tax number, UID number, GLN)

20.

QR code: two-dimensional symbol according to standard JIS X 0510/2004

21.

Cash register (also electronic cash register): generalized form of each electronic data processing system, which creates electronic records for the identification and documentation of individual cash records, in particular: Electronic cash registers of all types, server-based recording systems (including the handling of online shops), scales with cash functions and taximeter. A cash register can be connected to input stations

22.

Serial number of the signature certificate: a unique identifier of the certificate issued by the certification-service provider, contained in the certificate, to facilitate the identification of the certificate in the ZDA's directory

23.

Secure signature creation unit: configured software or hardware used to process the signature creation data and which complies with the security requirements of the SigG and the regulations issued thereto (§ 2 Z 5 SigG)

24.

Signature verification data: data such as codes or public signature keys used to verify an electronic signature (§ 2 Z 6 SigG)

25.

Signature value: electronic value of the signature as part of the signature creation process

26.

Start receipt: first receipt, which is created using a terminal identification number and ensures the complete concatenation of all receipts generated and stored under this terminal identification number

27.

Sum memory: Memory in the cash register, which represents between-or a current end-of-amounts of totaled amounts

28.

Trust List (trustworthy list in accordance with Commission Decision 2009 /767/EC on measures to facilitate the use of electronic procedures through single contact persons in accordance with Directive 2006 /123/EC on services in the Internal Market, OJ C No. 36): the list of ZDAs for qualified certificates to be held by all Member States in accordance with the obligations laid down in Article 2 of Decision 2009 /767/EC

29.

Umsatzzähler: sum storage in the cash register, which continuously adds up the cash turnover of the cash register

30.

Verification: Checking signed data for integrity and authenticity, that the data was signed and not changed after signature creation by the correct signature creation device

31.

Payment receipt (receipt): Confirmation with certain formal contents, which in paper form or in electronic form documents the essential content of the legal transaction between the business partners and is handed over at payment or electronically transmitted

32.

Certificate: an electronic certificate, with which signature verification data is assigned to a specific person and whose identity is confirmed in the sense of § 2 Z 8 SigG

33.

Certification-service-provider (ZDA): organisation issuing certificates or providing other services in connection with electronic signatures within the meaning of Directive 1999 /93/EC on a Community framework for electronic signatures, OJ L 327 No. OJ L 13 of 19.01.2000 p. 12.

2. Main piece
Technical requirements

Section 1
General

Description of the security device

§ 4. (1) The security establishment according to § 131b para. 2 BAO consists of a concatenation of the cash rates with the help of the electronic signature of the signature-creation unit.

(2) The concatenation is formed by the inclusion of elements of the last signed signature stored in the data acquisition protocol into the signature currently being created. When the first bar replacement is recorded, the terminal identification number occurs at the point of the last signed signature.

Section 2
Requirements for the cash register

General requirements

§ 5. (1) Each cash register must have a data collection protocol and a printer for the creation or a device for the electronic transmission of payment receipts.

(2) Each cash register must have a suitable interface to a security device with a signature-creation unit. Several cash registers can also be connected to a signature creation unit.

(3) Each cash register must be equipped with the freely available AES 256 encryption algorithm, in order to be able to carry out the encryption required for the machine-readable code.

(4) Each cash register must be assigned a unique terminal identification number in the enterprise.

(5) The cash register shall not contain any devices to circumvent the control of the security facility.

(6) The use of a cash register by a number of entrepreneurs is only permitted on condition that each entrepre is using a certificate assigned to him and the cash register for each entrepre shall be subject to a separate certificate. Data collection protocol can result.

Commissioning of the security facility for the cash register

§ 6. (1) The commissioning of the security facility for the cash register shall consist of the establishment of the data collection protocol (§ 7) and the filing of the terminal identification number as part of the data to be signed of the first cash turnover with Amount zero (0) (start receipt) in the data collection log.

(2) Before 1. January 2017, the commissioning of the security device in the sense of paragraph 1 can already be carried out prior to registration (§ 16). The registration has to be up to 1. Jänner 2017 will be done.

(3) If a registration is made after 31 December 2016, the entry into service shall take place within one week after the registration of the signature-creation unit (§ 16).

(4) The entreprenchman must check the creation of the signature (§ 9 para. 3) and the encryption of the sales counter (§ 9 para. 2 Z 5) prior to commissioning with the help of the starting document. Corresponds to the creation of the signature or the encryption of the sales counter does not meet the requirements of § 9, so the cash register shall be treated directly as a cash register with a failed signature creation unit within the meaning of section 17 (4). The test result must be recorded and kept in accordance with § 132 BAO with the printed starting receipt.

Data collection log

§ 7. (1) Each cash register shall have a data collection protocol, in which each individual cash turnover shall be recorded and stored. For each cash turnover, at least the occupancy data according to § 132a (3) BAO must be recorded.

(2) Training and cancellation bookings are to be recorded and stored in the data collection protocol.

(3) The data of the data collection protocol shall be secured at least quarterly on an electronic external medium. This security shall be kept in accordance with § 132 BAO.

(4) The contents of the machine-readable code (§ 10 para. 2) of the cash turnover shall be recorded in the data collection protocol of the cash register together with the associated cash records.

(5) The data collection log of a cash register must be made up of 1. January 2017 at any time to an external data carrier in export format data collection protocol according to Z 3 of the Annex can be exported.

Sum Memory

§ 8. (1) The cash records recorded in the cash register are to be continuously relocated (conversion counter). Training bookings must not affect the sales counter.

(2) At each end of the month, the intermediate levels of the sales counter are to be determined (monthly counter) and as a cash turnover of zero (0) and electronic signature of the signature creation unit (receipt of the month) in the data collection protocol of the cash register storage.

(3) With the end of each calendar year, the monthly receipt containing the meter reading at the end of the year (annual receipt) shall be printed, checked and kept in accordance with § 132 BAO. In the examination of the annual occupancy, § 6 para. 4 shall apply in a reasonable way.

Signature creation by the signature creation device

§ 9. (1) In order to ensure the protection of manipulation within the meaning of § 131b para. 2 BAO, electronic signatures must be requested and accepted by the cash register via a suitable interface to the signature-creation unit. Each individual cash turnover and monthly, annual and final receipt as well as any training and cancellation booking are to be signed electronically.

(2) The following data shall be included in the signature creation:

1.

Terminal identification number

2.

Continuous number of the cash turnover

3.

Date and time of the exhibition

4.

Amount of cash payment separately according to tax rates in accordance with § 10 of the 1994 VAT Act UStG 1994, BGBl. No 663/1994, as amended

5.

using the encryption algorithm AES 256 according to Z 8 and Z 9 of the Annex Encrypted status of the sales counter

6.

Signing certificate serial number

7.

Signature value of the previous Barum record of the data collection log (concatenation value according to Z 4 of the Annex )

(3) The processed data (para. 2) must be according to the signature format according to Z 4 and Z 5 of the Annex are automatically signed electronically by the signature-creation unit.

(4) The one of the signature creation unit in the result format of the signature creation according to Z 6 of the Annex Resigned signature is to be printed on the corresponding document in accordance with § 10 as part of the machine-readable code and in the data collection protocol with the occupancy data according to Z 11 of the Annex permanently to be stored (Section 7 (4)).

Preparation of the machine-readable code

§ 10. (1) After each signature value has been determined, the cash register for the loading and storage in the data collection protocol has a machine-readable code according to Z 12 of the Annex .

(2) The machine-readable code shall contain the following data:

1.

Terminal identification number

2.

Continuous number of the cash turnover

3.

Date and time of the exhibition

4.

Amount of cash payment separately according to tax rates

5.

using the encryption algorithm AES 256 according to Z 8 and Z 9 of the Annex Encrypted status of the sales counter

6.

Signing certificate serial number

7.

Signature value of the previous Barum record of the data collection log (concatenation value according to Z 4 of the Annex )

8.

Signature value of the relevant cash set.

(3) In the machine-readable code, training and cancellation bookings must additionally contain the term "training booking" or "cancellation booking".

Document Creation

§ 11. (1) In addition to the occupancy data of section 132a (3) BAO, the following data shall be shown on the receipt:

1.

Terminal identification number

2.

Date and time of the exhibition

3.

Amount of cash payment separately according to tax rates

4.

Contents of the machine-readable code.

(2) If a machine-readable code cannot be printed on the document as a QR-code, the data referred to in paragraph 1 shall be either:

1.

as a link dependent on the signature value of the cash turnover concerned, in machine-readable form, as a barcode or OCR for the retrieval of the data, and to identify it in the document, or

2.

as described in Z 14 of the Annex to be coded in the document.

(3) Belts for training and cancellation bookings are expressly to be designated as such.

Section 3
Requirements for the signature creation devices

General requirements

§ 12. The technical requirements for the signature-creation unit correspond to the requirements for signature-creation units for qualified signatures according to § 18 SigG in the respectively applicable version and in accordance with § 6 of the Signature Ordinance 2008-SigV 2008, BGBl. II No 3/2008, in the current version. In place of the examination provided for in the last sentence of § 6 (3) of the SigV 2008, an examination can be carried out with regard to the content requirements of the Registered Safety Ordinance, whereby the requirement of sole control and its effects shall not be the subject of this examination on the basis of the concatenation.

Signature key pair and signature creation

§ 13. With regard to applicable signature algorithms as well as keys, the regulations of the SigV 2008 on the algorithms and parameters for qualified signatures from the Appendix to the SigV 2008, points 1 to 7 " Algorithms and parameters for qualified electronic signatures.

Verifiability of signatures

§ 14. The signature value of the relevant cash set must be verifiable by means of the machine-readable code applied on the document. In particular, the data contained in Section 10 (2) must be included on the document. The pre-processing of the data contained in compressed form in the machine-readable code has according to Z 13 of the Annex shall be made.

3. Main piece
Procurement and registration of the signature-creation unit; control

Procurement of signature creation device

§ 15. (1) Entrepreneurs who are subject to the registration obligation pursuant to § 131b BAO shall have the required number of signature-creation units at a certification-service provider established in the EU-/EEA-Area or in Switzerland, the qualified To purchase signature certificates. The cost of procuring the signature-creation unit shall be borne by the contractor.

(2) In order to obtain the signature certificate, the entreprender has a concept of order known to the tax authority and assigned to the employer and as the value of the OID "Österreichische Finanzverwaltung registrerkassenproprietor" (Z 16 of the Annex ) in accordance with § 5 (1) Z 8 SigG in his signature certificate.

(3) The certification-service-provider shall supply a signature certificate for each signature-creation unit, which shall include the following information:

1.

Type and value of the operator's order of order assigned to the signature creation unit,

2.

Serial number of the signature certificate and

3.

Start and end of validity of the certificate.

The use of the certificate beyond the end of its validity is permitted, provided that the signature algorithm provided in the certificate is defined by Z 2 of the Annex is considered safe.

Signature creation device registration

§ 16. (1) The entrepre or his authorised party representative shall report the acquisition of his signature-creation units via FinanzOnline. In this case, the serial number of the signature certificate, the type of the signature creation unit and the terminal identification numbers of the cash registers to be connected to the signature-creation unit are disclosed. In addition, the operator has the freely selectable user key for the decryption (Z 8 of the Annex ) to use the encryption algorithm to announce AES 256 encrypted data in machine-readable code via FinanzOnline. If the operator is unreasonable to report on financial online due to lack of technical conditions, the notification shall be made using the official form.

(2) Only after verification, whether for each notified signature creation unit under the indicated serial number of the signature certificate and the valid order of order of the user of the ZDA in the public trust list and the signature certificate in the Directory of the ZDA are present, these data will be transferred to the database via security facilities in cash registers (§ 18).

Announcement of the decommissioning of the security facility for the cash register

§ 17. (1) The entrepre or his authorised party representative shall not only have a temporary shortfall through financial online or the tax office responsible for the collection of turnover tax, and any decommissioning of the security establishment in the Registrant

1.

the theft or other loss of the signature-creation unit or cash register,

2.

Loss of function of the signature-creation unit or cash register, or

3.

Out-of-operation of the signature-creation unit or cash register

without any unnecessary delay.

(2) For this purpose, the contractor shall provide the following information:

1.

Name of the components of the safety device concerned

2.

Reason for expel or out-of-service

3.

Start of expel or out-of-operation.

(3) All financial and non-temporary failures and decommissioning operations reported via financial online shall be recorded in the database by means of security equipment for the cash registers.

(4) In the event of each failure of the signature-creation unit, the cash records shall be recorded on another cash register which has an upright connection to a signature-creation unit. In the event that this is not possible, the entreptier has to use the machine-readable code (§ 10) instead of the signature value of the relevant cash turnover (§ 10 para. 2 Z 8) the string "Safety Equipment" as a result of the signature creation according to Z 6 of the Annex to use. The notice "Security facility failed" must also be displayed clearly visible in the document (§ 11). After the signature creation unit has been re-activated, a signed aggregate receipt with an amount of zero (0) shall be added in addition to the supporting documents which were to be provided with the notice "Security facility" during the respective case. and store it in the data collection log.

(5) In the event of any failure of a cash register, the cash turnover shall be recorded on other cash registers. Should this not be possible, the cash rates must be recorded manually and second copies of the supporting documents must be kept. After the troubleshooting, the individual sales are to be recorded on the basis of the retained secondary records and the second copies of these payment receipts are to be kept (§ 132 BAO).

(6) If a new data collection protocol has to be established after the failure of a cash register, the signature value of the last available cash turnover or, respectively, the signature value of the previous cash turnover is the signature value of the previous cash turnover (§ 10 paragraph 2 Z 7). Use the signature value of the start record in the data collection log. The end of the event or out-of-service is to be announced via FinanzOnline. If the operator is unreasonable to report on financial online due to lack of technical conditions, the notification shall be made using the official form.

(7) Is a re-operation of the signature-creation-unit (para. 4) no longer possible, the entrepre has to procure a new signature-creation unit (§ 15), to register (§ 16) and to carry out a new commissioning of the security facility within the meaning of § 6 (1) to (4). If the last cash turnover can be determined from the data collection protocol, the commissioning of the security device within the meaning of section 6 (1) to (4) is no longer applicable and the provisions on the class document of the fourth paragraph apply. In any case, barumes recorded manually during the event are to be recorded.

(8) In the event of a scheduled decommissioning of the cash register (par. 1 Z 3), the trader has to draw up a final receipt with an amount of zero (0). The final receipt shall be printed and shall be kept in accordance with § 132 BAO.

Database of security institutions for the cash registers

§ 18. (1) The Federal Minister of Finance shall carry out an internal documentation relating to the signature creation units assigned to an entreprenter by means of a database on security equipment for the cash registers.

(2) This contains the following data:

1.

Name of entrepreneurs

2.

The concept of the employer

3.

Type of safety device

4.

Signature certificate serial numbers

5.

Identification numbers of the cash registers

6.

Number of cash registers connected to the security institutions

7.

User key for decrypting the data encrypted with the AES 256 encryption algorithm

8.

Date of registration

9.

Start and end of outages or out-of-operations of the security institutions

10.

Affected components of failures or out-of-operations of safety devices

11.

Reason for the failure or the decommissioning of the security equipment

12.

Data from controls.

(3) The Federal Minister of Finance is a data protection entity within the meaning of § 4 Z 4 of the Data Protection Act 2000-DSG 2000, BGBl. I n ° 165/1999, for the database on safety equipment for the cash registers. It has to ensure its establishment and operation. The Bundesrechenzentrum Gesellschaft mit beschränkter Haftung (BRZ GmbH) is a legal service manager for the database of security institutions for the cash registers within the meaning of § 4 Z 5 and § 10 sec. 2 DSG 2000.

Control and verification of data security for the cash registers

§ 19. (1) The trader shall, at the request of the institutions of the levy authority, record a cash turnover of zero (0) and hand over the receipt made for this purpose by the cash register for control purposes. In the case of cash registers with a device for the electronic transmission of payment documents, the receipt shall be made available electronically.

(2) At the request of the institutions of the levy authority, the trader shall export and hand over the data collection protocol for a period of time specified by the institution of the levy authority to an external data medium. The carrier shall be provided by the trader.

4. Main piece
Total Closed Systems

Technical and organisational requirements

§ 20. (1) The security of manipulation in closed systems according to § 131b (4) BAO shall be ensured by means of a security facility consisting of a concatenation of the cash rates with the aid of the processed data in accordance with § 9 (2) in the signature format according to Z 4 and 5 of the Annex .

(2) This Regulation shall apply to closed systems with the exception of § § 5 (2), (12), (15) and (17) (4). § § 4 (1), 6 (4), 8 (2), 9, 16 (1) and (2), 17 (1) to (3), 17 (7) and (18), and the Annex are to be applied with the proviso that neither a signature creation unit nor a signature certificate is required and that a terminal identification number also has multiple cash registers associated with a common data collection protocol shall be allowed. Paragraph 4 shall remain unaffected by this.

(3) In the case of total closed systems, the term of order of the entrepre is to be used instead of the serial number of the signature certificate (§ 9 para. 2 Z 6 and § 10 para. 2 Z 6). The concept of the contractor must, where appropriate, be replaced by appropriate additives (e.g. B. digits) in order to enable unique signature verification data. In the database according to § 18, the signature verification data shall be collected instead of the serial number of the signature certificate. The term of order of the entrepre as well as the signature verification data must be derived from the expert opinion in accordance with § 21.

(4) The power of application within the meaning of § 131b paragraph 4 BAO are only entrepreneurs who use a closed overall system as an electronic recording system that is connected to more than 30 cash registers.

Expert appraisal of complete systems

§ 21. (1) The following verifications shall be carried out, in particular, in the context of the assessment of the total closed systems:

1.

the existence of a closed overall system;

2.

the existence of the technical and organisational requirements for the security of manipulation of the closed system.

(2) In the opinion, in particular all software components necessary for the operation of the security establishment of the closed system according to § 20 (1) are to be reported and test reports for these components should be connected. The software components are to be signed with the mathematical hash function Secure Hash Algorithm (SHA-256) with a starting value which corresponds to zero (0000 0000 0000 0000) for a later verification. From the test reports it is necessary to understand how the individual components have been tested. Tampering security and security equivalence with a signature-creation unit must be confirmed. An organigram with all hardware and software components and data storage of the closed system as well as an overview of the automatically running processing processes are to be connected to the expert report.

(3) The opinion shall also contain information on the organisational measures envisaged for the ongoing review of the security of tampering. In particular, it is to be stated which operational functions in the organizational structure of the company with which access and intervention rights which can bring about changes in the overall system are equipped, that the accesses and by means of which measures the tampering security of the closed system is continuously monitored. In addition, it should be stated how, in the event of a failure of the system, the individual recording obligation, the securing of the cash turnover and the receipt of the information are guaranteed in accordance with the law (default plan).

(4) In the opinion, it is necessary to assess whether the complete system complies with the requirements of section 20 (1) and (2) and whether the technical and organisational security measures of section 2 and 3 are complied with.

(5) Use of a number of entrepreneurs who are economically linked by a vertical distribution system or by a franchising of goods or services, or which are part of a group within the meaning of § 244 of the German Commercial Code (UGB), shall jointly form a closed Total system with a total of more than 30 cash registers and the opinion shall assess the security of manipulation of this system for these operators, this opinion may be submitted by a number of entrepreneurs to their application for the authorisation of a On the basis of a notice of determination. For all users of the total closed system, paragraph 3 shall apply mutatily. Deliveries and other services which take place outside the closed system in the holding in question are not covered by the effectiveness of the fixed-order modesty.

(6) Only court-appointed experts may be entrusted with the preparation of such opinions. The completeness of the safety-related verifications in the expert opinion shall be certified by a confirmation body according to § 19 SigG.

(7) The cost of producing the opinions shall be borne by the contractor.

Notice of determination

§ 22. (1) In the notice of determination of the tax authority pursuant to § 131b paragraph 4 BAO, the software components of the security facility on which the expert opinion is based must be identified in accordance with Section 20 (1) with the help of the software signature (§ 21 para. 2).

(2) Closed overall systems confirmed with notice of determination shall be registered in the database via security devices (§ 18).

(3) If the security of manipulation of the closed total system cannot be confirmed by the tax office, the contractor is a one-month grace period of one month for the recovery of the measures granting the security of manipulation. shall be granted an expert opinion confirming these measures. The tax office must decide on this subject on the basis of the facts in this case.

(4) If the security of manipulation of the closed total system is not confirmed by a legally binding decision of the financial office, the trader shall, within three months from the date of entry of the legal force, have the security of manipulation using a signature-creation unit (Section 131b (2) BAO), otherwise the obligations under Section 131b (2) BAO shall be deemed not to have been fulfilled by the expiry of that period.

Change in actual circumstances

§ 23. (1) Changes to the closed overall system confirmed by communication are to be reported prior to their implementation to the tax office responsible for the collection of turnover tax, under the submission of a new opinion (§ 21), if a comprehensive conversion of the closed overall system (e.g. § § 20 (1) or § 20 (4) or (5) (5) no longer exists. Such changes in the overall closed system shall be subject to a notice of determination.

(2) The notification of these intended changes shall be made via FinanzOnline.

(3) If the entrepellant is aware of facts that cast doubt on the security of manipulation of the entire closed system after the authorisation has been issued, he has to report it via FinanzOnline without any unnecessary delay.

Control of the identity of the software component according to § 21 (2)

§ 24. The institutions of the levy authority shall be entitled to check the conformity of the software component shown in the expert opinion with the software component in use in the closed system according to § 21 (2). For this purpose, the closed overall system must make available an input possibility of a starting value for the local query of the software signature value, as well as to calculate and display the software signature value of the component.

5. Main piece
Final provisions

entry into force

§ 25. (1) The Regulation shall enter into force 1. Jänner 2017 in force.

(2) By way of derogation from paragraph 1, § 1 to 3, § 5 (1), § 7 (1), § 17 (5) and § 19 (2) with 1 occur. Jänner 2016 in force.

(3) By way of derogation from para. 1 and 2, § 6, § 15, § 16, § 18, § 21 and § 22 shall enter into force on 1 July 2016.

(4) This Regulation has been adopted in accordance with Directive 98 /34/EC laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services, OJ L 206, 22.7.1998, p. No. 37), as last amended by Regulation (EU) No 1025/2012 on European standardisation, amending Directives 89 /686/EEC and 93 /15/EEC and Directives 94 /9/EC, 94 /25/EC, 95 /16/EC, 97 /23/EC, 98 /34/EC, 2004 /22/EC, 2007 /23/EC, 2009 /23/EC and 2009 /105/EC, and repealing Decision 87 /95/EEC and Decision No 1673 /2006/EC, OJ L 73, 27.3.2007, p. No. 12., notified to the European Commission under the notification number 2015 /515/A.

Schelling