ZATCA Phase 2 (Fatoora): the Saudi business owner's integration checklist

If you sell in Saudi Arabia, e-invoicing isn’t optional — and Phase 2 is the part that trips businesses up. Phase 1 just asked you to generate structured invoices with a QR code. Phase 2 (“Integration”, or Fatoora) asks your system to talk directly to ZATCA and get each invoice cleared or reported in real time. Here’s what that means in practice, and a checklist to get there.

Phase 1 vs Phase 2 in one minute

• Phase 1 — Generation (live since Dec 2021): issue tax invoices electronically, in Arabic, with the required fields and a QR code. No connection to ZATCA needed.
• Phase 2 — Integration (rolling out in waves): your e-invoicing solution integrates with ZATCA’s Fatoora platform. Standard (B2B) invoices must be cleared by ZATCA before you send them to the buyer; simplified (B2C) invoices are reported within 24 hours. Invoices carry a cryptographic stamp and a UUID.

ZATCA notifies businesses of their Phase 2 wave by annual revenue, working down from the largest. You get a window (typically a few months’ notice) to integrate — so the question isn’t if, it’s when your wave lands.

What Phase 2 actually requires

1. A compliant e-invoice generation solution (EGS) — your accounting/ERP system.
2. Onboarding that EGS with ZATCA: generate a one-time password (OTP) in Fatoora, then exchange it for a cryptographic certificate (CSID).
3. XML in the right format (UBL 2.1), with the cryptographic stamp, UUID, and a hash chain linking invoices.
4. A QR code that encodes the stamped invoice data.
5. Clearance (standard) or reporting (simplified) of every invoice through the API.

That’s a lot of cryptography and schema detail — which is exactly why you want software that handles it invisibly rather than building it yourself.

The integration checklist

Before your wave

• Confirm your VAT registration number and that your legal/seller data is complete and correct (name, address, VAT number).
• Make sure customer records carry valid VAT numbers — standard invoices won’t clear without the buyer’s details.
• Verify your accounting/ERP is a ZATCA-compliant EGS that supports Phase 2 (don’t assume — ask the vendor directly).
• Clean up your product tax codes (standard 15% / zero-rated / exempt) so VAT is correct at source.

Onboarding

• In the Fatoora portal, generate an OTP for a new device/solution.
• In your software, onboard with that OTP to obtain the CSID certificate.
• Pass the compliance checks (sample standard, simplified, credit, and debit documents).
• Confirm the connection shows Live.

After go-live

• Issue a real standard invoice and confirm it’s cleared.
• Issue a simplified invoice and confirm it’s reported within 24 hours.
• Set a reminder to renew the certificate before it expires.
• Reconcile your VAT control accounts before each return.

Common reasons clearance fails

• Missing buyer VAT number or address on a standard invoice.
• Incomplete seller data in your company profile.
• Expired OTP during onboarding — they’re short-lived, so generate and use immediately.
• Wrong tax code on a line, producing a VAT mismatch.

Almost every rejection traces back to data completeness, not the cryptography — so the prep work above is where the real wins are.

How XO handles it

XO Books ships Phase 1 and Phase 2 built in. Onboarding is a guided screen — paste your Fatoora OTP, and XO requests the certificate, runs the compliance samples, and flips to Live. From then on, every invoice you issue is stamped, QR-coded, and cleared/reported automatically, with the rejection reason shown right on the invoice if anything’s off. No plugins, no XML wrangling.

Want the step-by-step inside the product? See the guide: Tax & ZATCA Compliance.

The businesses that sail through Phase 2 are the ones that treated it as a data-hygiene project a quarter early — not a software scramble the week their wave lands. Use the checklist, get your customer and product data clean, and let the system do the cryptography.