HMRC’s consultation on EPOS and MPOS software standards may mark the beginning of a new compliance era for UK retail
The UK has opened a consultation that could become one of the most important retail compliance developments in the country for years. On 23 June 2026, HMRC published its consultation on Electronic Sales Suppression — Introduction of software standards in EPOS/MPOS systems, inviting views on mandatory software standards for electronic point-of-sale and mobile point-of-sale systems. The consultation runs for eight weeks and closes on 18 August 2026 at 11:59pm.
The subject is electronic sales suppression, often described as till fraud. In simple terms, it is the manipulation of digital sales records to hide or reduce transactions, lower reported turnover and reduce tax liabilities. HMRC’s consultation is not yet a law and not yet a technical specification, but it is much more than a general policy discussion. The document already shows a clear direction of travel: the UK government is considering moving from traditional downstream enforcement toward preventive controls built into the software layer of retail transactions.
For decades, the UK has operated without mandatory EPOS software standards comparable to those seen in several European fiscalization countries. HMRC now states that there are currently no mandatory standards for EPOS or MPOS systems in the UK, while noting that other countries have introduced mandatory EPOS requirements to generate and preserve sales data for tax compliance. The consultation also notes that 16 of the 37 OECD countries have taken such an approach, with five of them also requiring automated data transmission to the tax authority.
The strongest signal in the consultation is that HMRC does not appear to be thinking primarily about a classic real-time fiscalization model in the first step. The direction looks closer to an audit-based, software-standard-driven fiscalization model built around unalterable transaction logs, encrypted chaining, SAF-T data, certification or registration of systems, mandatory receipt or report data, and new compliance checks designed specifically for the retail sector. In other words, this looks less like a Croatian-style real-time online model and more like a UK-specific combination of Germany, Austria and Norway, adapted to the realities of a large, diverse and commercially sensitive EPOS market.
HMRC’s proposed package is revealing. It includes an unalterable and complete transaction log using the OECD SAF-T format, with every transaction and adjustment indelibly linked in an encrypted chain. It also considers a register of EPOS and MPOS systems sold, transferred or used in the UK, a certification method for new systems, mandatory information on receipts and reports, streamlined compliance checks, supplier obligations to protect system integrity, and stronger legislation around ESS. The consultation says these measures would ideally be implemented through updates to existing systems rather than wholesale replacement, and that they would likely be introduced over time rather than all at once.
The questions HMRC asks show what it still needs to understand before moving from policy direction to legal design. The government wants more detail on how ESS threats have changed since 2018, how MPOS and low-cost cloud-based systems have reshaped the market, how ESS tools are marketed and sold, how encryption and transaction chaining could be implemented, where in the transaction lifecycle protection should begin, who should certify or register systems, whether self-certification is acceptable, what receipt data should be mandatory, and how far mandatory EPOS use should extend in high-risk sectors. These are not superficial questions. They are the questions of a government trying to decide the architecture of a new fiscal control regime.
The consultation also makes clear that HMRC is studying the international playbook carefully. The stakeholder list includes discussions with tax authorities in Austria, Germany, Greece, the Netherlands, New Zealand, Norway and Australia, while the international annex summarises approaches from Austria, Germany, the Netherlands, Norway, Australia and New Zealand. Austria is highlighted for mandatory standards, receipt requirements and cryptographic chaining; Germany for technical certification, digitally signed transactions and supplier/manufacturer penalties; Norway for product declaration, mandatory SAF-T, registered systems and digitally signed receipts; and the Netherlands for its voluntary quality mark around reliable SAF-T-based record processing.
The UK’s likely path therefore seems to be a hybrid. It will probably not start with permanent real-time transmission of every transaction to HMRC, because that would be politically, technically and commercially heavy. It will more likely begin with mandatory software standards requiring tamper-resistant transaction records, standardized audit export, cryptographic protection, system registration or certification, receipt/report verification and stronger supplier obligations. Once that foundation exists, more advanced reporting or targeted digital access could be added later, especially if HMRC concludes that audit-based controls alone do not sufficiently reduce ESS. This is an inference, but it is strongly supported by the fact that the proposed measures focus on secure local records, SAF-T, certification, reports and compliance checks, rather than immediate continuous reporting to HMRC.
The political and operational context also matters. The National Audit Office reported in 2024 that tax evasion costs the UK around £5 billion a year, is most prevalent among small businesses, and includes sales suppression as one of the important retail risks. The NAO concluded that HMRC’s prevention strategy is sensible but has not been followed through sufficiently for tax evasion, and that tighter controls and more compliance work could raise significant sums while improving value for money. That report helps explain why HMRC is now looking at upstream software controls rather than relying only on forensic investigations after fraud has already happened.
The technical debate will not be simple. A 2019 response from the UK Computing Research Committee warned that ESS requires a socio-technical approach because purely technological measures can be circumvented by misuse, misconfiguration or by simply failing to record transactions through the controlled system. The same response recognised that cryptographic techniques can make records almost impossible to falsify once entered, but also warned that fraud can move to stages before the transaction enters the log if the regulatory design is too narrow. This is exactly why the UK consultation spends so much attention on transaction lifecycle, supplier responsibility, registration, certification, user obligations and compliance checks.
For POS vendors, this is the most important part of the message. A future UK regime will probably not only affect retailers. It will almost certainly affect software suppliers, resellers, integrators and possibly anyone who adapts or configures systems for business users. Norway provides an instructive comparison, because its rules apply to suppliers offering cash register systems on the Norwegian market, require product declarations before sale, and allow sanctions where systems are not declared or do not meet requirements. HMRC’s consultation asks similar questions around supplier obligations, certification, registration and penalties, which suggests that the UK is not only thinking about taxpayer behaviour but also about the software supply chain.
The most sensitive design decision will be timing. HMRC’s consultation closes in August 2026, but the move from consultation to law normally follows the UK tax policy-making cycle, in which policy design, draft legislation and implementation are separate stages. The UK government’s tax policy principles state that draft tax legislation typically continues to be published on Legislation Day in the summer, although technical consultations can also be published at other points in the cycle sufficiently ahead of the Finance Bill.
Based on that process, the earliest realistic window for a first draft legislative proposal would likely be 2027, especially if HMRC publishes a summary of responses and then opens a technical consultation on draft legislation. A faster route could produce policy announcements around the next fiscal event and draft clauses before or around summer 2027, while a more cautious route could push draft legislation into late 2027 or 2028. The current consultation itself says that responses will inform future policy proposals and that further steps will be announced in accordance with the tax policy-making process, with additional technical consultation if required.
International experience supports the view that full implementation would take longer than the first legal draft. Austria introduced individual recording and receipt issuing obligations from January 2016, moved into the cash register obligation from 2016 and required the technical security device with electronic signatures from 1 April 2017. Germany introduced its legal basis through the law of 22 December 2016 and the TSE obligation applied from 1 January 2020, with practical transition measures following. Norway required compliant systems to be sold from 1 January 2017, while enterprises had until 1 January 2019 to upgrade or replace existing systems. These examples suggest that once the UK decides on a model, suppliers could receive an earlier compliance deadline than users, while retailers may receive a longer transition period.
A reasonable estimate is therefore that the UK could see draft legislation or a technical draft during 2027, adoption during 2027 or 2028, and phased implementation somewhere between 2028 and 2030, depending on whether the government chooses a supplier-first approach, a high-risk-sector approach, or a broader obligation for all relevant EPOS and MPOS systems. The consultation already points in that direction by stating that measures would likely be introduced over time and preferably through updates to existing systems rather than mandatory replacement.
For retailers and POS providers, the practical conclusion is clear. This is not the moment to wait for the final law before acting. The UK is still in consultation, but the strategic direction is visible. POS platforms should begin assessing whether their transaction logs are complete, whether voids and cancellations are protected, whether reports can be generated in standardized formats, whether receipt data can support verification, whether audit trails are tamper-resistant, and whether system configuration by resellers or local implementers can create compliance risk. Retailers should start mapping where EPOS, MPOS, self-checkout, online ordering, hospitality systems, delivery integrations and accounting systems create sales data that could fall within future requirements.
The deeper point is that the UK appears to be moving toward fiscalization without calling it by that name. It is not beginning with a traditional fiscal device obligation, nor with a pure online reporting model, but with a software integrity regime for retail transaction systems. If this becomes law, the UK will join the broader international trend in which tax authorities no longer treat POS data as an ordinary internal business record, but as a regulated source of fiscal truth.
That is the real story behind the consultation. The UK is not only trying to punish electronic sales suppression after it happens. It is exploring how to make suppression harder by design. For the retail technology industry, that is a much bigger change than another compliance update. It is the possible beginning of a UK fiscalization model built around software standards, transaction integrity and trusted audit evidence.