ZATCA E-Invoicing in Saudi Arabia: Complete Phase 2 Compliance Guide for 2026

Why ZATCA E-Invoicing Cannot Be Ignored

Saudi Arabia's Zakat, Tax and Customs Authority (ZATCA) launched its e-invoicing initiative — known as Fatoorah (فاتورة) — as part of Vision 2030's digital transformation program. Fatoorah is not a minor upgrade to your invoicing workflow. It fundamentally changes how every VAT-registered business in the Kingdom generates, signs, and submits invoices.

Phase 2 integration — the technically demanding phase requiring real-time connectivity with ZATCA — is now in active rollout to all business sizes. By 2026, no VAT-registered business in Saudi Arabia is exempt.

The penalties for non-compliance can reach SAR 50,000 per violation. Repeated violations can trigger business licence action. And the technical onboarding process alone takes 4–8 weeks when done properly — which means businesses that wait until the last moment consistently fail their deadlines.

This guide covers everything: what Fatoorah requires, the full technical architecture, the onboarding process, VAT rates, common mistakes, and how to evaluate ERP systems for Saudi Arabia compliance.

The Two Phases of Fatoorah Explained

Phase 1 — Generation (December 4, 2021)

Phase 1 ended the era of paper invoices and unstructured PDF invoices for all VAT-registered businesses in Saudi Arabia. The requirements:

• Generate all invoices using a compliant electronic solution
• Store invoices in structured XML format
• Include a QR code on all simplified tax invoices (B2C)
• Sequential invoice numbering

Phase 1 was a generation-only mandate. There was no requirement for real-time connectivity with ZATCA's systems. Your invoicing software needed to produce the right format; it did not need to talk to ZATCA in real time.

Every VAT-registered business should have completed Phase 1 by December 2021. If you are still generating paper invoices or standard PDF invoices today, you are already in violation.

Phase 2 — Integration (Rollout from January 2023 Onward)

Phase 2 is where the technical complexity of Fatoorah becomes clear. The core requirements:

• Real-time clearance: Standard tax invoices (B2B) must be submitted to ZATCA and cleared by ZATCA before being sent to customers
• Reporting: Simplified tax invoices (B2C) must be reported to ZATCA within 24 hours of issuance
• Cryptographic stamp: Every invoice must be digitally signed using a ZATCA-issued X.509 certificate
• UUID: Every invoice requires a Universally Unique Identifier
• Hash chain: Each invoice includes the hash of the previous invoice — creating a tamper-evident chain across your entire invoice history

Phase 2 is being rolled out in waves by revenue size. Businesses with annual revenue above SAR 3 billion entered Phase 2 in January 2023. The rollout continues downward through successive waves, with all VAT-registered businesses — regardless of size — required to be Phase 2 compliant by 2026.

How to confirm your wave: Check the ZATCA portal (zatca.gov.sa) for your specific integration date. ZATCA provides 6 months notice before each wave's mandatory deadline.

Who Must Comply with Fatoorah?

Every business that meets all three conditions:

VAT-registered in Saudi Arabia (has a Tax Identification Number issued by ZATCA)

Generates tax invoices for goods or services supplied in Saudi Arabia

Has been notified of their Phase 2 wave date (or that date has passed)

This includes:

• Saudi-registered companies of all legal forms and all sizes
• Foreign companies with a permanent establishment (branch, office) in Saudi Arabia
• Companies in Special Economic Zones that make taxable supplies within the Kingdom

What is not in scope: Businesses that are not VAT-registered. The mandatory VAT registration threshold in Saudi Arabia is SAR 375,000 in annual taxable supplies. Businesses below this threshold may be exempt from VAT registration entirely.

Standard Tax Invoice vs Simplified Tax Invoice

Fatoorah distinguishes two invoice types with different technical requirements:

How Clearance Works (Standard Invoices)

When you issue a B2B invoice:

Your system generates the XML invoice with all mandatory fields

Your system signs the invoice with your cryptographic stamp

Your system submits the signed XML to ZATCA's Clearance API

ZATCA validates the invoice (schema, signature, hash chain, UUID uniqueness)

If valid, ZATCA returns a cleared invoice with ZATCA's own stamp added

You send only the ZATCA-cleared version to your customer — never the pre-clearance version

If ZATCA rejects the invoice, you must correct the errors and resubmit before the invoice can be issued. A business that cannot handle ZATCA API rejections gracefully cannot issue B2B invoices.

How Reporting Works (Simplified Invoices)

When you issue a B2C invoice:

Your system generates the XML invoice and signs it

You issue the invoice to the customer immediately (with QR code)

Within 24 hours, your system reports the invoice to ZATCA's Reporting API

ZATCA validates and acknowledges receipt

The customer does not wait for ZATCA — they get the invoice in real time. But you must report every simplified invoice within the 24-hour window.

Mandatory Invoice Fields Under Fatoorah

Every ZATCA-compliant invoice must include these fields in the correct XML structure:

Header Information

• Invoice type code (standard or simplified, in ZATCA-defined codes)
• Invoice number (sequential and unique within your system)
• Invoice issue date and time (ISO 8601 format: YYYY-MM-DDTHH:MM:SS)
• UUID — a universally unique identifier for this specific invoice
• Previous invoice hash — SHA-256 hash of the previous invoice's XML (the hash chain)
• Digital signature from your cryptographic stamp

Seller Information

• Legal business name exactly as registered with ZATCA
• VAT registration number (15-digit TIN)
• Full registered address: building number, street, district, city, postal code, country code

Buyer Information (Standard Invoices Only)

• Buyer legal name
• Buyer VAT registration number (if the buyer is VAT-registered)
• Buyer address

Simplified invoices (B2C) do not require buyer details.

Line Items

• Item description
• Quantity and unit of measure
• Unit price (excluding VAT)
• Discount amount and reason (if applicable)
• VAT category code (standard 15%, zero-rated, exempt, outside scope)
• VAT rate applied to this line
• VAT amount for this line
• Line total excluding VAT
• Line total including VAT

Invoice Totals

• Total amount excluding VAT
• Total discount amount
• Total taxable amount (net of discounts)
• Total VAT amount
• Grand total including VAT
• Amount due (net of any advance payments)

QR Code (Simplified Invoices)

The QR code must encode the following in TLV (Tag-Length-Value) format, then base64-encode the result:

• Tag 1: Seller name
• Tag 2: Seller VAT number
• Tag 3: Invoice timestamp
• Tag 4: Invoice total with VAT
• Tag 5: VAT amount

This is not a URL or JSON object — it is a binary TLV encoding. Incorrect QR format is one of the most common Phase 2 compliance failures.

Technical Architecture: What Your System Must Do

Phase 2 compliance is fundamentally a software engineering requirement. Your invoicing or ERP system must implement:

1. Native XML Generation in UBL 2.1 Format

ZATCA mandates Universal Business Language (UBL) 2.1 XML with Saudi Arabia-specific extensions. The XML schema is defined by ZATCA and publicly available. Your invoices must conform precisely — any field out of place, any value in the wrong format, any missing required element causes schema validation failure.

Critical: PDF-to-XML conversion does not work. The XML must be generated natively from structured data in your system, not converted from a rendered document. Businesses that try to convert existing PDF invoices to XML consistently fail ZATCA's compliance checks.

2. Cryptographic Stamp (Digital Signature)

Every invoice must be signed using an X.509 certificate issued by ZATCA. The signing process:

• Your system generates a Certificate Signing Request (CSR)
• ZATCA issues a Cryptographic Stamp Identifier (CSID) — your certificate
• Your system uses this certificate to sign each invoice's XML using XMLDSig
• The signature covers the entire invoice content — any modification after signing invalidates the signature

The cryptographic stamp is bound to your specific software solution. If you change invoicing systems, you must obtain a new CSID through the onboarding process.

3. Hash Chain Maintenance

Each invoice must include the SHA-256 hash of the previous invoice's XML (after signing). The first invoice in a sequence uses a defined initialization value.

This creates an immutable chain: if any historical invoice is modified, all subsequent hashes become invalid. ZATCA's system can detect any tampering with historical records.

Your system must:

• Store the hash of every issued invoice
• Retrieve the previous invoice's hash when generating a new invoice
• Never allow invoice modification after the hash has been computed

4. ZATCA API Integration

Three APIs are involved in Phase 2:

Compliance API (Onboarding/Testing): Used during the onboarding process to validate your implementation against ZATCA's test environment. You submit sample invoices and receive validation responses identifying any issues.

Clearance API (Production — Standard Invoices): Submit B2B invoices for clearance. ZATCA validates, stamps, and returns the cleared invoice — or returns a rejection with error details.

Reporting API (Production — Simplified Invoices): Submit B2C invoices for reporting within 24 hours. ZATCA acknowledges receipt and reports any validation issues.

5. Rejection Handling and Retry Logic

ZATCA rejects invoices for various reasons:

• Schema validation errors (malformed XML)
• Invalid or expired cryptographic stamp
• Duplicate UUID (same UUID used on two different invoices)
• Invalid hash chain (hash doesn't match previous invoice)
• Missing mandatory fields
• Network timeouts

Your system must:

• Capture and log every rejection with the ZATCA error response
• Display meaningful error messages to users
• Allow correction of rejected invoices without losing invoice sequence integrity
• Implement retry logic for transient network failures

A system that crashes or freezes when ZATCA rejects an invoice cannot support production operations in Saudi Arabia.

The ZATCA Onboarding Process: Step by Step

Before connecting to ZATCA's production environment, every e-invoicing solution must complete onboarding. Plan for 4–8 weeks from start to go-live.

Step 1: Compliance Environment Testing

Your solution submits sample invoices to ZATCA's compliance (test) environment:

• Standard tax invoices (B2B)
• Simplified tax invoices (B2C)
• Credit notes
• Debit notes

ZATCA validates each invoice against all schema, cryptographic, and business rules requirements. Your solution must pass all validation checks before proceeding.

Typical first-round failure areas: incorrect QR code encoding, hash chain errors, missing UBL namespace declarations, wrong VAT category codes.

Step 2: Cryptographic Stamp Issuance

Once compliance checks pass:

Your system generates a Certificate Signing Request (CSR) with specific ZATCA-required attributes

You submit the CSR through ZATCA's portal

ZATCA issues your Cryptographic Stamp Identifier (CSID)

You install the CSID in your system for production signing

This step requires your system to already implement correct CSR generation — ZATCA rejects CSRs with incorrect attributes or missing Organization fields.

Step 3: Production Onboarding

With a valid CSID, your system connects to the production ZATCA environment and submits test transactions. ZATCA verifies end-to-end connectivity and solution functionality before you go live with real business invoices.

Step 4: Go-Live

After ZATCA confirms production onboarding, your system switches to production operations:

• All standard invoices are submitted to the Clearance API before customer delivery
• All simplified invoices are reported to the Reporting API within 24 hours

Critical timing: Begin your onboarding process at least 3 months before your mandatory Phase 2 wave date. Businesses that start onboarding with 4–6 weeks to their deadline almost always miss it.

VAT Rates in Saudi Arabia for 2026

Important: Saudi Arabia raised VAT from 5% to 15% in July 2020. The 15% rate remains in force in 2026. All invoices for standard-rated supplies must reflect 15% VAT — not the pre-2020 5% rate.

For cross-border supplies, the export zero-rating rules are detailed. Goods physically exported from Saudi Arabia qualify for zero-rating with evidence (customs clearance documents). Services supplied to non-Saudi businesses may qualify for zero-rating depending on where the customer is established and where the service is consumed.

Common ZATCA Phase 2 Mistakes to Avoid

1. PDF-to-XML Conversion

Simply converting a PDF invoice to XML does not produce a Fatoorah-compliant invoice. The XML must be generated natively from structured invoice data. Businesses using legacy billing systems that generate PDFs often attempt this conversion — ZATCA's schema validation rejects the output in almost every case.

2. Ignoring the Hash Chain

Many Phase 2 implementations successfully implement UUIDs and digital signatures but fail to implement the hash chain correctly. ZATCA's compliance validation explicitly tests hash chain integrity. A missing or incorrectly computed previous invoice hash causes immediate compliance failure.

3. Incorrect QR Code Format

The QR code for simplified invoices must use TLV (Tag-Length-Value) binary encoding, then base64-encode the result. A common mistake is encoding the data as a JSON object or a URL, which is readable by QR scanners but does not meet ZATCA's specification. ZATCA's compliance checks verify QR code format.

4. Hardcoding VAT Rates

Invoicing systems that hardcode VAT rates (rather than configuring them from a tax table) are brittle. When Saudi Arabia changed VAT from 5% to 15% in 2020, businesses with hardcoded rates issued incorrect invoices until a software update was deployed. Use configurable tax rates that can be updated without code changes.

5. No Rejection Handling

ZATCA rejects invoices for multiple reasons, and rejections are a normal part of production operations (network timeouts, transient API issues, data entry errors). Systems that crash, freeze, or lose invoice data on rejection cannot support business operations. Rejection handling must be built in from day one.

6. Starting Onboarding Too Late

The 4–8 week onboarding timeline assumes your solution is already technically compliant — it is the time to complete ZATCA's verification process, not to build the solution. Businesses that start their ZATCA onboarding four weeks before their mandatory wave date are not starting their solution development four weeks before the deadline — they are already significantly past their safe window.

7. No Audit Trail for ZATCA Transactions

Every clearance request, every reporting submission, every rejection, and every resubmission should be logged with timestamps, ZATCA response codes, and invoice details. ZATCA can conduct field audits and request records. Businesses with no audit trail of ZATCA transactions cannot demonstrate compliance.

Penalties for Fatoorah Non-Compliance

ZATCA conducts field inspections and can request real-time access to your invoicing system. Paper invoices or non-XML digital invoices discovered during an inspection are treated as non-compliance regardless of the reason.

The penalty structure means that a single invoice compliance failure can generate a SAR 50,000 fine. At 15% VAT on a SAR 10 million revenue business, a compliance failure affecting a month of invoices represents massive financial exposure.

Evaluating ERP and Billing Software for Saudi Arabia

When selecting or upgrading software for ZATCA compliance, verify these specific capabilities:

ZATCA Certification: Ask for documentation of ZATCA compliance certification. ZATCA maintains a list of approved e-invoicing solutions. An approved solution has passed ZATCA's technical review — it is not self-declared.

Native XML Generation: Verify that the software generates UBL 2.1 XML natively, not through conversion. Ask to see a sample output XML and validate it against ZATCA's published schema.

Built-in Cryptographic Stamp Integration: The software must handle CSID management, certificate storage, and XML signing internally — not require you to manually sign invoices with a separate tool.

Hash Chain Implementation: Confirm the software stores invoice hashes and uses them correctly in the next invoice's XML. Test this by examining the XML of two sequential invoices.

API Integration with Retry Logic: Clearance and Reporting APIs must be integrated with proper error handling, rejection capture, and retry logic for transient failures.

Comprehensive Audit Log: Every ZATCA transaction (submission, clearance, rejection, resubmission) must be logged with timestamps and ZATCA response codes.

Multi-Tax Rate Support: The system must support configurable VAT rates (15% standard, 0% zero-rated, exempt) with the ability to update rates without software changes.

How Taskmate ERP Supports ZATCA Compliance

[Taskmate ERP](/taskmate) by AHAD Global Ventures is designed for businesses operating in GCC regulatory environments. For Saudi Arabia operations, Taskmate provides:

Native UBL 2.1 XML Generation: Every invoice generates directly to the required XML structure from structured ERP data — no PDF conversion, no manual formatting.

Cryptographic Stamp Integration: Taskmate manages the CSID lifecycle, handles XML signing using ZATCA's required cryptographic methods, and stores signatures with each invoice record.

Hash Chain Management: Taskmate maintains the hash chain automatically — each invoice is linked cryptographically to the previous one. The chain is immutable; posted invoices cannot be modified.

Clearance and Reporting API Connectivity: Standard invoices are submitted to ZATCA's Clearance API before becoming available to send to customers. Simplified invoices are queued for automatic reporting within the 24-hour window.

Rejection Handling: ZATCA rejection responses are captured, logged with full error details, and surfaced to users with clear resolution steps. The invoicing workflow does not fail silently.

Complete Audit Log: Every ZATCA interaction is logged with timestamp, invoice UUID, API endpoint, response code, and response payload — providing a complete compliance audit trail.

Double-Entry Accounting Integration: Unlike standalone invoicing tools, Taskmate connects e-invoicing directly to the general ledger. Every posted sales invoice generates the corresponding revenue and VAT liability entries automatically.

For businesses evaluating ZATCA-compliant solutions, [explore our services](/services) or discuss your Saudi Arabia implementation requirements with our team.

Frequently Asked Questions

When does Phase 2 apply to my business? ZATCA rolls out Phase 2 in waves based on annual revenue. Check the ZATCA portal (zatca.gov.sa) for your specific wave date. If your wave date has already passed, you are currently required to be Phase 2 compliant. If you are unsure whether you received the notification, contact ZATCA directly.

What happens if my ERP system doesn't support ZATCA Phase 2? You cannot use it for Saudi Arabia invoicing unless you add a ZATCA-compliant middleware layer. The middleware approach adds complexity and potential points of failure. A native solution that generates compliant XML directly is significantly more reliable long-term.

Do I need a separate ZATCA certificate for each branch or store? The CSID (cryptographic stamp) is issued per ERP/billing solution instance, not per physical location. If all your branches use a single ERP system, one CSID covers all branches. If branches use separate invoicing systems, each system requires its own CSID and onboarding.

Can I issue an invoice to a customer before it's cleared by ZATCA? No — for standard tax invoices (B2B). The cleared version from ZATCA must be the one you send to your customer. Sending an invoice before clearance violates the Phase 2 mandate. For simplified invoices (B2C), you issue to the customer immediately, then report to ZATCA within 24 hours.

What if ZATCA's API is down and I can't clear an invoice? Your system should queue invoices for submission when the API is unavailable and submit them once connectivity is restored. For critical clearance failures, document the downtime and the failed submission attempts — ZATCA's guidance addresses connectivity issues in their compliance documentation.

How long must I retain ZATCA invoices? ZATCA requires retention of tax records for a minimum of 5 years. This includes all XML invoice files, ZATCA clearance/reporting responses, and your cryptographic stamp history.

Does Fatoorah apply to credit notes and debit notes? Yes. Credit notes and debit notes are subject to the same e-invoicing requirements as standard invoices. They must reference the original invoice UUID and follow the same clearance (B2B) or reporting (B2C) process.

Conclusion

ZATCA's Fatoorah mandate is the most technically comprehensive e-invoicing system in the GCC — and for good reason. The combination of real-time clearance, cryptographic signing, hash chain integrity, and detailed XML schemas ensures that Saudi Arabia's VAT records are auditable, tamper-evident, and accurate.

For businesses operating in Saudi Arabia, the path forward is clear: implement a ZATCA-certified ERP or billing solution that generates native UBL 2.1 XML, manages cryptographic stamps, integrates with ZATCA's Clearance and Reporting APIs, and provides a complete audit trail. Start the 4–8 week onboarding process at least 3 months before your mandatory wave date.

Non-compliance is not a risk to manage — it is a penalty to pay. With fines up to SAR 50,000 per violation and field audit exposure, the cost of a proper Phase 2 implementation is a fraction of the cost of non-compliance.

AHAD Global Ventures builds business management systems for GCC regulatory environments, including ZATCA Phase 2 compliant invoicing. [Explore our services](/services) to discuss your Fatoorah implementation requirements.

Read more about [UAE VAT compliance for businesses](/blog/uae-vat-guide-for-small-businesses), [setting up a business in Dubai](/blog/how-to-setup-business-in-dubai-2026), or [how API-first ERP architecture enables compliance automation](/blog/api-first-architecture-for-modern-erp).