Tax compliance has been moving toward real time for years. E-invoicing mandates now exist in dozens of countries, and Mexico's own CFDI ecosystem is one of the most mature. But what Mexico is doing with Rule 2.9.21 is something different.
Under Rule 2.9.21 of the Miscellaneous Tax Resolution 2026, implementing Article 30-B of the Federal Tax Code, digital service providers and marketplace platforms must give SAT (Servicio de Administración Tributaria, Mexico’s tax authority) permanent, online access to their transaction data. Not a new filing. Not a new invoice format. A standing, always-on system, interface, or application where SAT can log in and query a defined dataset on an ongoing basis.
For a closer look at the initial release and what’s changed since, see our previous blog, Mexico’s Real Time Access Mandate for Digital Platforms.
What Rule 2.9.21 requires from digital service providers and platforms
There are two key dates:
- April 1, 2026: The obligation takes effect, from which point transaction data must be captured and made available.
- April 30, 2026: In-scope platforms must submit a formal written notice (via Ficha 168/CFF) providing SAT with login credentials and a technical manual explaining how to use the access interface.
The data SAT expects to see depends on your business model, but the principle is the same for everyone: Granular, transaction-level records, searchable, available no later than the calendar day after the transaction occurs, and retained for up to five years.
Digital service providers
For direct digital service providers (such as streaming, SaaS, digital content, online clubs, distance learning), the core requirement is a transaction-level dataset covering service type, price breakdowns including VAT, payment method, and receipt identifiers, including CFDI folio where applicable, for each transaction with recipients in Mexico.
Marketplace and platforms
For marketplace and intermediation platforms (such as accommodation, ride-hailing, ecommerce), there is an additional layer. Beyond the transaction data, SAT wants to see who is selling through your platform: Seller identity, tax IDs, payout accounts, transaction base amounts, and withholding details broken down by ISR, VAT, and IEPS. For lodging, property addresses are required. For goods, import flags and customs duties where applicable.
In short, SAT wants a clear, queryable picture of what happened on your platform and who was on each side of it.
3 key challenges of Mexico’s real-time data access requirement
On paper, providing data access doesn’t sound dramatic. In practice, it introduces a set of challenges that most platforms have not had to solve before.
1. Evolving guidance
It is a high-level regulation, and guidance will evolve. Unlike a traditional e-invoicing mandate, SAT has not published a rigid API schema or detailed technical specification. The rule says platforms must provide access via a "system, interface, or application." That is broad by design, which means your implementation needs to be flexible enough to adapt as expectations crystallise.
2. Data architecture requires careful planning
It is an architecture problem as much as a data problem. The obligation is to provide SAT with access to a specific, defined dataset through a system, interface, or application. Designing that environment so it serves the right data with the right controls and audit trails takes thoughtful engineering. Getting this right early avoids painful rework later.
3. Siloed systems disconnect data
The data often does not live in one place. Transaction amounts sit in billing. Payment methods sit in payments. Seller Know Your Customer (KYC) data sits somewhere else. Receipt identifiers might come from your invoicing vendor. Stitching this together daily, accurately, at scale, with next-day availability is non-trivial.
How Fonoa supports compliance with Mexico’s data access mandate
This is where our existing presence in Mexico matters. Fonoa already operates as an e-invoicing (CFDI) and withholding document solution for digital platforms in the Mexican market.
We handle CFDI issuance and withholding certificate generation for some of the world's largest platforms. That means we already work with the data, the entities, the tax logic, and the regulatory cadence involved.
The real-time data access mandate is a natural extension of that infrastructure. Our approach rests on a three core principles:
1. A dedicated compliance environment
We provide SAT with access through an interface purpose-built for this obligation, hosting the required dataset in a separate database. This isolated environment is critical because it ensures the tax authority can only see data specifically related to the mandate, without accessing your core infrastructure.
2. Flexibility
Because the regulation is high-level and will likely evolve, the system is designed to adapt to field changes, new expectations, or clarifications without requiring platforms to re-architect.
3. Data flows into the system via API or CSV upload
For platforms with a high frequency of transactions, we recommend an API integration to ensure optimal accuracy and timeliness. Once ingested, data is stored in a dedicated environment, processed, and made available to SAT.
How to prepare for Mexico’s real-time data access mandate
Whether you are a direct digital service provider or a marketplace, there are a few things worth thinking through now, if you have not already.
Who’s in scope under Rule 2.9.21
The obligation under Rule 2.9.21 applies to taxpayers providing digital services as defined in Article 18-B of the Mexican VAT Law. That article establishes a specific list of what qualifies as a digital service. If your business falls within these categories and you have recipients in Mexico, the rule applies to you:
- Downloading or accessing multimedia content (images, video, music, games, online news, and similar)
- Intermediation between third-party suppliers and consumers of goods or services
- Online clubs and dating platforms
- Distance learning, testing, or exercises
These must be provided through applications or digital content via the internet or another network, be fundamentally automated (with minimal or no human intervention), and be provided for a fee.
Marketplace rules: Intermediation and additional reporting requirements
Rule 2.9.21 splits its requirements into two sections. The first applies to every in-scope platform and covers the transaction-level dataset for services delivered to recipients in Mexico. The second applies specifically to intermediation platforms and adds a seller transparency layer: who sells through the platform, their tax identifiers, payout details, and transaction-level withholding breakdowns.
It is important to assess whether your platform provides digital intermediation services, as defined under Article 18-B, Section II of the VAT Law, and to which sides of the market. Also note that the data points in this second section significantly overlap with what platforms already report in withholding documents and the monthly informative declaration, but here the obligation is at the individual transaction level rather than in aggregate.
Key takeaways for digital platforms operating in Mexico
Mexico's data access rule is unlike anything most digital platforms have dealt with before. It is not a filing. It is not an invoice format. It is a permanent, always-on window into your transaction data, and the deadlines are:
- April 1 for data capture
- April 30 for SAT access credentials
The platforms that handle this well will be the ones that treat it as a design problem, not just a compliance checkbox. Invest in a dedicated compliance environment. Build auditability from day one. Choose infrastructure flexible enough to evolve as the regulation matures.
If you want to discuss how this applies to your platform, or explore how Fonoa can help, reach out to us. We are happy to talk it through.
Frequently asked questions about Mexico’s real-time data access mandate
What is Mexico’s real-time data access mandate under Rule 2.9.21?
Mexico’s real-time data access mandate requires digital service providers and marketplace platforms to give the tax authority (SAT) continuous, online access to their transaction data. Instead of submitting periodic filings, businesses must provide a system, interface, or application where SAT can log in and query transaction-level data on an ongoing basis.
Who needs to comply with Rule 2.9.21?
Rule 2.9.21 applies to taxpayers providing digital services under Article 18-B of the Mexican VAT Law. This includes businesses offering streaming, SaaS, digital content, online platforms, and marketplaces facilitating transactions between third parties, where services are provided to recipients in Mexico.
When does Mexico’s real-time data access requirement come into effect?
The requirement takes effect on April 1, 2026, when platforms must begin capturing and making transaction data available. By April 30, 2026, businesses must provide SAT with access credentials and documentation explaining how to use the system.
What data must be shared with SAT?
Businesses must provide granular, transaction-level data, including service details, pricing and VAT breakdowns, payment methods, and receipt identifiers. Marketplace platforms must also provide seller information, tax IDs, payout details, and withholding data, including ISR, VAT, and IEPS where applicable.
How is this different from e-invoicing (CFDI) requirements?
Unlike e-invoicing, which requires issuing structured invoices for individual transactions, Rule 2.9.21 requires continuous system access. SAT can directly query transaction data through a live interface, rather than receiving documents or periodic reports.
Do marketplace platforms have additional obligations?
Yes. In addition to transaction-level data, marketplace platforms must provide detailed information about sellers using their platform. This includes identity, tax identifiers, payout accounts, and transaction-level withholding information, making seller transparency a key requirement.
How quickly must transaction data be available?
Transaction data must be available no later than the calendar day after the transaction occurs. This creates a near real-time reporting requirement, meaning systems must be able to process and expose accurate data on a daily basis.
When is a transaction considered to occur for compliance?
Rule 2.9.21 requires data to be available no later than the day after the transaction takes place, but it does not explicitly define the moment a transaction is considered to occur.
For direct digital service providers, a reasonable interpretation is that the transaction arises at the point of payment collection, consistent with the general VAT treatment of digital services under Article 18-B.
For marketplace platforms acting as intermediaries, the relevant moment may be when the platform collects the price and VAT on behalf of the seller or service provider, in line with the withholding obligations established under Article 18-J, Section II of the VAT Law.
These interpretations are not settled; the RMF does not provide a specific definition for this triggering event. Platforms should assess their own transaction flows and consider seeking guidance on which moment best aligns with their obligations.
What challenges do businesses face with this mandate?
The main challenges include consolidating data from multiple systems, building a secure and accessible interface for SAT, ensuring data accuracy at scale, and maintaining flexibility as technical guidance evolves. It is both a data integration and system architecture challenge.
Does SAT provide a standard API or technical specification?
No. The regulation is high-level and does not define a specific API or schema. Businesses must provide access through a “system, interface, or application,” which means implementation approaches may vary and need to remain adaptable.
How should businesses prepare for compliance?
Businesses should confirm whether they are in scope, map required data across internal systems, define when transactions are considered to occur, and begin designing a dedicated compliance environment that can securely provide SAT with access to the required dataset.
What happens if a business does not comply?
Article 30-B of the Federal Tax Code explicitly states that failure to comply with the real-time data access obligation may result in the temporary blocking of access to the digital service in Mexico, carried out through concessionaires of public telecommunications networks.
