Soleeb Digital Arabia

Navigating ZATCA Phase 2: A Technical Compliance Guide for Saudi Enterprises

By: Dr. Sultan Al-Mutairi | Jun 10, 2026

As the Kingdom of Saudi Arabia accelerates its digital transformation journey, the Zakat, Tax and Customs Authority (ZATCA) has transitioned into Phase 2 of e-invoicing (Fatoora). Unlike Phase 1, which focused on generation, Phase 2 is centered around deep system integration.

1. Understanding the Integration Mandate

Phase 2 requires tax-compliant businesses to integrate their billing systems (ERP, POS, custom invoicing software) directly with ZATCA’s portal via Web APIs. Invoices must now be generated in a specific XML format (UBL 2.1) and transmitted in real-time or near-real-time for clearance or reporting.

2. Key Technical Components Required

To successfully integrate, enterprise systems must support several cryptographic and structured data protocols:

  • Cryptographic Stamps: Every invoice must contain a unique digital signature generated using a cryptographic private key issued during onboarding.
  • UUID Generation: A universally unique identifier (UUID) must be computed for each document to prevent duplication.
  • Invoice Hash: A SHA-256 hash value must be calculated over the XML contents to guarantee document integrity.
  • QR Code Specs: The generated QR code must embed the signature, hash, and seller VAT info formatted in Base64.

Soleeb Compliance Tip

Make sure your database keeps an immutable log of invoice numbers. Any gap or alteration in the sequential numbering will trigger validation failures on the ZATCA integration gateway.
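
One way to make the invoice log tamper-evident, as an added example (not code from Soleeb or ZATCA): each entry records the invoice's UUID and SHA-256 hash and is chained to the previous entry, so a verifier can report gaps, duplicate UUIDs and alterations before anything is submitted. The log layout, function names and sample invoices are assumptions, and the hash is taken over raw bytes rather than over XML prepared according to ZATCA's own rules.

```python
import hashlib
import json
import uuid

GENESIS = "0" * 64  # constructed placeholder: "previous digest" of the first entry

def invoice_hash(xml_bytes: bytes) -> str:
    """SHA-256 over the invoice bytes (assumption: raw bytes, no XML canonicalization)."""
    return hashlib.sha256(xml_bytes).hexdigest()

def entry_digest(entry: dict) -> str:
    """Digest binding sequence number, UUID, invoice hash and previous digest together."""
    body = {k: entry[k] for k in ("seq", "uuid", "invoice_hash", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log: list, xml_bytes: bytes) -> dict:
    """Append the next invoice; the sequence number is assigned here, never by the caller."""
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"seq": len(log) + 1, "uuid": str(uuid.uuid4()),
             "invoice_hash": invoice_hash(xml_bytes), "prev": prev}
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify(log: list) -> list:
    """Return findings; an empty list means the numbering is gapless and unaltered."""
    findings, prev, seen = [], GENESIS, set()
    for pos, e in enumerate(log, start=1):
        if e["seq"] != pos:
            findings.append(f"gap or reorder at position {pos}: seq={e['seq']}")
        if e["uuid"] in seen:
            findings.append(f"duplicate UUID at seq {e['seq']}")
        seen.add(e["uuid"])
        if e["prev"] != prev:
            findings.append(f"broken chain at seq {e['seq']}")
        if entry_digest(e) != e["digest"]:
            findings.append(f"altered entry at seq {e['seq']}")
        prev = e["digest"]
    return findings

def build_sample_log() -> list:
    """Three constructed invoices (sample data, not real ZATCA XML)."""
    log = []
    for n in (1, 2, 3):
        append(log, f"<Invoice><ID>INV-{n}</ID></Invoice>".encode())
    return log
```

Running `verify()` on a schedule and before each submission batch turns a silent database edit into an explicit finding, because recomputing one entry's digest still breaks the link held by the entry after it.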

3. The Three-Step Onboarding Process

Before transmitting live transactions, systems must undergo a strict Device Onboarding process:

  1. Generate a Cryptographic CSR (Certificate Signing Request) locally within your ERP/POS environment.
  2. Submit the CSR to the ZATCA API to retrieve a CCSID (Cryptographic Stamp).
  3. Run mock transaction validation API checks in the ZATCA Sandbox environment to confirm signature clearances.

Conclusion

Compliance is not just about avoiding regulatory fines; it is an opportunity to digitize accounting pipelines and enable automated tax audits. Soleeb Digital Arabia provides custom ZATCA Phase 2 API middleware that bridges legacy systems to the Fatoora platform seamlessly.


Executive Author

Dr. Sultan Al-Mutairi Chief Executive Officer

Co-Founder of Soleeb Digital Arabia. Over 12 years of experience in management consulting, corporate strategy, and technological transformation across government and private sectors in KSA.
