ZATCA Compliance Guide 2025: Mastering Phase 1 & Phase 2 Integration
The ultimate guide to ZATCA E-Invoicing (Fatoora) for Saudi SMEs. Learn about Phase 1, Phase 2 integration, technical requirements (XML, UUID, Hash), and how to avoid fines.
Navigating the ZATCA E-Invoicing Landscape in Saudi Arabia
Since the launch of the Fatoora project by the Zakat, Tax and Customs Authority (ZATCA), the business landscape in Saudi Arabia has undergone a digital revolution. Compliance is no longer just about filing returns; it is about real-time data integrity and seamless system integration.
Whether you are a startup or an established enterprise, understanding the nuances of ZATCA E-Invoicing is critical to avoiding heavy penalties and ensuring business continuity. This guide breaks down everything you need to know about Phase 1 (Generation) and Phase 2 (Integration).
📋 Phase 1 vs. Phase 2: Key Differences
Saudi Arabia implemented e-invoicing in two distinct phases. While Phase 1 focused on the ability to generate and store invoices, Phase 2 is about connectivity.
| Feature | Phase 1 (Generation) | Phase 2 (Integration) |
|---|---|---|
| Implementation | Dec 4, 2021 | Started Jan 1, 2023 (In Waves) |
| Technical Requirement | E-invoicing software (not Excel/Word) | API Integration with ZATCA (Fatoora Portal) |
| Invoice Format | Any digital format with QR code | UBL 2.1 XML or PDF/A-3 (with embedded XML) |
| Connectivity | Offline (No internet required) | Real-time or batch clearance/reporting |
| QR Code | Required for B2C (Simplified) | Required for all types (with more data) |
💡 Tip: Use our ZATCA Readiness Checker to see if your current system meets the latest requirements.
🛠️ The Technical Anatomy of a Phase 2 Invoice
In Phase 2, an invoice is more than just a piece of paper; it is a complex data structure. Every invoice must contain specific technical elements to be valid:
1. UUID (Universally Unique Identifier)
Each invoice must have a 128-bit RFC4122 compliant UUID. This ensures that no two invoices in the Kingdom share the same identity.
2. ICV (Invoice Counter Value)
This is a sequential number that tracks the order of invoices generated by a specific EGS (E-Invoicing Generation Suite). It prevents tampering with the sequence of sales.
3. PIH (Previous Invoice Hash)
To ensure a “chain of trust,” each invoice must contain a digital fingerprint (hash) of the previous invoice. If one invoice is deleted or altered, the chain breaks, alerting ZATCA to potential fraud.
4. Cryptographic Stamp (Digital Signature)
For B2B invoices, ZATCA signs the invoice (Clearance). For B2C invoices, your system signs it using a private key obtained during the onboarding process.
5. QR Code Requirements (TLV Encoding)
Phase 2 QR codes are more complex. They must be Base64 encoded and follow the TLV (Tag-Length-Value) format, including the Seller’s name, VAT number, timestamp, invoice total, and VAT total. For a detailed technical guide, see ZATCA QR Code Requirements & TLV Encoding.
✅ Steps to Ensure Full Compliance
Step 1: Onboard Your EGS
You must register your accounting software on the ZATCA Fatoora portal. This involves generating a CSID (Cryptographic Stamp Identifier).
Step 2: Categorize Your Invoices
- Standard Tax Invoices (B2B): Must be shared with ZATCA in real-time for “Clearance” before being sent to the buyer.
- Simplified Tax Invoices (B2C): Must be reported to ZATCA within 24 hours of issuance.
Step 3: Implement Internal Controls
Ensure your Accounting & Finance module prevents the following prohibited actions:
- ❌ Manual editing of generated invoices.
- ❌ Deletion of invoices.
- ❌ Multiple sequences for the same branch.
- ❌ Anonymous access to the invoicing system.
⚠️ Common Rejection Errors and How to Avoid Them
Integrating with the ZATCA API can lead to various rejection codes. Some of the most common include:
- 401 Unauthorized: Usually due to an expired or invalid CSID.
- BR-KSA-31: Incorrect VAT category code for the specific line item.
- Hash Mismatch: Occurs when the XML content is changed after the hash has been calculated.
For a detailed list, check our guide on Top 15 ZATCA Rejection Errors.
💡 Why Cloud ERP is the Best Strategy for ZATCA
Managing XML files, UUIDs, and API handshakes manually is impossible for SMEs. A cloud-based solution like Qeemah automates the entire process:
- Automatic Sync: Invoices are sent to ZATCA the moment you click ‘Save’.
- Validation Engine: We check for VAT errors before the invoice reaches ZATCA.
- Secure Archiving: All invoices are stored for the legally required 6-year period with high encryption.
- Integrated Ecosystem: Your Inventory and Sales update automatically with every compliant invoice. Start with professional quotations that seamlessly convert to Phase 2-compliant invoices.
🚀 How Qeemah Helps You Stay Compliant
At Qeemah (قيمة), we have built a ZATCA-first architecture. We don’t just add a QR code; we handle the entire Phase 2 cryptographic handshake behind the scenes so you can focus on growing your business.
- Zero-Touch Integration: Onboard your branches in minutes.
- Fatoora-Ready: Fully compliant with UBL 2.1 and TLV standards.
- Expert Support: Our team understands Saudi VAT laws and Labor regulations.
Ready to automate your ZATCA compliance? Explore Qeemah Features | View Pricing Plans | Contact our Saudi Experts