To use the National e-Invoicing System (KSeF), it is not necessary to create an account within the system. However, identity verification and confirmation of permissions are required. The authentication process ensures that access to the system is granted only to verified individuals, eliminating anonymity. This provides assurance to both the seller and the buyer that invoices are issued by authorized persons.
Entities using KSeF can verify their identity using one of the following primary methods:
- Trusted Profile – a free tool that allows identity verification in online public administration services. It can be created online (e.g., via electronic banking) or confirmed in person at a verification point (e.g., a tax office).
- Qualified Electronic Signature – a digital equivalent of a handwritten signature with full legal validity. It enables signing documents in a way that guarantees their authenticity and integrity. Unlike the Trusted Profile, it can also be used in business-to-business (B2B) relations, not just with public administration.
- Qualified Electronic Seal – a tool dedicated to companies, linked to their tax identification number (NIP). It plays a key role in mass and automated processes, significantly simplifying initial access to KSeF without the need to submit paper notifications.
After initial authentication, additional secondary methods can be used:
- KSeF Certificate – a digital cryptographic tool issued by the Certification Center of the Ministry of Finance. It enables secure, efficient, and automated use of the system.
- Token – a unique alphanumeric string generated by KSeF after authenticating a taxpayer or authorized entity (e.g., via Trusted Profile, qualified signature, or seal). The token is assigned to a specific entity and contains defined permissions within the system.
IMPORTANT!
THE ABILITY TO AUTHENTICATE USING THE TRUSTED PROFILE WILL EXPIRE ON MARCH 31, 2026.
THE ABILITY TO GENERATE AND USE TOKENS WILL EXPIRE ON DECEMBER 31, 2026.
User authentication in the KSeF system
The authentication method in the KSeF system depends on the legal form of the entity – the relevant classification is presented below.
Authentication of natural persons
- Trusted Profile
- Qualified Electronic Signature
- Token
- KSeF Certificate
Authentication of entities other than natural persons
- Qualified Electronic Seal
- Token
- KSeF Certificate
Granting permissions within the team
The National e-Invoicing System (KSeF) operates based on a credential model, which means that every individual or entity must be authenticated and authorized before gaining access to the system. Once successfully logged in, the user can utilize KSeF within the scope of the permissions granted.
The system defines four main types of permissions, which can be assigned to both users and IT systems integrated with KSeF:
- Granting and revoking permissions to use KSeF
- Issuing and accessing structured invoices
- Self-invoicing – issuing invoices by the purchaser of goods or services
- Issuing VAT RR invoices and corrections to VAT RR invoices
Permissions can be granted in two ways:
- By submitting a ZAW-FA notification – in paper or electronic form – regarding the granting or revocation of access rights to KSeF
- Electronically, via the free KSeF 2.0 Taxpayer Application, provided by the Ministry of Finance
Assigning roles and permissions within the organizational structure
As part of the implementation of the National e-Invoicing System (KSeF), it is advisable to define the responsibility structure and permission levels within the organization already at this stage. Below is an example role model that can be applied in most companies:
- Purchasing Specialist / Secretariat – has access only to purchase invoices for the purpose of receiving, verifying, and forwarding them to the accounting department or external accounting office.
- Customer Invoicing Specialist – authorized only to issue sales invoices.
- IT Administrator – does not have permissions to view or issue invoices. Their role is limited to technical system support and integration with KSeF.
- External Accounting Office – depending on the agreement, may have permissions to issue and receive structured invoices.
- Management Board – has KSeF Administrator permissions, allowing them to manage access and view all invoices (read-only mode) for control and supervisory purposes.
Control questions?
The implementation of the National e-Invoicing System (KSeF) 2.0 is a complex, multi-stage process that requires precise planning and close cooperation between finance, administration, and IT departments.
To better understand the scope of the project and determine the current stage of your organization’s preparations, it is worth answering the following questions:
- Has a decision been made regarding who and how will perform the initial authentication in the KSeF system?
- Has a person been appointed to act as the KSeF administrator, responsible for granting and revoking access and permissions?
- Has the method for transferring data from KSeF (purchase and sales invoices) to the accounting office been defined?
In addition to the above issues, it is also important to establish procedures related to organizational security in the context of KSeF, including:
- Who and how will monitor the status of KSeF certificates – including their expiration (the certificate lifecycle is 2 years)?
- Has a deputy KSeF administrator been designated in case of absence or unavailability of the main administrator?
