The Minister of Communication and Digital Affairs (“MoCD”) has enacted Regulation No. 7 of 2026 on the Registration of Telecommunications Service Customers through Cellular Mobile Networks (“MoCD Reg. 7/2026”), effective since 19 January 2026. This regulation strengthens the legal framework governing customer registration for telecommunications services via cellular mobile networks, and revokes the relevant provisions previously stipulated under Minister of Communication and Informatics (now MoCD) Regulation No. 5 of 2021 on Telecommunication Organization (“MoCI Reg. 5/2021”).

In light of the above, we outline below, the key provisions introduced and emphasized under MoCD Reg. 7/2026 for consideration by relevant parties and stakeholders in relation to the implementation and operation of telecommunications services through cellular mobile network systems, particularly Subscriber Identity Modules (“SIM”), in Indonesia.

 

1. KYC Information

Although MoCD Reg. 7/2026 is generally similar to MoCI Reg. 5/2021, it further classifies the scope of KYC required for the registration of telecommunications service customers. In particular, the registration of the telecommunications services now mandates the use of biometric data in the form of facial recognition. The regulation also introduces clearer provisions on the registration of underage individuals, namely individuals below 17 years of age, and unmarried customers, not adequately addressed under the previous framework of MoCI Reg. 5/2021.

The table below sets out a summary of the KYC requirements under MoCD Reg. 7/2026 for your ease of reference:

 

2. Customer Registration

MoCD Reg. 7/2026 has reformed the registration procedure specifically for self-registration. Now, customers may only register their numbers for telecommunications services through the telecommunication service provider’s application or website, followed by verification of the relevant number by way of SMS, email, a USSD media browser, or other available methods of the provider (Article 7 (1) of MoCD Reg. 7/2026).

The self-registration process shall follow the statutory procedure under Article 7 (2) of MoCD Reg. 7/2026, as follows:

  1. the customer sends the number to-be-registered through the telecommunication provider’s application or website;
  2. the telecommunication service provider sends an authorization code in the form of One-Time Password or other available verification methods to the customer’s number;
  3. the customer resends the authorization code, enters the NIK, and performs biometric verification in the form of facial recognition;
  4. the telecommunication service provider validates the obtained customer’s information; and
  5. once validated, the customer is granted access to and use of the number. However, if the information entered is not validated, the telecommunication service provider must require the customer to update their data with the Ministry of Population and Family Development.

 

3. Security Standards

Given the requirement for customers to provide their biometric data in the form of facial recognition in the registration process, MoCD Reg. 7/2026 requires telecommunication service providers to implement adequate safeguards by requiring them to:

  1. possess or cooperate with parties that have ISO/IEC 30107-3 certification on Presentation Attack Detection with resistance at level 2 or above as internationally recognized; and
  2. implement fraud prevention and management mechanism.

In addition, telecommunication service providers are required to hold information security certification of, at least, ISO 27001 in respect of the management and retention of customer data. Telecommunication service providers must also report the implementation of the ISO 27001 compliance audits to the Director General of Digital Ecosystem (“DGoDE”) of MoCD (Article 13 (5) and (6) of MoCD Reg. 7/2026).

 

4. Misuse Prevention and Measures

In addition to maintaining the existing maximum limit of three registered numbers per customer as governed under MoCI Reg. 5/2021, MoCD Reg. 7/2026 introduces a mechanism to address the misuse of customer numbers and identification data.

Under Article 15 of MoCD Reg. 7/2026, customers are entitled to request verification of their registered numbers to the telecommunication service providers to determine whether their personal data has been used by unrecognized or unauthorized numbers. Where such circumstances are identified, customers have the right to report the issue and request the blocking of the relevant numbers. Upon receipt of such a report, the telecommunication service provider is required to notify the user of the relevant number to carry out re-registration within 1 x 24 hours.

If the re-registration is not completed within the timeframe, the provider must deactivate the relevant number. In such circumstances, the telecommunication service provider has no obligation to compensate the customer for such deactivation.

 

5. Corporate and Employees

MoCD Reg. 7/2026 governs the basis for the use of telecommunications services by business entities and organizations. Article 19 (1) of MoCD Reg. 7/2026 provides that numbers used by the personnel of business entities and organizations must be registered using the identity of the relevant personnel.

However, in specific operations, such as: (i) Machine-to-Machine (M2M) and/or Internet of Things (IoT); (ii) testing and/or detecting violations by telecommunication service providers; or (iii) other specific needs of business entities and organizations, the relevant numbers must be registered using the identity data of the relevant responsible personnel, for example, directors or heads, rather than the employees’ identities (Article 19 (2) of MoCD Reg. 7/2026).

 

6. Supervisory and Periodic Report

Supervisory measures for the implementation of telecommunications services have been expanded under MoCD Reg. 7/2026 compared with those under MoCI Reg. 5/2021. In addition to the existing requirement to submit quarterly reports to DGoDE on active prepaid and postpaid customers, telecommunication service providers are now required to submit data on numbers that have been re-registered or deactivated on the same quarterly basis (Article 25 (2) of MoCD Reg. 7/2026).

The reporting obligation to DGoDE generally remains consistent, with telecommunications service providers required to submit customer data by category. Pursuant to Article 25 (3) and (4) of MoCD Reg. 7/2026, such reporting is as follows:

  1. Individual Customers: providers must submit (i) the identity data of the customer; carrying out the registration; and (ii) the corresponding customer’s numbers.
  2. Business Entity and Organization Customers: providers must submit (i) the identity of the relevant responsible individual, legal entity, business entity, and/or organization carrying out the registration; (ii) the corresponding customer numbers; and (iii) the purpose of the use.

 

7. Administrative Sanctions

Telecommunication service provider that fails to comply with the guideline is subject to administrative sanctions in the form of: (i) written warnings; and/or (ii) temporary suspension of business activity. The imposition of sanctions under MoCD Reg. 7/2026 follows a tiered approach, whereby sanctions are applied progressively from the first up to the third written warnings, followed by temporary suspension for continued non-compliance, with each stage of written warning imposed at an interval of 7 working days (Article 28 (4) of MoCD Reg. 7/2026).

 

8. Implementation

Notwithstanding that the regulation has been in effect since 19 January 2026, MoCD Reg. 7/2026 provides a grace period for telecommunication service providers to align with the new guideline. In particular, the regulation grants a period of 6 months for telecommunication service providers to comply with the updated self-registration procedure (Article 32 (a) of MoCD Reg. 7/2026). Accordingly, these providers are expected to fully align their self-registration mechanism by 19 July 2026.

 

Concluding Remarks

MoCD Reg. 7/2026 marks a significant development in Indonesia’s regulatory framework on telecommunication users by introducing a more rigorous customer registration regime centred on facial-recognition-based verification, stronger data security requirements, and enhanced supervisory measures. Although the regulation builds on the framework previously established under MoCI Reg. 5/2021, it also reflects a clearer and more disciplined compliance approach requiring telecommunication service providers to review not only their registration procedures, but also their broader operational, technological, and governance readiness. In this regard, the transition period provided under the regulation should be treated as an important window for providers and other relevant stakeholders to assess the adequacy of their existing systems and ensure timely alignment with the new legal requirements.

 

 

Disclaimer: The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their circumstances.