GCC markets unified

Phase 2

ZATCA compliance level

Jul 2026

UAE voluntary pilot

100%

Validation coverage

GCC E-Invoicing Landscape

The Gulf Cooperation Council is moving faster on digital tax transformation than any other region in the world. Saudi Arabia led the charge with ZATCA's FATOORA platform in late 2021. The UAE's Federal Tax Authority announced its own mandatory e-invoicing framework in 2025, with a voluntary pilot beginning July 1, 2026 and mandatory e-invoicing for large taxpayers from January 1, 2027. Together, these two markets represent the vast majority of GCC GDP — and for businesses operating across both, compliance means navigating two fundamentally different systems.

The challenge isn't simply “supporting two countries.” Saudi's ZATCA uses a bespoke UBL 2.1 profile with cryptographic stamping and mandatory QR codes. The UAE's FTA builds on Peppol BIS Billing 3.0 with UAE-specific business rules and TRN validation. The XML schemas are different. The clearance models differ. The validation rules overlap in some places and diverge sharply in others.

Why the GCC Matters for Global Businesses

$2.2T+ combined GDP

Saudi and UAE represent the GCC's economic powerhouses

55,000+ cross-border entities

Businesses operating in both Saudi and UAE simultaneously

VAT harmonization

Both countries adopted 5% VAT (Saudi raised to 15% in 2020)

Digital-first mandates

Paper invoices phased out — digital is the only legal format

For enterprises with operations in both Riyadh and Dubai — or companies selling into both markets from abroad — building two separate compliance integrations is costly, fragile, and unnecessary. InvoStaq was purpose-built to solve exactly this: one API that speaks both ZATCA and FTA natively.

Saudi ZATCA Deep Dive

Saudi Arabia's Zakat, Tax and Customs Authority launched the FATOORA e-invoicing platform in three deliberate phases. Understanding these phases is critical because each one adds technical requirements that compound on the previous:

Phase 1 — Generation (December 4, 2021)

All VAT-registered taxpayers in Saudi Arabia were required to generate e-invoices in a structured electronic format. Paper and PDF invoices became legally invalid. E-invoices had to include mandatory fields: seller/buyer details, VAT registration numbers, line items with VAT breakdowns, and a machine-readable QR code. This phase was about creating the digital infrastructure — no government clearance was required yet.

Phase 2 — Integration (January 1, 2023+)

The integration phase is the game-changer. Businesses must connect to ZATCA's FATOORA platform via API and submit every B2B invoice for real-time clearance before it can be shared with the buyer. Each invoice receives a cryptographic stamp — a digital signature using X.509 certificates issued by ZATCA. A UUID is assigned, and a QR code containing the seller's name, VAT number, timestamp, invoice total, VAT amount, and the digital signature hash is embedded. Only cleared invoices are legally valid.

Phase 3 — Enforcement (2025–2026)

Full penalty enforcement with fines starting at SAR 50,000 per violation. ZATCA audits integration quality, XML schema compliance, and cryptographic integrity. Businesses that fail to submit invoices through FATOORA face both financial penalties and potential suspension of their VAT registration. Automated monitoring detects gaps in real-time reporting.

ZATCA QR Code & Cryptographic Stamping

Every ZATCA-compliant invoice must embed a QR code encoded in TLV (Tag-Length-Value) format containing six mandatory fields: seller name, VAT registration number, timestamp (ISO 8601), invoice total (with VAT), VAT amount, and the XML digital signature hash. The cryptographic stamp uses X.509 certificates issued by ZATCA's own Certificate Authority. InvoStaq handles the entire signing chain — from CSR generation to stamp embedding — automatically for every invoice submitted through the API.

The technical requirements for ZATCA Phase 2 are among the most demanding in the world. The UBL 2.1 XML must include ZATCA-specific extensions — custom fields for the previous invoice hash (creating a tamper-evident chain), the invoice counter, and the cryptographic stamp itself. Schema validation is strict: even a misplaced namespace or incorrect decimal precision triggers rejection. InvoStaq's validation engine runs 380+ ZATCA-specific rules before submission, catching errors before they reach FATOORA.

UAE FTA Requirements

The UAE Federal Tax Authority announced its mandatory e-invoicing framework in 2025, building on the global Peppol standard rather than developing a bespoke system like Saudi Arabia. This is a fundamentally different architectural approach — and it means businesses operating in both countries need to support two distinct technical stacks.

Peppol BIS 3.0 Framework

The UAE adopted Peppol as its foundational e-invoicing framework. Invoices must conform to the Peppol BIS Billing 3.0 specification with a UAE-specific Country Implementation Specification (CIUS) overlay that adds mandatory UAE fields and business rules.

TRN Validation

Every invoice must include validated Tax Registration Numbers for both the supplier and buyer. The FTA validates TRNs against its registry in real-time — an invalid or expired TRN triggers immediate rejection of the invoice.

Phased Rollout

July 1, 2026: voluntary pilot. July 31, 2026: large taxpayers (≥ AED 50M) must appoint ASP. January 1, 2027: large taxpayers mandatory. March 31, 2027: other taxpayers appoint ASP. July 1, 2027: all other taxpayers mandatory. October 1, 2027: B2G mandatory. 7-year archiving required.

Accredited Service Providers

Businesses must use FTA-accredited e-invoicing service providers (like InvoStaq) to submit invoices. The accreditation process validates technical capability, data security, and ongoing compliance maintenance.

The UAE's decision to adopt Peppol is strategically significant. It aligns the country with the European B2G e-invoicing standard, making cross-border invoicing with EU trading partners more seamless. However, it also means the UAE's technical requirements diverge sharply from Saudi Arabia's ZATCA system — different XML schemas, different validation rules, different delivery networks. A business operating in both markets can't simply reuse its ZATCA integration for UAE compliance.

UAE Mandate Timeline

2025 Q3FTA publishes detailed technical specifications and CIUS documentation

2025 Q4Service provider accreditation begins — InvoStaq submits for early approval

Jul 1, 2026Voluntary adoption / pilot programme begins

Jul 31, 2026Large taxpayers (≥ AED 50M) must appoint an Accredited Service Provider

Jan 1, 2027Large taxpayers — mandatory e-invoicing

Mar 31, 2027Other taxpayers must appoint an Accredited Service Provider

Jul 1, 2027All other taxpayers — mandatory e-invoicing

Oct 1, 2027B2G e-invoicing mandatory

Unified Integration

Here's what makes InvoStaq's approach fundamentally different: instead of asking you to build two connectors — one for ZATCA's FATOORA API and one for the UAE FTA's Peppol-based ecosystem — InvoStaq provides a single REST API that handles both systems transparently. Your ERP sends one standardized invoice payload. InvoStaq determines the destination market, applies the correct schema transformation, validates against the appropriate rules engine, handles cryptographic stamping (for ZATCA), routes to the correct network, and returns a unified response.

Schema Auto-Conversion

Send UBL, JSON, or any supported format. InvoStaq converts to ZATCA's UBL 2.1 + extensions for Saudi invoices, and Peppol BIS 3.0 + UAE CIUS for UAE invoices. Zero format knowledge required from your ERP team.

Dual Validation Engine

380+ ZATCA-specific rules and 200+ UAE FTA rules run in parallel. Your invoice is validated against the correct ruleset based on destination country — before submission. Errors are returned with plain-English explanations.

Cryptographic Stamping

ZATCA requires X.509 certificate signing and hash chaining. The UAE does not require digital signatures or QR codes on invoices. InvoStaq manages ZATCA's entire crypto lifecycle and handles UAE Peppol 5-corner CTC routing automatically.

QR Code Generation

ZATCA mandates QR codes with TLV-encoded data (seller, VAT number, timestamp, totals, signature hash). InvoStaq generates the QR code, encodes it in base64, and embeds it into the invoice XML — all within the API call.

Network Routing

Saudi invoices route to FATOORA for pre-clearance. UAE invoices route through the Peppol network to the FTA endpoint. InvoStaq handles network selection, authentication, and delivery confirmation for both systems.

Unified Status Tracking

A single dashboard shows compliance status for both markets. Track submission success rates, clearance times, validation errors, and penalty risk — across Saudi and UAE operations — in one view.

One API — Both Markets

POST /api/v1/invoices/submit
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json

{
  "invoice": "<base64-encoded-ubl-xml>",
  "destination_country": "SA",  // or "AE" for UAE
  "format": "auto-detect",
  "routing": "automatic"
}

// For Saudi Arabia (SA), InvoStaq automatically:
// 1. Validates against 380+ ZATCA Phase 2 rules
// 2. Converts to UBL 2.1 + ZATCA extensions
// 3. Signs with X.509 certificate (cryptographic stamp)
// 4. Generates QR code (TLV-encoded, base64)
// 5. Submits to FATOORA for pre-clearance
// 6. Returns clearance ID + stamped XML

// For UAE (AE), InvoStaq automatically:
// 1. Validates against 200+ FTA business rules
// 2. Converts to Peppol BIS 3.0 + UAE CIUS
// 3. Validates TRNs against FTA registry
// 4. Routes through Peppol network to FTA
// 5. Returns delivery confirmation + status

// Response (Saudi example)
{
  "status": "cleared",
  "country": "SA",
  "format_used": "UBL_2.1_ZATCA",
  "network": "FATOORA",
  "clearance_id": "SA-ZATCA-2026-0041892",
  "crypto_stamp": "applied",
  "qr_code": "embedded",
  "processing_time": "0.8s",
  "validations_passed": 384
}

The key insight is that your ERP integration doesn't change based on the destination country. The same API endpoint, the same authentication, the same response structure. InvoStaq abstracts away the massive complexity difference between ZATCA's cryptographic pre-clearance model and the UAE's Peppol 5-corner CTC model. Your development team builds one connector, tests it once, and deploys it for both markets.

ZATCA Phase 2 cryptographic stamping → handled automatically, no X.509 management on your side

UAE FTA TRN validation → real-time check against FTA registry before submission

QR code generation → TLV encoding, base64 conversion, and XML embedding for Saudi invoices

Peppol routing → five-corner CTC model delivery for UAE invoices through certified Access Point

Hash chaining → previous invoice hash embedded for ZATCA tamper-evidence requirements

Dual sandbox environments → test Saudi and UAE invoices independently before go-live

Unified error responses → plain-English explanations regardless of which system rejected

Implementation Guide

Deploying dual-market GCC compliance doesn't require two separate projects. InvoStaq's implementation methodology covers both ZATCA and UAE FTA in a single 5-week sprint, with parallel sandbox validation for each market:

GCC Compliance AssessmentWeek 1

We audit your current invoice data model against both ZATCA and UAE FTA requirements simultaneously. For ZATCA, this means verifying UBL 2.1 field coverage, cryptographic certificate readiness, and QR code data availability. For UAE FTA, we check Peppol BIS 3.0 compatibility, TRN validity, and UAE CIUS-specific field mapping. The output is a unified gap analysis covering both markets.

Dual Rules ConfigurationWeek 2

InvoStaq's rules engine is configured with your business context for both markets. Saudi configuration includes your ZATCA Organization Unit identifier, VAT registration number, previous invoice hash chain initialization, and X.509 certificate provisioning. UAE configuration includes your TRN, Peppol participant ID, and UAE-specific business rule parameters. Both profiles are linked to your single API key.

Single API IntegrationWeek 3

Your development team implements one API connector to InvoStaq. The same endpoint handles both Saudi and UAE invoices — the destination_country field in the payload is the only difference. We provide SDKs for ABAP (SAP), PL/SQL (Oracle), C# (Dynamics 365), Python (Odoo), and REST (any platform). API integration typically takes 3–5 developer days.

Dual Sandbox TestingWeek 4

We run your actual invoice data through InvoStaq's sandbox against both ZATCA's test environment and the UAE FTA's staging platform. You see exactly how each invoice transforms, validates, signs (for Saudi), and routes — for both markets. Common issues caught at this stage: decimal precision mismatches, missing TRN fields for UAE, incorrect hash chain initialization for ZATCA.

Go-Live — Both MarketsWeek 5

We activate production submissions for both Saudi and UAE simultaneously. Real-time monitoring tracks clearance rates, validation success, crypto stamp integrity, and Peppol delivery confirmations. Your dashboard shows unified compliance metrics across both GCC markets from day one. SLA: 99.9% API uptime, sub-second clearance for ZATCA, and guaranteed Peppol delivery for UAE.

Future GCC Expansion — Built In

Bahrain, Oman, Kuwait, and Qatar are all expected to announce their own e-invoicing mandates within the next 18–24 months, following the Saudi and UAE playbook. When they do, InvoStaq's architecture supports new GCC market activation within 48 hours — no new API integration, no new code on your side. Your single connector scales across the entire GCC automatically. Early adopters who solve Saudi + UAE first will be positioned to add new GCC markets with zero additional development effort.

The difference between a business that treats ZATCA and UAE FTA as two separate compliance projects and one that uses InvoStaq's unified approach is stark. Two separate integrations mean two development teams, two maintenance cycles, two sets of cryptographic certificate management, and two points of failure. InvoStaq collapses all of that into one integration that works for both markets — today — and scales to additional GCC countries as their mandates activate.

For Businesses in Saudi Arabia

ZATCA Phase 2 integration with FATOORA platform

X.509 certificate management and renewal

QR code generation with TLV encoding

Hash chain maintenance for invoice tamper-evidence

380+ ZATCA validation rules pre-submission

For Businesses in the UAE

Peppol BIS 3.0 with UAE CIUS compliance

TRN validation against FTA registry

Accredited service provider routing

UAE-specific business rules enforcement

200+ FTA validation rules pre-submission

Your finance team shouldn't be maintaining two parallel compliance stacks. Your developers shouldn't be learning two different XML schemas and two different clearance protocols. Your compliance officers shouldn't be tracking two separate penalty regimes and two sets of mandate timelines. InvoStaq unifies the entire GCC e-invoicing landscape into a single managed service — so your team can focus on business growth while compliance runs on autopilot.

Conquer the GCC Market

One integration covers Saudi Arabia's ZATCA and the UAE's FTA — with automatic expansion to Bahrain, Oman, Kuwait, and Qatar as their mandates activate. Zero compliance risk, zero duplicate work.

Book a GCC Compliance Call Our Services

One ERP, 14 Countries, 14 Different Tax Laws Spain Verifactu: Everything You Need to Know

Back to all articles

ZATCA + UAE FTA: One Integration, Two Markets, Zero Compliance Risk.