KRA eTIMS guide for Kenyan retailers (Electronic Tax Invoice Management System)

Last reviewed 2026-05-27 · by the RetailPOS team

KRA's eTIMS (Electronic Tax Invoice Management System) is the mandatory invoice flow for all VAT-registered Kenyan businesses. It replaced the earlier ETR (Electronic Tax Register) mandate via a progressive rollout starting 2022. Every VAT-applicable invoice must flow through an electronic Control Unit (CU) — physical device or software — that signs the invoice with a unique signature + transmits the data to KRA in real-time. Each invoice receives a Control Unit Invoice Number (CUIN) and carries a QR code on the printed/digital receipt.

For a Kenyan retailer running RetailPOS, eTIMS compliance is built into the standard checkout flow — no separate device, no manual upload, no end-of-day batch. This guide covers what eTIMS actually requires, the Control Unit options (OSCU online + VSCU virtual), what the POS-to-eTIMS integration architecture looks like, the penalty schedule, and how RetailPOS' eTIMS connector ships.

eTIMS mandate scope + threshold

eTIMS applies to all VAT-registered businesses in Kenya. The VAT registration threshold is currently KES 5 million annual turnover for compulsory registration; voluntary registration is available below that threshold.

For non-VAT-registered businesses (below KES 5M annual turnover):

  • eTIMS technically doesn't apply
  • Standard receipts suffice (without CUIN + QR)
  • KRA is progressively pushing for voluntary onboarding to expand the tax base
  • Some categories may have separate compliance requirements regardless of VAT status

For VAT-registered businesses, eTIMS is non-negotiable. The penalty schedule for non-compliance (issuing invoices without eTIMS CUIN) is meaningful; KRA enforcement has been active since the rollout completed.

OSCU vs VSCU — Control Unit options

KRA offers two Control Unit architectures:

  • OSCU (Online Sales Control Unit) — software-based; runs as part of the POS or accounting system; communicates with KRA in real-time via API. Suitable for most modern POS deployments. No separate hardware.
  • VSCU (Virtual Sales Control Unit) — physical or virtual control device; required for some specialised categories (manufacturing, larger taxpayers); communicates with KRA via approved channels.

For typical retail POS deployments, OSCU is the standard path. RetailPOS' eTIMS integration uses the OSCU architecture — the POS itself acts as the Control Unit, signing invoices with the registered credentials and transmitting to KRA in real-time.

For larger taxpayers or specialised categories where VSCU is required, the POS still handles the invoice generation + signing; the VSCU appears as the transmission layer to KRA. RetailPOS' eTIMS connector supports both OSCU and VSCU integration patterns; the right one is selected during onboarding based on your business category + KRA classification.

What eTIMS actually requires on every invoice

Every VAT-applicable invoice generated by your POS must:

  • Be signed by the Control Unit with the registered eTIMS signature
  • Carry a Control Unit Invoice Number (CUIN) — unique per invoice
  • Carry a QR code on the printed/digital receipt that decodes to the invoice details on the KRA portal
  • Include the buyer's PIN (Personal Identification Number) for B2B; B2C may operate without PIN below certain thresholds
  • Include line-item detail with VAT split (16% standard, zero-rated, exempt per VAT Act schedules)
  • Be transmitted to KRA in real-time (OSCU) or within the prescribed window
  • Be retained electronically for the prescribed retention period

The buyer-side experience: customers can verify their invoice on KRA's portal by entering the CUIN or scanning the QR. This is part of KRA's consumer-side compliance push and supports the buyer's input-VAT-credit claim.

POS-to-eTIMS integration architecture

When a covered retailer rings a sale on RetailPOS:

  • Cashier rings the sale; for B2B captures buyer PIN; standard checkout completes locally
  • POS commits the sale + emits outbox event
  • eTIMS connector picks up the event; formats per KRA schema
  • OSCU layer signs the invoice with the registered eTIMS certificate; generates the CUIN
  • Signed invoice transmits to KRA endpoint in real-time
  • KRA acknowledges receipt; receipt prints with CUIN + QR

Total elapsed time from payment confirmation to printed receipt: typically 2-5 seconds with healthy connectivity. The POS doesn't block on KRA response for the customer-facing print — the local Control Unit signing produces the CUIN immediately; KRA transmission happens in parallel.

For sustained KRA endpoint outages (rare since rollout stabilised), the connector queues invoices locally; submits in order when connectivity returns. The local Control Unit signing still completes immediately so receipts print on time.
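The sign-locally, queue, and submit-in-order behaviour described above, as an added example; it is not RetailPOS' connector code and does not use KRA's API. `Outbox`, `FakeEndpoint`, the CUIN format and the HMAC signature (standing in for the certificate-based one) are all assumptions made for illustration.

```python
import hashlib, hmac, json, sqlite3

class Outbox:
    """Sign at checkout with no network call; transmit later, oldest first."""
    def __init__(self, db, cu_id, key, transmit):
        self.db, self.cu_id, self.key, self.transmit = db, cu_id, key, transmit
        db.execute("CREATE TABLE IF NOT EXISTS outbox(seq INTEGER PRIMARY KEY "
                   "AUTOINCREMENT, cuin TEXT, body BLOB, sig TEXT, acked INTEGER DEFAULT 0)")

    def sign(self, sale):
        with self.db:  # one transaction: a number is never issued without its row
            seq = self.db.execute("INSERT INTO outbox(acked) VALUES (0)").lastrowid
            cuin = f"{self.cu_id}-{seq:08d}"  # constructed format, not KRA's
            body = json.dumps({"cuin": cuin, **sale}, sort_keys=True).encode()
            # HMAC-SHA256 stands in for the certificate-based signature (assumption)
            sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
            self.db.execute("UPDATE outbox SET cuin=?, body=?, sig=? WHERE seq=?",
                            (cuin, body, sig, seq))
        return cuin, sig

    def flush(self):  # stop at the first failure: later invoices never overtake earlier
        sent = 0
        rows = self.db.execute("SELECT seq, cuin, body, sig FROM outbox "
                               "WHERE acked=0 ORDER BY seq").fetchall()
        for seq, cuin, body, sig in rows:
            try:
                ok = self.transmit(cuin, body, sig)
            except OSError:  # a network failure counts as "not acknowledged"
                ok = False
            if not ok:
                break
            with self.db:
                self.db.execute("UPDATE outbox SET acked=1 WHERE seq=?", (seq,))
            sent += 1
        return sent

    def pending(self):
        q = "SELECT cuin FROM outbox WHERE acked=0 ORDER BY seq"
        return [r[0] for r in self.db.execute(q)]

class FakeEndpoint:  # constructed stand-in for the remote endpoint; dedupes on CUIN
    def __init__(self):
        self.up, self.received = False, []
    def __call__(self, cuin, body, sig):
        if not self.up:
            raise ConnectionError("endpoint unreachable")
        if cuin not in self.received:  # a resend after a lost ack is harmless
            self.received.append(cuin)
        return True
```

Because a row is marked acknowledged only after the endpoint answers, a crash between transmit and acknowledgement causes a resend of the same CUIN, so the receiving side has to treat a repeated CUIN as a duplicate.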

Registration + Control Unit provisioning

Registration flow:

  • Log in to the KRA iTax portal with your PIN credentials
  • Apply for eTIMS Control Unit (specify OSCU or VSCU per your business category)
  • Generate Control Unit certificate + API credentials
  • Configure into the POS during onboarding; validate against sandbox endpoint
  • Move to production endpoint; first live invoice generates the first CUIN

For multi-branch retailers, each branch typically gets its own Control Unit registered to the same PIN; the per-branch CU operates independently. RetailPOS' per-location CU configuration handles routing correctly.

For RetailPOS customers, the onboarding includes the eTIMS Control Unit setup; subsequent new branches self-serve via back-office configuration.

Penalty schedule + audit defensibility

KRA penalty schedule for eTIMS non-compliance:

  • Issuing an invoice without eTIMS CUIN when required: per-invoice penalty (consult current KRA notification for amount)
  • Issuing a non-compliant invoice (missing QR, wrong format): per-invoice penalty
  • Failing to transmit eTIMS data within the prescribed window: penalty + risk of escalation
  • Repeated non-compliance triggers KRA audit + risk of business closure under serious enforcement actions

KRA enforcement has been active since rollout. Spot checks during high-volume periods (December, Easter, back-to-school) occasionally find non-compliant invoices; the offence and the penalty attached to it are significant.

The buyer-side impact is also real: a buyer whose invoice doesn't flow through eTIMS can't claim input-VAT credit; this cascades to losing B2B customers.

VAT reconciliation + monthly returns

eTIMS data feeds the monthly VAT return (Form VAT3) auto-prep. At month-end:

  • KRA's VAT3 auto-draft pre-populates from your eTIMS-submitted invoices
  • You verify the auto-draft against your POS records; the POS exports the period's sales for cross-check
  • Any non-eTIMS transactions (B2C below threshold, exempt supplies) add to the auto-draft manually
  • File monthly VAT3 + remit VAT due by 20th of next month

For corporate buyers requesting tax invoices with their PIN, the buyer-PIN capture at checkout creates the proper audit link. The buyer's VAT3 input-credit + your VAT3 output-VAT reconcile via eTIMS.

Frequently asked

My turnover is below KES 5M — does eTIMS apply?
Below the VAT registration threshold, eTIMS technically doesn't apply (you're not VAT-registered). KRA is progressively pushing for voluntary onboarding to expand the tax base; some categories may have separate requirements regardless. Confirm with your tax advisor.

Does RetailPOS' eTIMS integration cost extra?
Included in the standard subscription. The eTIMS connector (OSCU architecture for standard retail) handles signing + KRA real-time submission; no per-invoice fee. For VSCU (specialised categories), confirm at sign-up.

OSCU vs VSCU — which one applies to me?
For most retail POS deployments: OSCU (software-based Control Unit, no separate hardware). For specialised categories — manufacturing, larger taxpayers — VSCU (virtual or physical Control Unit) may be required. The onboarding flow determines which one applies based on your category + KRA classification.

What happens if the KRA endpoint is down during a sale?
The local OSCU signing completes immediately (CUIN generated locally with the registered certificate); the receipt prints on time. KRA transmission queues and retries when the endpoint returns. The local-signing + transmit-async pattern means the customer never waits for KRA.

Multi-branch — does each branch need its own Control Unit?
Yes — each branch registers its own CU to the same PIN. RetailPOS' per-location CU configuration routes correctly; multi-branch operations get per-branch eTIMS compliance without forcing a single-CU bottleneck.

B2C transactions — does buyer PIN matter?
For pure B2C below certain thresholds, the buyer PIN is not required; the invoice still flows through eTIMS with CUIN + QR. For B2B (or B2C above the threshold for tax-invoice requests), the buyer PIN captured at checkout supports the buyer's input-VAT-credit claim.