,

Avoiding VAT audits: best practices for OSS record-keeping

Running an online business across Europe has never been easier. With the EU’s One-Stop Shop (OSS) system, small and medium e-commerce companies can sell into multiple Member States while only filing VAT returns in one place. What once required a patchwork of registrations and filings has been simplified into a single portal. But with that simplification comes something many entrepreneurs don’t think about until it’s too late: the risk of a VAT audit.

Spis treści

  1. Mandatory OSS Record-Keeping Requirements
  2. Standard audit file for OSS (myth vs. reality)
  3. Best practices to strengthen record-keeping
  4. Additional resources
  5. Conclusion

Tax administrations across Europe are paying closer attention to cross-border online sales. E-commerce has exploded, and governments want to make sure VAT is being reported and paid correctly. An OSS registration does not protect a business from being audited; in fact, it can sometimes make businesses more visible, since multiple Member States can request access to your records at any time. For a small company run by a young team with limited administrative capacity, this can quickly turn into a nightmare if the records are incomplete, inconsistent, or hard to retrieve.

The good news is that avoiding problems is absolutely possible. The EU has laid out clear rules on what needs to be stored, how long records must be kept, and in what format they should be made available. By following those rules—and combining them with smart internal practices—you can build a compliance system that not only keeps you safe from audits but also makes your day-to-day business run more smoothly. The central principle is simple: keep complete, accurate, and readily accessible records of all your OSS-related transactions, and you will dramatically lower the risk of trouble.

In this article, we are going to walk through everything you need to know. We’ll start with the mandatory record-keeping requirements under EU law, the exact data points you must retain, and the ten-year retention rule that catches many new business owners by surprise. Then we’ll explain the Standard Audit File for OSS, a format designed to make your electronic records acceptable in every Member State without file-format disputes. After that, we’ll move into best practices: automating data capture, running internal audits, setting up clear invoicing rules, and designing a compliance roadmap that fits even a small team. Finally, we’ll discuss what happens when tax authorities request information, the deadlines you need to know, and how to make sure your business can respond quickly without panic.

By the end, you will not only understand the rules but also have a practical toolkit for protecting your e-commerce company from VAT audits. Instead of seeing OSS compliance as a burden, you’ll see it as a way to build trust, maintain continuity, and scale your business across Europe with confidence.

Mandatory OSS Record-Keeping Requirements

When you register for the OSS scheme, you take on responsibilities that go well beyond submitting a quarterly VAT return. The most important of these is keeping detailed records of every sale you declare under OSS. These records are far from a box-ticking exercise. They are the evidence tax authorities will request if they ever review your business, and if they are incomplete, inconsistent, or missing, the risk of penalties—or even exclusion from the scheme—rises sharply.

The Ten-Year Retention Rule

Under Article 63c of Council Implementing Regulation (EU) No 282/2011, all OSS-registered businesses must keep their records for ten years, counted from the end of the year in which the transaction took place. A sale in March 2024, for example, must remain in your files until 31 December 2034.

For a small online store, ten years may feel like an eternity, but the requirement is not negotiable. The reasoning is simple: any Member State of consumption must be able to review your data long after the original transaction. Thanks to digital storage this is achievable, but only if you are disciplined about how you save and structure your records from the very beginning.

The Details You Must Store

The regulation sets out the exact information that must be included for every OSS transaction. Each record has to capture the Member State of consumption, the type and date of supply, the taxable amount, the VAT rate applied, the customer’s identification and location, details of payments received, and the evidence that proves the place of supply.

In practical terms, this means keeping far more than a simple invoice. You must be able to show clearly where your customer was based, why a particular VAT rate applied, and how delivery or access was fulfilled. Think of it as being ready to tell the complete story of a transaction: who bought, what was purchased, when it happened, what tax was charged, and how the order reached the customer.

Electronic Accessibility on Demand

Perhaps the most important part of the rule is that your records must be stored electronically and made available without delay. If a tax authority in any EU country asks for them, you cannot rely on excuses about your accountant still preparing the files or data being stuck on a laptop in another office. The expectation is that you are able to deliver the requested information promptly and in digital form.

For many small businesses, this is where things get tricky. Invoices often end up in messy folders, delivery proofs are misplaced, and transaction details get scattered across different platforms. During an audit, tax officials will not wait for you to dig through old emails or call your courier for a copy of a receipt. If the records are not ready and complete, you will be treated as non-compliant.

Key Takeaway

The lesson is simple: build systems that make your OSS records retrievable at the click of a button. Doing so not only protects you during a potential audit but also brings everyday benefits by cutting down on frantic last-minute searches and preventing valuable data from being lost.

Standard audit file for OSS (myth vs. reality)

When it comes to OSS record-keeping, many business owners ask themselves in what format the data should be stored. Each Member State has its own tax administration and systems, which creates uncertainty about whether there is a single European template for presenting records.

At EU level, there is no official standardized file format for OSS. Unlike the OECD’s Standard Audit File for Tax (SAF-T), which some countries such as Portugal, Poland, and Norway have adopted for their domestic VAT systems, there is no legal requirement for a “SAF-OSS.” The regulation is clear about what data must be kept, but it leaves the format up to businesses, as long as the information is complete, electronic, and available without delay.

What this means in practice

You are free to keep your OSS records in the format that works best for your business, provided the required information is included. A well-organized spreadsheet, an export from your accounting software, or a dedicated VAT compliance database are all perfectly acceptable. The key is not the file type but whether you can supply the requested data quickly and accurately when asked by any EU tax authority.

Some accounting platforms and compliance providers use the term “SAF-OSS” informally to describe their own export file that resembles SAF-T in structure. These can be useful, since they bring consistency, but it is important to understand that they are not part of EU law.

The benefits of using a structured format

Even though there is no official obligation, keeping your OSS data in a standardized structure still brings clear advantages. Uniform records save you from having to reformat data for different authorities or advisors. A consistent approach also makes your files easier to share, whether with a tax authority during an audit or with your accountant during a review. Just as importantly, a structured record sends the signal that your business takes compliance seriously, which can help shorten audits and reduce the number of questions asked.

Why a structured approach is a smart move

For a young e-commerce business, adopting a structured internal format may feel like an extra step. In reality, it is a small investment that pays off in peace of mind. If you ever face an audit, being able to provide your entire OSS history in a clean, consistent file is far less stressful than scrambling through scattered records. It also helps you scale, because whether you are processing a handful of transactions each month or thousands, your compliance will remain transparent and manageable.

Best practices to strengthen record-keeping

Keeping records for OSS is not just about fulfilling a legal obligation. The way you design your internal processes can make the difference between constant stress and smooth sailing. Weak systems lead to scattered documents, inconsistent invoicing, and long nights before filing deadlines. Strong systems, by contrast, give you confidence, save time, and make audits far less intimidating. For young e-commerce businesses, where energy is better invested in growth than in chasing missing receipts, building smart habits from the start pays off enormously. These practices align with the OSS rules to keep electronic records for ten years and to make them available without delay to any Member State of consumption.

Automate data capture and storage

The first step toward reliable compliance is automation. Manual spreadsheets or notes may feel manageable in the early days, but as soon as order volumes rise, the error risk grows with them. Modern ERP systems and VAT tools can capture transaction details at the source, apply the correct VAT rate based on the destination country, and retain all the fields required for your OSS return.

For businesses selling digital services, such as streaming, e-books, or software, the rules are stricter. You must keep two non-contradictory pieces of evidence for the customer’s location, such as billing address and IP address, or payment instrument BIN and delivery address. Automation ensures these are collected and stored consistently across all sales channels, rather than relying on someone to piece them together manually later.

Storing this information is not only about completeness but also about resilience. A secure and professional setup means cloud storage with encryption, access controls such as two-factor authentication, and automatic, versioned backups. Because certain data points, like IP addresses, count as personal data, your storage also needs to respect GDPR principles. That means lawful collection, data minimisation, robust security, and clear retention aligned with tax-law obligations. Getting this right avoids the risk of a clash between VAT compliance and data protection requirements.

A well-designed automated system also creates a full audit trail, showing who changed what and when, and keeps unique references alongside each transaction. This allows you to reconcile your returns quickly and prove how decisions on VAT rates or country rules were made, which is exactly the kind of transparency tax authorities look for.

Conduct regular reconciliations and internal audits

Even the most advanced automations need regular checks. Data flows can break, refunds may be missed, or fees might be misposted. By running monthly reconciliations between your OSS reports, your payment processor data, and your accounting ledger, you can catch mismatches before they spiral out of control. For example, a refund that was issued to a customer but not reflected in your OSS records will quickly surface in a reconciliation.

Quarterly internal audits add another layer of control. These reviews give you the chance to step back and test whether VAT rates are applied consistently across different markets, whether customer-location evidence is present and valid, and whether supporting documents such as shipping proof or payment confirmations are correctly tied to each order. For digital services, this also means checking that two pieces of evidence are always stored for every sale.

Crucially, when you find errors, document both the issue and the corrective action. This not only helps you improve but also creates a control history that auditors value. Showing that you have processes in place to detect and fix mistakes demonstrates diligence, which can go a long way toward building trust with tax authorities.

Maintain clear invoicing and documentation policies

Invoices remain a key part of your documentation, but here the nuance is important. For intra-EU distance sales of goods declared under the Union OSS, there is no EU-level requirement to issue an invoice. However, if you do issue them, the invoicing rules of your Member State of identification apply. In practice, many businesses still choose to issue invoices consistently, both for customer service and for audit readability. A uniform invoicing policy makes your records clearer and reduces confusion when different authorities review them.

Beyond invoices, proof of delivery is vital. For goods, this can take the form of courier tracking reports, signed delivery notes, or customs documents for cross-border shipments. For services, especially digital ones, it can mean payment confirmations, account access logs, or the customer-location evidences required for TBE services. The important thing is that each piece of documentation is tied to a specific order ID so that you can quickly reconstruct the full story of any given sale.

Digital receipts are an additional layer that strengthen both your customer experience and your audit defence. By making invoicing and documentation policies clear and consistent across your operations, you build a reliable framework that supports compliance and reduces risks.

Establish a compliance roadmap

Strong record-keeping is not just about systems; it is also about structure. A compliance roadmap turns scattered obligations into a coherent plan that your business can follow with confidence. This can take the form of a short OSS compliance manual that outlines who is responsible for preparing and reviewing returns, who maintains VAT rates and evidence rules, and how filing deadlines and payment cut-offs are managed.

The roadmap should also define your data retention policy, clearly stating how you will meet the ten-year requirement and the expectation that records must be electronically available without delay. It should spell out what happens when errors are found, how corrections are made, and how these corrections are documented.

Because VAT rules evolve, keeping your roadmap up to date is essential. This is where a “VAT champion” comes in. Whether internal or external, this role is responsible for monitoring EU and national updates, adjusting VAT rates, ensuring new evidence requirements are built into your process, and serving as the first point of contact with advisors or authorities. Having a dedicated owner avoids the common problem of compliance being everyone’s responsibility in theory but no one’s in practice.

A compliance roadmap does more than satisfy regulators. It creates peace of mind, distributes responsibilities fairly, and fosters a culture where compliance is seen as part of professional business operations rather than a burden. For young e-commerce businesses, that mindset shift can be the difference between reactive fire-fighting and sustainable, confident growth.

Responding to information requests

Even with strong systems and meticulous records, sooner or later a tax authority may ask to see them. This is not necessarily a signal that something has gone wrong. Audits and checks are a built-in part of the OSS framework, and Member States have the right to request records directly from you in order to confirm that VAT has been applied and paid correctly. The challenge for businesses is not whether requests will come, but how quickly and completely they can respond when they do.

The timeline you must respect

OSS rules require that records be kept in electronic form and made available without delay to any Member State of consumption. In practice, this means that when a tax authority asks for your records, you should be able to provide them immediately. If you cannot, you may receive a formal reminder. Once that reminder has been issued, you have one month to comply. This period is not meant as an extension of time to prepare data; it is simply the last opportunity to deliver what should already be accessible in your systems. Ignoring or missing this deadline risks being flagged as non-compliant, which can trigger closer scrutiny in the future.

The consequences of failing to respond

The regulation introduces the concept of persistent failure to provide records. This is not about a single delay but about a repeated or ongoing inability to comply with information requests. The consequences are significant. Persistent failure can lead to exclusion from the OSS scheme, and losing access to OSS is a major setback for any cross-border business. Instead of filing one VAT return through a single Member State of identification, you would need to register, declare, and pay VAT separately in every country where you sell. For small businesses, this extra administrative burden can make European expansion far more expensive and, in some cases, unsustainable.

How to ensure fast and smooth responses

The best defence is preparation. If your systems are set up so that invoices, payment records, customer location evidence, and delivery proofs are all linked together for each transaction, responding to a request becomes as simple as exporting data. Automation and structured storage eliminate the need for frantic searches through old emails or lost courier slips.

It is also wise to create an internal response procedure. Decide in advance who in your team will communicate with tax authorities, who will gather and check the data, and how the final response will be delivered. If you rely on an external advisor, make sure they are properly authorized to act on your behalf and that they have immediate access to your OSS records. Documenting this procedure in your compliance manual ensures that when a request arrives, everyone knows what to do.

Finally, it helps to see information requests as opportunities rather than threats. A prompt and professional response demonstrates transparency and shows that your business takes compliance seriously. Even if small errors are uncovered, cooperation and readiness often lead to a smoother audit process and a quicker resolution.

Additional resources

Record-keeping for OSS can feel complex, especially when you are running a young e-commerce business and every hour matters. The good news is that there are reliable resources available to guide you, from official EU documentation to practical commentary written for entrepreneurs like you.

European Commission guidance

The European Commission publishes official guidelines on the OSS scheme, including detailed instructions on record-keeping and audits. These outline the ten-year retention requirement, the mandatory data fields, and the obligation to make records electronically available to any Member State of consumption. Because they come directly from the Commission, these guidelines are the most authoritative reference when you want to confirm exactly what the law requires.

Practical guides and expert commentary

In addition to official documents, there are resources designed to make the rules more accessible. Commentators and advisors break down technical requirements into clear, actionable steps. For example, guides explain how to manage refunds under OSS, how to reconcile cross-border payments, and how to put together an internal compliance manual without overcomplicating things. These resources help you turn regulation into practice, giving you confidence that your processes will stand up to an audit.

How amavat can help

At amavat, we specialise in helping e-commerce businesses navigate the challenges of OSS and cross-border VAT compliance. On our site, you’ll find in-depth articles, practical checklists, and answers to the common questions entrepreneurs ask when dealing with VAT across multiple EU countries. Whether you need clarity on documentation, guidance on reconciliations, or advice on avoiding audits, our resources are designed to make compliance simpler and more transparent. If you are ready to strengthen your OSS processes, we invite you to explore our knowledge base and see how we can support your business as it grows across Europe.

Conclusion

VAT compliance under the OSS scheme does not need to be a source of stress. The rules are clear: records must be complete, kept for ten years, and made electronically available without delay to any Member State of consumption. What determines whether an audit feels like a crisis or a simple formality is the strength of your internal systems. Businesses that automate data capture, store information securely, and run proactive checks are far better positioned to respond quickly and confidently.

While there is no official EU-wide file format for OSS, adopting a structured approach to your data brings significant benefits. Keeping your records consistent, transparent, and easy to export makes life easier for your team, reduces the risk of mistakes, and signals to tax authorities that you take compliance seriously. Combined with regular internal audits, these practices form the strongest shield against the risk and disruption of a VAT audit.

Now is the time to review your own processes. Ask yourself whether your records can be retrieved instantly, whether your documentation tells the full story of each transaction, and whether your team knows exactly what to do if a tax authority comes calling. If the answer is no, this is the moment to make changes that will protect your business for years to come.

At amavat, we specialise in guiding e-commerce companies through OSS compliance. From practical resources to tailored support, we help you put the right systems in place so you can focus on growth while staying audit-ready. Explore our knowledge base or reach out to our team to see how we can help strengthen your OSS record-keeping today.

Iza

The author of the article is the amavat® team

amavat® is one of the leading firms providing comprehensive accounting services for Polish e-commerce companies and VAT Compliance across the European Union, the United Kingdom, and Switzerland. The company also offers a proprietary innovative application that integrates accounting with IT solutions, allowing for the optimization of accounting processes and integration with major marketplaces such as Allegro and Kaufland, as well as integrators like BaseLinker.

Ask a Question »
This publication is non-binding information and serves for general information purposes. The information provided does not constitute legal, tax or management advice and does not replace individual advice. Despite careful processing, all information in this publication is provided without any guarantee for the accuracy, up-to-date nature or completeness of the information. The information in this publication is not suitable as the sole basis for action and cannot replace actual advice in individual cases. The liability of the authors or amavat® are excluded. We kindly ask you to contact us directly for a binding consultation if required. The content of this publication iis the intellectual property of amavat® or its partner companies and is protected by copyright. Users of this information may download, print and copy the contents of the publication exclusively for their own purposes.