Workspaces
Back to blog
POSRestaurantsCafésBars

TSE, GoBD, KassenSichV — what you actually need to know as a restaurant owner in Germany

TSE, GoBD, KassenSichV: What German POS compliance means for your restaurant in 2026 — explained in plain English.

Fynn Blömer|
|
12 min read
TSE, GoBD, KassenSichV — what you actually need to know as a restaurant owner in Germany

You got into hospitality to serve food, not to study tax law. But if you're running a restaurant, cafe, or bar in Germany, there are a few things you need to know so the Finanzamt (tax office) doesn't come knocking.

Three acronyms matter: TSE, GoBD, and KassenSichV. They sound like peak German bureaucracy, and they are. But behind them are rules that directly affect your business. Ignore them and it gets expensive. Understand them and it's actually pretty straightforward.

I worked in restaurants, brewhouses, and hotels before I started building software. I know you don't want to read legal paragraphs after a long shift. So here's everything explained the way I wish someone had explained it to me back then: clear, compact, no legal jargon.

What is the TSE, and why does it exist?

TSE stands for Technische Sicherheitseinrichtung (Technical Security Device). It's a module, either a piece of hardware (a small USB stick or chip in your terminal) or a cloud-based solution, that sits inside your POS system and cryptographically signs every single transaction to make it tamper-proof.

Here's what happens in practice: every time you create a receipt, whether it's 2.80 euros for an espresso or 347 euros for a corporate dinner, the TSE generates a cryptographic signature. Think of it as a digital fingerprint: unique, immutable, verifiable. On top of that, every transaction gets a sequential transaction number and a timestamp.

Why does this exist? The German government wants to prevent tax evasion at the register. Before the TSE requirement, it was technically possible to delete or alter revenue records after the fact — so-called Kassenmanipulation (register manipulation). Estimates put the resulting tax losses at several billion euros per year. The TSE makes this practically impossible because any change would break the signature chain.

Hardware TSE vs. Cloud TSE

There are two variants, both of which must be certified by the BSI (Bundesamt fur Sicherheit in der Informationstechnik — Germany's Federal Office for Information Security):

  • Hardware TSE: A physical chip or USB stick connected directly to your POS terminal. Works offline, but needs to be replaced when the certificate expires.
  • Cloud TSE: Signing happens via a certified server. Advantage: no physical device that can break. Updates happen automatically. Disadvantage: requires an internet connection (short outages are bridged with a local buffer).

Both variants are equally valid, and you don't need to choose one yourself. Your POS system typically dictates which TSE variant is built in or connected. The only thing that matters: it must be BSI-certified.

GoBD: the rules for digital bookkeeping

GoBD stands for Grundsatze zur ordnungsgemassen Fuhrung und Aufbewahrung von Buchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff (Principles for the Proper Management and Storage of Books, Records, and Documents in Electronic Form and for Data Access). Yes, the name is as long as a Sunday roast recipe. At its core, GoBD defines how you must manage, store, and make accessible your business data in digital form.

GoBD doesn't just apply to hospitality. It covers every business in Germany that keeps electronic records. For you as a restaurant owner, it's relevant because your POS system is a central bookkeeping instrument.

The five GoBD principles

Every transaction in your system must meet these five criteria:

  1. Orderly: Recording follows a traceable system. No loose notes, no spreadsheets instead of a proper register.
  2. Complete: Every business transaction is recorded. No receipt may be missing. Cancellations, refunds, and tips must all be documented.
  3. Accurate: What's in the system must reflect what actually happened. 7% VAT on food, 19% on beverages — and it has to be correct.
  4. Timely: Transactions are recorded promptly. In practice, this means: register transactions immediately, not at the end of the week.
  5. Traceable: A qualified third party, meaning a tax auditor, must be able to understand and follow the records.

Immutability

This is the point that matters most in practice: once data is saved, it cannot be changed. If you void a receipt, the void is recorded as its own transaction, and the original receipt stays intact. Your POS system must enforce this technically. This is exactly where the TSE comes in.

Retention requirements

All tax-relevant data must be retained for 10 years, in a machine-readable format. That means: not as a screenshot, not as a printed PDF, but as structured data that the tax office can read during an audit.

KassenSichV: the regulation that ties it all together

The KassenSichV (Kassensicherungsverordnung, or Cash Register Security Regulation) is the regulation that puts TSE and GoBD into practice for POS systems specifically. It spells out in detail what your system must be able to do. The legal basis is Section 146a of the Abgabenordnung (AO — the German fiscal code).

The three core obligations under KassenSichV

1. TSE requirement

Every electronic POS system must use a certified TSE. No exception for small businesses, no transition period left. The requirement has been fully in effect since January 1, 2023. This applies to you whether you run a fine-dining restaurant, a doner kebab shop, or a cocktail bar.

Important note: the TSE requirement kicks in as soon as you use an electronic POS system. A pure offene Ladenkasse (open cash register — a cash drawer with handwritten records) is not subject to the TSE requirement, but in hospitality in 2026, that's hardly practical anymore.

2. Belegausgabepflicht (receipt obligation)

You must offer every guest a receipt for every transaction. You don't have to force it on them, but you must offer it. The guest can decline. But you must generate and have the receipt ready. This can be a printed receipt or a digital one (e.g., a QR code, email, or display).

The receipt must include, among other things:

  • Name and address of your business
  • Date and time
  • Quantity and type of items (e.g., "2x Schnitzel, 1x Weizen")
  • Gross amount and applicable VAT rate
  • Transaction number and serial number of the TSE
  • Signature counter and verification value

Most modern POS systems print all of this on the receipt automatically. You don't need to worry about the technical details yourself. Still, you should know that these details are mandatory.

3. Kassenmeldepflicht (registration obligation)

You must register your POS system with your local Finanzamt (tax office):

  • Within one month of acquisition
  • Within one month of decommissioning

The registration is done electronically and includes details like your tax number, type of system, TSE serial number, and acquisition date. Your tax advisor can help with this, or you can use the ELSTER portal (Germany's electronic tax filing system).

DSFinV-K: the export format for audits

DSFinV-K stands for Digitale Schnittstelle der Finanzverwaltung fur Kassensysteme (Digital Interface of the Tax Administration for POS Systems). It's a standardized data format that your POS system must be able to export all transaction data in. When the tax office conducts an audit, this is exactly the export they request.

Think of DSFinV-K as a common language: regardless of whether you use Kotao, another system, or a custom solution, the tax administration expects data in this exact format. Your POS system must support it. If it doesn't, you have a problem.

The DATEV export is a separate thing: that one goes to your tax advisor. DSFinV-K goes to the tax office. Both are important, but for different purposes.

What happens if you're not compliant?

This is where it gets serious. The consequences for violating TSE, GoBD, or KassenSichV requirements are not theoretical worst cases. They happen.

Kassennachschau (unannounced POS audit)

Since 2018, the Finanzamt can conduct a Kassennachschau — an unannounced POS audit during business hours. An auditor walks into your restaurant, shows their ID, and wants to see your POS system. They check:

  • Is a TSE present and active?
  • Are receipts generated correctly?
  • Can data be exported in DSFinV-K format?
  • Do the register reports match the actual cash on hand?
  • Are there gaps in the receipt numbering?

This can take 30 minutes or an entire day. The auditor is also allowed to take data with them on a USB stick.

Hinzuschatzung (revenue estimation)

This is the consequence that hurts the most. If the Finanzamt determines that your register records are not in order — for example because the TSE is missing, data is incomplete, or the DSFinV-K export doesn't work — they are allowed to estimate your revenue. And the estimate typically does not work in your favor.

In practice, this means: the tax office adds a flat 10 to 30 percent on top of your declared revenue. On this fictional additional revenue, you then owe VAT, income tax, and potentially trade tax. For a restaurant doing 500,000 euros in annual revenue, that can quickly add up to 50,000 to 150,000 euros in back taxes, plus interest.

Fines

Section 379(6) of the Abgabenordnung provides for fines of up to 25,000 euros per violation for breaches of Section 146a AO (the POS regulations). That sounds like a theoretical maximum, but with repeated or systematic violations, it adds up.

On top of that, Section 379(4) AO allows fines of up to 5,000 euros for individual receipt violations (e.g., receipts not generated correctly).

Worst case

If there is suspicion of systematic tax evasion — meaning the tax office believes you are deliberately manipulating records — it becomes a criminal matter. That can lead to formal investigations, substantial fines, and in extreme cases, prison sentences. But that's a different topic and doesn't apply to the restaurant owner who simply hasn't updated their POS system yet.

Bottom line: non-compliance is not a minor offense. It doesn't have to escalate to the worst case, but even a Hinzuschatzung alone can push a small business to the brink.

Checklist: is your POS system compliant?

Go through these points. If you can check off every one, you're in good shape:

  • Does your system have a certified TSE? Hardware or cloud, doesn't matter — it must be BSI-certified and actively running. Ask your provider for the certificate.
  • Can your system export DSFinV-K? Not just any CSV, but the standardized format required by the tax administration. Test it: ask to see the export at least once.
  • Are receipts generated automatically? A receipt must be created for every transaction, even if the guest doesn't take it.
  • Is your POS system registered with the Finanzamt? Registration must happen within one month of going live. Have you done that?
  • Is all data accessible for a Kassennachschau? Daily closing reports, transaction history, voids, Z-reports: everything must be retrievable.
  • Are transactions stored immutably? Check that your system records voids as separate transactions and does not allow retroactive deletions.
  • Are your retention obligations met? 10 years, machine-readable. Where is your data stored? Do you have backups?
  • Are the correct VAT rates configured? 7% on food (note the distinction between dine-in and takeaway), 19% on beverages. Is your configuration right?

If you're unsure about any of these, talk to your POS provider or tax advisor — before the Finanzamt shows up.

What to look for in a new system

If you're considering switching your POS system or getting an electronic system for the first time, there are a few criteria that are non-negotiable in 2026:

TSE integrated from day one

The TSE should be a built-in part of the system, not a module you buy separately and retrofit. Retrofit solutions regularly cause compatibility issues, and in the worst case, the TSE isn't working correctly without you even noticing.

Automatic DSFinV-K export

You don't want to manually gather data every time there's an audit. Your system should generate the DSFinV-K export at the push of a button — complete and in the correct format.

Cloud backup

If your POS terminal gets stolen, dropped, or water-damaged, your data still needs to be available. Cloud backup isn't a luxury; it's essential, because the 10-year retention obligation applies regardless of what happens to your hardware.

Clear documentation

Your provider should supply a Verfahrensdokumentation (procedural documentation) or at least support you in creating one. This document describes how your POS system works, what processes you follow, and how data is secured. The Finanzamt can request it during an audit.

Regular updates

Tax law changes. VAT rates can be adjusted (as happened with the temporary VAT reduction in 2020/2021), and new requirements can be introduced. Your system must be able to reflect these changes promptly, ideally through automatic updates.

European hosting and data privacy

Your POS data contains sensitive business information. Make sure your provider hosts data in Europe and operates in compliance with GDPR. That sounds obvious, but with international providers, it isn't always the case.

What's different in 2026 compared to 2020

The TSE requirement isn't new. It's been in effect since 2020 (with a non-objection rule that lasted until the end of 2022). But in 2026, the landscape is clearer than it was a few years ago:

  • No more transition periods. If you're still operating without a TSE, there's no excuse left.
  • Registration is active. Electronically registering your POS system with the Finanzamt is mandatory.
  • Kassennachschauen are routine. Tax offices now have trained staff and standardized audit procedures.
  • Cloud TSE is mature. The early problems with availability and certification have been resolved.
  • DSFinV-K is expected. Auditors request the export and know exactly what it should look like.

The good news: if you're using a modern, up-to-date POS system, you meet most requirements automatically. The technology is mature and the processes are well established. But if you're still running a legacy system that was purchased before 2020 and hasn't received updates since, you should urgently check whether it's even TSE-capable. Some older systems simply can't be retrofitted. In that case, the only option is to switch.

Conclusion

TSE, GoBD, KassenSichV — three acronyms, one goal: your register should operate correctly, traceably, and tamper-proof. Not because the government distrusts you, but because there need to be rules that apply equally to everyone.

As a restaurant owner, you don't need to become a tax law expert. But you do need to make sure your POS system handles it for you. The TSE signs transactions, GoBD-compliant storage runs in the background, the DSFinV-K export is one click away. If that's in place, you can focus on what you actually want to do: serve great food and make your guests happy.

At Kotao, the TSE is integrated from day one — no add-on module, no extra costs. European hosting, GDPR-compliant, automatic DSFinV-K exports. Learn more.

Related articles:

Related Articles

Continue learning with these related posts

Choosing a restaurant POS system: what actually matters in 2026
POSRestaurantsCafés
Choosing a restaurant POS system: what actually matters in 2026
What a restaurant POS system needs to do in 2026. An honest buying guide from someone who's worked the floor.
13 min
Why Most POS Systems Fail Restaurants
POSRestaurantsCafés
Why Most POS Systems Fail Restaurants
Offline failures, hardware lock-in, hidden fees: why most POS systems fall apart in real restaurant service and what actually matters.
11 min
Digitalization in the restaurant industry — where things actually stand in 2026
POSRestaurantsRetail
Digitalization in the restaurant industry — where things actually stand in 2026
Restaurant digitalization in 2026: what's actually changing, what's hype, and what your restaurant really needs.
12 min
View all posts