Skip to main content

Complete Checklist: What an Invoice and a SIF Must Contain Under RD 1007/2023 and Order HAC/1177/2024

· 9 min read
InvoSeal
InvoSeal
Facturación electrónica y cumplimiento normativo

With the RRSIF (Regulation on Requirements for Invoicing Information Systems) coming into force in 2027, every invoicing program used in Spain must meet a list of technical requirements that go far beyond what most freelancers and SMEs are used to. It is no longer enough for an invoice to have the issuer's details, the concept and the amount: the system that generates it must now guarantee the integrity, traceability and immutability of every record, and the invoice itself must include new elements such as the tax QR code. This article collects all requirements in a checklist format so you can verify whether your current software complies — or know exactly what to ask your provider.

The two levels of requirements

RD 1007/2023 operates at two levels that should not be confused:

Level 1: the Invoicing Information System (SIF). These are the requirements that the invoicing program must meet as software: how it generates records, how it protects them, how it chains them and how it preserves them. Regulated mainly in Articles 7, 8, 10, 11 and 12 of RD 1007/2023 and developed in Order HAC/1177/2024.

Level 2: the invoice as a document. These are the additional elements that the issued invoice must include in its visible representation (paper or electronic): the QR code, the VeriFactu legend (if applicable) and the minimum data under the Invoicing Obligations Regulation (RD 1619/2012), which remains in force and is complementary.

SIF requirements (the software)

General principles (Art. 8 RD 1007/2023)

The information system must guarantee six essential characteristics of invoicing records:

  • Integrity: records cannot be altered without leaving a trace.
  • Preservation: they must be stored for the legal period (minimum 4 years).
  • Accessibility: the tax authority must be able to access and extract them.
  • Legibility: they must be readable in an electronic format.
  • Traceability: each record must be traceable to its origin.
  • Immutability: once generated, a record cannot be modified or deleted.

Invoice registration record (Art. 10 RD 1007/2023)

For every invoice issued (full or simplified), the SIF must generate — simultaneously with or immediately before the invoice — a record containing at minimum:

FieldDescription
Issuer's tax ID (NIF)Tax identification number of the person required to issue the invoice
Issuer's name/company nameFull name or company name
Recipient's tax ID (NIF)When required under RD 1619/2012
Recipient's name/company nameWhen required
Invoice issuerIndication of whether issued by the obliged party, the recipient or a third party
Third party/recipient issuer ID and nameIf applicable (Art. 5 and 6 of RD 1007/2023)
Invoice numberAnd series, if applicable
Date of issueOf the invoice
Date of transactionIf different from the date of issue
Invoice typeFull or simplified
Regime keyApplicable VAT regime
Description of the transactionInvoice concept
Tax baseBy tax rate
Tax rateVAT percentage applied
Tax chargedVAT amount
Total amountOf the invoice
Exempt baseIf the transaction is VAT-exempt, with indication of the cause
Non-subject baseIf the transaction is not subject to VAT, with indication of the cause
Equivalence surchargeIf applicable
WithholdingWhen income tax or other withholding exists
Previous record dataNumber, series, date and first 64 characters of the hash of the immediately preceding record (chaining)
SIF identificationSystem identification code, name, version and producer's tax ID
Generation date and timeOf the record itself (date, hour, minute and second)
Fingerprint (hash)SHA-256 hash calculated over the record's fields

Cancellation record (Art. 11 RD 1007/2023)

When an invoice is cancelled, the SIF must generate a cancellation record linked to the original registration record. It contains:

  • Tax ID and name of the person generating the cancellation.
  • Indication of who generates the cancellation (obliged party, recipient or third party).
  • Number, series and date of the cancelled invoice (reference to the original registration record).
  • Chaining data with the previous record.
  • SIF identification.
  • Generation date and time.
  • Hash of the cancellation record.

A cancellation record does not delete the original registration record — it supplements it. The original record remains intact and immutable in the system.

Digital fingerprint and chaining (Art. 12 RD 1007/2023)

Every invoicing record (registration or cancellation) must include a digital fingerprint calculated using the SHA-256 function over defined fields. This fingerprint ensures that any subsequent modification of the content is detectable.

Additionally, each new record must include the first 64 characters of the hash of the immediately preceding record, together with its invoice number, series and date. This creates a cryptographic chain where each record depends on the previous one — if a record is altered or deleted, the chain breaks and the system must trigger an alert.

Before generating a new record, the SIF must verify that the last existing record is correctly chained. If it detects a breach in the integrity chain, it must log an anomaly event.

Event log (No-VeriFactu only)

In No-VeriFactu mode (when records are not sent to the AEAT), the SIF must maintain an immutable event log documenting:

  • System starts and shutdowns.
  • Anomalies detected in chaining.
  • Manipulation or alteration attempt detections.
  • System configuration changes.
  • Any incident relevant to traceability.

In VeriFactu mode, the event log is not mandatory, as record custody lies with the AEAT.

Electronic signature

  • VeriFactu mode: local electronic signatures for each record are not required. Records are considered signed when submitted to the AEAT using the taxpayer's or representative's electronic certificate.
  • No-VeriFactu mode: a qualified electronic signature is required for each invoicing record and each event record, as a mechanism to guarantee authenticity and integrity in the absence of AEAT submission.

Responsible Declaration (Art. 13 RD 1007/2023)

The SIF manufacturer or producer must issue a Responsible Declaration certifying that the system complies with all requirements of RD 1007/2023 and Order HAC/1177/2024. This declaration must:

  • Identify the software (name, version, identification code).
  • Identify the producer (company name, tax ID).
  • Be dated and signed.
  • Be easily accessible from within the software or from the producer's website.
  • Be updated with each new software version.
  • Not be modifiable by third parties or by the user.

Without this declaration, the software cannot be considered compliant and its use may carry fines of up to €50,000 per fiscal year.

Invoice requirements (the document)

Tax QR code (Art. 6.5 RD 1619/2012, as amended)

Every invoice issued through a SIF adapted to the RRSIF must include a QR code containing:

  • Issuer's tax ID.
  • Recipient's tax ID (for full invoices).
  • Invoice number and series.
  • Date of issue.
  • Total amount.
  • Invoice type.
  • Information about the system that generated it.

Technical specifications:

  • Size: between 30×30 mm and 40×40 mm.
  • Standard: ISO/IEC 18004.
  • Position: at the beginning of the invoice, visible.
  • For electronic invoices, the graphic QR may be replaced by its content in machine-readable format.

The QR allows the recipient (customer or consumer) to verify the invoice on the AEAT's electronic portal by scanning it with a mobile device or the AEAT app.

VeriFactu legend (only if applicable)

Invoices issued by a SIF operating in VeriFactu mode (with record submission to the AEAT) must include the phrase:

"Invoice verifiable at the AEAT Electronic Portal" or simply "VERI*FACTU"

Invoices issued in No-VeriFactu mode must not include this legend.

Minimum invoice content (RD 1619/2012, still in force)

RD 1007/2023 does not replace the Invoicing Obligations Regulation (RD 1619/2012). Invoices must still contain the data that was already mandatory: sequential number, issuer and recipient details, description, tax base, VAT rate, tax charged, date, etc. What the RRSIF adds is the layer of system requirements (hash, chaining, QR) and software product obligations (Responsible Declaration, event log).

Visual summary: compliance checklist

Your SIF must...

  • Generate an invoice registration record for every invoice issued.
  • Calculate a SHA-256 hash for each record.
  • Chain each record with the previous one (first 64 characters of the previous hash).
  • Detect chain breaks and log anomalies.
  • Preserve records for at least 4 years.
  • Ensure records cannot be modified or deleted without leaving a trace.
  • Include date and time (down to the second) in each record.
  • Identify the SIF (name, version, code, producer's tax ID) in each record.
  • Have an accessible, up-to-date Responsible Declaration from the manufacturer.
  • If No-VeriFactu: electronically sign each record and maintain an event log.
  • If VeriFactu: submit records to the AEAT via secure connection with automatic retry on failure.

Your invoice must...

  • Include a tax QR code (30-40 mm, ISO/IEC 18004) with identifying data.
  • If VeriFactu: include the legend "Invoice verifiable at the AEAT Electronic Portal" or "VERI*FACTU".
  • Meet all prior requirements of RD 1619/2012 (issuer data, recipient, concept, base, rate, tax charged, total, date, sequential number).

What if my software does not meet these requirements?

From 2027, using a SIF that does not comply with these requirements is punishable with up to €50,000 per fiscal year for the user, without the AEAT needing to prove fraud. The manufacturer faces fines of up to €150,000 per fiscal year for each non-compliant program sold.

The recommendation is clear: request the Responsible Declaration from your provider, verify it is up to date for the version you use, and if in doubt, consult your tax adviser before the compliance deadline.

Related reading: VeriFactu vs No-VeriFactu: Key Differences, 2027 Deadlines and Which to Choose

Related reading: VeriFactu Invoicing Software 2027: 21 Programs Compared

Related reading: E-Invoicing in Europe 2026-2030: How It Is Being Implemented Country by Country

InvoSeal complies with all requirements of RD 1007/2023 and Order HAC/1177/2024: SHA-256 hash, chaining, tax QR, event log, electronic signature and Responsible Declaration. It also offers dual mode (VeriFactu / No-VeriFactu) so the choice is yours. Check our documentation or get in touch.