e-Invoices Are Becoming the Foundation of an Integrated and Transparent Economy
As the global economy faces the need for greater transparency, electronic invoices offer a solution that satisfies both tax authorities and private entrepreneurs.

Legislation has significantly accelerated the adoption of eInvoices in the B2G segment, but the real potential lies in the B2B exchange, which is growing daily. Digital transformation is often wrongly interpreted only as the introduction of new software, but the real results are visible in a change of business paradigm.
The ICT services market in Croatia is saturated with terms such as Cloud, AI, and digitalization, but there are few examples of solutions that have such a direct impact on operations as the electronic invoice. Marko Emer, director of Elektronički računi, has, as he himself says, witnessed the evolution of this system from its very beginnings to its current status as critical business infrastructure. In an interview for ICTbusiness Media – ICTbusiness.biz, Emer speaks openly about the challenges faced by companies trying to modernize their finance departments. He points out that technology is no longer the barrier, but rather outdated business processes that do not keep pace with the rhythm of the digital age.
We discuss integration, security, and the necessity of connecting all links in the procurement and sales chain through uniform standards. Elektronički računi has positioned itself as a bridge between technology and the end user, making the transition to paperless business easier. Emer explains why it is important to look at the bigger picture and how the eInvoice serves as an entry point for advanced analytics and better business decision-making.
What certificates and accreditations does your organization hold, and why are they relevant for the security of eInvoices? Do you hold an ISO/IEC 27001 certificate for information security management, and how often do you undergo external audits of its implementation in practice – not just on paper? Are you registered with the Croatian National Bank (HNB) as an authorized payment service provider, and what does that regulatory obligation specifically mean for the level of security you must maintain? Is there a legal or regulatory gap in Croatia that allows someone to operate as an information intermediary in the eInvoice system without minimum security standards, and how do you, as an industry, view that? How is your infrastructure adapting to the new directives on digital operational resilience (DORA)?
We have continuously held the ISO/IEC 27001 certificate since 2015, which means that every year we undergo regular audits and compliance checks with information security requirements. However, what sets us apart in the market is that in 2022 we became a payment institution, entered in the register of payment service providers and electronic money issuers as the only licensed provider of the two fundamental payment services defined by PSD2: PIS (Payment Initiation Service) and AIS (Account Information Service).
Accordingly, as a licensed payment institution, we were declared critical infrastructure, which means that, as entities subject to NIS2 and DORA regulation, we are also subject to regular annual compliance audits with the said regulations. In addition, HNB, as the regulator of business operations in the part concerning the integration of our fintech platform with banks, regularly supervises the security aspects of the company’s internal processes as well. In general, we believe that even the activity of information intermediation would not be possible without full compliance with these standards and directives, which is also a guarantee of security and reliability for all users.
For us, the ISO certificate is not a formal mark of quality and security, but the foundation of the operating model. However, we believe that having a certificate in itself is not enough, so when we speak about what truly sets us apart from the rest of the market, it is that our security standards are actually implemented in everyday business operations. For us, security is not “a certificate that is good to have”, but a system that is continuously tested, monitored, and improved, and that level of discipline and consistency is what clearly sets us apart from those providers of information intermediation services who have fulfilled the formal requirement with an ISO certificate.
In addition, and this should be particularly emphasized, by entering the register of payment service providers, we committed ourselves to operating according to the standards that apply to financial institutions, under continuous regulatory supervision. This means that at every second, we must ensure a high level of security, from user authentication and data protection to incident management and operational resilience. In practice, this means that our systems and processes undergo a level of control that a large part of the market does not have at all, which gives users a significantly higher level of security and reliability.
Already when the Fiscalization Act was published for public consultation on eSavjetovanje, we warned about the dangers arising from the real difference in regulatory burden between payment service providers and information intermediaries, although both in fact manage money. We believed then, and we still believe today, that there is a real concern that some information intermediaries, especially those that have only just been established, have no real idea of the challenges when we speak about cybersecurity in the exchange of eInvoices. The proposal we submitted to the legislator, together with numerous professional associations, was to introduce an obligation of professional liability insurance or, even more importantly, a cyber attack protection policy.
It was concluded that it is sufficient to legally oblige information intermediaries to apply the NIS2 directive, but who will carry out supervision and how, and especially how tens of thousands of companies will be compensated if such attacks occur and the intermediary closes its doors, is not entirely clear. As far as Mer is concerned, users can be sure that we have security standards far above the prescribed minimum. After all, we apply financial industry standards even where this is not explicitly prescribed, because we believe that this is the only sustainable model for systems that process sensitive business data.
Accordingly, for us, DORA is not a beginning, but a continuation of an already established model of managing security and operational risks. Our infrastructure is already set up in accordance with the high requirements of PSD2 regulation, and DORA additionally formalizes and deepens what we already do, from managing ICT risks and incidents to control over external service providers and testing system resilience. In other words, while part of the market is only now catching up with the new requirements, we are incorporating them into the existing framework and using them as an opportunity to further strengthen the reliability and security of our services.
How does your organization financially and operationally manage the risk of a cyber incident? Do you have a cyber risk insurance policy in place – and what does that policy cover: only your operational costs, or also the damage incurred by your client entrepreneurs whose data may be compromised? Do you conduct regular vulnerability assessments and penetration testing of your systems, and who conducts those tests – your internal team or an independent third party? If one of your clients – a small sole trader or a company – suffers financial damage due to a security failure on your side, what protection and compensation mechanism is available to them? Do you have 24/7 monitoring, your own SOC, or a contracted external center, and how is incident escalation organized?
In practice, we can often see that cyber risk is treated as an isolated IT problem, and not as a business and financial risk of the highest level, which is what it actually is. To confirm that thesis, it is enough to conduct a short survey among entrepreneurs who only begin to think about information security when it has been seriously or irreversibly compromised. At Mer, the story has been different from the very beginning. In our business model, cybersecurity is a prerequisite for doing business, not a support function.
Ever since the idea of the eInvoice and the first lines of code in 2013, we have known that our business is the transfer of sensitive financial and business data, something we became even more aware of when we entered the register of payment service providers. We strengthened all available security instruments, so we manage cyber incident risk at the level at which financial institutions manage it, and not typical IT providers. This means that we do not treat security as a cost, but as an investment in the stability of the system on which our clients depend.
The market clearly shows the difference between organizations that build security systematically and those that react only when a problem arises, and we undoubtedly belong to the first group. We manage cyber risk through a combination of a regulatory-compliant framework, but also on the basis of our own security policies and continuous investments in technology, people, and processes. Operationally, this means multilayer protection of systems, constant monitoring, and clearly defined procedures for prevention, detection, and response to incidents.
Financially, we additionally mitigate risk through insurance, but also through a conservative approach to managing infrastructure and partners, because we believe that the greatest part of the risk must be eliminated in advance, not remedied afterwards. For those who do not know, as a payment institution, Mer had to establish numerous security procedures that no other information intermediary implements to that extent. In addition to a personal liability insurance policy, which is a mandatory prerequisite for licensing as coverage for operational and security incidents, we have implemented SCA, PSD2 APIs, cryptographic data protection, and numerous other security systems prescribed by the regulator on the basis of EU and domestic legislation.
We have also additionally formalized the ICT risk management framework, established incident reporting to HNB, and defined business continuity and recovery plans (BCP/DRP). In addition, we are obliged to report regularly to the regulator, and we are subject to constant on-site and off-site supervision and required to prove compliance at every moment. Of course, alongside that we are also obliged to conduct regular internal ISMS audits, penetration tests and vulnerability assessments, as well as continuous monitoring of security events (SIEM/SOC approach) to retain the ISO certificate, which is de facto the only obligation of other information intermediaries, while for us it is only one of the segments of security management within the company.
What does your daily operational security monitoring look like? Do you have an incident detection and response system that functions 24 hours a day, 7 days a week – and how quickly, realistically speaking, can your team respond to a security alarm in the middle of the night or over the weekend? Do you use anomaly monitoring systems with or without AI in data traffic that can detect unauthorized access or data theft in time, such as the 560 GB allegedly extracted from the Spanish tax agency in one go? When was the last time your organization had a serious security incident or near-incident, and what exactly did you change in your protection system as a result? What are your defined RTO and RPO for key eInvoice exchange services? How do you notify clients in real time if you detect suspicious activity on their accounts?
The security and availability of our systems are among the leading in the industry, but what truly differentiates us is not only the level of the implemented measures, but their consistent operational application, owing to our role in the market, as well as our many years of experience, thanks to which we have learned not only to respond to challenges but also to anticipate them and accordingly incorporate them into security procedures. In terms of infrastructure, the data we mediate and store are housed in two geographically separate, highly available data centers in Croatia, on infrastructure designed for continuous operation and resilience to interruptions.
The system is organized through multiple active nodes that evenly distribute the load and enable uninterrupted service operation. If an individual component stops working, traffic is automatically redirected to the remaining systems without impact on the user experience. All data are located on isolated, redundant systems that are not directly accessible from public internet addresses, with multilayer access protection and regular backups of data and configurations. In this way, we ensure both a high level of protection and the possibility of rapid recovery in the event of unwanted incidents. The system’s operational availability is confirmed by an SLA of 99.97%, while our recovery parameters are defined in accordance with the criticality of the service and in accordance with the regulation prescribed for entities entered in the Register of Payment Service Providers.
Given that from the very beginning we built infrastructure that in most situations enables continuity of operation without interruption for end users, we can say that our approach to security is not based only on recovery plans, but primarily on the prevention of unwanted events. The architecture of the system is conceived in such a way that work is systematically carried out on reducing dependence on individual providers, by which we seek to enable stable system operation even in situations of partial network difficulties or the unavailability of individual components.
Alongside technical security, we also devote great attention to transparency towards users. In the event of difficulties or deviations, users are informed promptly through several communication channels, including in-app messages, email notifications, and announcements on the website. Through the user portal and API integrations, we also provide detailed insight into the status of each invoice, including the reasons for possible errors and clear instructions for correcting them. It is particularly important to us that a high level of security and availability does not come at the expense of the user experience, so security measures are implemented in a way that is maximally transparent to the user, thereby ensuring a combination of reliability, protection, and ease of use.
In the context of the introduced obligation of exchanging eInvoices and their role in determining tax liabilities, we believe that selecting a reliable information intermediary is a key business decision. We have long emphasized that this is not only a technical issue, but a strategic issue for the company, because it directly affects the stability and security of business operations.
Who has access to the data that passes through your system, and how do you control that? Do you apply the principle of least privilege – that is, does each of your employees have access only to the data necessary for the performance of their job, and how do you ensure that technically? Do you use the services of subcontractors or cloud providers for the storage or processing of your clients’ data, and in what way do you ensure that they, too, meet the same security standards that you advocate? How do you deal with the threat of insider attacks – situations in which the security failure does not come from outside, but from your own employee or former associate who has or had access to the system?
In our system, data protection is based on a strictly controlled access model in which data are available exclusively to authorized systems and employees, and only to the extent necessary for the performance of their work tasks. Access to information is neither static nor universal, but is granted, monitored, and periodically reviewed through formalized processes, with full traceability of all activities. With processes established in this way, we ensure that data are not available “by default”, but exclusively based on real need and with appropriate supervision. As part of the Visma group, we apply a standardized security framework that includes continuous employee education, practical training, and knowledge verification systems, being very aware that security challenges do not come exclusively from outside.
For that reason, we approach insider threats systematically, combining technical controls, organizational measures, and continuous employee education, and we regularly assess their knowledge and ability to handle cyber risks. Accordingly, no access is permanent or uncontrolled, but each one is monitored and reviewed, and not because we view security as a technological problem, but because we see it as an organizational culture on which we insist strongly, precisely for the benefit of our users. For example, all employees undergo regular information security training, covering topics such as phishing attacks, social engineering, access management, and data protection. In addition, we conduct simulations of security incidents and security awareness tests to ensure that employees not only understand the risks but also know how to respond in real situations if and when they occur.
All of the above shows that security within the Visma ecosystem, and therefore in Mer as well, is integrated into everyday work, from software development to systems management, with the use of interactive educational tools and the previously mentioned regular testing of employees’ knowledge. All of this indicates that our goal is not only to prevent incidents, but to build an organization in which every employee understands that they are part of the security system that must be protected to the maximum extent.
What does the entrepreneur who uses your services actually know about how you protect their data? Is there a clear, understandable, and publicly available document – not hidden in the depths of a contract – that explains what happens to your user’s data in the event of a hacker attack, and what his rights and steps are? In which situations are you obliged by law or by your own business policy to notify the user of a security incident concerning him, and how quickly after detection do you do so? If an entrepreneur were to ask a simple question tomorrow: “Why should I trust you more than some other intermediary?” – what is your concrete, measurable answer that is not just marketing?
The entrepreneur who uses Mer does not have to guess how the system works or what happens to his data in the background. Through the user portal, API integrations, and the notification system, he has insight at every moment into the status of his invoices, the processing stage, and any possible errors. In other words, the system is not some kind of “black box” that can be read only by our experts, but the user transparently sees what is happening and why it is happening, which we consider a basic standard for infrastructure that exists for him and for the secure exchange of his data.
We have clearly defined and accessible documentation that explains how data are processed, where they are located, and according to which standards and based on which legal frameworks we collect, process, and store them. That information is not hidden in complex contractual wording, but is publicly available and structured in such a way that the user can understand the concrete processes and our role in them. What is crucial is that we do not tie user notification exclusively to formal regulatory obligations and deadlines, but to the actual impact of the incident on the user. As soon as we assess that an event is relevant, the user is informed without delay. In the case of technical issues, this means immediate notification through the system and communication channels, while in the case of security incidents, the communication takes place in parallel with the resolution of the problem, and not after it.