How Does the Second Phase of Electronic Invoicing Work?

In today’s rapidly evolving digital landscape, regulatory authorities across the globe are radically transforming the way business is conducted, streamlining commercial processes, and achieving unprecedented levels of seamless integration. At the forefront of this digital revolution is the Kingdom of Saudi Arabia. Driven by the ambitious goals of Vision 2030, the Zakat, Tax and Customs Authority (ZATCA) has fundamentally overhauled the taxation ecosystem through the implementation of the “Fatoora” project.

But how exactly does the critical second phase of electronic invoicing operate? What are the profound technical shifts from Phase 1, and what must taxpayers do to comply fully in 2026 and beyond? In this comprehensive, deep-dive guide, we will take an in-depth look at every single step, technical requirement, and legal mandate without omitting any details. Start your zatca e-invoicing journey with a system built to meet Saudi compliance flawlessly and protect your enterprise from costly penalties.

1. The Mechanism for the Second Phase of Electronic Invoicing

To understand the magnitude of Phase 2, we must first look at its structural implementation and scope. Phase 2—officially termed the Integration and Connectivity Phase—is not a mere software update; it is a paradigm shift in how commercial data is transmitted to the government.

When Does It Start?

The Zakat, Tax and Customs Authority (ZATCA) officially began applying the second phase of electronic invoicing on January 1, 2023. However, understanding the timeline requires acknowledging the “Wave” methodology.

How Is It Implemented?

Recognizing the massive technological burden this places on businesses, ZATCA chose to roll out this phase in gradual stages, or “waves,” targeting specific groups of taxpayers based on their historical annual taxable revenue. For example, the earliest waves targeted multi-billion Riyal conglomerates, while the 2025 and 2026 waves are bringing medium and smaller enterprises into the fold. As of 2026, Wave 23 targets businesses with revenues exceeding SAR 750,000 (with a deadline of March 31, 2026), followed immediately by Wave 24 targeting the SAR 375,000 threshold (with a deadline of June 30, 2026). Taxpayers are notified at least six months prior to their mandatory compliance date.

What Are the Requirements for Taxpayers?

Taxpayers subject to the electronic invoicing regulations must adhere to strict real-time or near-real-time data transmission protocols. They can no longer simply store invoices locally; their billing software must speak directly to ZATCA’s Fatoora servers via an Application Programming Interface (API).

And What About the First Phase?

The first phase (Issuance and Preservation) was implemented universally on December 4, 2021. In that initial phase, taxpayers were required to issue and store tax invoices or debit and credit notifications using electronic systems that complied with basic invoicing regulations. Handwritten invoices and simple word-processor PDFs were banned, but direct internet integration with the government was not yet required.

Which Technical Solution is Approved?

The Daysum ERP system is a fully approved, native solution for the second phase. It is capable of meeting all of the Authority’s rigorous cryptographic requirements and facilitating frictionless, automated integration with the Fatoora platform.

2. Decoding Key Terminology: The Language of Compliance

Understanding the technical and legal terminology is essential for grasping the complexities of the integration process. Without a firm command of these concepts, businesses risk purchasing non-compliant software or failing government audits.

• E-invoicing (Fatoora): A comprehensive procedural mandate aimed at converting the issuance, processing, and storage of paper invoices and notifications into a fully integrated, secure electronic process.
• E-invoicing Solutions (EGS): These encompass the devices, systems, applications, networks, and means of connectivity used for generating, storing, exchanging, and managing electronic invoices and notifications. This includes retail cashier Point of Sale (POS) devices and complex cloud ERPs. Approved solutions for the second phase include the Daysum system.
• E-invoice: A structured digital file issued and stored in an organized electronic format via an electronic system, containing all the required elements of a tax invoice. A scanned paper document or a flat image file (like a JPEG) is legally not an e-invoice.
• QR Code: A highly specific type of barcode in a square matrix format. In Phase 2, this is not a simple link to a website; it is a Base64 encoded string containing critical cryptographic data that is read automatically by a QR scanner or the official ZATCA smartphone application.
• Tax Invoice (B2B/B2G): An invoice typically issued from one registered business entity to another, or to a government body. It contains all elements required for input VAT deduction.
• Simplified Tax Invoice (B2C): An invoice generally issued from a business entity directly to an end consumer (like a retail receipt). It contains fewer buyer details but maintains strict seller and tax data.
• Integration: The continuous, automated process of linking a taxpayer’s e-invoicing systems directly with the ZATCA “Fatoora” platform to electronically share invoices.
• UUID (Universally Unique Identifier): A 128-bit number generated by the invoicing algorithm to guarantee that no two invoices in the universe share the exact same identifier.
• Cryptographic Stamp: A digital signature applied to the invoice data to prove its origin and guarantee that the contents have not been tampered with.

3. The Evolutionary Timeline of E-Invoicing Implementation

The roadmap to total digital compliance has been years in the making. Understanding this timeline provides context for the urgency of the current 2026 mandates.

• December 4, 2020: The foundational electronic invoicing regulations were published to the public.
• May 28, 2021: ZATCA issued the comprehensive decision detailing the controls, technical requirements, security specifications, and procedural rules for implementing the regulations.
• December 4, 2021 (Phase 1 Go-Live): The absolute obligation to issue and store invoices electronically commenced. All businesses had to abandon manual receipt books.
• January 1, 2023 (Phase 2 Go-Live): The Integration and Connectivity phase officially began with Wave 1 (revenues exceeding SAR 3 billion).
• 2024 to 2026 (The SME Expansion): Successive waves progressively lowered the revenue thresholds. Wave 14 initiated in February 2025, and by mid-2026, the mandate encompasses virtually all VAT-registered small and medium enterprises (SMEs).

Navigating these deadlines requires highly capable software. Investing in premium e invoicing software saudi arabia is essential to ensure your business transitions smoothly through its designated wave without suffering operational downtime.

4. Technical Specifications: What Powers a Phase 2 Invoice?

The technological leap from Phase 1 to Phase 2 is immense. The government requires a level of data structure and security that legacy accounting systems simply cannot handle.

Supported Formats

Phase 2 mandates that all electronic invoices be generated in one of two strict formats:

1. XML (UBL 2.1): A machine-readable Extensible Markup Language format that ZATCA servers can parse instantly.
2. PDF/A-3 (with embedded XML): A hybrid file format that looks like a standard PDF to a human reader but contains the structured XML data hidden within its metadata for computers to process.

Cryptographic Security Features

To prevent fraud, tax evasion, and post-issuance data manipulation, ZATCA enforces strict anti-tampering measures.

• Cryptographic Hashing: The system must generate a SHA-256 hash of the invoice. If a single digit in the total amount is altered after issuance, the hash changes, immediately alerting auditors to the tampering.
• Sequential Numbering Counter: A hidden, unalterable counter that increments with every invoice issued, preventing the deletion or skipping of invoice records.

Executing these technical maneuvers in the background of a busy retail store or manufacturing plant requires expert configuration. An expert odoo implementation saudi arabia bridges the gap between your daily commercial activities and these complex cryptographic government requirements.

5. What Must Be Done to Comply Fully?

Achieving compliance is a multi-step journey that requires coordination between your finance team, IT department, and software vendor.

Fulfilling Phase 1 (Issuance and Preservation) Requirements:

Even if your Phase 2 wave hasn’t hit yet, you must maintain perfect Phase 1 compliance:

• Use an approved electronic invoicing system capable of local network generation.
• Issue and store invoices electronically without reliance on paper archives.
• Ensure the inclusion of the basic required fields, such as the buyer’s VAT registration number (if they are registered) and the Phase 1 QR code.

Fulfilling Phase 2 (Integration and Connectivity) Requirements:

When your specific wave approaches, the following steps become mandatory:

• Infrastructure Check: Confirm that your technical solution has highly reliable, continuous internet connectivity.
• System Upgrade: Upgrade your software to generate the required XML structure, UUIDs, and Cryptographic hashes.
• Fatoora Integration: Securely integrate your solution with the ZATCA Fatoora platform via API credentials.
• Sandbox Testing: Before going live, you must pass ZATCA’s strict Sandbox testing environment to prove your system generates error-free XML payloads.
• Production Rollout: Issue and store live invoices in the approved PDF/A-3 format, ensuring real-time or near-real-time synchronization.

6. The Dual Mechanisms: Clearance vs. Reporting

Phase 2 introduces a fundamental operational split depending on who the buyer is. The Fatoora system operates on two distinct models: Clearance and Reporting.

Tax Invoices (B2B/B2G): The Clearance Model

When a business sells to another registered business or a government entity, the invoice must be “cleared” before it is legally valid.

1. The seller generates the XML invoice.
2. The system transmits the XML file directly to ZATCA via the API.
3. ZATCA validates the data, applies its own Cryptographic Stamp, and returns the approved XML to the seller (this happens in milliseconds).
4. The seller then converts this cleared XML into a readable PDF/A-3 and provides it to the buyer.
   Note: A B2B invoice shared with a buyer before receiving ZATCA’s cryptographic clearance is considered an illegal tax document.

Simplified Tax Invoices (B2C): The Reporting Model

When a business sells to an end consumer (e.g., a supermarket checkout), asking the customer to wait for government server clearance is impractical.

1. The seller’s POS system instantly generates the invoice, complete with a locally generated Cryptographic Stamp and Phase 2 QR code.
2. The receipt is handed directly to the consumer, allowing them to leave the store immediately.
3. The seller’s system then has a maximum of 24 hours to “Report” this generated invoice to the ZATCA portal via the API.

7. The Anatomy of the Phase 2 QR Code

In Phase 1, the QR code was relatively simple. In Phase 2, the QR code is an incredibly dense, Base64-encoded string of TLV (Tag-Length-Value) data. This ensures that a smartphone app can verify the invoice offline.

What Information Does the QR Code Include?

1. Seller’s Name: The registered legal name of the entity.
2. Seller’s VAT Registration Number: The 15-digit TRN.
3. Timestamp: The exact date and time the invoice or notification was generated.
4. Invoice Totals: The total invoice amount (including VAT) and the total VAT amount.
5. Cryptographic Hash: The SHA-256 hash of the XML invoice.
6. Cryptographic Stamp: The digital signature verifying the document’s authenticity.
7. Public Key: The ECDSA public key used to validate the signature.

8. Configuring Your E-Invoicing Solution via the “Fatoora” Platform

To allow your software to speak to the government, a strict digital handshake must occur. This is done by onboarding your EGS (Electronic Generation Solution) units to the portal.

The Onboarding Process:

1. Portal Access: Log in to the official taxpayer portal on the Fatoora platform using your ERAD credentials.
2. Initiate Configuration: Click on “Configure Electronic Invoicing Solution” or “Onboard New Device.”
3. OTP Generation: Generate a unique One-Time Password (OTP) for the specific device or server you are connecting.
4. Input to Software: Enter the OTP into your Daysum system settings.
5. CSID Retrieval: The system uses the OTP to automatically request a Certificate Signing Request (CSR) and receives a Cryptographic Stamp Identifier (CSID) from ZATCA.
6. Go Live: Complete the integration and begin issuing fully compliant Phase 2 invoices.

An approved electronic invoice ksa platform guarantees that this highly technical cryptographic exchange is handled smoothly in the background, shielding the business owner from IT headaches.

9. Key Pitfalls, Penalties, and Prohibited Specifications

The Zakat, Tax and Customs Authority does not take non-compliance lightly. The penalties for failing to adhere to the Phase 2 mandates are severe and can cripple a business financially.

Common Mistakes to Steer Clear Of

• Issuing electronic invoices using a system that is not properly configured for API communication.
• Reverting to handwritten invoices during a power or internet outage (systems must queue B2C invoices offline and report them when connectivity returns).
• Deleting electronic invoices after issuance (if an error occurs, a formal Credit Note must be issued).

The Financial Penalties

According to official ZATCA regulations, the fines for non-compliance are structured as follows:

• Failure to report or clear invoices electronically can result in fines ranging from SAR 5,000 to SAR 50,000 per violation.
• Failure to generate a compliant QR code can result in fines up to SAR 10,000 per invoice.
• Tampering with invoice data or deletion of records triggers maximum punitive measures, including potential commercial suspension.

Prohibited System Functionalities

ZATCA explicitly bans certain features in billing software:

• Phase 1 Prohibitions: Lack of user access management (anonymous logins), allowing multiple invoice sequences for the same unit, and granting users the ability to manually change the internal system clock or date to backdate invoices.
• Phase 2 Prohibitions: Any functionality that allows the manipulation of cleared electronic records, and any ability to extract, transfer, or copy the private cryptographic key used for the digital stamp.

10. Expanding the Digital Ecosystem: Beyond Invoicing

While Phase 2 compliance is a legal necessity, smart businesses view it as a catalyst for holistic digital transformation. When your billing is fully digitized, it opens the door to automating the rest of your enterprise.

For instance, when an e-invoice is cleared and paid, that data should not sit in isolation. Connecting financial data with cloud hrms solutions provides unprecedented operational synergy. When an invoice is processed, the system can automatically attribute the sale to a specific employee, instantly updating their performance metrics, calculating their monthly sales commissions, and factoring that data directly into the next payroll cycle. This eliminates hours of manual HR calculations and prevents internal disputes.

11. How Can Taxpayers Prepare for Electronic Invoicing?

Are you ready to embrace the digital transformation? Preparation is the ultimate defense against compliance failures.

1. Educate Your Team: Visit the electronic invoicing awareness page on the official ZATCA website and review the published guidelines.
2. Audit Your Current Tech: Assess whether your current software provider is officially capable of Phase 2 API integration. If not, it is time to migrate.
3. Upgrade and Install: Install or update your invoicing system well ahead of your wave’s deadline.
4. Train Your Staff: Ensure your sales, accounting, and IT staff are trained to handle the new electronic workflow, specifically how to process Credit Notes for rejected B2B invoices.
5. Test Rigorously: Use the ZATCA Sandbox environment to test issuing electronic invoices and verify their structural accuracy before the mandatory go-live date.
6. Partner with Experts: Leverage the approved Daysum system for the second phase to ensure seamless, worry-free compliance with the Authority’s most complex requirements.

Conclusion

The transition to ZATCA Phase 2 E-Invoicing is one of the most significant regulatory shifts in the history of Saudi Arabian commerce. It is a bold step toward a hyper-efficient, transparent, and digitally secure economy. While the technical requirements—ranging from UUID generation to Cryptographic Stamping and API integration—may seem overwhelming, they do not have to disrupt your business.

By understanding the mechanisms, avoiding prohibited practices, and adopting a certified, powerful ERP solution like Daysum, you transform a daunting legal mandate into a strategic operational advantage. Equip your business with the right tools today, and step confidently into the future of the Kingdom’s digital economy.

Frequently Asked Questions (FAQ)