📌 General Questions
❓ What is ZATCA Phase 2?
▼
ZATCA Phase 2 is the mandatory integration phase where taxpayers must connect their systems directly to ZATCA's Fatoora portal via APIs. Unlike Phase 1 (which only required QR codes on invoices), Phase 2 requires real-time or near-real-time submission of invoice data for B2B transactions.
❓ Who needs to comply with ZATCA Phase 2?
▼
All taxable businesses in Saudi Arabia, including resident and non-resident taxpayers, must comply with ZATCA Phase 2 e-invoicing regulations. Deadlines vary by annual revenue.
❓ What is the deadline for Phase 2 integration?
▼
Deadlines vary by business revenue. Large taxpayers (over SAR 3 million) have earlier deadlines. Small and medium businesses have extended timelines. Check your ZATCA portal for your specific integration date.
❓ What is the difference between Phase 1 and Phase 2?
▼
Phase 1 required QR codes on invoices but no API integration. Phase 2 requires full API integration with ZATCA's Fatoora portal, CSD certificates, XML UBL 2.1 format, and real-time or near-real-time submission.
🔐 CSD Certificate Questions
❓ What is a CSD certificate?
▼
A CSD (Compliance Services Device) certificate is a digital certificate issued by ZATCA-approved providers. It is mandatory for Phase 2 e-invoicing and enables digital signing, cryptographic stamping, and secure API communication with the Fatoora portal.
❓ How do I get a CSD certificate?
▼
You must purchase a CSD certificate from ZATCA-approved providers like Geotrust (DigiCert), Digicert, Entrust, or GlobalSign. The process takes 5-10 business days and requires business registration, TRN, and identity verification.
❓ How much does a CSD certificate cost?
▼
Costs vary by provider and validity period: 1-year: SAR 800-1,500, 2-year: SAR 1,500-2,500, 3-year: SAR 2,000-3,500.
❓ Can I use a free SSL certificate instead of CSD?
▼
No. Free SSL certificates (like Let's Encrypt) are NOT accepted. You must purchase a paid CSD certificate from ZATCA-approved providers. Free certificates lack the cryptographic capabilities required for digital signing.
❓ Is CSD required for both Clearance and Reporting models?
▼
Yes, both models require a valid CSD certificate for digital signing and cryptographic stamp generation. There is no exception for either model.
⚙️ Technical & Integration Questions
❓ What is the XML format required for ZATCA invoices?
▼
All invoices must be generated in UBL 2.1 XML format. This includes specific fields for seller/buyer details, line items, VAT amounts, and cryptographic stamps. Use our XML Validator tool to check your files.
❓ What is the QR code format for ZATCA invoices?
▼
The QR code must contain a cryptographic stamp encoded in TLV (Tag-Length-Value) format and then Base64 encoded. It includes seller name, TRN, timestamp, invoice total, VAT amount, and digital signature.
❓ What is the difference between Clearance and Reporting models?
▼
Clearance model (B2B): Real-time validation by ZATCA before buyer receives invoice. Reporting model (B2C): Submit within 24 hours of issuance. No real-time validation.
❓ How long does API response take?
▼
Clearance endpoint: 2-5 seconds (synchronous). Reporting endpoint: Response within seconds (asynchronous), but invoice status may update later via webhook.
❓ What is the rate limit for Fatoora APIs?
▼
Standard limit is 10 requests per second. For higher volumes (enterprise), contact ZATCA support to request increased limits.
❓ Can I test integration before going live?
▼
Yes, ZATCA provides a Sandbox environment at https://sandbox.fatoora.zatca.gov.sa where you can test all API calls with test CSD certificates before production.
⚠️ Compliance & Penalties
❓ What are the penalties for non-compliance?
▼
Penalties include: Missing CSD certificate: SAR 10,000-50,000, incorrect QR code: SAR 5,000-20,000 per invoice, late reporting: SAR 5,000-20,000, using wrong model: up to SAR 50,000 per invoice, repeated violations: suspension of e-invoicing privileges.
❓ What happens if my invoice is rejected?
▼
You cannot edit a rejected invoice. You must correct the issue in your system and submit a brand new invoice with a new invoice number. Rejected invoices cannot be resubmitted.
❓ Can one CSD certificate be used for multiple branches?
▼
Yes, a single CSD certificate can be used for all invoices from the same legal entity (same TRN). Each branch does not need a separate certificate.
❓ What happens if my CSD certificate expires?
▼
ZATCA will reject your e-invoices. You must renew the certificate before expiry. The renewal process is simpler and faster (3-5 business days) than the initial application.
❓ Do I need Arabic text on my invoices?
▼
Yes. The visual representation of the invoice must include Arabic for mandatory fields (seller/buyer names, invoice date, line items, VAT amount, total due, and invoice heading). Bilingual (Arabic/English) is acceptable.