The KSeF invoice issuer certificate: what changes in 2025/2026 and how to get your organisation ready

Mandatory KSeF is around the corner, and with it comes a new building block in Poland’s e-invoicing landscape: the invoice issuer certificate. Starting 1 November 2025, taxpayers will be able to request the certificate directly in the KSeF portal via the Certificates & Authorisations Module. While the term sounds technical, the goal is simple: make authentication safer and smoother across invoicing tools — including when you need to work offline.

Why a certificate — and why now?

For years, many KSeF users have relied on tokens. They work, and they will continue to work through 31 December 2026. Certificates, however, raise the bar for security and operational convenience. Think of them as an electronic proof of identity: your systems and invoicing app can trust that the person or entity behind an operation is exactly who they claim to be. In practice this unlocks cohesive sign-in, simpler integrations and, crucially, offline issuing of invoices with a QR code that confirms authenticity and integrity. Once the connection is back, the app can push the document to KSeF.

Who can apply — and how does the process look?

Individuals listed in ZAW-FA and individuals with ownership permissions in KSeF can take the shortest route. Entities with a NIP — for example limited companies — can also apply, provided they use a qualified e-seal for authentication in KSeF. The flow starts with authenticating in KSeF (trusted signature, qualified e-signature or e-seal), then filing an application in MCU with personal or entity data that exactly match your current authentication details. After processing, the certificate becomes available for download and immediate use.

Certificates can be issued to a person (identified by NIP in the case of sole proprietors or by PESEL when the person has KSeF permissions) or to an entity (e.g., a company identified by NIP). This distinction matters: it determines responsibility for handling and using the certificate and shapes how you design access rules.

Personal vs entity certificates — governance matters

A personal certificate can be requested, downloaded and used only by that specific person. This model is perfect for sole proprietors or owner-operators. An entity certificate, on the other hand, is not tied to any particular employee. It is convenient, but it calls for solid governance: keep a register of issued certificates, define how they are assigned and revoked, monitor usage and maintain a clear revocation procedure. In short, your organisation should always know who used which certificate, when and for what purpose — and be able to prove it.

Tokens aren’t gone — until 31 December 2026

The Ministry of Finance is not switching tokens off the moment certificates arrive. Throughout 2026, tokens and certificates will coexist, giving you time to plan migration, test integrations and train your team. The switch happens on 1 January 2027, when tokens are expected to be disabled. The conceptual difference is simple: a token carries a set of permissions declared at generation time, whereas a certificate primarily provides authentication; permissions come from roles configured in KSeF and in your own systems.

A practical, low-stress rollout

Start with an access policy. Decide who should use a personal certificate and who should rely on an entity certificate, and define how offline issuing and QR verification will work in your invoicing app. Maintain a certificate register with the identifier, owner, purpose, issuance and revocation dates and storage location. On security, aim high: store certificates and keys in an encrypted vault, limit copying, enable MFA where possible and rotate secrets regularly. Document an incident response plan for suspected compromise — who revokes the certificate, how fast, via which channel — and how you restore invoicing continuity.

Then move on to testing and training. With your software vendor, verify that offline issuing and QR validation work end-to-end. Update internal SOPs — short, screen-by-screen guides are best — and hold a team Q&A to clear up edge cases.

Dates that matter

You can apply for certificates in MCU from 1 November 2025. Between 1 February 2026 and 31 December 2026, tokens and certificates work in parallel, giving you a comfortable window to transition. On 1 January 2027, tokens are expected to be switched off and certificates become the default way to authenticate within KSeF.

Bottom line: less friction, more control

The invoice issuer certificate isn’t red tape. It’s a practical way to align identity, simplify integrations and keep invoicing moving when the internet doesn’t — without sacrificing security. For sole proprietors, the path is straightforward: apply, download, deploy. For companies, success hinges on clear policy and a tidy certificate register. Either way, from 2026 onwards this will be the new normal.

Source and further details: https://ksef.podatki.gov.pl//ksef-na-okres-obligatoryjny