The responsibilities of the software supplier
In principle, the supplier is responsible for the entire cash register system being compliant with the new cash register system legislation. In a chain comprising manufacturer, importer, dealer, partner and so forth, it will be the party who last changes the software before the sale to the entity subject to a bookkeeping obligation who is considered the supplier and who must submit a product declaration for the cash register system. The supplier is responsible for the cash register system's compliance with the Cash Register Systems Act and Regulations.
Transfer of responsibility
Some suppliers only offer the software for a cash register system, while the entity subject to a bookkeeping obligation itself takes care of other components. By agreement with the entity subject to a bookkeeping obligation, the supplier can transfer responsibility for the cash register system's other components, such as:
- Operating system and file system
- Hardware such as PCs, printers, cash drawers etc.
- Other, such as middleware, configuration, clock setting
The agreement must specify which components in the cash register system the entity subject to a bookkeeping obligation will be responsible for. The entity subject to a bookkeeping obligation can never assume responsibility for the software, since in-house development of cash register systems is not permitted. The entity subject to a bookkeeping obligation will always be responsible for the secure retention of the electronic journal.
Securing of electronic logs by digital signature
Under Section 2-7 (1) of the Cash Register Systems Regulations, the electronic journal must be secured against alteration and deletion. Secure storage of electronic journals can be provided through access controls and/or integrity checks. A reference is made in the comments on this provision to chapter 5 of NBS 1 – Safeguarding of accounting material. The requirement there is:
The entity subject to a bookkeeping obligation shall implement measures to reduce to an acceptable level the risk of alteration, deletion, damage and loss of accounting material for which there is a retention obligation.
This means that electronic journals must be secured through both access controls and integrity checks. Integrity checks shall be performed using digital signatures in the software and will always be the supplier's responsibility. The requirement for this is set out in the document Requirements and guidelines for implementing digital signatures for transactions in cash register systems (PDF).
In cases where the supplier has operational responsibility and access control, and where only the user interface with the cash register system is accessible to the entity subject to the bookkeeping obligation, there will be no requirement for an integrity check through a digital signature. It must then not be possible for the entity that is subject to a bookkeeping obligation to gain access to the electronic journal other than via the functions in the application/software.