Smart Ideal Technology

ZATCA Phase 2 Checklist for Saudi Businesses (2026)

A field-tested ZATCA Phase 2 implementation checklist — CSID onboarding, signed XML clearance, retry queues, and the production cutover plan. Built from real deployments across KSA.

Published 2026-05-10 · 7 min read

ZATCA Phase 2 ("Integration Phase") is where many Saudi businesses get stuck. Phase 1 just required QR-coded simplified invoices — your printer could handle most of it. Phase 2 demands real cryptographic integration with the Fatoora platform: device onboarding, signed XML, real-time clearance for B2B invoices, and reporting for B2C.

This is the checklist we run for every Phase 2 client.

1. Confirm your wave and deadline

ZATCA rolls out Phase 2 in waves based on annual revenue. Confirm your wave on the Fatoora portal before scoping work — a 6-month deadline and a 6-week deadline drive very different architectures.

2. Inventory your invoice surface

List every system that emits an invoice or receipt:

  • ERP (Oracle, SAP, Odoo, NetSuite, Microsoft Dynamics, custom)
  • POS terminals (one per branch, sometimes more)
  • E-commerce checkouts
  • Mobile field-sales apps
  • Standalone billing utilities (Excel sheets that print to PDF count too)

Each invoice source needs a CSID (Cryptographic Stamp Identifier). Forgetting an invoice source is the #1 reason a go-live slips.

3. Decide on direct vs. middleware integration

You have two paths:

Direct. Each invoice source connects to ZATCA's APIs itself. Lower latency. Higher integration surface. More CSIDs to manage. Good for a single ERP, painful for multi-branch retail.

Middleware (recommended for most). A single Smart Ideal e-invoicing service sits between your invoice sources and ZATCA. One signed-XML path. One retry queue. One rejection dashboard. Your ERP and POS just emit an invoice; the middleware handles signing, clearance, and reporting.

For multi-branch retail and any operation with 3+ invoice sources, middleware almost always wins.

4. Onboard your CSIDs

For each invoice-emitting device:

  1. Register the device on the production Fatoora portal (not the sandbox).
  2. Generate an OTP and exchange it for a Production Cryptographic Stamp Identifier (PCSID).
  3. Store the private key in a hardware-backed keystore (HSM-class device on the server, or TPM on the POS terminal). Storing keys in a .pem file on disk is the second most common cause of audit findings.

We script this end-to-end for clients with more than ~3 devices.

5. Validate against the sandbox first

Before touching production, every invoice template must clear the ZATCA sandbox. Common rejections to budget for:

  • VAT registration number missing or malformed
  • Item-line discount calculations off by 0.01 SAR (rounding)
  • Buyer details required for B2B but missing on a B2C-style invoice
  • Mismatch between subtotal and sum of line totals

Build a rejection-handling workflow before you go to production. You will see rejections — your operations team needs a UI to fix them, not a Slack ping.

6. Plan the cutover with a parallel run

Best-practice cutover:

  1. Week -2. All invoices flow through the middleware in report-only mode. Nothing goes to ZATCA. You're building confidence the middleware does not mangle your invoice volume.
  2. Week -1. Switch B2B invoices to ZATCA clearance. B2C stays on report-only.
  3. Week 0. Switch B2C to full reporting. ZATCA is now authoritative.
  4. Week +2. Decommission any legacy "print and sign by hand" workflow.

Skipping the parallel run is the #1 reason a Phase 2 cutover blows up.

7. Build the operations dashboard, not just the integration

After go-live, your finance team needs to see:

  • Clearance success rate by source (a single sick POS terminal can quietly drop 5% of invoices).
  • Rejection queue with one-click resubmit.
  • Daily totals reconciled between ERP, middleware, and the ZATCA portal.

Without this dashboard, your VAT return becomes a 3-day spreadsheet expedition every month.

8. Production support — first 90 days matter

Most Phase 2 failures happen 6 to 8 weeks after go-live, when a software update at the ERP or POS vendor silently breaks the invoice XML schema. Run an automated daily ZATCA-side reconciliation against your ERP totals for the first 90 days. Alert on any drift over 0.5%.
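
The daily reconciliation described above, combined with the per-source view from section 7, sketched as an added example (not Smart Ideal's code or a ZATCA API). The source names, the amounts, and the choice to apply the 0.5% threshold per source as well as overall are assumptions made for illustration.

```python
from decimal import Decimal

DRIFT_THRESHOLD = Decimal("0.005")  # 0.5%, the alert level named in section 8

def drift(erp_total, zatca_total):
    """Relative drift of the ZATCA-side total from the ERP total, or None
    when the ERP reports nothing but ZATCA does (no baseline to divide by)."""
    if erp_total == 0:
        return Decimal(0) if zatca_total == 0 else None
    return abs(erp_total - zatca_total) / erp_total

def reconcile(erp, zatca, threshold=DRIFT_THRESHOLD):
    """Return (alerts, overall_drift) for one day's totals.

    erp, zatca: dicts mapping invoice source -> Decimal total in SAR.
    A source missing from either side is treated as a zero total, so an
    uninventoried source or a silent terminal shows up as an alert.
    """
    alerts = []
    for source in sorted(set(erp) | set(zatca)):
        e = erp.get(source, Decimal(0))
        z = zatca.get(source, Decimal(0))
        d = drift(e, z)
        if d is None:
            alerts.append((source, "no ERP baseline", e, z))
        elif d > threshold:
            alerts.append((source, f"drift {d:.2%}", e, z))
    overall = drift(sum(erp.values(), Decimal(0)), sum(zatca.values(), Decimal(0)))
    return alerts, overall

# Constructed sample day: source names and amounts are invented for illustration.
ERP_DAY = {
    "erp-main": Decimal("182450.00"),
    "pos-riyadh-01": Decimal("9120.50"),
    "pos-jeddah-03": Decimal("7800.00"),
}
ZATCA_DAY = {
    "erp-main": Decimal("182450.00"),
    "pos-riyadh-01": Decimal("9120.50"),
    "pos-jeddah-03": Decimal("7410.00"),   # terminal dropped 5% of its invoices
    "pos-legacy-09": Decimal("310.25"),    # source never inventoried in the ERP
}

if __name__ == "__main__":
    alerts, overall = reconcile(ERP_DAY, ZATCA_DAY)
    print(f"overall drift: {overall:.2%}")
    for source, reason, e, z in alerts:
        print(f"ALERT {source}: {reason} (ERP {e} SAR, ZATCA {z} SAR)")
```

On the sample day the overall drift stays under the threshold while one terminal is 5% short, which is why the comparison runs per source and not only on the grand total.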

Want our reference architecture?

Smart Ideal has integrated ZATCA Phase 2 into Oracle ERP, SAP, Odoo, NetSuite, and a half-dozen custom systems. Reach out and we'll share the reference architecture diagram that has cleared every sandbox audit we've run.