ZATCA Compliance

Odoo ERP for ZATCA Phase 2 e-Invoicing: The 2026 Compliance Playbook for Saudi Arabia

Wave schedule, Fatoora clearance mechanics, XML + cryptographic stamp, production CSID path, rejection diagnostics, and the audit-defence chain that keeps Saudi businesses ZATCA-clean.

iWesabe Editorial TeamApril 10, 20249 min read

ZATCA Phase 2 stopped being a project and became a default in Saudi Arabia somewhere between the 12th wave and the 18th. By mid-2026 the question is no longer "are you live on Phase 2?" — every VAT-registered business above the ZATCA revenue floor is — but "is your Phase 2 chain audit-defensible end-to-end?" The two questions look similar; they have very different cost profiles when ZATCA inspects.

This guide is iWesabe's working Odoo ZATCA playbook — the wave logic, the technical chain (XML schema, cryptographic stamp, QR/TLV encoding, clearance vs reporting model), the CSID production path, the rejection diagnostics that actually move incidents, and the four-pillar audit-defence posture that keeps a system clean across multiple filing cycles.

Where does ZATCA Phase 2 stand in 2026, and who is in scope?

Phase 2 (the Integration Phase) rolled out in tiered waves from 1 January 2023, with each wave defined by a VAT-revenue threshold. By 2026 the high-revenue tiers are deep into business-as-usual; new entrants drop into upcoming waves as their VAT revenue crosses ZATCA's published floor. The practical implication for ERP planning: any Saudi business at or near the floor must treat ZATCA-readiness as a procurement default, not a future project.

What does Odoo ship out of the box for ZATCA Phase 2, and what configuration extends it?

Odoo's Saudi localisation (`l10n_sa` + `l10n_sa_edi` family of modules) covers the Phase 2 technical chain. The platform-side answer is solid; what determines whether a deployment is genuinely production-clean is configuration discipline. The table below is the audit-grade map iWesabe carries into every Saudi engagement.

Odoo ZATCA Phase 2 — what's native, what needs configuration
ZATCA requirementOdoo coverageConfiguration discipline
UBL 2.1 XML with Saudi extensionsNative via `l10n_sa_edi`Custom invoice lines + AR descriptions must validate cleanly
Cryptographic stamp (ECDSA, PKI)Native — handles CSR / CSID / signingPKI key rotation policy, sandbox-to-production cut-over discipline
QR code with TLV-encoded payloadNative — generates on every invoiceBilingual Arabic-first invoice template; QR positioning per ZATCA spec
Clearance (B2B) vs Reporting (B2C)Native — submits to correct endpointCustomer classification rules at the partner master; no manual flag
Archival, 7-year retentionNative to host (Odoo.sh) / configured (self-hosted)Off-host immutable storage for the cleared-invoice XML + response
VAT return reconciliationNative via standard tax reportTax-code defaults at product master, B2C zero-rated edge cases

Need a ZATCA Phase 2 production-readiness review for your Odoo?

iWesabe will audit your `l10n_sa_edi` configuration, partner classification, tax codes, and PKI posture — sized to your invoice volume.

What is the CSID production-cutover path, and how does Odoo handle it?

Every Phase 2 deployment moves through three identity-related artefacts: the CSR (Certificate Signing Request), the Compliance CSID (sandbox), and the Production CSID (live). Confusing the sandbox and production CSIDs is the most common cause of "my invoices stopped clearing after we went live" tickets.

  1. Generate the CSR inside Odoo. `l10n_sa_edi` exposes the CSR generation form — fill VAT number, CR number, legal name (Arabic + English), business industry, invoice-type flags. The Arabic legal name must match the CR exactly; mismatches cause sandbox rejection.
  2. Submit CSR to the ZATCA sandbox; receive the Compliance CSID. This certificate is for testing only — Odoo signs sandbox invoices with it. Verify cleared-invoice round-trips end-to-end before requesting the production CSID.
  3. Pass the Compliance Checks. ZATCA requires demonstrably-clean sandbox runs (standard invoice, credit note, debit note, prepayment) before issuing the Production CSID. Skipping a check type because "we don't use it" still blocks issuance.
  4. Request and install the Production CSID. Cut over Odoo's signing path to the production certificate, switch the API endpoint, and run a small first-day cleared-invoice batch with finance + IT watching. Roll the team off sandbox access on day one to avoid accidental dual-use.

When ZATCA rejects an invoice, where do you look first?

Production rejections cluster into five repeating patterns. A Saudi-grade support partner can name the root cause from the ZATCA response payload within minutes; offshore teams routinely take half a day on the same ticket. The five patterns:

  • Schema-level rejection. XML fails UBL 2.1 + Saudi extension validation. Usually a free-text field containing a forbidden character or a missing mandatory field on a customised invoice line. Fix at the Odoo template or field-validation level.
  • VAT calculation mismatch. Header VAT amount ≠ sum of line-level VAT amounts. Caused by rounding configuration drift between Odoo and the validation engine. Fix at tax-rounding precedence.
  • Cryptographic stamp failure. Signing path is using a stale or wrong CSID — usually the post-go-live "we switched but invoices stopped clearing" pattern. Fix by re-pointing Odoo at the production CSID and clearing the in-memory cache.
  • Customer classification error. A B2B customer is flagged as B2C (or vice versa), so the wrong endpoint and the wrong model (clearance vs reporting) get used. Fix at the partner master, not the invoice.
  • Out-of-sequence invoice number. ZATCA expects a strictly monotonic sequence per ICV (Invoice Counter Value); gaps or duplicates fail. Caused by manual journal corrections in Odoo bypassing the sequence module. Fix by enforcing the sequence and locking direct journal access for the AR clerks.

Hit a ZATCA rejection you can't resolve?

iWesabe runs Saudi-hours incident response — first response inside 15 minutes for P1 ZATCA rejections, median resolution under 4 hours.

What audit-defence posture does ZATCA inspection expect?

ZATCA inspectors do not ask whether your XML validates — your live submissions already proved that. They ask for evidence that the cleared chain is intact across multiple filing cycles. Four KPIs anchor that evidence; every Saudi Odoo deployment iWesabe runs reports against these monthly.

100%
Cleared-invoice UUID-to-Fatoora reconciliation rate
≥ 99.5%
First-time clearance acceptance
7 yrs
Cleared XML + ZATCA response retention
≤ 24 hrs
B2C reporting submission window

What does the ZATCA penalty schedule look like, and where does Odoo posture matter most?

ZATCA publishes a tiered penalty schedule for Phase 2 non-compliance, escalating from warning to material financial penalty. Three areas drive the bulk of real-world penalties: failure to issue a cleared invoice for a B2B transaction, failure to report a B2C invoice within 24 hours, and material data discrepancies between cleared XML and the VAT return. A clean Odoo configuration eliminates the first two structurally and gives finance the reconciliation evidence to defend the third in audit.

Odoo ZATCA Phase 2 compliance in 2026 is no longer about whether the platform can submit cleared invoices — it can. The question is whether the configuration discipline, the CSID production path, the rejection-diagnostics playbook, and the four-KPI audit-defence chain are all in place across multiple filing cycles. The combinations above are the working shape of a Saudi Odoo deployment that survives ZATCA inspection without remediation cost.

iWesabe has shipped Phase 2 production across multiple ZATCA waves in Saudi enterprises spanning construction, retail, manufacturing, distribution, and services. A 60-minute readiness review walks through your `l10n_sa_edi` configuration, partner classification, PKI posture, and reconciliation discipline — written summary inside 48 hours.

Book a 60-minute ZATCA Phase 2 production review

We will walk through your Odoo localisation, CSID posture, rejection log, and reconciliation chain — and send a written defence summary inside 48 hours.

WhatsApp

Frequently Asked Questions

Does Odoo support ZATCA Phase 2 out of the box?
Yes — the `l10n_sa` and `l10n_sa_edi` localisation modules cover the Phase 2 technical chain: UBL 2.1 XML with Saudi extensions, ECDSA cryptographic stamp, QR code with TLV-encoded payload, clearance (B2B) and reporting (B2C) endpoints. What Odoo does not do automatically is correct configuration discipline — partner classification, tax-rounding rules, invoice-sequence integrity, CSID lifecycle, and reconciliation cron. Roughly 80% of real-world ZATCA incidents stem from configuration gaps, not platform gaps. A Saudi Gold Partner ships the configuration alongside the platform; offshore implementations often skip it.
What's the difference between Phase 1 and Phase 2 e-invoicing?
Phase 1 (Generation) requires VAT-registered businesses to issue compliant e-invoices with QR codes and store them digitally — no real-time integration with ZATCA. Phase 2 (Integration) adds the cryptographic stamp, structured XML in UBL 2.1 + Saudi extensions, and real-time interaction with ZATCA's Fatoora portal. Phase 2 has two models: B2B invoices run the clearance model (cleared by ZATCA before delivery to the buyer); B2C invoices run the reporting model (issued first, reported to ZATCA within 24 hours). Phase 1 has been mandatory since December 2021; Phase 2 has been rolling out in waves by VAT-revenue threshold since January 2023.
How does Odoo handle the cryptographic stamp and CSID lifecycle?
Odoo's Saudi localisation generates the CSR (Certificate Signing Request) inside the platform, submits it to ZATCA for the Compliance CSID (sandbox), runs the four required Compliance Checks (standard invoice, credit note, debit note, prepayment), then requests and installs the Production CSID for live signing. Every cleared invoice gets ECDSA-signed with the active CSID; the signature is embedded in the XML and verified by ZATCA on clearance. Most go-live incidents come from rushing the sandbox checks or leaving Odoo pointed at the Compliance CSID after switching to production — both are configuration discipline, not platform limitations.
What is the most common reason ZATCA rejects an Odoo invoice in production?
Five patterns dominate. Schema rejection (UBL/Saudi-extension validation fails, often free-text fields with forbidden characters). VAT calculation mismatch (header VAT ≠ sum of line VAT, caused by rounding drift). Cryptographic stamp failure (wrong or stale CSID, usually the post-cutover "invoices stopped clearing" pattern). Customer classification error (B2B flagged as B2C or vice versa, wrong endpoint used). Out-of-sequence invoice number (ICV gaps from manual journal corrections bypassing the sequence). A Saudi-grade support partner names the pattern from the ZATCA response payload in minutes; iWesabe ships P1 SLA at ≤ 15-minute first response and median ≤ 4-hour resolution for rejection incidents.
What audit evidence does ZATCA expect us to keep?
Four artefacts cover the audit-defence chain: (1) every cleared invoice's XML + ZATCA response, retained 7 years in immutable storage; (2) a UUID-to-Fatoora reconciliation log proving every cleared Odoo invoice matches Fatoora — nightly job, monthly summary; (3) the CSID lifecycle log (CSR generation, Compliance CSID, Production CSID, any rotations); (4) the VAT return reconciliation against cleared totals per filing period. iWesabe ships the reconciliation cron and reporting templates as default with every Saudi Odoo deployment — it is the single cheapest evidence to produce and the most expensive to construct after the fact.
Are penalties for ZATCA Phase 2 non-compliance material?
Yes. ZATCA publishes a tiered penalty schedule escalating from warnings to material financial penalty per violation. The three highest-volume penalty causes are failure to issue a cleared invoice for a B2B transaction (clearance-model violation), failure to report a B2C invoice within the 24-hour window (reporting-model violation), and material data discrepancies between cleared XML and the VAT return at filing time. A clean Odoo configuration with discipline around partner classification, sequence integrity, and nightly reconciliation eliminates the first two structurally and gives finance the evidence to defend the third. The cost of getting the configuration right is a small fraction of the cost of accumulated penalties over a year.
iWesabe Editorial Team

iWesabe Editorial Team

Practitioner insights on Odoo ERP, ZATCA compliance, and Saudi enterprise digital operations — written by iWesabe's consulting, finance, and engineering teams.

About iWesabe

Related Articles

Explore Related Solutions