NF525 Compliance for Digital Receipts: What Retailers Need to Know
If you operate a retail business in France or sell POS software to the French market, NF525 compliance is not optional. Since January 2018, French law has required all businesses using cash register software to employ a certified system that guarantees the integrity, security, and traceability of transaction records.
This guide explains what NF525 is, why the hash chain mechanism is central to the regulation, and how to implement compliant digital receipts without building the cryptographic infrastructure yourself.
What Is NF525?
NF525 is a certification standard published by AFNOR (the French national standardization body) and mandated by Article 88 of French Finance Law 2016. It establishes the technical requirements that cash register and POS software must meet to ensure:
- Inalterability — Transaction data cannot be modified or deleted after recording.
- Security — Data is protected against tampering through cryptographic mechanisms.
- Preservation — All records are stored and accessible for the legally required retention period.
- Archiving — Periodic data exports are created and secured for audit purposes.
The regulation was introduced to combat VAT fraud, specifically the use of "zappers" or "phantomware" that allowed businesses to delete or alter sales records to underreport revenue.
The Hash Chain: Heart of NF525 Compliance
The most technically significant requirement of NF525 is the hash chain. Every transaction must produce a cryptographic hash that incorporates the hash of the previous transaction, creating a tamper-evident chain.
How It Works
Each receipt hash is computed from a combination of data fields:
```
Hash(N) = SHA-256(
    receiptNumber +
    receiptDate +
    totalAmount +
    Hash(N-1)
)
```
The first receipt in the chain uses a predefined seed value (typically all zeros or a configured initialization vector) as the previous hash. From that point forward, every receipt depends on the one before it.
Why Hash Chains Matter
The chain structure means that altering any single receipt invalidates the hash of every subsequent receipt. During an audit, a tax inspector can verify the entire chain by recomputing hashes from the beginning. If any computed hash does not match the stored hash, the break reveals exactly where tampering occurred.
This makes NF525-compliant systems fundamentally different from simple logging. It is not just about recording transactions; it is about making those records cryptographically provable.
NF525 Requirements for POS Software
| Requirement | Description |
|---|---|
| Sequential numbering | Every receipt must have a sequential, unbroken number within each POS terminal or register. |
| Hash chain | SHA-256 hash linking each receipt to the previous one. |
| Digital signature | The hash chain must be signed or protected against external modification. |
| Grand totals | Perpetual cumulative totals (daily, monthly, annual) must be maintained. |
| Event logging | All system events, including receipt generation, voids, and refunds, must be logged. |
| Data export | Archives must be exportable in a standardized format for tax authorities. |
| No deletion | It must be technically impossible to delete a recorded transaction. |
Common Compliance Pitfalls
Many POS developers underestimate the complexity of NF525 implementation. Here are the most frequent mistakes:
- Gaps in numbering — Network failures, crashed transactions, or poor error handling can create gaps in receipt sequences, which auditors flag immediately.
- Incorrect hash computation — Using the wrong fields, wrong order, or wrong encoding in the hash input produces a chain that fails verification.
- Storing hashes incorrectly — The hash must be stored alongside the receipt data and be independently verifiable. Storing only the latest hash is insufficient.
- Missing the first receipt seed — The initial hash in the chain must use a documented, consistent seed value. Forgetting this breaks the entire chain.
- Ignoring voids and refunds — Cancelled transactions and refunds must also be part of the hash chain. They cannot be excluded or handled outside the chain.
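The chain from "How It Works" and the audit check from "Why Hash Chains Matter", written so that the pitfalls listed above show up as verification failures. This is an added example, not Doxnex's code or the certified algorithm; the `|` separator, the two-decimal amount format, the all-zero seed and every function name are assumptions, and the receipts are constructed sample data.

```python
import hashlib
from decimal import Decimal

SEED = "0" * 64  # assumed seed: all zeros, used as Hash(0) for the first receipt

def receipt_hash(number, date, total, prev_hash):
    # Assumed canonical encoding: fixed field order, "|" separator, UTF-8,
    # amount with exactly two decimals. Plain concatenation is ambiguous:
    # ("1", "12") and ("11", "2") would produce the same hash input.
    fields = [str(number), date, f"{Decimal(total):.2f}", prev_hash]
    return hashlib.sha256("|".join(fields).encode("utf-8")).hexdigest()

def append(chain, date, total):
    # Voids and refunds are appended like sales (negative total), never edited in place.
    prev = chain[-1]["hash"] if chain else SEED
    number = chain[-1]["number"] + 1 if chain else 1
    chain.append({"number": number, "date": date, "total": total,
                  "hash": receipt_hash(number, date, total, prev)})

def verify(chain):
    """Return (True, None), or (False, (receipt_number, reason)) at the first break."""
    prev, expected = SEED, 1
    for r in chain:
        if r["number"] != expected:
            return False, (r["number"], "sequence gap")
        if receipt_hash(r["number"], r["date"], r["total"], prev) != r["hash"]:
            return False, (r["number"], "hash mismatch")
        prev, expected = r["hash"], expected + 1
    return True, None

def demo():
    # Constructed sample data: three sales and one refund on a single terminal.
    chain = []
    append(chain, "2024-03-01T09:00:00", "5.00")
    append(chain, "2024-03-01T09:05:00", "12.40")
    append(chain, "2024-03-01T09:07:00", "-12.40")  # refund stays in the chain
    append(chain, "2024-03-01T09:10:00", "3.20")
    ok_before = verify(chain)
    chain[1]["total"] = "2.40"  # stored receipt edited, hashes left untouched
    tampered = verify(chain)
    del chain[1]                # record removed instead
    deleted = verify(chain)
    return ok_before, tampered, deleted

if __name__ == "__main__":
    print(demo())
```

An unkeyed chain like this can be recomputed end to end by anyone with write access to the store, which is why the requirements table also asks for the chain to be signed or otherwise protected against external modification.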
How Doxnex Handles NF525 Compliance
Doxnex provides NF525-compliant receipt generation as a built-in feature of its document API. When you generate a receipt through Doxnex:
- The system automatically assigns the next sequential receipt number for your terminal.
- A SHA-256 hash is computed using the receipt data and the previous receipt's hash.
- The hash is embedded in the receipt output and stored in the audit trail.
- Grand totals are updated automatically.
- The complete chain can be verified at any time through the audit endpoint.
You do not need to implement hash computation, manage sequences, or build audit export functionality. The API handles all cryptographic operations, and your POS system simply sends the transaction data.
```bash
curl -X POST https://api.doxnex.io/v1/receipts \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "terminalId": "POS-01",
    "items": [
      {"label": "Espresso", "quantity": 2, "unitPrice": 2.50, "vatRate": 5.5}
    ],
    "paymentMethod": "card",
    "locale": "fr"
  }'
```
The response includes the generated receipt with the SHA-256 hash, sequential number, and all required compliance fields already populated.
Frequently Asked Questions
What is NF525 certification?
NF525 is a French certification standard that ensures point-of-sale software meets legal requirements for recording, securing, and preserving transaction data. It was mandated by French tax authorities to prevent VAT fraud and applies to all businesses using cash register software in France.
What is a hash chain in the context of NF525?
A hash chain is a cryptographic mechanism where each receipt's hash incorporates the hash of the previous receipt. This creates a tamper-evident chain: tampering with any single receipt invalidates all subsequent hashes, making fraud detectable during an audit.
Does NF525 apply to e-commerce businesses?
NF525 primarily applies to businesses operating cash register or POS software in France. Pure e-commerce businesses that do not use POS software may not need NF525 certification, but they must still comply with French invoicing regulations. Consult a tax professional for your specific situation.
What are the penalties for NF525 non-compliance?
Businesses using non-certified POS software in France face a fine of 7,500 euros per non-compliant system. They are also given 60 days to bring their systems into compliance. Repeated violations can result in additional penalties and increased scrutiny from tax authorities.