ZATCA Wave 23 and 24: What Developers Need to Know Before the 2026 Deadlines
ZATCA continues to roll out Phase 2 e-invoicing enforcement in waves. If you build software for Saudi businesses — whether ERP, POS, or accounting — your clients may be in Wave 23 or 24. Here's what that means for your integration timeline.
The Deadlines
| Wave | Compliance Deadline | Who's Affected |
|---|---|---|
| Wave 23 | March 31, 2026 | Businesses with taxable revenue exceeding SAR 2.5 million in 2022 or 2023 |
| Wave 24 | June 30, 2026 | Businesses with taxable revenue exceeding SAR 2 million in 2022 or 2023 |
These deadlines are for the Integration Phase (Phase 2). Businesses in these waves must connect their invoicing systems to ZATCA's FATOORA platform and submit invoices electronically.
What Phase 2 Requires
Phase 2 is significantly more complex than Phase 1. Your system must:
- Generate UBL 2.1 XML — not PDF, not JSON. The full UBL 2.1 schema with ZATCA-specific extensions.
- Sign invoices cryptographically — ECDSA signatures using a production certificate issued by ZATCA.
- Submit via API — B2B invoices must be "cleared" (approved) before issuance. B2C invoices must be "reported" within 24 hours.
- Generate QR codes — TLV-encoded payloads with seller info, amounts, hash, and signature.
- Handle ZATCA responses — warnings, errors, and validation codes that may require invoice correction.
Common Pitfalls
1. XML Namespace Errors
ZATCA's validator is strict about XML namespaces. Missing or misplaced namespace declarations will cause silent failures. The invoice will be rejected with cryptic error codes.
2. Certificate Expiry
Production CSIDs expire. Your system needs to handle renewal before expiry, or all submissions will fail. There's no grace period — an expired certificate means immediate rejection.
3. Invoice Counter and UUID
Every invoice needs a sequential counter (ICV) and a UUID. ZATCA tracks these. Gaps, duplicates, or resets can trigger compliance warnings.
4. Hash Chain
Each invoice must include the hash of the previous invoice (PIH). This creates a chain that ZATCA uses to detect tampering or missing invoices. Your first invoice uses a zero hash.
Timeline for Integration
Based on what we've seen from teams integrating directly with ZATCA:
| Step | Direct Integration | With Jibrid |
|---|---|---|
| CSR + CSID onboarding | 1-2 weeks | Handled by Jibrid |
| XML builder | 2-4 weeks | Handled by Jibrid |
| Cryptographic signing | 1-2 weeks | Handled by Jibrid |
| QR code generation | 2-3 days | Handled by Jibrid |
| Testing + compliance | 1-2 weeks | Same day |
| Total | 6-10 weeks | 1 day |
How Jibrid Helps
Jibrid is an API layer that sits between your app and ZATCA. You send JSON, Jibrid handles the XML, signing, QR, and submission. Your integration code looks like this:
curl -X POST https://api.jibrid.com/v1/zatca/invoices \
-H "Authorization: Bearer jbr_live_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"invoice_type": "simplified",
"customer": { "name": "Ahmed" },
"items": [
{ "name": "Service", "quantity": 1, "unit_price": 500, "tax_rate": 15 }
]
}'That's it. No XML, no certificates, no QR encoding. Jibrid returns the ZATCA response, the signed invoice, and the QR code — all as JSON.
What You Should Do Now
- Check your clients' wave status — ask them to verify on the FATOORA portal.
- Start in sandbox — create a Jibrid account and test with sandbox credentials.
- Go live before the deadline — onboarding to production takes minutes, not weeks.
Wave 23 deadline is March 31, 2026.
Don't spend 6 weeks building what Jibrid handles in one API call. All connectors are free during beta.
Get your API key →