What's on This Page
- Introduction to ZATCA and Fatoorah
- Understanding Phase 1 vs Phase 2
- Technical Requirements for Compliance
- Compliance by Business Type
- Penalties for Non-Compliance
- 10 Steps to Achieve ZATCA Compliance
- How DNA ERP Ensures Compliance
- ZATCA Compliance Checklist
- Frequently Asked Questions
Introduction to ZATCA and Fatoorah
The Zakat, Tax and Customs Authority (ZATCA) has transformed the Saudi Arabian business landscape with its ambitious e-invoicing initiative known as Fatoorah. This comprehensive guide provides everything you need to know about achieving and maintaining ZATCA compliance in 2024-2025.
What is ZATCA?
ZATCA (Zakat, Tax and Customs Authority) is Saudi Arabia's integrated government authority responsible for collecting Zakat, taxes, and customs duties. Formed in 2021 through the merger of the General Authority of Zakat and Tax (GAZT) and the Saudi Customs Authority, ZATCA plays a pivotal role in the Kingdom's Vision 2030 economic transformation.
As part of its modernization efforts, ZATCA introduced the Fatoorah e-invoicing system — a mandatory electronic invoicing framework designed to:
- Reduce tax evasion and improve tax collection efficiency
- Digitize the Saudi economy in line with Vision 2030 objectives
- Create a standardized, transparent invoicing ecosystem
- Enable real-time monitoring of business transactions
- Simplify VAT compliance and reporting processes
The Fatoorah E-Invoicing Mandate
Fatoorah, which means 'invoice' in Arabic, requires all VAT-registered businesses in Saudi Arabia to generate, store, and share invoices in a standardized electronic format. Unlike simple PDF invoices, Fatoorah-compliant invoices must be machine-readable, cryptographically secured, and integrated with ZATCA's central platform.
The mandate affects all VAT-registered taxpayers in the Kingdom, regardless of size or industry. This includes:
- Large enterprises and multinational corporations
- Small and medium enterprises (SMEs)
- Individual taxpayers conducting taxable activities
- Non-resident businesses with a tax presence in Saudi Arabia
Why Compliance Matters for Saudi Businesses
ZATCA compliance is not optional — it's a legal requirement with significant business implications:
- Legal Obligation: Non-compliance results in penalties, fines, and potential business restrictions
- Business Continuity: Non-compliant invoices may not be accepted by customers or for tax deductions
- Competitive Advantage: Early adopters gain operational efficiencies and build trust with partners
- Future-Proofing: ZATCA compliance prepares your business for upcoming digital initiatives
- Government Contracts: Compliance is often mandatory for participating in government tenders
Understanding ZATCA Phase 1 vs Phase 2
ZATCA has implemented e-invoicing in two distinct phases, each with different requirements and timelines. Understanding these phases is critical for planning your compliance journey.
Phase 1: Generation Phase (December 4, 2021)
Phase 1, also known as the Generation Phase, established the foundation for electronic invoicing in Saudi Arabia. Key requirements included:
- Electronic Invoice Generation: All invoices must be generated electronically through a compliant system — handwritten or scanned invoices are prohibited
- Standardized Format: Invoices must contain all mandatory fields specified by ZATCA
- QR Code: Simplified tax invoices (B2C) must include a QR code with specific encoded data
- UUID: Each invoice must have a Universally Unique Identifier
- Tamper-Resistance: Systems must prevent unauthorized modifications to invoices
- Arabic Language: Invoice fields must be in Arabic (additional languages permitted)
Phase 1 applied to all VAT-registered taxpayers simultaneously, giving businesses several months to prepare their systems.
Phase 2: Integration Phase (January 1, 2023+)
Phase 2, the Integration Phase, represents a significant technical advancement requiring real-time or near-real-time integration with ZATCA's central Fatoorah platform. This phase introduces:
- API Integration: Direct electronic connection between your ERP/invoicing system and ZATCA's platform
- Real-Time Clearance: Standard tax invoices (B2B) must be cleared by ZATCA before being shared with customers
- Near-Real-Time Reporting: Simplified tax invoices (B2C) must be reported to ZATCA within 24 hours
- Cryptographic Stamps: Invoices must include ZATCA-issued cryptographic stamps after clearance
- XML Format: Invoice data must be transmitted in UBL 2.1 XML format
- Digital Signatures: Invoices must be digitally signed using ZATCA-issued certificates
Phase 2 Wave Rollout Schedule
Unlike Phase 1, Phase 2 is being implemented in waves based on annual taxable revenue:
| Wave | Annual taxable revenue | Integration deadline |
|---|---|---|
| Wave 1 | SAR 3 billion+ | January 1, 2023 |
| Wave 2 | SAR 500 million+ | July 1, 2023 |
| Wave 3 | SAR 250 million+ | October 1, 2023 |
| Wave 4 | SAR 150 million+ | November 1, 2023 |
| Wave 5 | SAR 100 million+ | December 1, 2023 |
| Wave 6 | SAR 70 million+ | January 1, 2024 |
| Wave 7 | SAR 50 million+ | February 1, 2024 |
| Wave 8 | SAR 40 million+ | March 1, 2024 |
| Wave 9+ | Remaining taxpayers | 2024-2025 (ongoing) |
ZATCA notifies taxpayers of their wave assignment at least 6 months before their integration deadline.
Technical Requirements for ZATCA Compliance
Phase 2 compliance requires meeting specific technical standards. This section covers the detailed specifications your system must support.
XML Invoice Format (UBL 2.1)
ZATCA mandates the use of Universal Business Language (UBL) 2.1 for invoice data transmission. Your system must generate XML files that conform to:
- ZATCA's customized UBL 2.1 schema
- Mandatory and conditional field requirements
- Arabic character encoding (UTF-8)
- Proper namespace declarations
- Schema validation rules
QR Code Specifications
All invoices must include a QR code containing TLV (Tag-Length-Value) encoded data:
- Tag 1: Seller's name
- Tag 2: VAT registration number
- Tag 3: Invoice timestamp
- Tag 4: Invoice total (with VAT)
- Tag 5: VAT amount
- Tag 6: Invoice hash (Phase 2)
- Tag 7: Digital signature (Phase 2)
- Tag 8: Public key (Phase 2)
- Tag 9: Cryptographic stamp identifier (Phase 2)
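The TLV layout listed above, as an added example (not ZATCA's or DNA ERP's code) covering tags 1 to 5 only. It assumes a one-byte tag, a one-byte length that counts UTF-8 bytes, and Base64 wrapping of the result; the invoice values are constructed.

```python
import base64

# Tag numbers and meanings as listed on this page (tags 1-5 only).
TAGS = {1: "seller_name", 2: "vat_number", 3: "timestamp",
        4: "total_with_vat", 5: "vat_amount"}

def encode_tlv(fields):
    """Encode {tag: str} as TLV bytes, then Base64 (assumed QR payload form)."""
    out = bytearray()
    for tag in sorted(fields):
        value = fields[tag].encode("utf-8")
        # Length counts UTF-8 bytes, not characters: Arabic letters take 2 bytes.
        if not 1 <= tag <= 255 or len(value) > 255:
            raise ValueError(f"tag {tag}: does not fit one-byte tag/length")
        out += bytes([tag, len(value)]) + value
    return base64.b64encode(bytes(out)).decode("ascii")

def decode_tlv(payload):
    """Strictly parse a Base64 TLV payload; reject truncated or malformed data."""
    raw = base64.b64decode(payload, validate=True)
    fields, pos = {}, 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated TLV header")
        tag, length = raw[pos], raw[pos + 1]
        pos += 2
        if pos + length > len(raw):
            raise ValueError(f"tag {tag}: length {length} overruns payload")
        if tag in fields:
            raise ValueError(f"duplicate tag {tag}")
        fields[tag] = raw[pos:pos + length].decode("utf-8")  # raises on bad UTF-8
        pos += length
    missing = set(TAGS) - set(fields)
    if missing:
        raise ValueError(f"missing mandatory tags: {sorted(missing)}")
    return fields

# Constructed sample invoice values (not real taxpayer data).
SAMPLE = {1: "شركة تجريبية", 2: "300000000000003",
          3: "2024-03-01T10:15:00Z", 4: "115.00", 5: "15.00"}
```

A system that reads QR payloads should apply the same strictness as `decode_tlv`: a declared length that runs past the end of the buffer, a repeated tag, or invalid UTF-8 is a rejection, not something to repair.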
Cryptographic Stamps and Digital Signatures
Phase 2 introduces robust cryptographic security measures:
- Cryptographic Stamp Identifier (CSID): A unique certificate issued by ZATCA for each solution/device
- Digital Signature: Invoices must be signed using the private key associated with your CSID
- Invoice Hash: SHA-256 hash of the invoice XML for integrity verification
- Previous Invoice Hash: Each invoice references the hash of the previous invoice, creating an auditable chain
UUID and Invoice Hash Requirements
Every invoice must have:
- UUID: A version 4 UUID (128-bit identifier) that uniquely identifies each invoice globally
- Invoice Hash: A SHA-256 hash computed over the signed invoice XML
- Previous Invoice Hash: Links to the preceding invoice for chain integrity
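How the invoice hash and previous invoice hash described in the two sections above make modification and deletion detectable, as an added example (not ZATCA's or DNA ERP's code). It assumes the previous hash is covered by each invoice's own hash, hashes raw bytes without XML canonicalization, and uses a constructed starting value and placeholder XML.

```python
import base64
import hashlib

# Assumption: stand-in "previous hash" for the first invoice in a chain.
GENESIS = base64.b64encode(hashlib.sha256(b"").digest()).decode("ascii")

def invoice_hash(prev_hash, xml_bytes):
    """Base64 SHA-256 over the previous hash plus the invoice bytes.

    Assumption: the previous hash is part of the hashed content, modelled here
    by prefixing it. No XML canonicalization is performed.
    """
    digest = hashlib.sha256(prev_hash.encode("ascii") + xml_bytes).digest()
    return base64.b64encode(digest).decode("ascii")

def append_invoice(chain, xml_bytes):
    """Append a record linked to the hash of the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"xml": xml_bytes, "prev_hash": prev,
                  "hash": invoice_hash(prev, xml_bytes)})

def verify_chain(chain):
    """Return (index, problem) findings; an empty list means the chain is intact."""
    findings, expected_prev = [], GENESIS
    for i, rec in enumerate(chain):
        if invoice_hash(rec["prev_hash"], rec["xml"]) != rec["hash"]:
            findings.append((i, "content does not match stored hash"))
        if rec["prev_hash"] != expected_prev:
            findings.append((i, "previous-hash link broken"))
        expected_prev = rec["hash"]
    return findings

def build_sample_chain():
    """Three constructed invoices (placeholder XML, not real UBL documents)."""
    chain = []
    for n in (1, 2, 3):
        append_invoice(chain, f"<Invoice><ID>INV-{n}</ID></Invoice>".encode())
    return chain
```

Editing an invoice, deleting one from the middle, or editing one and recomputing its hash each produce a finding. Removing the most recent record does not, so the latest hash also needs to be held somewhere the invoicing system cannot rewrite.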
API Integration with ZATCA Portal
Your system must integrate with ZATCA's Fatoorah platform APIs:
- Compliance API: For onboarding and CSID generation
- Reporting API: For B2C simplified invoice reporting
- Clearance API: For B2B standard invoice clearance
- Production vs Sandbox: Test in sandbox environment before going live
ZATCA Compliance by Business Type
Large Enterprises
Large enterprises (SAR 500 million+ revenue) face the most stringent requirements:
- Earlier wave deadlines with less preparation time
- Complex multi-entity and multi-location requirements
- High transaction volumes requiring robust system performance
- Integration with legacy ERP systems (SAP, Oracle, etc.)
- Need for dedicated compliance teams and processes
SMEs and Mid-Market Companies
Small and medium enterprises have different considerations:
- Later wave deadlines provide more preparation time
- May need to upgrade or replace existing accounting software
- Cloud-based ERP solutions often provide the fastest path to compliance
- Limited IT resources require turnkey solutions
- Cost-effective compliance without enterprise complexity
Specific Industry Requirements
Certain industries have additional considerations:
- Retail: High B2C transaction volumes, POS integration requirements
- Construction: Progress billing, retention handling, project-based invoicing
- Healthcare: Insurance claim integration, patient billing complexities
- Trading: Multi-currency transactions, import/export documentation
- Services: Time-based billing, project invoicing, recurring invoices
Penalties for Non-Compliance
ZATCA enforces compliance through a structured penalty framework:
Fine Structure and Escalation
| Violation | First offense | Repeat |
|---|---|---|
| Not issuing e-invoices | SAR 5,000 | SAR 20,000+ |
| Deleting or modifying invoices | SAR 10,000 | SAR 40,000+ |
| Missing mandatory fields | SAR 5,000 | SAR 20,000+ |
| Not integrating with ZATCA (Phase 2) | SAR 10,000 | SAR 40,000+ |
| Using non-compliant systems | SAR 5,000 | SAR 20,000+ |
Penalties can be issued per invoice, meaning high-volume businesses face significant financial exposure.
Business Operation Risks
Beyond financial penalties, non-compliance creates operational risks:
- Invoices may be rejected by customers
- VAT input tax deductions may be denied
- Government contract eligibility may be affected
- Business license renewals may be complicated
- Banking and financing relationships may be impacted
10 Steps to Achieve ZATCA Compliance
- Assess Your Current Invoicing System: Evaluate whether your existing software can be upgraded or needs replacement. Document current invoice formats, volumes, and processes.
- Choose a ZATCA-Compliant ERP: Select a solution that is certified or proven compliant with ZATCA requirements. Look for built-in ZATCA modules rather than add-ons.
- Register on the Fatoorah Portal: Create your organization's account on ZATCA's Fatoorah platform. This is required before you can generate certificates.
- Generate Your CSID: Obtain your Cryptographic Stamp Identifier through ZATCA's compliance API. This certificate is required for signing invoices.
- Configure Invoice Templates: Set up your invoice templates with all mandatory fields, proper Arabic translations, and QR code positioning.
- Implement Cryptographic Signing: Configure your system to properly sign invoices and generate valid hashes. Test signature verification.
- Test in Sandbox Environment: ZATCA provides a sandbox environment for testing. Run comprehensive tests before production deployment.
- Train Your Finance Team: Ensure your team understands the new processes, common errors, and troubleshooting procedures.
- Go Live with Production: After successful sandbox testing, switch to production APIs. Monitor closely during initial days.
- Monitor and Maintain Compliance: Establish ongoing monitoring processes. Stay updated on ZATCA announcements and requirement changes.
How DNA ERP Ensures ZATCA Compliance
DNA ERP provides comprehensive, built-in ZATCA compliance that eliminates complexity and ensures ongoing adherence to all requirements.
Built-in ZATCA Module
Unlike solutions that require third-party add-ons, DNA ERP includes a native ZATCA module:
- Pre-configured for both Phase 1 and Phase 2 requirements
- Automatic updates when ZATCA releases new specifications
- No additional licensing or integration costs
- Unified support from a single vendor
Automatic XML Generation
DNA ERP automatically generates compliant UBL 2.1 XML for every invoice:
- All mandatory and conditional fields properly populated
- Arabic character encoding handled automatically
- Schema validation before submission
- Error handling with clear guidance for corrections
Real-Time Portal Integration
Seamless integration with ZATCA's Fatoorah platform:
- Automatic B2B invoice clearance before customer delivery
- Near-real-time B2C reporting within required timeframes
- Cryptographic stamp application and verification
- Secure credential management for CSIDs
Compliance Dashboard
Monitor your ZATCA compliance status in real-time:
- Submission success rates and error tracking
- Pending clearance queue visibility
- Failed invoice alerts and resolution workflows
- Compliance reporting for audits
ZATCA Compliance Checklist
Use this checklist to verify your compliance status:
System Requirements
- Electronic invoice generation capability
- UBL 2.1 XML export functionality
- QR code generation with TLV encoding
- Digital signature implementation
- UUID generation for each invoice
- Invoice hash computation (SHA-256)
- Previous invoice hash chaining
- ZATCA API integration (Clearance and Reporting)
Operational Requirements
- Fatoorah portal registration completed
- CSID obtained and configured
- Sandbox testing completed successfully
- Production API credentials configured
- Finance team trained on new processes
- Error handling procedures documented
- Monitoring and alerting configured
Ongoing Compliance
- Regular system updates applied
- Compliance dashboard monitored daily
- Failed submissions investigated promptly
- ZATCA announcements tracked
- Annual compliance review scheduled
Frequently Asked Questions
What is the deadline for ZATCA compliance?
Phase 1 has been mandatory since December 4, 2021 for all VAT-registered taxpayers. Phase 2 deadlines depend on your wave assignment based on annual revenue. ZATCA notifies taxpayers at least 6 months before their Phase 2 deadline.
Do I need new hardware for e-invoicing?
Most cloud-based ERP solutions like DNA ERP don't require new hardware. If you're using on-premise systems, you may need to ensure adequate server capacity and secure key storage for cryptographic operations.
Can I use my existing accounting software?
It depends on your software. Many legacy systems are not ZATCA-compliant and cannot be upgraded. Check with your vendor whether they have a ZATCA-compliant version. If not, you'll need to migrate to a compliant solution.
What if my ERP doesn't support ZATCA?
You have several options: (1) Upgrade to a newer version if your vendor offers ZATCA support, (2) Use a third-party ZATCA middleware (adds complexity), or (3) Migrate to a natively compliant ERP like DNA ERP.
How long does it take to become compliant?
Implementation timelines vary: Simple businesses with cloud ERP can be compliant in 2-4 weeks. Mid-size companies typically need 4-8 weeks. Large enterprises with complex requirements may need 3-6 months.
Is ZATCA compliance required for all industries?
Yes, all VAT-registered taxpayers must comply regardless of industry. This includes retail, manufacturing, services, construction, healthcare, and all other sectors.
What about credit notes and debit notes?
Credit notes and debit notes must also be electronically generated and reported to ZATCA. They follow similar requirements to invoices, including XML format, QR codes, and portal integration.
Last updated: May 2026 — DNA ERP maintains ongoing compliance with all ZATCA requirements and updates this guide as regulations evolve.














