Government Mandates the Use of Biometrics and ISO Standards in Telecommunications Subscriber Registration under the Minister of Communication and Digital Regulation Number 7 of 2026
Introduction
On January 19, 2026, the Ministry of Communication and Digital issued Minister of Communication and Digital Regulation Number 7 of 2026 on Registration of Telecommunications Service Subscribers through Cellular Mobile Networks ("Regulation 7/2026"). Regulation 7/2026 governs the implementation of telecommunications subscriber registration by placing the validity of subscriber identities as the basis for the use of cellular mobile network services.
Based on its Considerations, Regulation 7/2026 establishes the use of biometric population data and the application of Know Your Customer ("KYC") principles in the subscriber registration process. The regulation further directs Telecommunications Service Providers to ensure the use of correct and entitled subscriber identities and to prevent the misuse of Subscriber Numbers for unlawful acts.
Comparison
Regulation 7/2026 repeals and declares invalid the provisions of Articles 153 to 175 as well as Annex XII, Annex XIII, and Annex XIX letter C in Minister of Communication and Informatics Regulation Number 5 of 2021 on Telecommunications Implementation ("Regulation 5/2021"). The following table compares Regulation 7/2026 and Regulation 5/2021:
| Aspect | Regulation 7/2026 | Regulation 5/2021 |
|---|---|---|
| Indonesian Citizen (WNI) Identity Validation Method | Mandates the use of NIK and Biometric Population Data in the form of face recognition. Exception: For prospective WNI subscribers under 17 years of age and unmarried (who do not yet possess an electronic KTP), registration uses the NIK of the prospective subscriber as well as the NIK and facial biometric data of the Head of Family as listed on the Family Card. | Used NIK and Family Card (KK) Number as the registration basis. The use of biometric population data was not governed as a registration requirement. |
| Technology Standards & Anti-Fraud | Providers must possess and/or cooperate with parties possessing ISO/IEC 30107-3 certification on Presentation Attack Detection (PAD) with Level 2 or higher resistance and implement fraud prevention mechanisms. | Did not regulate the obligation for ISO/IEC 30107-3 certification or the implementation of liveness detection mechanisms in the registration process. |
| Corporate & Employee Registration | Numbers used by employees must be registered using the identity of each employee, whereas numbers for M2M, IoT, or legal entities are registered using the identity of the business entity person-in-charge. Both registration types must be performed at outlets. | Did not detail the separation of registration for numbers used by employees and numbers for business entities or machine purposes. |
| Information Data Security | Providers must hold ISO 27001 certification and report audit results of compliance with such standards periodically to the Director General. | Regulated the obligation for subscriber data protection, but did not establish the obligation to report audit results of information security standard compliance periodically to the Director General. |
| Blocking Sanctions (SLA) | Providers must send notifications and deactivate (permanently deactivate) Subscriber Numbers known or indicated to use fake, incorrect, or unauthorized identities if re-registration is not performed within a 1 × 24 hour period. | Blocking and deactivation of numbers were performed based on requests or reports, without specific handling timeframes. |
Key Provisions
Obligation to Apply KYC and ISO-Standardized Biometric Infrastructure
Regulation 7/2026 mandates Telecommunications Service Providers to apply Know Your Customer (KYC) principles and establish risk management policies and procedures related to the application of such principles. For Indonesian Citizen (WNI) subscribers, Article 3 stipulates that the registration process uses the Population Identification Number (NIK) and biometric population data in the form of face recognition. The technical provisions for registration implementation as listed in Annex I regulate the technology requirements that must be met by Telecommunications Service Providers, including:
- the implementation of liveness detection mechanisms in the biometric matching process;
- possession of and/or cooperation with parties holding ISO/IEC 30107-3 certification on Presentation Attack Detection (PAD) with Level 2 or higher resistance recognized internationally; and
- fulfillment of a facial similarity threshold of at least 95% (ninety-five percent).
Employment Compliance and Corporate Asset Registration
Article 19 of the Regulation governs the use of identities in registering Subscriber Numbers purchased or provided by legal entities, non-legal business entities, and/or other organizations. This provision distinguishes registration mechanisms based on the intended use of the number as follows:
- Use by employees or members: Subscriber Numbers used by employees or members must be registered using the identity of each respective employee or member.
- Use for specific operations: Subscriber Numbers used for Machine-to-Machine (M2M), Internet of Things (IoT), testing, or specific needs of legal entities, non-legal business entities, and/or other organizations are registered using the population identity of the business entity person-in-charge.
- Registration mechanism: Registration of Subscriber Numbers for the purposes referred to above must be performed at Telecommunications Service Provider outlets in accordance with applicable registration procedures.
Personal Data Security Management and ISO 27001 Compliance Audit
Article 13 of the Regulation governs the obligations of Telecommunications Service Providers regarding subscriber data management and protection. Telecommunications Service Providers must store data of subscribers actively subscribing to telecommunications services and store data of subscribers who are no longer active for at least 3 (three) months since the subscriber ceased subscription. In managing subscriber data, Regulation 7/2026 establishes the following obligations:
- Telecommunications Service Providers must possess information security certification of at least ISO 27001.
- Telecommunications Service Providers must report the implementation of ISO 27001 compliance audits to the Director General periodically.
- Telecommunications Service Providers must maintain the confidentiality of subscriber data and/or identities, unless data submission is performed based on statutory provisions.
Distributor Supply Chain Control and Product Labeling
Regulation 7/2026 regulates the distribution of Starter Packs only in an inactive state for all telecommunications services, except for registration access purposes as stipulated in Article 2 paragraph (4), and such obligation applies to every person selling Starter Packs, including distributors, agents, outlets, sellers, and/or individuals. Violations of the provision on distributing Starter Packs in an inactive state are subject to administrative sanctions in accordance with applicable regulations. Furthermore, the obligation to include a warning on prepaid Starter Pack packaging, whether produced physically or non-physically (eSIM), is established in Article 21 with the requirement for capital letters of at least 10 points reading:
“UNTUK KENYAMANAN DAN KEAMANAN ANDA, REGISTRASIKAN KARTU PRABAYAR MENGGUNAKAN IDENTITAS YANG BENAR DAN BERHAK”
(FOR YOUR COMFORT AND SAFETY, REGISTER PREPAID CARDS USING CORRECT AND ENTITLED IDENTITIES)
Fraud Handling Mechanism and Tiered Administrative Sanctions
Regulation 7/2026 governs the procedures for handling the use of Subscriber Numbers indicated or proven to be misused for unlawful acts, as stipulated in Article 15, Article 16, and Article 17 as well as Annex II. Under this mechanism, Telecommunications Service Providers must follow up on reports of Subscriber Number misuse through the provided complaint system. In handling indications of Subscriber Number misuse, Regulation 7/2026 establishes the following provisions:
- Subscriber Number Blocking: Telecommunications Service Providers block Subscriber Numbers reported or indicated to be misused no later than 1 × 24 hours after receiving report notification through the complaint system, as stipulated in Article 15 and Annex II.
- Subscriber Number Deactivation: Telecommunications Service Providers send notifications to Subscriber Number users to perform re-registration or clarification and deactivate the Subscriber Number if there is no follow-up within a 1 × 24 hour period, in accordance with the provisions of Article 15 and Article 16.
- Administrative Sanctions: Violations of registration obligations, KYC application, fulfillment of technology and information security standards, and reporting obligations are subject to tiered administrative sanctions ranging from written warnings to temporary suspension of business activities as stipulated in Articles 27 through 31 and Annex IV.
Periodic Reporting Obligations and Real-Time Data Integration
Provisions regarding reporting and subscriber data provision to support supervisory functions and data accuracy are governed in Article 25 and Article 26. Through these regulations, Telecommunications Service Providers must fulfill the following administrative obligations:
- Periodic Reports: Telecommunications Service Providers submit reports to the Director General every 3 (three) months separating individual Telecommunications Service Subscriber data and Telecommunications Service Subscriber data for legal entities, non-legal business entities, and/or other organizations.
- Business Entity Subscriber Report Content: Reports on Telecommunications Service Subscriber data for legal entities, non-legal business entities, and/or other organizations must contain at least the identity of the person-in-charge, the Subscriber Number used, and the intended use of the Subscriber Number.
- Real-Time Data Integration: Telecommunications Service Providers provide an active Telecommunications Service Subscriber data center connected directly (real-time) with the Ministry's registration monitoring system.
Transitional Provisions
The transitional provisions in Article 32 govern the adjustment period for Telecommunications Service Providers in implementing subscriber registration. Telecommunications Service Providers must adjust their self-registration mechanisms to the provisions of Regulation 7/2026 no later than 6 (six) months from the date of promulgation, i.e., January 19, 2026, and during such period, self-registration may still be performed using NIK and Family Card Numbers. Subscriber Numbers lawfully registered prior to the entry into force of Regulation 7/2026 remain valid and may continue to be used without any re-registration obligation.
Closing
Regulation 7/2026 regulates telecommunications subscriber registration through cellular mobile networks by placing subscriber identity validity as the basis for service usage, through the application of Know Your Customer (KYC) principles based on facial recognition biometric population data, fulfillment of attack detection technology standards per ISO/IEC 30107-3, and subscriber data management and protection based on ISO 27001 information security standards. This regulation also covers the separation of Subscriber Number usage by legal entities and organizations. The Regulation mandates that the registration of numbers used by employees be performed using the identity of each individual, whereas registration of numbers for specific operational purposes (including Machine-to-Machine/M2M and Internet of Things/IoT) uses the population identity of the business entity person-in-charge. Both registration types must be performed through Telecommunications Service Provider outlets.
Furthermore, Regulation 7/2026 establishes the obligation to distribute Starter Packs in an inactive state, the inclusion of warnings on prepaid Starter Pack packaging, mechanisms for handling Subscriber Number misuse with specific handling time limits, tiered administrative sanctions for violations of registration obligations, technology standards, data security, and reporting, as well as the obligation to submit periodic reports and provide an active subscriber data center connected in real-time with the Ministry's monitoring system. As a transitional provision, Regulation 7/2026 provides an adjustment period of 6 (six) months from the date of promulgation and affirms that Subscriber Numbers lawfully registered before this regulation took effect may continue to be used without a re-registration obligation.
