DAC6 and DAC7: EU Tax Reporting and Audit Implications

DAC6: what triggers a reporting obligation

DAC6 requires the mandatory disclosure of cross-border tax arrangements that meet at least one of five categories of hallmarks (A through E). The obligation falls on “intermediaries” (advisors, banks, law firms, tax consultants who design, market, organise, or manage the arrangement) and, in specified circumstances, on the taxpayer directly. The reporting deadline is 30 days from the earlier of: the day the arrangement is made available for implementation, the day it is ready for implementation, or the day the first step in implementation is taken.

Not every cross-border arrangement is reportable. The hallmarks target specific risk indicators. Category A covers generic hallmarks (confidentiality conditions, fee arrangements linked to tax savings), but these only trigger reporting when paired with the main benefit test: one of the main benefits of the arrangement must be obtaining a tax advantage. Specific hallmarks tied to the main benefit test fall under Category B (arrangements that convert income into a lower-taxed category, circular transactions). Category C covers cross-border payments to related parties in low-tax jurisdictions or jurisdictions with preferential regimes. Categories D and E cover arrangements that undermine Common Reporting Standard (CRS) reporting and opaque beneficial ownership structures.

The practical difficulty is that Categories C, D, and E trigger reporting without the main benefit test. Any cross-border payment to a related party in a jurisdiction with a preferential tax regime (Hallmark C1) is reportable regardless of whether tax savings were a main purpose. This means a standard intercompany licence fee between a Dutch parent and an Irish IP subsidiary may be reportable solely because Ireland applies a preferential IP regime (the Knowledge Development Box). Finance teams overlook this because the arrangement feels routine rather than aggressive.

The intermediary reports first. But if no intermediary exists (because the arrangement was designed in-house), or if the intermediary claims legal professional privilege (which several EU member states allow), the reporting obligation transfers to the taxpayer. Your client may have a filing obligation it doesn’t know about. The penalty for non-filing varies by member state: €25K to €100K in the Netherlands (depending on the degree of culpability), up to €250K in Germany, and up to €300K in Poland.

DAC7: who is a platform operator and what must they report

DAC7 applies to “reporting platform operators” that facilitate “relevant activities” by sellers. Relevant activities include the sale of goods, personal services, rental of immovable property, and rental of transport. The definition of “platform operator” is broad: any entity that contracts with sellers to make all or part of a platform available to them. If your client operates a marketplace, a booking platform, a freelancer matching service, or a rental listing site, DAC7 likely applies.

The reporting obligation requires the platform operator to collect specified information about each reportable seller (name, address, tax identification number, date of birth for individuals, business registration number for entities) and report it to the tax authority of the member state where the platform operator is registered or has a permanent establishment. Reporting is annual, due by 31 January for the preceding calendar year. The first reporting deadline was 31 January 2024 for activity in calendar year 2023.

Sellers become “reportable” once they exceed a de minimis threshold: more than 30 transactions or more than €2,000 in consideration during the reporting period for sellers of goods. For services, rental of property, and rental of transport, all sellers are reportable regardless of volume.

The platform operator must also perform due diligence procedures on sellers to collect and verify the required information. If the seller doesn’t provide a tax identification number, the platform operator must make two requests and, if unsuccessful, report the seller without the TIN and flag the account.

The compliance burden is operational, not conceptual. The challenge isn’t understanding the rules. It’s building the data collection infrastructure, running the due diligence, producing the XML reporting file in the prescribed schema, and submitting it on time. For a platform operator with 15,000 sellers across six EU jurisdictions, the data quality requirements alone are a significant undertaking.

Before and after: what DAC6 and DAC7 changed for your audit file

Before DAC6 (transposition deadlines varied by member state, with most implementing between July 2020 and January 2021), cross-border tax arrangements existed in a disclosure-optional environment. Aggressive tax planning was a matter of professional judgment and reputational risk. After DAC6, certain cross-border arrangements are subject to mandatory disclosure with financial penalties for non-compliance. The shift is from soft law to hard law with defined deadlines and quantified penalties.

Before DAC7 (effective 1 January 2023), platform operators had no standardised tax reporting obligation for seller activity. Individual sellers were responsible for their own tax compliance.

After DAC7, the platform operator must collect, verify, and report seller data to tax authorities. The shift is from a bilateral obligation (seller to tax authority) to a trilateral one (seller to platform, platform to authority, authority to other authorities through automatic exchange). For your audit, this means the platform operator now has a compliance cost, a data quality risk, and a penalty exposure that didn’t exist two years ago.

What you actually need to do on the file has changed in two ways. First, ISA 250.14 now requires you to consider DAC6 and DAC7 compliance as laws with a direct effect on the financial statements (because non-compliance creates penalties that are provisions or contingent liabilities). Second, your risk assessment under ISA 315.12 should identify whether the entity has cross-border arrangements that may trigger DAC6 hallmarks or operates a platform within the DAC7 scope. If the entity has no process for identifying reportable arrangements, that’s an internal control deficiency you should communicate under ISA 265.9.

How to assess penalty exposure under IAS 37

When you identify potential DAC6 or DAC7 non-compliance, the financial statement implications follow IAS 37.14. A provision is required when three conditions are met: a present obligation exists as a result of a past event, an outflow of resources is probable, and the amount can be reliably estimated.

For DAC6, the past event is the failure to file a reportable arrangement within 30 days. The obligation is the penalty imposed by the tax authority. Whether an outflow is probable depends on whether the tax authority is likely to identify the non-filing. In jurisdictions with active enforcement (the Netherlands, Germany, France), the probability is materially higher than in jurisdictions where enforcement infrastructure is still developing.

The amount is estimable because penalty ranges are published in the implementing legislation.

If an outflow is possible but not probable, IAS 37.86 requires disclosure of a contingent liability unless the possibility of outflow is remote. For a client with multiple cross-border arrangements where DAC6 analysis has never been performed, the contingent liability disclosure may be the appropriate treatment until the entity completes its assessment.

For DAC7, the penalty structure is similar but the enforcement mechanism is more automated. Tax authorities receive the platform operator’s report (or notice its absence) through the automatic exchange framework. A platform operator that fails to file faces penalties that compound: initial non-filing penalties followed by escalating penalties for continued non-compliance. In the Netherlands, the penalty for non-compliance with DAC7 is up to €900K for entities (Algemene wet inzake rijksbelastingen, Article 67b). The amount depends on severity, duration, and culpability.

Your assessment should quantify the exposure range (minimum to maximum penalty per jurisdiction), assess probability by considering the enforcement posture of each relevant tax authority, and determine whether a provision or contingent liability disclosure is appropriate. If the entity’s DAC6/DAC7 position involves significant judgment (for example, whether a particular arrangement meets a hallmark), consider whether IAS 37.92’s restriction on disclosure applies (the entity may argue that disclosure would seriously prejudice its position in a dispute with the tax authority). This exception is narrow and rarely applicable, but your file should document why it was or wasn’t invoked.

ISA 250: testing compliance with DAC6 and DAC7

ISA 250.14 requires you to obtain sufficient appropriate audit evidence about compliance with laws and regulations that directly affect the financial statements. DAC6 and DAC7 fall into this category because non-compliance generates penalties that are either provisions or contingent liabilities.

For DAC6, your procedures should include the following. Enquire of management and tax advisors whether the entity has cross-border arrangements that meet any of the five hallmark categories. Review the entity’s DAC6 register (if one exists) and assess its completeness by comparing it to the intercompany transaction register, the list of related party transactions, and any restructuring or planning transactions completed during the period. Arrangements already in the register need verification that the 30-day filing deadline was met. Arrangements that should be in the register but aren’t require a penalty exposure assessment.

DAC7 procedures are different because the obligation is operational rather than transaction-specific. Confirm whether the entity operates a “platform” within the DAC7 definition. If yes, obtain the entity’s DAC7 compliance documentation: the list of reportable sellers, the due diligence records, the XML filing confirmation, and the submission receipt from the tax authority. Test a sample of sellers for completeness and accuracy of the reported information (TIN, name, address, transaction totals). Assess whether the entity’s systems captured all relevant transactions during the reporting period.

ISA 250.19 requires you to evaluate the effect of identified non-compliance on the financial statements. If non-compliance is identified, quantify the penalty exposure, assess whether a provision or contingent liability is required, evaluate whether the non-compliance indicates a deficiency in the entity’s compliance monitoring process, and consider the implications for the auditor’s report under ISA 250.26.

Worked example: auditing a Dutch entity with DAC6 exposure

Client: Vermeer Digital Solutions B.V., a Dutch technology company (€45M revenue) with subsidiaries in Ireland (IP holding, €8.2M in inbound royalties from the Dutch parent), Cyprus (sales and marketing hub, €3.1M in management fees from the parent), and India (development centre, €6.5M in service fees from the parent). The entity also operates a B2B software marketplace connecting independent consultants with enterprise clients (approximately 2,200 active sellers in the Netherlands, Germany, and France).

1. Assess DAC6 exposure for cross-border arrangements

Three intercompany arrangements to evaluate:

The royalty payment to Ireland (€8.2M). Ireland applies the Knowledge Development Box, a preferential IP regime. Hallmark C1 (cross-border deductible payment to associated enterprise in a jurisdiction with a preferential regime) applies. This arrangement is reportable regardless of the main benefit test. Check the entity’s DAC6 register: the arrangement was filed with the Belastingdienst in March 2023, within 30 days of the arrangement being made available. Filing confirmed.

The management fee to Cyprus (€3.1M). Cyprus has a standard corporate tax rate of 12.5% (effective 2023, increased from 10% under the Budget Law). The Hallmark C1 analysis depends on whether Cyprus applies a “preferential regime” to the specific income. Management fees are taxed at the standard rate. Hallmark C1 does not apply. However, Hallmark C4 (transfer of functions, risks, or assets where projected annual EBIT is less than 50% of projected annual EBIT if the transfer hadn’t occurred) should be assessed if the Cyprus entity was recently established and functions were transferred. The entity was established in 2021 with a transfer of the EMEA sales function. Hallmark C4 applies. Check the register: filed in October 2021.

The service fee to India (€6.5M). India is not an EU member state, but DAC6 applies to arrangements where at least one participant is in an EU member state. The service fee arrangement lacks hallmark triggers: no preferential regime, no confidentiality conditions, no conversion of income type. Not reportable.

2. Assess DAC7 obligations for the software marketplace

Vermeer operates a B2B marketplace connecting consultants with clients. This falls within the DAC7 definition of “relevant activity” (personal services). Vermeer is the reporting platform operator.

The entity has 2,200 active sellers. Under the DAC7 de minimis rules, all sellers providing services are reportable (no 30-transaction or €2,000 threshold for services). Obtain the entity’s DAC7 compliance file: the seller list, due diligence records (TIN collection), the XML filing, and the submission confirmation.

Test a sample of 25 sellers: verify that name, address, TIN, and transaction totals are accurately reported. Two sellers have missing TINs. Check that the entity made the required two requests and documented the attempts. Both sellers were flagged in the filing as “TIN not available after two requests.” Compliant.

Verify the filing was submitted to the Belastingdienst by 31 January 2024. Submission receipt confirms filing on 28 January 2024. Compliant.

3. Assess penalty exposure and financial statement impact

No DAC6 or DAC7 non-compliance identified. No provision or contingent liability required. However, document the assessment: three cross-border arrangements were analysed for DAC6 hallmarks, two were reportable and both were filed on time, one was not reportable. The DAC7 filing was completed before the deadline with adequate due diligence.

A reviewer examining this file sees a systematic hallmark analysis for each cross-border arrangement, DAC7 sample testing with documented results, filing confirmations, and a clear conclusion that no penalty exposure exists.

Practical checklist for DAC6 and DAC7 audit procedures

1. Obtain the entity’s intercompany transaction register and identify all cross-border arrangements involving deductible payments, transfers of functions or assets, and arrangements with entities in jurisdictions with preferential tax regimes. Assess each against the five DAC6 hallmark categories (A through E).
2. For each reportable arrangement, verify that the disclosure was filed within 30 days of the trigger event and that the entity retained the filing reference. If an intermediary filed on the entity’s behalf, obtain confirmation from the intermediary.
3. Determine whether the entity operates a platform within the DAC7 definition. If yes, obtain the DAC7 compliance file (seller list, due diligence documentation, XML filing, submission confirmation) and test a sample of reportable sellers for data accuracy and completeness.
4. If non-compliance is identified, quantify the penalty exposure by jurisdiction using the published penalty ranges in the implementing legislation. Apply IAS 37.14 to determine whether a provision is required (present obligation, probable outflow, reliable estimate) or whether contingent liability disclosure under IAS 37.86 is appropriate.
5. Communicate any non-compliance to those charged with governance under ISA 250.23. If the non-compliance is material to the financial statements (because the penalty exposure requires a provision or changes the tax position), evaluate the effect on the auditor’s report under ISA 250.26.
6. For entities that have never performed a DAC6 hallmark assessment, communicate the internal control deficiency under ISA 265.9. The absence of a process to identify reportable arrangements is a deficiency regardless of whether any arrangements turn out to be reportable.

Common mistakes

• Limiting the DAC6 assessment to “aggressive” arrangements and ignoring routine intercompany transactions. Hallmark C1 (cross-border payments to related parties in preferential regimes) applies without the main benefit test. Standard royalty payments to Ireland or Luxembourg subsidiaries are frequently reportable even when the arrangement has genuine economic substance. The Belastingdienst’s 2023 guidance specifically confirmed that routine transfer pricing arrangements can trigger C1.
• Assuming the intermediary has filed and not verifying. ISA 250.14 requires you to obtain audit evidence of compliance. An assertion from management that “our tax advisor handled it” is not sufficient evidence. Obtain the filing reference or confirmation from the intermediary.
• Overlooking the DAC7 obligation for B2B platforms. Finance teams sometimes assume DAC7 only applies to consumer marketplaces (Airbnb, Uber). The directive covers any platform facilitating the sale of goods, personal services, rental of property, or rental of transport. A B2B freelancer marketplace, a commercial property listing site, or an equipment rental platform all fall within scope.

Related content

Frequently asked questions

Further reading and source references

• Directive 2018/822 (DAC6): the EU mandatory disclosure regime for cross-border tax arrangements, including hallmark definitions (Annex IV) and reporting obligations.
• Directive 2021/514 (DAC7): the EU reporting framework for digital platform operators, including platform operator definitions, due diligence requirements, and reporting schemas.
• IAS 37, Provisions, Contingent Liabilities and Contingent Assets: paragraphs 14 and 86 on provisioning and disclosure of penalty exposure.
• ISA 250, Consideration of Laws and Regulations in an Audit of Financial Statements: paragraphs 14 and 19 on testing compliance and evaluating financial statement effects.
• ISA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management: paragraph 9 on communicating deficiencies in compliance monitoring processes.
• ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement: paragraph 12 on identifying compliance-related risks in the risk assessment.