ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

REPUDIATION

The cryptographic guarantee that a party cannot deny what they did — sending, receiving, processing — with an EDI message.

Definition

The NIST glossary (CSRC) defines non-repudiation as: "Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information". The ISO/IEC 13888 standard (in three parts: -1 General, -2 Symmetric, -3 Asymmetric) formalises the property and its sub-classes:

  • NRO — Non-repudiation of Origin: the sender cannot deny having sent. Provided by a sender's signature on the message.
  • NRR — Non-repudiation of Receipt: the receiver cannot deny having received. Provided by a receiver-signed acknowledgment containing a MIC/hash of the received message.
  • NRS — Non-repudiation of Submission: an intermediary delivery (VAN, Access Point) cannot deny having taken charge.
  • NRD — Non-repudiation of Delivery: the intermediary cannot deny having delivered.

In EDI: AS2 provides NRO (sender S/MIME signature) + NRR (signed MDN with MIC). OFTP2 provides NRO + NRR via signed EERP. AS4 provides NRO + NRR via signed SOAP receipt. XAdES (on UBL or CII) provides long-term archivable NRO. The transport + XAdES combination covers the eIDAS requirement for a qualified electronic invoice.

Origin

The concept appeared in the security literature in the 1980s with the first works on digital signature (Diffie-Hellman 1976, RSA 1978). RFC 1421-1424 (Privacy Enhanced Mail, 1993) laid practical foundations. ISO/IEC 13888 (1997-1998, reworked 2009) set the international terminology. In EDI, AS1 (RFC 3335, 2002) then AS2 (RFC 4130, 2002) industrialised the use with signed MDN. Directive 1999/93/EC then Regulation eIDAS 910/2014 transposed the requirement into European law for B2B invoicing.

Example in context

Commercial dispute between a supplier and customer: the customer asserts they never received INVOIC F-2026-0512. The supplier produces their AS2 archive: signed copy of the original INVOIC, customer's signed MDN with SHA-256 MIC identical to the INVOIC hash, customer's X.509 certificate still valid at the MDN date. Non-repudiation of receipt is established: the customer cannot deny. Legally sufficient in France, Germany, and most EU countries.

  • MDN — the NRR instrument in AS2.
  • AS2 — the most-deployed protocol providing NRO+NRR.
  • XAdES — the long-term archivable signature.
  • Audit trail — where the proof is captured.

Last updated: May 14, 2026