ZATCA Compliance

ZATCA-Approved E-Invoicing Software for Saudi Arabia: What the List Really Means

Why ZATCA certifies deployments, not ERP brands — and what that means for your Phase 2 procurement decision.

iWesabe Editorial TeamJune 4, 20268 min read

ZATCA Phase 2 Wave rollouts are tightening the net around more Saudi businesses each quarter, and procurement teams are searching for a definitive "approved software list" — a ZATCA registry of vetted ERP brand names they can consult before choosing a system. That registry does not exist. ZATCA certifies the specific e-invoicing solution of a specific business entity, not ERP product lines. Understanding this distinction is the difference between a compliant go-live and a B2B clearance failure on day one.

This guide explains the certification mechanics — the three-stage CSID process, the six technical requirements that Phase 2 mandates, where Odoo stands in this certification model, and a four-step framework for verifying any vendor's compliance claim before you sign a contract.

What does 'ZATCA-approved' actually mean for e-invoicing software?

ZATCA does not maintain a registry of approved ERP brands. What ZATCA evaluates and certifies is the specific e-invoicing solution — the exact configuration of a specific business entity. The certification binds a Taxpayer Identification Number (TIN) to a specific device and solution configuration, not to an ERP product line. A buyer cannot look up "Odoo" or any other system on a ZATCA whitelist and rely on that lookup as proof of compliance for their own entity.

The three-stage ZATCA Phase 2 certification process
StageWhat happensWho manages it
OnboardingRegister the device/solution on ZATCA's Fatoora portal and generate the Cryptographic Stamp Identifier request (CSR)Implementation partner
Compliance CSID (CCSID)Submit minimum 10 test invoices (standard, debit note, credit note, simplified) to ZATCA's sandbox. ZATCA issues the CCSID on passingImplementation partner + ZATCA sandbox
Production CSID (PCSID)Onboard to the production Fatoora portal, submit live invoices, ZATCA confirms live clearance — this is the definitive compliance proofImplementation partner + ZATCA production

What technical requirements must e-invoicing software meet for ZATCA Phase 2?

ZATCA's technical specification for Phase 2 mandates six specific capabilities. Any e-invoicing solution — whether embedded in an ERP or standalone — must implement all six to pass the Compliance CSID process. These are the objective criteria to audit when evaluating a vendor's Phase 2 readiness claim.

ZATCA Phase 2 — six mandatory technical requirements
RequirementTechnical standardWhat it means for your system
UBL 2.1 XML structureISO/IEC 19845:2015Invoice data must be structured in Universal Business Language 2.1 XML — the native format ZATCA's Fatoora portal parses for both clearance and reporting
Cryptographic stamp (ECDSA)ZATCA Technical Spec v3.0Every invoice must carry a digital signature using Elliptic Curve Digital Signature Algorithm — proves the invoice was not tampered with after generation
UUID per invoiceRFC 4122Each invoice must carry a universally unique identifier — enables ZATCA to cross-reference clearance requests without collisions across the entire Fatoora system
QR code (TLV format)ZATCA QR code specSimplified invoices (B2C) must carry a QR code encoding seller name, VAT number, date, totals, and cryptographic stamp in Tag-Length-Value binary format
Clearance / reporting APIZATCA API v2B2B invoices are cleared via API before issuance; B2C invoices are reported within 24 hours. The system must handle both flows and manage ZATCA API authentication tokens
7-year electronic archiveVAT Implementing Regulations Art. 66Signed XML invoices must be retained in full for 7 years and producible on ZATCA request — the archive must store the signed XML, not just a PDF rendering

See how Odoo handles ZATCA Phase 2 for Saudi Arabia

iWesabe's ZATCA Phase 2 implementation for Odoo covers all six technical requirements — Compliance CSID through Production CSID for your Wave.

Explore Odoo ZATCA Phase 2WhatsApp

Does Odoo qualify for ZATCA Phase 2 — and what does iWesabe's track record show?

Odoo 16, 17, and 18 ship with two Saudi-specific modules in the standard distribution: l10n_sa (Saudi localisation — VAT, chart of accounts, TIN) and l10n_sa_edi (electronic invoicing — UBL 2.1 XML generation, ECDSA stamping, UUID, TLV QR code, and the ZATCA clearance/reporting API). No third-party add-on is required. These modules implement all six Phase 2 technical requirements in the table above as part of the core Odoo distribution.

iWesabe has completed ZATCA Phase 2 Compliance CSID and Production CSID processes for Saudi clients across manufacturing, distribution, retail, and professional services — in multiple Wave batches. Each go-live involved ZATCA sandbox onboarding, compliance invoice testing, CCSID issuance, and production clearance confirmation for the client's specific TIN and entity.

What should you look for beyond ZATCA certification when choosing an e-invoicing system?

Passing ZATCA certification is the minimum bar, not the complete evaluation. A solution that clears the Compliance CSID process may still carry operational risk if it was not built to handle live Saudi invoicing at scale. Five criteria worth adding to your vendor evaluation:

  • Wave-specific implementation references — "Phase 2 capable" is a vendor claim; a completed Production CSID for a client in your specific Wave is evidence.
  • Rejection diagnostic capability — can the team diagnose B2B clearance rejections by ZATCA error code (XML structure, ECDSA stamp, ICV sequence, customer classification, VAT mismatch)?
  • ZATCA API downtime handling — ZATCA's Fatoora portal has planned and unplanned downtime. Does the system queue invoices locally and retry, or does an outage freeze your entire accounts-receivable workflow?
  • 7-year archive design — is the signed XML archive built into the ERP storage layer, or is it bolted on to a third-party system that requires a separate maintenance contract?
  • Phase 3 upgrade path — ZATCA has indicated scope expansion is coming. Ask specifically how the vendor manages compliance updates between Phase releases without requiring a full re-implementation.

How to verify a software vendor's ZATCA compliance claim before you commit

Once you have identified a candidate system, these four steps convert a vendor's compliance claim into verifiable evidence before you sign a contract:

  1. Request the Compliance CSID documentation for a reference client in your Wave — not a generic "we are Phase 2 ready" slide deck. The CCSID document identifies the TIN, solution configuration, and Wave batch.
  2. Ask for the first-pass B2B clearance acceptance rate for that reference client in live production. A well-configured Odoo + ZATCA implementation should achieve ≥99% first-pass acceptance; anything below 95% in steady state signals misconfiguration.
  3. Request two or three callable references from clients who completed Production CSID in the same Wave you are entering — ask specifically about the certification timeline, ZATCA sandbox interactions, and post-go-live rejection rates.
  4. Run a sandbox proof-of-concept before signing — credible implementation partners will demonstrate end-to-end ZATCA clearance in the sandbox environment as part of the pre-sales process. A partner who declines is signalling that their Phase 2 implementation is not production-tested.

Need a partner with a ZATCA Phase 2 track record in your Wave?

iWesabe holds Best Partner MENA 2023, Highest Revenue KSA 2022/2023, and Top Revenue Achiever KSA 2023/2024. See the full credentials and Phase 2 delivery record.

See iWesabe's ZATCA credentialsWhatsApp

The "ZATCA-approved software list" question has a more specific answer than most buyers expect — certification is per-deployment, not per-brand. The six technical requirements, the three-stage CSID process, and the five beyond-compliance criteria above are the working evaluation framework for any Saudi e-invoicing procurement decision.

iWesabe has implemented ZATCA Phase 2 on Odoo for Saudi enterprises across manufacturing, distribution, retail, and professional services. If you are in an active Wave window or planning a ZATCA-compliant go-live, a 60-minute call is sufficient to assess your Wave timeline and current system readiness.

Book a ZATCA Phase 2 readiness call

Tell us your Wave, entity count, and current system — we will give you a clear timeline and next steps in 60 minutes.

WhatsApp

Frequently Asked Questions

Is there an official ZATCA-approved ERP software list?
ZATCA does not publish a whitelist of approved ERP brand names. What ZATCA certifies is the specific e-invoicing solution configuration of a specific business via a Compliance CSID (sandbox testing) and a Production CSID (live clearance). A buyer cannot look up an ERP brand on a ZATCA registry — they must verify that their implementation partner has completed the Compliance → Production CSID process for their specific entity and Wave.
How do I know if my current ERP is ZATCA Phase 2 compliant?
Request the Production CSID certificate your implementation partner obtained for your specific entity — this is the definitive proof. If no Production CSID exists for your entity, the ERP is not yet live for Phase 2 regardless of what the vendor claims. A Compliance CSID means the system passed sandbox tests; a Production CSID means it is cleared for live B2B invoicing on ZATCA's Fatoora portal.
What is the difference between Compliance CSID and Production CSID?
Compliance CSID (CCSID) is issued after the e-invoicing solution passes ZATCA's sandbox testing — minimum 10 invoices covering standard, debit note, credit note, and simplified invoice types. Production CSID (PCSID) is issued after the business onboards to the production environment and ZATCA confirms the solution is generating valid signed invoices in live mode. You need both; the Compliance CSID is a prerequisite, not a final clearance.
Can Odoo pass ZATCA Phase 2 certification in Saudi Arabia?
Yes. Odoo 16, 17, and 18 include the l10n_sa (Saudi localisation) and l10n_sa_edi (e-invoicing EDI) modules as part of the standard distribution. These modules implement UBL 2.1 XML invoice generation, cryptographic ECDSA stamping, UUID, QR code in TLV format, and the ZATCA clearance/reporting API — covering all six Phase 2 technical requirements. iWesabe has completed Compliance CSID and Production CSID for Saudi clients in multiple Wave batches using this stack.
What happens if my ERP fails ZATCA clearance for a B2B invoice?
A B2B clearance rejection means ZATCA has rejected the invoice XML — the invoice cannot be legally used for Saudi VAT purposes until it clears. The rejection comes with a ZATCA error code that identifies the failure reason: structural XML error, cryptographic stamp failure, ICV sequence mismatch, customer classification error, or VAT calculation mismatch. Each error type has a specific remediation path. The operational impact is an invoice stuck in pending status; depending on the payment terms in play, this can delay accounts-receivable settlement. A well-configured Odoo + ZATCA implementation should achieve ≥99% first-pass clearance acceptance.
How long does ZATCA Phase 2 certification take for a new Odoo deployment?
For a single-entity Saudi business using Odoo with the Saudi localisation stack, the Compliance CSID + Production CSID certification process typically takes 2–4 weeks elapsed: 1 week ZATCA sandbox onboarding and credential setup, 1 week compliance invoice testing (minimum 10 invoices, multiple types), ZATCA review and CCSID issuance (3–7 business days ZATCA processing), then Production CSID onboarding (1–3 days). The timeline assumes Odoo is already configured with the correct VAT registration, TIN, and Saudi chart of accounts — a greenfield deployment adds 4–6 weeks of configuration before the certification process begins.
iWesabe Editorial Team

iWesabe Editorial Team

Practitioner insights on Odoo ERP, ZATCA compliance, and Saudi enterprise digital operations — written by iWesabe's consulting, finance, and engineering teams.

About iWesabe

Related Articles

ZATCA Compliance

ZATCA Wave 24: The 30 June 2026 SME Compliance Deadline — What You Must Do Now

SAR 375,000 threshold, 20-day window, Fatoora go-live checklist, and how Odoo-powered Saudi businesses can complete Phase 2 Integration before the deadline.

ZATCA Compliance

Odoo ERP for ZATCA Phase 2 e-Invoicing: The 2026 Compliance Playbook for Saudi Arabia

Wave schedule, Fatoora clearance mechanics, XML + cryptographic stamp, production CSID path, rejection diagnostics, and the audit-defence chain that keeps Saudi businesses ZATCA-clean.

VAT Compliance

VAT Compliance in Saudi Arabia with Odoo ERP: The 2026 Operating Model

Tax-code matrix, monthly vs quarterly return workflow, audit-defence KPIs, and the edge cases (zero-rated, exempt, reverse charge, group VAT, capital goods, bad debt) that decide whether your VAT posture survives a ZATCA inspection.