QR Code Requirements for E-Invoices: ZATCA Compliance Guide



How Can I Ensure My QR Code is ZATCA-Compliant to Avoid Penalties?

A compliant Phase 2 (Integration Phase) QR code is mandatory for all invoices and must be generated using Tag-Length-Value (TLV) encoding in Base64 format. To remain compliant, your QR code must include nine specific data fields, including digital signatures and cryptographic hashes, and maintain a minimum size of 2x2 cm to avoid penalties ranging from SAR 5,000 to SAR 50,000.

In this guide, you will learn:

• Technical Specifications: The core differences between standard QR codes and encrypted ZATCA data structures.
• The Mandatory Checklist: A deep dive into the nine essential fields required for Phase 2 and how to automate them.
• Penalty Prevention: An analysis of ZATCA’s fine structure and how to safeguard your business from common rejection errors.
• Wave 24 Readiness: A roadmap for businesses with revenues over SAR 375,000 to meet the 2026 deadline.
• Choosing the Right Software: How Wafeq accounting software automates compliance, removing the technical burden from your team.

What Makes ZATCA's QR Code Different From Regular QR Codes?

You can't just create a QR code using any online generator.

ZATCA's electronic invoice QR code is a data structure that contains encrypted invoice information. It uses something called Tag-Length-Value encoding. Each piece of information has a specific tag, a defined length, and the actual value.

The QR code gets encoded in Base64 format and can contain up to 500 characters. This ensures it works with standard barcode readers while still packing in all the transaction details ZATCA needs to verify your invoice.

Saudi Arabia processed over 8.2 billion electronic invoices in 2025, a 64 percent jump from the previous year. That's a massive number showing how widespread this system has become.

The Nine Essential Fields Your QR Code Must Include

Every compliant electronic invoice QR code needs exactly nine pieces of information.

The first five fields are straightforward:

• Your seller name as it appears in ZATCA's records
• Your VAT registration number
• The exact timestamp when you issued the invoice
• The total invoice amount, including VAT
• The total VAT amount you're charging

These five fields were enough during Phase 1, which started in December 2021.

Phase 2, which kicked off in January 2023, added four more cryptographic elements:

• The SHA-256 hash of your XML invoice
• The ECDSA signature of that hash
• Your ECDSA public key
• ZATCA's cryptographic stamp signature

These additions transformed the QR code from a simple reference tool into a security tool. If anyone tries to modify your invoice after you've issued it, the hash values won't match, and the whole thing fails.

Understanding Phase 1 vs Phase 2 Requirements

The difference between Phase 1 and Phase 2 is bigger than most businesses initially realized.

Phase 1 was the Generation Phase. It required you to create electronic invoices using compliant systems, but you didn't have to connect directly to ZATCA's platform. QR codes were optional for business-to-business invoices and only mandatory for consumer invoices.

Phase 2 changed everything. Now called the Integration Phase, it requires real-time connectivity with ZATCA's Fatoora platform through APIs. Every B2B invoice needs clearance from ZATCA before you can send it to your buyer. B2C invoices must be reported within 24 hours.

The QR code became mandatory for all invoice types in Phase 2, not just simplified tax invoices.

ZATCA rolled out Phase 2 in waves based on company revenue. Wave 24, announced in April 2026 and effective June 30, 2026, targets businesses with VAT-taxable revenues over SAR 375,000. Even smaller businesses now fall under the stricter requirements.

How to Generate a ZATCA-Compliant QR Code

Here's where many businesses trip up. You can't use generic QR code generators from Google. Those services encode your text as regular characters, not in the TLV format ZATCA requires.

The proper process:

1. Get a Cryptographic Stamp Identifier from ZATCA (your digital certificate that proves your invoices are real)
2. Prepare each field in UTF-8 character encoding.
3. Give each field its tag number, the length of its data, and the actual data value.
4. Put all nine tag-length-value sets together without any spaces or separators.
5. Convert this complete sequence to Base64 encoding.
6. Pass it to a QR code generation library.

The technical complexity explains why most businesses use ZATCA-certified e-invoicing software instead of building their own systems. The cost of getting it wrong far exceeds the investment in proper software.

Where and How to Display Your QR Code on Invoices?

The QR code needs to be clearly visible and easy to scan.

For digital invoices in PDF or XML format, position the QR code in a clear spot, typically in the lower section of the invoice. Don't place it where text or images might block scanning.

For printed invoices, whether from thermal printers at your point of sale or regular office printers, the QR code must be at least 2 by 2 centimeters. Anything smaller creates scanning problems for customers using their phones.

ZATCA doesn't specify an exact position, but the code should be easy to spot. Many businesses put it near the seller information or total amounts—makes sense when you think about where people naturally look.

The visual quality matters too. The contrast between the black squares and white background needs to be sharp enough for reliable scanning in typical lighting conditions.

Common Mistakes That Get Invoices Rejected

Several errors show up repeatedly in rejected invoices.

• The most common problem is using regular QR code generators instead of proper TLV encoding. These codes look correct, but fail when ZATCA's system tries to validate them.

• Another common issue involves XML formatting errors: - Missing mandatory fields. - Incorrect VAT classifications. - VAT registration numbers that don't match ZATCA's database format.

• Hash calculation problems cause plenty of rejections, too. If the cryptographic hash in your QR code doesn't match the actual invoice XML, the system immediately flags it.
• Invoice sequencing errors happen when businesses fail to maintain proper numbering or don't correctly calculate the Previous Invoice Hash that links each invoice to the one before it. ZATCA requires an unbroken chain that prevents tampering.
• System integration failures represent deeper problems. Many legacy systems weren't designed for real-time API communication with government platforms, leading to invoices being printed before ZATCA validation completes.

The Real Cost of Non-Compliance

ZATCA's penalty structure is serious.

• Missing QR codes on simplified tax invoices start at SAR 10,000. Incorrect QR codes that don't include all required fields or use the wrong encoding trigger SAR 5,000 penalties.
• Trying to modify invoices after you've submitted them to ZATCA can hit you with penalties up to SAR 50,000, plus potential criminal charges, since that's considered tax fraud.
• The penalties grow with repeated violations. You might get a warning for your first mistake, but violations within twelve months can reach SAR 40,000.

Beyond direct fines, non-compliance can suspend your business operations or revoke your tax registration entirely.

• For small businesses where Phase 2 setup costs run between SAR 3,000 and SAR 7,000, the financial case for compliance is clear. One penalty for missing QR codes exceeds your entire setup budget.

B2B vs B2C: Different Rules for Different Transactions

ZATCA treats business-to-business and business-to-consumer transactions differently.

For B2B invoices:

• You need comprehensive buyer information, including business name, address, and VAT registration number.
• These invoices require real-time clearance from ZATCA before you can send them to your buyer.

For B2C invoices:

• Buyer information is optional since you're dealing with individual consumers.
• No real-time clearance needed.
• Must be reported to ZATCA within 24 hours through a different API endpoint.

The QR code requirements stay the same for both transaction types in Phase 2. Both need all nine fields, including the cryptographic elements.

If your business handles both B2B and B2C transactions, your invoicing system needs logic to identify which type each invoice is and route it through the correct submission pathway.

Practical Implementation: What Actually Works

Looking at successful implementations reveals clear patterns.

Large enterprises that succeeded:

• Invested in comprehensive system audits.
• Engaged qualified implementation vendors.
• Allocated realistic budgets for infrastructure upgrades and staff training.

A major Saudi delivery company processing over 100,000 daily transactions rebuilt its entire invoicing infrastructure to integrate with Fatoora in real time. Their main lesson? Most failures came from not paying enough attention to specification details, not from technical impossibility.

Medium-sized businesses that did well:

• Engaged ZATCA-qualified solution providers rather than trying to build custom systems
• Off-the-shelf solutions delivered faster compliance and lower total costs than internal development

Small businesses found:

• The first months of Phase 2 required substantial manual oversight.
• Things got easier as they built operational experience.
• Having vendor support for technical aspects while focusing on business logic validation made a significant difference.

Choosing the Right E-Invoicing Software

Your software choice directly impacts your compliance success. Look for solutions that have these features:

• ZATCA-certified (tested and approved by the authority)
• Can generate proper TLV-encoded QR codes with all cryptographic elements.
• Integrate smoothly with your existing accounting systems.
• Don't require manual re-entry of data or maintaining parallel systems.

Cloud-based solutions have become popular among Saudi businesses, especially SMEs. They don't require major infrastructure investment, updates happen automatically, and you can scale capacity as your business grows.

According to market research, Saudi Arabia's e-invoicing software market reached USD 165 million in 2025 and is projected to hit USD 595.6 million by 2034. That growth reflects both mandatory compliance and real efficiency benefits businesses are discovering.

About 35% of companies in Saudi Arabia have integrated AI into their billing processes as of 2024, with 45% planning implementation within two years. AI-powered compliance monitoring can catch errors before submission to ZATCA.

How to Verify QR Codes Are Working Correctly

ZATCA provides mobile applications for iOS and Android that let anyone scan and verify invoice QR codes.

When you scan a compliant QR code, the app confirms several things instantly:

• The invoice exists in ZATCA's central system.
• The cryptographic signatures are valid.
• The embedded data matches what's printed on the invoice.
• The invoice hasn't been modified.

This verification typically takes 2 to 5 seconds.

For Phase 2 invoices, the Cryptographic Stamp Hash plays a key role. The app checks this hash against ZATCA's database to confirm the invoice cleared through the government platform.

If someone modifies an invoice after receiving ZATCA's stamp, the hash won't match anymore, and the verification immediately fails. This makes invoices effectively tamper-evident.

You should regularly test your invoices by scanning the QR codes yourself. Don't wait for customers or auditors to discover problems.

What Wave 24 Means for Small Businesses

Wave 24 represents the most significant expansion of Phase 2 requirements to date.

Effective June 30, 2026, any business with VAT-taxable revenues over SAR 375,000 during 2022, 2023, or 2024 must comply with Phase 2 integration requirements. This brings hundreds of thousands of small and medium businesses into the Phase 2 system.

If you're in Wave 24, you have until June 30, 2026, to complete your integration. That might sound like plenty of time, but implementation typically takes 3 to 6 months when you factor in:

• Software selection
• System testing
• Staff training
• Debugging

The good news is that later-wave businesses benefit from more mature software solutions, clearer implementation guidelines, and lessons learned from earlier implementers.

ZATCA has extended fine exemption initiatives multiple times. The most recent extension runs through June 30, 2025, allowing businesses to fix non-compliance without facing historical penalties.

But these grace periods won't last forever. Once they expire, full enforcement begins.

The Technical Side: Understanding TLV Encoding

Tag-Length-Value encoding is how ZATCA structures data inside QR codes.

Each piece of information gets three components:

• The tag: A number from 1 to 9 that identifies what kind of data it is
• The length: How many bytes the data takes up
• The value: The actual data

All nine TLV triplets get put directly together with no spaces, commas, or other separators. This creates a continuous byte sequence that then gets converted to Base64.

The precision matters because even small deviations from the specification cause validation failures.

Many developers initially underestimate the complexity here. UTF-8 encoding handles Arabic characters differently from English; byte length calculations can be tricky, and cryptographic operations require exact implementation.

This technical complexity is why most businesses rely on specialized libraries or qualified solution providers rather than implementing everything from scratch.

Security Features That Make QR Codes Tamper-Proof

The cryptographic elements in Phase 2 QR codes create multiple layers of security.

• The SHA-256 hash is a mathematical fingerprint of your entire invoice. Change even one character in the invoice, and the hash becomes completely different. This makes it immediately obvious if someone tries to alter the document.
• The ECDSA signature proves that your business's private cryptographic key signed this specific invoice. It's mathematically linked to the hash, so it only validates if both the hash is correct and the signature matches your public key.
• The public key allows anyone to verify your signature without needing access to your private key. This uses asymmetric cryptography, where signing and verifying use different keys.
• ZATCA's cryptographic stamp adds another layer. When you submit B2B invoices for clearance, ZATCA adds its own signature using the government's private key. This creates a chain of trust from your business through ZATCA to the final recipient.

These security features prevent common fraud scenarios:

• Creating fake invoices
• Modifying amounts after issuance
• Impersonating legitimate businesses

Regional Context: How Saudi Arabia Compares to the UAE

Understanding different regional approaches helps put ZATCA's requirements in perspective.

Saudi Arabia uses a centralized clearance model through Fatoora. Every B2B invoice must be cleared and stamped by the government before reaching the buyer.

The UAE is taking a different approach with a decentralized Peppol 5-corner model. Accredited service providers handle invoice routing between trading partners, rather than all invoices going through government systems.

The technical standards differ, too:

• Saudi Arabia: Requires XML UBL 2.1 format with ZATCA-specific extensions.
• UAE: Uses Peppol PINT AE standards.

QR code requirements also differ. Saudi Arabia mandates TLV-encoded QR codes specific to its system, while the UAE aligns with international Peppol network conventions.

For businesses operating across Gulf Cooperation Council countries, these differences mean maintaining separate invoicing processes for each area. A Saudi invoice format won't automatically satisfy UAE requirements and vice versa.

Future Trends in E-Invoicing and QR Codes

Several developments are shaping the future of electronic invoicing in Saudi Arabia.

• The progressive expansion through waves means that by mid-2026, the vast majority of Saudi businesses will operate under Phase 2 requirements. E-invoicing compliance will shift from a special practice to a baseline expectation.
• Artificial intelligence integration is speeding up. Advanced systems can now scan QR codes at scale, validate compliance patterns automatically, and flag unusual patterns for review. This creates more efficient audit mechanisms than manual validation.
• Some businesses are exploring blockchain technology as a potential enhancement. Distributed ledger systems could provide additional security layers and create even stronger audit trails.
• Integration with digital payment systems represents another frontier. QR codes might eventually link directly to payment processing, allowing customers to scan an invoice barcode and immediately initiate payment without manual data entry.
• ZATCA continues refining specifications based on implementation experience. While the core architecture appears stable, specific requirements may change to address practical challenges discovered during rollout.

Making Your Implementation Successful

Success with Phase 2 compliance requires a structured approach.

1. Start by confirming your wave assignment through direct communication with ZATCA. Don't assume anything about your deadline.
2. Evaluate e-invoicing software carefully. Look for solutions that are ZATCA-certified, capable of proper TLV encoding, integrate smoothly with accounting systems, and don't require manual re-entry.
3. Budget adequately for implementation. The SAR 3,000 to SAR 7,000 range covers basic setup for small businesses, but complex scenarios might require more investment.
4. Train your staff comprehensively. Technical system operation is just one piece. Your team needs to understand requirements, verification, and new processes.
5. Consider AI-powered compliance monitoring that validates invoices against ZATCA requirements before submission. This prevents expensive rejections and helps identify systematic errors early.
6. Use ZATCA's sandbox environment extensively for testing before going live. This free resource lets you identify problems without risking real invoices or penalties.
7. Plan for ongoing maintenance. Cryptographic certificates expire, specifications change, and systems need updates. Compliance isn't a one-time project—it's an ongoing commitment.

FAQs about QR Code Requirements for E-Invoices in Saudi Arabia

What happens if my QR code is too small on a printed invoice?

If your QR code is smaller than 2 by 2 centimeters, customers may have difficulty scanning it with their phones. This can lead to verification failures during field audits or consumer checks. While ZATCA doesn't specify a maximum size, codes below the minimum dimension create practical scanning problems that could result in non-compliance penalties of SAR 5,000 per invoice if the code isn't clearly visible or scannable.

Can I use a free online QR code generator for ZATCA compliance?

No, regular online QR code generators won't work for ZATCA compliance. They encode text as arbitrary characters rather than in the required Tag-Length-Value format with proper cryptographic elements. These generic generators create codes that look correct visually but fail ZATCA's validation systems, resulting in invoice rejection and potential penalties.

Do B2C invoices need the same QR code as B2B invoices in Phase 2?

Yes, both business-to-business and business-to-consumer invoices require the same nine-field QR code structure in Phase 2, including all cryptographic elements. The difference lies in the submission process, not the QR code itself—B2B invoices need real-time clearance while B2C invoices are reported within 24 hours.

How long does ZATCA's QR code verification take when someone scans it?

ZATCA's mobile verification app typically completes the validation process within 2 to 5 seconds. It checks that the invoice exists in the central system, validates cryptographic signatures, confirms data consistency, and verifies that the invoice hasn't been tampered with after issuance.

What's the most common reason invoices get rejected by ZATCA?

The most frequent rejection reason is incorrect QR code encoding, where businesses use generic QR code services instead of implementing proper TLV structure. This results in codes that appear valid but lack the specific format and cryptographic integrity ZATCA's system requires for validation.

If I'm in Wave 24, when exactly must I be compliant?

Businesses included in Wave 24—those with VAT-taxable revenues over SAR 375,000 during 2022, 2023, or 2024—must complete Phase 2 integration by June 30, 2026. This means your systems must be generating compliant QR codes and successfully submitting invoices to ZATCA's platform by that deadline.

Can I modify an invoice after ZATCA has stamped it?

No, attempting to modify invoices after ZATCA submission is strictly prohibited and can result in penalties up to SAR 50,000 plus potential criminal charges. The cryptographic hash and signatures make any modifications immediately detectable, and modifications are considered attempted tax fraud.

Do the penalties apply per invoice or per business?

Penalties apply per invoice for violations like missing or incorrect QR codes. This means if you issue 100 non-compliant invoices, you face potential penalties for each one, which can quickly create exposure exceeding SAR 500,000 for businesses with high invoice volumes.