Verifactu in 2026: the plain-English readiness checklist for Spanish-facing software

Every invoicing software vendor selling in Spain has been repeating the same line for months: “we’re already Verifactu-ready”. Open seven websites and you’ll read it seven times, almost word for word. The reality is that most of them are confusing “we’ve read RD 1007/2023” with “we’ve implemented it”.

This isn’t a deep dive into the legal text. It’s the pragmatic guide you need so you don’t arrive at 2027 with a tool that claims to comply but doesn’t, and so you can ask the right questions before signing any contract.

What Verifactu is in one sentence

Verifactu is the Spanish tax authority (AEAT) regulation (RD 1007/2023) that requires invoicing software to generate invoices with an unalterable, traceable signature, chain each invoice to the previous one, and store records ready for the tax authority to request.

You don’t have to send every invoice to the AEAT in real time (that’s SII, a different obligation). You just have to be able to send them if asked, and you have to sign each one in a way that any later modification leaves a trace.

The 4 obligations the law puts on your software

Simplified to the bone. Your software (or the software you’re evaluating) must:

1. Record every invoice the moment it’s issued, with no quiet retouching. If you modify an issued invoice, the modification has to be logged with a timestamp.
2. Chain each invoice to the previous one via a cryptographic hash. Break the chain and it shows.
3. Preserve records in an AEAT-readable format for the legal retention period (4 years, extendable).
4. Export on demand a structured file the AEAT can process without human intervention. This includes a QR code on every printed invoice.

If your software fails any of the 4, it’s not Verifactu-compliant, no matter what the marketing page says.

The timeline: when it hits you

Type of obligor	Deadline
Companies (sociedades)	1 January 2027
Self-employed individuals (autónomos)	1 July 2027
Invoicing software sold in Spain	Already operational, new customers should be on compliant versions

The AEAT has deferral mechanisms for justified cases, but counting on them is a bad idea: migration costs are high and the extensions are short.

Verifactu vs SII vs TicketBAI: why people confuse them

These three get mixed up constantly, even in sales decks. The fast difference:

• SII (Immediate Information Supply): obligation to send invoice details to the AEAT within four days of issue. Applies only to large companies, REDEME, and VAT groups.
• TicketBAI: Verifactu’s equivalent in the Basque Country, in production since 2022 with its own calendar.
• Verifactu: general obligation for all invoicing software operating in mainland Spain. Not real-time submission, but traceability and signature.

If you sell to a SII-obligated company, you’ll also have to comply with Verifactu. If you sell in the Basque Country, you’re already on TicketBAI. They’re not alternatives.

The 7 most common traps in “Verifactu-ready” software

I’ve talked to firms migrating right now. These are the traps they’re hitting, ordered by frequency:

1. Signature yes, chaining no. The software signs each invoice but doesn’t chain it to the previous one. Passes obligation 1, fails obligation 2.
2. Untracked retroactive edits. Editing an issued invoice overwrites the original record with no audit trail. Fails obligation 1.
3. Broken export. The file it generates fails AEAT validation. You discover this when they’ve already requested the data.
4. Verifactu as a paid add-on. The base software doesn’t include Verifactu; you pay 25-50 €/month extra. If you already pay for the software, this is hidden upselling.
5. Issuance only, no reception. They sign the invoices you issue but don’t process the ones you receive. For accounts payable, this is a hole.
6. No QR code on the PDF. The QR is mandatory on every printed invoice. If it’s missing, the recipient can reject the invoice.
7. No downloadable audit trail. You can’t generate a report of which invoices were issued, modified, or cancelled. If the AEAT asks, you reconstruct it by hand.

Your 12-question checklist for any vendor

Print this list and use it in every demo:

1. Is every issued invoice timestamped immediately?
2. Is the hash chain exposed and can I verify it?
3. What happens when I edit an already-issued invoice? Show me.
4. In what format does the AEAT export work? Show me.
5. Does the QR code appear on every PDF and in the customer portal?
6. Is Verifactu included in my plan or a separate module?
7. If separate, how much does it cost?
8. Do you process received invoices with the same traceability?
9. Is there an uptime SLA for the signing service?
10. Who signs the invoices: your servers or a third party?
11. How do you migrate my last 4 years of invoice history?
12. If the AEAT audits you, what do I have to provide?

If any answer is vague or “we’re finishing it”, red flag.

How Calitem handles it

At Calitem, Verifactu isn’t a module: it’s base plumbing. Every invoice processed by our AI, whether you’re issuing or receiving, runs through the signature and chaining pipeline. Traceability is exposed via API, no need to ask support. The AEAT export is validated against the latest official spec, not last year’s.

And, most importantly: we don’t charge extra to comply with the law.

Related reading

• Verifactu: the glossary entry with deadlines and regulatory references.
• SII: why SII and Verifactu are different obligations.
• Accounts payable with AI: how Verifactu fits into the full procure-to-pay cycle.
• OCR vs AI in accounts payable: the prior post that opens the blog.