Most teams don’t. We almost didn’t. Here is everything we learned before it cost us.
A client called me about a water services marketplace. Good project. Clear scope. We were deep in the architecture conversation when he said it, almost as an afterthought:
“We’ll need ZATCA compliance, of course.”
Of course.
The way you say it when you assume everyone in the room already knows. The way you order tea without explaining what tea is.
I smiled. Said yes. Kept moving.
That was almost a very expensive mistake.
What ZATCA actually is
This is not a checkbox. It is a compliance regime with teeth.
ZATCA, the Zakat, Tax and Customs Authority of Saudi Arabia, launched its e-invoicing mandate in two phases. Phase 1 was the floor: generate and store compliant electronic invoices. Every VAT-registered business. December 2021. No exceptions.
Phase 2 is where the architecture lives.
Phase 2 requires real-time integration with ZATCA’s Fatoora platform. Every invoice your system generates must be cryptographically signed, stamped with a hash chain linking it to the previous invoice, cleared by ZATCA in real time for B2B transactions, and reported within 24 hours for B2C. The invoice is not valid until ZATCA says it is valid. Your system does not decide. ZATCA decides.
And Phase 2 does not apply to everyone at once. It cascades.
The wave table
Twenty-two waves. One revenue threshold at a time.
ZATCA releases Phase 2 in waves, targeting companies by annual revenue. The largest first. Then smaller. Then smaller still. Currently reaching down to SAR 375,000 in annual revenue. Here is the cascade that nobody publishes in one clean place:
| Wave | Revenue threshold | Integration deadline |
|---|---|---|
| 1 | SAR 3 billion+ | January 2023 |
| 2 | SAR 500 million+ | July 2023 |
| 3 | SAR 250 million+ | October 2023 |
| 4 | SAR 150 million+ | November 2023 |
| 5 | SAR 100 million+ | December 2023 |
| 6 | SAR 70 million+ | January 2024 |
| 7 | SAR 50 million+ | February 2024 |
| 8 | SAR 40 million+ | March 2024 |
| 9 | SAR 30 million+ | June 2024 |
| 10 | SAR 25 million+ | October 2024 |
| 11 | SAR 15 million+ | November 2024 |
| 12 | SAR 10 million+ | December 2024 |
| 13 | SAR 7 million+ | January 2025 |
| 14 | SAR 5 million+ | February 2025 |
| 15 | SAR 4 million+ | March 2025 |
| 16 | SAR 3 million+ | April 2025 |
| 17 | SAR 2 million+ | May 2025 |
| 18 | SAR 1.5 million+ | June 2025 |
| 19 | SAR 1 million+ | July 2025 |
| 20 | SAR 750,000+ | August 2025 |
| 21 | SAR 500,000+ | September 2025 |
| 22 | SAR 375,000+ | October 2025 |
Read that again. SAR 375,000 in annual revenue. That is a small business. That is your client’s client. That is the platform you are building for. ZATCA is not a large enterprise problem anymore. It is everyone’s problem. Including yours.
The architecture mistake
We almost built what we should have integrated.
When the water services client said “ZATCA compliance,” our first instinct was to scope it as a feature. Hash the invoice. Sign it. Build the clearance flow. Write the API integration ourselves.
That is the wrong instinct. And we caught it before it cost us.
Here is what we missed in that first instinct: ZATCA does not just want compliant invoices. ZATCA wants invoices generated by a certified solution provider. Building it yourself, from scratch, on a fixed budget, for a marketplace going live next quarter, is not compliance. It is a liability.
There are ZATCA-approved third-party solutions. Certified providers who have already done the cryptographic work, the hash chain implementation, the real-time Fatoora API integration, the invoice lifecycle state machine. They have been audited. They are compliant by definition.
Your job, as the architect, is not to rebuild that. Your job is to design the system that sits around it. The data model that feeds it correctly. The invoice state machine that never sends an uncleared document downstream. The failure handling for when ZATCA clearance times out at 2am.
That is where the real engineering lives. Not in reinventing what is already certified.
On a budget project, ZATCA is not a feature you build. It is a certified integration you architect around.
What this means for you
The question is not if. The question is which wave.
When your next client says “we need ZATCA compliance,” your first question is not “what does that involve.” You already know what it involves. Your first question is: what is their current annual revenue, and which wave are they in, or approaching?
Because the architecture changes. A Wave 1 enterprise needs clearance mode, real-time, no exceptions. A Wave 20 small business may still be in reporting mode. The integration depth differs. The certified provider you recommend differs. The timeline pressure differs.
The second question is: are they building something that will grow. Because a platform at SAR 400,000 today is a Wave 22 problem today and a Wave 19 problem in eighteen months if it performs. Build for the ceiling, not the floor you’re standing on.
The third question, the one nobody asks: who on your team is touching the invoice generation logic. Because that person needs to understand that every invoice is a cryptographic artifact, not a PDF. It has a UUID. It has a hash linking it to the invoice before it. It has a lifecycle: generated, signed, submitted, cleared, stored. Interrupt that chain and the invoice does not exist in ZATCA’s eyes, regardless of what your database says.
The client who said “of course” did not know what he was asking for. That is not a criticism. It is the nature of compliance: the people who need it most are often the furthest from understanding it.
Our job is not to nod and keep moving. Our job is to stop, tell the truth about what this requires, and build something that does not fail quietly at 2am when ZATCA’s clearance endpoint returns a 400.
That is the difference between a team that delivers software and a team that delivers trust.
Written by Zaid Munir
Founder and CEO of Scytalelabs, an enterprise blockchain and AI consultancy operating across Pakistan and the GCC.