Mexico is considered a global pioneer in tax technology, largely through its robust e-invoicing system, CFDI (Comprobante Fiscal Digital por Internet), first mandated in 2011.
However, as the digital economy matures, transaction schemes evolves and the tax stakes of these transactions rise, the SAT, Mexico’s tax authority (Servicio de Administración Tributaria) is moving beyond the simple collection of invoices data.
With Rule 2.9.2, published on December 2025 and implementing article 30-B of the Federal Tax Code [↗︎], digital service providers and marketplace platforms must allow SAT direct and real-time access to the information that permits verification of the proper fulfillment of tax obligations.
The implementation, in a very short time, of Rule 2.9.21 marks a historical pivot, cementing Mexico’s status as a frontrunner by shifting from a traditional “reporting-based” model to a more intrusive “access-based” system.
Objectives and implementation timeline
The SAT’s primary objective is to strengthen its capacity to combat VAT fraud and more globally tax fraud within the rapidly expanding digital economy.
With this new obligation, digital service providers and marketplace platforms must grant SAT a direct and real-time access to various type of data, including transactions details, pricing and VAT breakdowns, payment methods, receipt identifiers, seller information, tax IDs, …
This deeper level of obligation ensures that the information submitted via traditional e-invoicing obligation (CFDIs) matches the platform’s internal transactional reality, ensuring that all digital sales are fully reported and, of course, correctly taxed.
The implementation of Rule 2.9.21 follows a strict calendar for 2026:
- April 1, 2026 – Rule 2.9.21 officially took effect: Platforms must ensure all transaction data is processed and accessible to the SAT no later than the day after a sale occurs.
- April 30, 2026 – Final deadline: Platforms must submit their “Notice of Access” (via “Ficha 168/CFF”), which includes providing the SAT with direct login credentials and a technical manual for their database environment.
Who is concerned?
The mandate targets, at least for now, Digital Service Providers and Intermediation Platforms, such as Marketplaces, operating in Mexico, including foreign companies:
- Direct Service Providers: This includes SaaS companies, cloud storage, streaming services (music/video), online gaming, and distance learning platforms.
- Marketplaces (Intermediaries): Platforms that connect third-party sellers with buyers, such as e-commerce giants, ride-sharing apps, food delivery services, and short-term lodging platforms.
Main technical challenges raised
The implementation of this additional obligation presents 3 majors challenges for platforms concerned:
- First, the SAT has not yet published any technical documentation such as a specific API or database template. This lack of documentation forces platforms to build highly flexible systems capable of adapting as the authority’s expectations crystallize through 2026.
- Second, this is a critical data segregation challenge. Platforms must implement and secure a dedicated compliance environment, effectively a “read-only” data warehouse, to ensure the SAT can only access the specific tax data required by law.
- Finally, the necessary information is often siloed across disconnected systems. Stitching this data together with next-day availability requires complex orchestration to ensure that what the SAT sees is accurate, complete, and fully reconciled.
By moving beyong electronic invoicing, and implementing these unprecedented technical obligations to combat tax fraud, the SAT is raising the administrative burden for companies participating in the Mexican digital economy.
