The compliance map: Irish SME software regulatory cheat-sheet

Irish business software touches four regulators at once. No vendor marketing page tells you which boxes they tick. This is the page that does. It anchors the live Compliance Matrix, explains what each regulator wants, and links to the categories where each rule bites hardest.

Revenue Commissioners: ROS-compatible filings and PAYE Modernisation submissions.

Central Bank of Ireland: Authorises every payment institution and e-money issuer.

Data Protection Commission: GDPR enforcement across every vendor that processes personal data.

Companies Registration Office: Supplier on the register, not struck off.

Last verified May 2026

Live data

Open the Irish Compliance Matrix

One row per vendor. One column per Irish regulatory dimension. Every cell verifiable, dated and traceable to a source. Filter by category, sort by compliance score.

The Irish reality: four regulators, one stack

Revenue Commissioners

Revenue owns every tax-adjacent integration. Your accounting software has to produce a VAT3 return and a Return of Trading Details. Your payroll software has to submit a Pay As You Earn Modernisation Payroll Submission on or before each pay date, retrieve Revenue Payroll Notifications, and, where applicable, operate Relevant Contracts Tax for the construction sector. The published Revenue list of compatible software is the canonical reference. Revenue e-invoicing under the Finance (No. 2) Act 2024 phases in over the second half of the decade, starting with large corporates and rolling down to small and medium enterprises.

Central Bank of Ireland

Authorisation under the European Union (Payment Services) Regulations 2018 (transposing PSD2) and the European Union (Electronic Money) Regulations 2011 determines who can operate a payment institution or e-money issuer in or into Ireland. The Central Bank publishes its register of regulated entities and passporting notifications. For business banking, expense management and any tool that holds client money, CBI authorisation is the floor. The Markets in Crypto-Assets Regulation (MiCAR) adds a parallel regime for crypto-asset service providers from December 2024.

Data Protection Commission

Every software vendor that touches personal data falls inside the DPC's remit under the Data Protection Act 2018 and the General Data Protection Regulation. The DPC enforces Schrems II transfer rules, breach notification timelines, Data Protection Impact Assessment requirements, and the lawful-basis tests for processing. Vendor data residency (EU only, both, or US-hosted) is the single most decision-relevant compliance field for general-purpose software and is captured per vendor in the matrix.

Companies Registration Office

The CRO maintains the legal-entity register every Irish supplier and Irish branch should appear on. A struck-off or non-compliant entity is a procurement red flag regardless of product quality. The matrix surfaces CRO Active status as a baseline trust signal.

Adjacent regimes landing in 2026 and beyond

Two regimes have moved from theoretical to operational in 2026. The Automatic Enrolment Retirement Savings System Act 2024 commenced on 1 January 2026, creating NAERSA and My Future Fund. Every payroll vendor has to retrieve Auto-Enrolment Payroll Notifications and remit phased contributions. The EU VAT in the Digital Age (ViDA) package locks in cross-border e-invoicing on the OpenPEPPOL network from July 2030, with member-state e-invoicing for domestic business-to-business transactions permitted from January 2025 and mandated by July 2028. Vendors that ship a PEPPOL Access Point integration today are future-proofed. Both regimes are tracked as live columns in the matrix.

Build your compliance shortlist

Open the matrix, filter by your software category, pin the vendors that clear your regulatory floor with the shortlist button on each vendor card, then land on the side-by-side comparison once you have two or more pinned.

How the matrix is built

The Compliance Matrix renders one row per vendor in the Vendors.ie dataset and one column per regulatory dimension. Cells are derived from each vendor's structured JSON profile. Booleans (revenue_integration, paye_modernisation, irish_bank_feeds, sepa_direct_debit, irish_iban_support) are set from vendor documentation and verified monthly by the verification cron, which uses Perplexity sonar against the live web with Claude Haiku as fallback. Pending columns (PEPPOL, Revenue-approved list, CBI authorised) wait on the ingest crons scraping the OpenPEPPOL Directory, the Revenue published software lists, and the Central Bank register respectively.

Statutory references on this page (commencement dates, contribution rates, mandate years) carry the date the page was last reviewed by the named editor below. Every vendor row carries its own last_verified_at stamp surfaced in the matrix table.
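A shortlist filter over profiles of this kind, as an added example that is not Vendors.ie code: it treats pending or stale cells as unknown and sends them to manual review instead of counting them as a pass or a fail. The profile layout, the `name` and `data_residency` keys, the use of null for pending cells and the 45-day freshness window are assumptions; the boolean field names and `last_verified_at` come from the text above.

```python
from datetime import date, timedelta

# Field names taken from this page; which ones form the floor is an assumption.
FLOOR_FIELDS = ("revenue_integration", "paye_modernisation")
MAX_AGE = timedelta(days=45)  # assumption: one monthly cron run plus slack

# Constructed sample profiles (not real vendor data).
VENDORS = [
    {"name": "vendor-a", "revenue_integration": True, "paye_modernisation": True,
     "data_residency": "EU", "last_verified_at": "2026-05-02"},
    {"name": "vendor-b", "revenue_integration": True, "paye_modernisation": True,
     "data_residency": "US", "last_verified_at": "2026-05-02"},
    {"name": "vendor-c", "revenue_integration": True, "paye_modernisation": True,
     "data_residency": "EU", "last_verified_at": "2026-01-10"},  # stale stamp
    {"name": "vendor-d", "revenue_integration": True, "paye_modernisation": None,
     "data_residency": "Both", "last_verified_at": "2026-05-10"},  # pending cell
    {"name": "vendor-e", "revenue_integration": True, "paye_modernisation": False,
     "data_residency": "EU", "last_verified_at": "2026-05-10"},
]

def cell_state(profile, field, today):
    """Return 'yes', 'no' or 'unknown' for one matrix cell."""
    value, stamp = profile.get(field), profile.get("last_verified_at")
    if not isinstance(value, bool) or not isinstance(stamp, str):
        return "unknown"  # pending column, wrong type, or never verified
    try:
        verified = date.fromisoformat(stamp)
    except ValueError:
        return "unknown"  # unparseable stamp
    if verified > today or today - verified > MAX_AGE:
        return "unknown"  # future-dated or stale: the claim needs re-checking
    return "yes" if value else "no"

def shortlist(vendors, floor, residency_ok, today):
    """Split vendors into (passed, needs_review); verified failures are dropped."""
    passed, review = [], []
    for v in vendors:
        states = [cell_state(v, f, today) for f in floor]
        residency = v.get("data_residency")
        if "no" in states or (residency is not None and residency not in residency_ok):
            continue  # freshly verified failure of the floor
        if "unknown" in states or residency is None:
            review.append(v["name"])
        else:
            passed.append(v["name"])
    return passed, review

if __name__ == "__main__":
    print(shortlist(VENDORS, FLOOR_FIELDS, {"EU", "Both"}, date(2026, 5, 20)))
```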

Irish software compliance - frequently asked questions

What each regulator wants, and where it bites your stack.

Which Irish regulator owns business software compliance?
No single regulator. Revenue Commissioners owns tax-adjacent software (ROS filings, PAYE Modernisation, VAT3, RCT, Revenue e-invoicing). The Central Bank of Ireland (CBI) authorises payment institutions, e-money issuers and any vendor providing regulated financial services. The Data Protection Commission (DPC) enforces GDPR across every software vendor that processes personal data, which is effectively all of them. The Companies Registration Office (CRO) maintains the legal-entity register every vendor should appear on. Auto-Enrolment adds NAERSA from January 2026, and the upcoming EU e-invoicing mandate adds OpenPEPPOL from 2028. A single piece of software typically touches three of these regimes at once.
What does "Revenue-approved" actually mean?
Revenue does not certify accounting or payroll software in the way a notified body certifies medical devices. What "Revenue-approved" means in practice is that the vendor has implemented and tested against the Revenue Online Service (ROS) APIs covering Pay As You Earn Modernisation Payroll Submissions, Revenue Payroll Notifications, VAT3 returns, the Return of Trading Details, and, where applicable, Relevant Contracts Tax. Revenue publishes lists of compatible payroll and accounting software on revenue.ie. The Compliance Matrix flags each vendor by whether it appears on those lists or has published documentation confirming the integration.
When does the EU e-invoicing mandate apply to Irish businesses?
The European Commission VAT in the Digital Age (ViDA) package legislates mandatory cross-border e-invoicing on the OpenPEPPOL network from July 2030, with member-state e-invoicing for domestic business-to-business transactions allowed from January 2025 and mandated by July 2028 under the standard transposition window. The Department of Finance has signalled Ireland will align with the EU timeline rather than front-running it. Vendors that ship a PEPPOL Access Point or Service Provider integration today are future-proofed. The matrix flags PEPPOL readiness per vendor as the OpenPEPPOL Directory sync lands.
Does Central Bank of Ireland authorisation apply to my accounting software?
Not directly. Accounting and payroll software is not a regulated activity under the Central Bank Act. CBI authorisation matters when your stack includes a payment institution (open banking aggregator, payment processor), an e-money issuer (business prepaid card), or a crypto-asset service provider under the Markets in Crypto-Assets Regulation. Revolut Business and Wise Business are authorised in their home regimes and operate in Ireland under EU passporting. The matrix flags CBI authorisation against the vendors where it is materially relevant, not as a universal column.
How does GDPR data residency affect my software choice?
The General Data Protection Regulation does not require EU data residency, but the Data Protection Commission enforces the lawful-transfer rules under Schrems II. Vendors that host data inside the European Economic Area without onward transfer to the United States face the lowest compliance burden. Vendors that host in the United States need a transfer mechanism (Standard Contractual Clauses plus a Transfer Impact Assessment, or reliance on the EU-US Data Privacy Framework). The matrix marks vendors EU, Both, or US so you can match residency posture to your own risk appetite without re-reading the contract.
What is the CRO Active status check for?
The Companies Registration Office maintains the legal-entity register for every company trading from Ireland. A vendor whose Irish entity is struck off, in liquidation, or otherwise non-compliant on annual returns is a procurement risk regardless of how good the product is. The matrix flags CRO status as a baseline trust signal. It is the cheapest piece of due diligence available and the one most commonly skipped.
How often is the compliance data verified?
Every cell is dated. Vendor profiles carry a last_verified_at stamp updated by the monthly verification cron, which uses Perplexity sonar (with Claude Haiku fallback) to check each compliance boolean against the vendor's current documentation. Statutory references (commencement dates, contribution rates, mandate years) carry the date this page was last reviewed by the named editor. Live registers (CRO, CBI, OpenPEPPOL, Revenue published lists) are scraped on their own cadence per the GitHub Actions cron workflows.