Can you send invoices by email? Risks, legal rulings and secure solutions
Why businesses must act now when it comes to email invoice delivery – and how to send invoices easily, securely and in an automated way.
Sending invoices by email is fast, cost-effective and a daily routine for many companies. But a recent ruling by the Higher Regional Court (OLG) of Schleswig calls this common practice into question: The previously widespread assumption that basic transport encryption (TLS) is sufficient to meet data protection requirements no longer holds.
What was once considered a pragmatic solution has become a legal risk. If data is lost or fraud occurs, companies can be held liable. This article explains what really matters when it comes to secure invoice delivery – and how businesses can effectively protect themselves.
What’s the problem with sending invoices by email?
Sending invoices by email is convenient, but many companies still rely solely on TLS. The issue: transport layer security (TLS) protects only the individual hops between mail servers, and in practice it is opportunistic (STARTTLS): if a server on the path does not offer it, or the connection is downgraded, the message falls back to plain text unless the sender explicitly enforces TLS. At every intermediate server and once it reaches the recipient's mailbox, the message is stored unencrypted, with no further protection.
In other words: anyone who gains access to a server on the path or to the mailbox itself, for example through a security vulnerability or a compromised account, can view, forward or even alter the invoice.
Cybercriminals actively exploit such weaknesses in email infrastructure: man-in-the-middle attacks on poorly configured connections, compromised mailboxes (business email compromise), or email spoofing, where a forged sender address is used to trick recipients. The risk is particularly high when large invoice amounts are involved.
Common risks associated with unsecured invoice delivery via TLS:
Interception and unauthorised access: Despite TLS, emails are readable in plain text on every mail server along the path and in the mailbox itself. The risk increases significantly on unsecured networks or where a server does not enforce TLS.
Manipulation: Invoices can be deliberately altered on the way to the recipient, for example by replacing the bank account details, or the whole email can be replaced by a forged one. TLS gives the recipient no way to tell the difference; only a signature bound to the sender does. In many cases, the recipient only notices when it's too late.
Liability: Under Article 32 of the GDPR (mirrored in the UK GDPR), companies are required to implement technical and organisational measures appropriate to the risk. If they fail to do so, they may face liability claims and fines.
Reputational damage: If fraud occurs, customer and business partner trust may be permanently damaged.
What the Higher Regional Court of Schleswig ruled on email invoice delivery
In December 2024, the Higher Regional Court (OLG) of Schleswig issued a ruling with far-reaching consequences for digital invoice delivery. In the case in question, a construction company sent an invoice for €15,000 to a private customer via email. However, the email was intercepted and manipulated by a third party – in particular, the bank details were changed.
The customer transferred the amount to the wrong account. The company demanded payment again – but the court ruled in favour of the customer.
The key findings of the ruling:
Inadequate security measures: The court found that TLS alone is not sufficient to meet the requirements of the GDPR. In cases involving a high financial risk, end-to-end encryption is required.
Company liability: The construction company was held responsible for the resulting financial loss, as it had failed to implement appropriate technical and organisational measures to protect personal data.
End-to-end encryption is reasonable: Even small and medium-sized businesses can be expected to implement end-to-end encryption, especially when large invoice amounts are involved. Given the current threat landscape – including the rise in cyberattacks – the court ruled it is reasonable to expect even mid-sized firms to inform themselves about suitable security measures and implement appropriate software.
Right to compensation: The customer was awarded compensation equal to the invoice amount under Article 82 of the GDPR. The company was not permitted to demand the payment a second time.
What does the ruling mean for businesses?
The decision by the Higher Regional Court of Schleswig highlights how important it is to implement appropriate security measures when sending invoices by email. It also makes clear that the bar for what counts as "appropriate protective measures" is higher than many had previously assumed. Following this ruling, end-to-end encryption must be treated as a legal requirement for invoice delivery, and not only between businesses: the Schleswig case was a B2C transaction.
Businesses must ensure that, at no point between sender and recipient, unauthorised third parties can read invoice contents or replace them. Basic transport encryption such as TLS is not enough. Password-protected PDF invoices are not a substitute either: the password is typically sent over the same email channel, the PDF does not authenticate the sender, and a forged email carrying a different PDF with a different IBAN looks just as legitimate, so they do not meet the standard the GDPR sets as interpreted in this ruling.
Digitalisation alone is not enough: E-invoicing requires secure delivery methods
Since 1 January 2025, businesses in Germany have been required to be able to receive electronic invoices for domestic B2B transactions; the obligation to issue them is being phased in over the following years. Such invoices must use a structured, machine-readable format that complies with the EN 16931 standard (for example XRechnung, a pure XML format, or ZUGFeRD, which embeds the XML in a PDF/A-3 file).
This step undoubtedly advances digitalisation – but what’s often overlooked is this: structured invoices also contain sensitive data. These details are subject to the same protection requirements as any other type of personal or business-critical information.
In short: the electronic invoice may change the format – but not the responsibility. The switch to e-invoicing does not replace the need for secure transmission. Without securing the delivery channel, companies face legal risks – even if their processes are technically compliant.
Options for end-to-end encryption – an overview
There are several ways to send emails securely using end-to-end encryption – depending on your technical setup, company size and use case. Below, we outline three common approaches and assess them in terms of practical implementation.
1. S/MIME and PGP: Traditional certificate-based encryption
S/MIME and PGP (Pretty Good Privacy) are well-established standards for email encryption and digital signatures. Both rely on asymmetric cryptography: each party has a key pair, publishes the public key and keeps the private key secret. The sender encrypts to the recipient's public key and signs with their own private key; only public keys are ever exchanged. In S/MIME the public key is packaged in an X.509 certificate issued by a certificate authority, while PGP keys are distributed directly or via key servers and trusted on a web-of-trust basis. For the bank-detail fraud described above, the signature is the part that matters: encryption hides the invoice from third parties, but only a valid signature from a key the recipient already trusts tells them the invoice was neither altered nor substituted.
Most email clients support both methods. In practice, however, the classic manual implementation presents hurdles in setting up, managing and exchanging keys, particularly with recipients you do not communicate with regularly, who may have no certificate or key at all. For smaller companies or heterogeneous recipient groups, the technical and time requirements quickly become too high. Note also that both standards protect only the message body and attachments: headers such as the subject line and sender address remain unencrypted.
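The mechanism both standards build on, sign-then-encrypt with one key pair per party, as an added example in Go that is not part of the original article and is not FTAPI's code or that of any S/MIME or PGP implementation. It uses Go standard-library primitives (Ed25519 signatures, RSA-OAEP key wrapping, AES-256-GCM) rather than the S/MIME or PGP message formats, and the invoice text, invoice number and IBANs are constructed placeholders. It demonstrates the point behind the Schleswig case: the encryption keeps the invoice private, but it is the signature check against a sender key the recipient already trusts that rejects an invoice with swapped bank details.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample invoice; the IBAN is a placeholder, not a real account.
const Invoice = "Invoice 2025-0042\nAmount: EUR 15000.00\nIBAN: DE00 1234 5678 0000 0000 00\n"

// Sealed is the signed-then-encrypted message as it would travel over email.
type Sealed struct {
	WrappedKey []byte // content key encrypted to the recipient's RSA public key (OAEP)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over invoice || Ed25519 signature
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs body with the sender's private key, then encrypts body||signature under
// a fresh content key that only the recipient's private key can unwrap. Only public
// keys cross the wire: the sender's for verification, the recipient's for encryption.
func Seal(senderPriv ed25519.PrivateKey, recipientPub *rsa.PublicKey, body []byte) (*Sealed, error) {
	sig := ed25519.Sign(senderPriv, body)
	plaintext := append(append([]byte{}, body...), sig...)
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open unwraps the content key, decrypts, and verifies the signature against the sender
// key the recipient already trusts. A ciphertext modified in transit, or a message
// re-sent by someone else with a swapped IBAN, is rejected.
func Open(recipientPriv *rsa.PrivateKey, trustedSender ed25519.PublicKey, msg *Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, msg.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("content key cannot be unwrapped: not encrypted for this recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext altered in transit")
	}
	if len(pt) < ed25519.SignatureSize {
		return nil, errors.New("message too short")
	}
	body, sig := pt[:len(pt)-ed25519.SignatureSize], pt[len(pt)-ed25519.SignatureSize:]
	if !ed25519.Verify(trustedSender, body, sig) {
		return nil, errors.New("signature invalid: invoice altered or not from the expected sender")
	}
	return body, nil
}

func main() {
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	recipientPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, _ := Seal(senderPriv, &recipientPriv.PublicKey, []byte(Invoice))
	body, err := Open(recipientPriv, senderPub, msg)
	fmt.Printf("genuine invoice (err=%v):\n%s", err, body)
	// Attacker who knows only the recipient's public key re-sends the invoice with
	// their own IBAN, signed with their own key: only the signature check stops this.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := Seal(attackerPriv, &recipientPriv.PublicKey,
		[]byte("Invoice 2025-0042\nAmount: EUR 15000.00\nIBAN: DE00 9999 9999 9999 9999 99\n"))
	_, err = Open(recipientPriv, senderPub, forged)
	fmt.Println("forged invoice rejected:", err)
}
```

Run it with `go run`. The second scenario models an attacker who never breaks the encryption at all but simply encrypts a fresh invoice to the recipient's public key, which is public by design. Note the order: sign first, then encrypt, so the signature is never visible in transit and the recipient verifies exactly the bytes that were decrypted.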
2. Web portals with secure document access
An alternative approach is to deliver invoices via a secure web portal. The recipient receives a notification by email and can then download the document using a secure link.
This method is especially useful when there is no shared encryption infrastructure between sender and recipient. However, it’s essential that the process is low-threshold and user-friendly – otherwise, there’s a risk that recipients will turn to insecure or unofficial communication channels.
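A minimal version of the secure link such a portal hands out, as an added example in Go that is not part of the original article and is not FTAPI's portal code. The design (an HMAC-bound token carrying the document ID, an expiry and a random nonce, verified in constant time and burned after one download), the document name and the portal hostname are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var (
	ErrInvalid = errors.New("link invalid")
	ErrExpired = errors.New("link expired")
	ErrUsed    = errors.New("link already used")
)

var b64 = base64.RawURLEncoding

// Portal issues and redeems download links. Hypothetical design for illustration,
// not FTAPI's portal. The used-token set lives in process memory here; a real
// portal keeps it in a shared store so every node sees a burned link.
type Portal struct {
	secret []byte
	used   map[string]bool
}

func NewPortal(secret []byte) *Portal {
	return &Portal{secret: secret, used: map[string]bool{}}
}

func (p *Portal) mac(payload string) []byte {
	m := hmac.New(sha256.New, p.secret)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// IssueToken returns a URL-safe token bound to one document and one expiry.
// The 128-bit random nonce makes every link unique and unguessable; the HMAC
// means the holder cannot point it at another document or extend the expiry.
func (p *Portal) IssueToken(docID string, expires time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	payload := b64.EncodeToString([]byte(docID)) + "." +
		strconv.FormatInt(expires.Unix(), 10) + "." + b64.EncodeToString(nonce)
	return payload + "." + b64.EncodeToString(p.mac(payload)), nil
}

// Redeem checks a token for docID at time now. Order matters: verify the MAC
// first (constant-time compare), then the document binding and expiry, and
// only then burn the token so it cannot be replayed.
func (p *Portal) Redeem(token, docID string, now time.Time) error {
	i := strings.LastIndex(token, ".")
	if i < 0 {
		return ErrInvalid
	}
	payload, sig := token[:i], token[i+1:]
	got, err := b64.DecodeString(sig)
	if err != nil || !hmac.Equal(got, p.mac(payload)) {
		return ErrInvalid
	}
	fields := strings.Split(payload, ".")
	if len(fields) != 3 {
		return ErrInvalid
	}
	doc, err := b64.DecodeString(fields[0])
	if err != nil || string(doc) != docID {
		return ErrInvalid
	}
	exp, err := strconv.ParseInt(fields[1], 10, 64)
	if err != nil {
		return ErrInvalid
	}
	if now.Unix() > exp {
		return ErrExpired
	}
	if p.used[token] {
		return ErrUsed
	}
	p.used[token] = true
	return nil
}

func main() {
	secret := make([]byte, 32)
	rand.Read(secret) // per-deployment secret; in production loaded from a secret store
	portal := NewPortal(secret)
	now := time.Now()
	tok, _ := portal.IssueToken("invoice-2025-0042.pdf", now.Add(24*time.Hour))
	fmt.Println("link: https://portal.example/d?t=" + tok)
	fmt.Println("first download:", portal.Redeem(tok, "invoice-2025-0042.pdf", now))
	fmt.Println("replayed link: ", portal.Redeem(tok, "invoice-2025-0042.pdf", now))
	fmt.Println("after expiry:  ", portal.Redeem(tok, "invoice-2025-0042.pdf", now.Add(48*time.Hour)))
}
```

The properties a practitioner should check on any portal link are all visible here: the token is unguessable, cannot be repointed at another document or have its expiry extended without the server secret, expires, and cannot be replayed. Two caveats remain. The burned-token set must be shared across all portal nodes, and the link on its own is a bearer credential: anyone who reads the notification email can use it, which is why portals typically add a second factor such as a separately delivered password or a login for the recipient.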
3. Platform-based encryption solutions
In addition to traditional encryption tools and portals, many businesses now rely on centralised platform solutions that integrate seamlessly into existing systems. These often combine secure file transfer, end-to-end encryption and a user-friendly interface – for example, through Outlook add-ins or browser-based input forms.
The key benefit: even large volumes of data or automated workflows can be handled without requiring the recipient to install additional software or possess technical knowledge. The next section will explore what this can look like in practice – using the FTAPI platform as an example.
Secure solutions for invoice delivery: How FTAPI can help
Companies that want to send invoices in a data protection-compliant and efficient way need processes that are not only secure but also practical. FTAPI offers two flexible solutions tailored to different industries and requirements: SecuMails for encrypted invoice delivery by email, and SecuFlows Advanced for automated invoice processing.
Sending encrypted invoices by email
FTAPI SecuMails allows companies to send invoices end-to-end encrypted – either via browser or directly from Outlook. The process takes place within the user’s familiar environment, without the need for additional software or complex infrastructure. For recipients, accessing the invoice is just as simple: they receive a notification email containing a secure download link.
Even larger files, such as invoice attachments or bundles, are no issue. This approach avoids breaks between media (no printing, scanning or switching to another channel), keeps sensitive data protected, and allows companies to define their own access rules and select from four available security levels.
Plus: FTAPI SecuMails is also available with an optional direct S/MIME integration. The system then uses intelligent rules to automatically identify the appropriate encryption method: if the recipient supports S/MIME, emails are encrypted according to the standard. If not, FTAPI's own encryption is seamlessly applied. This eliminates the normally cumbersome manual certificate and key management – FTAPI also handles this automatically in the background, without any additional effort for users.
Digitally mapping and automating invoice processes
Companies that regularly handle high volumes of invoices – whether incoming or outgoing – benefit from automated workflows. FTAPI SecuFlows Advanced enables recurring processes to be securely mapped and consistently protected. Incoming invoices can be captured and forwarded to accounting teams automatically – with no need for manual scanning or processing.
More complex approval processes can also be modelled, using role-based permissions or interactive tasks assigned to specific employees. Thanks to graphical modelling, all workflows can be designed intuitively via drag-and-drop in accordance with the BPMN 2.0 standard – from initial invoice receipt through to final archiving in the system.
Why FTAPI? Key benefits at a glance
FTAPI delivers secure, flexible solutions that integrate seamlessly into your existing processes – ensuring data protection exactly where it’s needed: in the transmission and management of sensitive information. The focus is on usability, compliance and adaptability.
Protect sensitive invoice data: End-to-end encryption with SecuMails ensures compliance with legal requirements such as GDPR and recent court rulings.
Handle large invoice volumes efficiently: Automated workflows with SecuFlows reduce manual effort and minimise the risk of errors.
Work across different IT systems: Seamless integration into existing environments, with no additional tools and no breaks between media.
Ensure user acceptance: Intuitive interface and Outlook integration enable quick onboarding with minimal training needs.
Whether you’re sending individual invoices or managing scalable workflows: FTAPI enables invoice processes that are secure, transparent and easy to use.
Tips for businesses: What you should do now
Secure invoice delivery isn’t just about choosing the right encryption technology – it’s about combining the right tools, processes and awareness across your organisation. If you want to make your invoice delivery legally compliant and future-proof, a structured approach is essential:
Review your delivery processes:
Gain a clear overview of how invoices are currently sent, which systems are involved, and what types of data are transmitted. Identify weak points, such as unsecured transmission paths or manual handovers.
Define your protection requirements:
The more sensitive the data and the higher the invoice amount, the more comprehensive the safeguards need to be. Legal frameworks such as the GDPR and the OLG Schleswig ruling provide clear expectations.
Implement suitable solutions:
Use end-to-end encrypted email (e.g. FTAPI SecuMails) for individual invoices. For larger volumes or recurring processes, automated and auditable workflows are recommended.
Raise employee awareness:
Train your teams to handle data responsibly, especially in finance, IT and customer service. Clear processes, user-friendly tools and regular internal training help minimise risk.
Strengthen external communication:
Be transparent about your data protection measures. Communicating openly builds trust and positions your company as a professional and responsible partner.
With these steps in place, you lay the foundation for invoice processes that are both efficient and secure.
Conclusion: Secure invoice delivery is both a legal obligation and a competitive advantage
The ruling by the Higher Regional Court of Schleswig makes one thing clear: businesses can no longer rely on basic technical standards like TLS when sending invoices by email. As soon as personal data is transmitted – which is the case in every invoice – the sender is responsible for ensuring it cannot be intercepted or manipulated in transit. End-to-end encryption is no longer a “nice to have” – it is a legal requirement.
FTAPI provides secure solutions that integrate seamlessly into your existing working environment – whether for individual email invoices or for fully automated, protected workflows. This allows you to meet regulatory requirements, avoid liability risks, and send invoices both securely and efficiently.