In our previous thought leadership article, we explored why identity verification at SIM and eSIM purchase has become a strategic control point for fraud prevention, compliance resilience, and ecosystem trust. This guide builds on that foundation and translates the strategy into regulatory reality.

For compliance and product owners at mobile operators, MVNOs, and wholesale number providers, the key question is not whether identity verification matters. The question is what level of identity verification is required, in which jurisdictions, and under which legal frameworks.

This document provides a practical regional overview of SIM registration and identity verification obligations, grouped into three broad regulatory models, no ID verification, basic identification, and full KYC level requirements.

Three Regulatory Models for SIM Registration

1. No Mandatory Identity Verification

In a limited number of markets, prepaid SIM cards can still be purchased without mandatory identity verification. These markets are shrinking due to fraud and national security concerns.

Examples historically have included parts of North America and certain smaller jurisdictions. In the United States, there is no federal law mandating identity verification for prepaid SIM purchase. However, carriers often apply internal risk controls and fraud detection measures.

Even in markets without formal requirements, operators face indirect pressure through AML obligations, fraud liability exposure, and contractual requirements from banks and digital platforms that rely on phone numbers.

2. Basic Identification Requirement

Under this model, the purchaser must provide identifying information, typically name and address, sometimes validated against an ID document. The verification depth may vary.

Examples include:

• United Kingdom, prepaid SIM registration requirements implemented through operator license conditions and regulatory oversight by Ofcom.
• Netherlands, mandatory registration under national telecommunications law.
• Sweden and Finland, where ID checks are required for prepaid activation.

In these markets, identity verification is generally tied to telecom regulation rather than full AML KYC frameworks. However, digital onboarding standards and data protection obligations apply.

3. Full KYC Level Requirements

In many countries, SIM registration is aligned with national security legislation or anti fraud frameworks that require document level verification and sometimes biometric confirmation.

Examples include:

• Germany, mandatory ID verification for prepaid SIMs under the Telecommunications Act.
• France, identification obligations under the Postal and Electronic Communications Code.
• Italy, SIM registration under national public security laws.
• India, strict KYC requirements including document verification under Department of Telecommunications regulations.
• United Arab Emirates and Saudi Arabia, biometric linked SIM registration frameworks.

In these jurisdictions, remote onboarding must meet specific evidentiary standards, often requiring document validation and face to document matching.

Europe, Regulatory Framework Overview

Europe presents a layered regulatory environment. SIM registration obligations arise primarily from national telecom and public security laws. However, broader European Union frameworks influence implementation standards.

European Union Level Framework

At EU level, there is no single regulation that mandates SIM registration across all Member States. However, several instruments shape the compliance landscape:

• European Electronic Communications Code, Directive 2018 1972, establishes the framework for telecom services and national regulatory authority oversight.
• General Data Protection Regulation, Regulation 2016 679, governs processing of identity data and biometric information.
• eIDAS Regulation, Regulation 910 2014 and its updated framework, defines trust services and electronic identification standards.
• AMLD 5 and AMLD 6, which influence identity verification expectations where telecom services intersect with financial services risk.

Operators must therefore balance telecom registration obligations with data protection and biometric processing restrictions.

United Kingdom

The UK does not impose a statutory nationwide SIM registration law in the same way as some EU countries. However, operators are subject to license conditions and security obligations under the Communications Act 2003 and oversight by Ofcom.

Additionally, data processing for identity verification must comply with the UK GDPR and Data Protection Act 2018.

In practice, many operators apply identity verification for prepaid activation, particularly for online flows, to mitigate fraud and law enforcement exposure.

Germany

Germany enforces mandatory identification for prepaid SIM activation under the Telecommunications Act, Telekommunikationsgesetz. Since 2017, customers must present a valid identification document before activation.

Remote identification is permitted but must meet defined verification standards. Biometric face matching and video identification have been widely adopted to comply with these obligations.

Data protection requirements fall under GDPR and the Federal Data Protection Act.

France

France requires identification of prepaid SIM purchasers under the Code des postes et des communications électroniques.

Operators must collect and retain verified customer identity information. Biometric verification is permitted subject to GDPR constraints and proportionality.

Italy

Italy mandates SIM registration under public security legislation, including provisions derived from anti terrorism laws and enforced via the Electronic Communications Code.

Identification is required before activation, and operators must retain customer identity records for defined periods.

Benelux

Netherlands requires prepaid SIM registration under national telecommunications legislation.

Belgium mandates identification under the Belgian Electronic Communications Act, strengthened in recent years to combat terrorism and fraud.

Luxembourg also requires SIM registration aligned with national telecom law.

Nordics

Sweden requires prepaid SIM registration under the Electronic Communications Act.

Finland requires identification under national telecom law.

Denmark has mandatory registration requirements tied to telecom regulation.

Norway, while not an EU member, requires identification under national electronic communications legislation.

Asia Pacific

India

India enforces one of the strictest SIM KYC regimes globally under Department of Telecommunications regulations. Aadhaar based biometric verification has been used extensively, although subject to evolving judicial guidance.

Singapore

Mandatory SIM registration under the Telecommunications Act, enforced by the Infocomm Media Development Authority.

Australia

Mandatory identification under the Telecommunications Act 1997 and related regulations. Identity must be verified before activation.

Middle East and Africa

Many countries in this region have adopted strict SIM registration regimes tied to national security policy.

• United Arab Emirates, mandatory Emirates ID verification.
• Saudi Arabia, biometric SIM registration under Communications and Information Technology Commission rules.
• Nigeria and South Africa, national SIM registration frameworks tied to telecom regulators.

North America

United States

No federal prepaid SIM registration requirement. However, operators may apply internal KYC controls. Lawful intercept and fraud exposure drive increasing interest in stronger onboarding.

Canada

No nationwide prepaid registration requirement, though carriers may apply internal verification policies.

Operational Implications for Compliance and Product Teams

The regulatory trend is clear. More jurisdictions are moving toward mandatory SIM registration, higher evidentiary standards, and closer scrutiny of remote onboarding processes.

For online SIM and eSIM flows, this creates three imperatives:

1. Map regulatory category by country, no IDV, basic ID, or full KYC.
2. Align onboarding assurance level to the strictest applicable requirement in cross border offerings.
3. Design identity verification architecture that meets telecom law, GDPR, and biometric processing constraints.

This is where the technology strategy described in our previous article becomes operationally critical. Risk based identity verification, combining document validation, face matching, and liveness detection, enables operators to meet both regulatory obligations and fraud prevention objectives.

Decentralized biometric architectures further reduce data protection risk while preserving compliance strength, particularly in GDPR sensitive jurisdictions.

In the table below is a summary of the regional examples provided in this article.

Region	Country	Requirement level	Typical checks for online SIM or eSIM	Notes
Europe	United Kingdom	Basic to risk based	Customer details, often ID capture for higher risk	No single nationwide SIM KYC law, operators apply controls via security obligations and internal policy
Europe	Germany	Full KYC	ID document verification, face match, liveness, video ID allowed	Mandatory prepaid identification before activation
Europe	France	Full KYC	Identity collection, ID verification, optional biometric step up	Prepaid identification and retention obligations
Europe	Italy	Full KYC	ID verification before activation	Registration obligations tied to public security and telecom rules
Europe	Netherlands	Basic ID	Registration, often ID document check depending on channel	Mandatory prepaid registration
Europe	Belgium	Basic to full	Registration, ID verification commonly required	Strengthened rules to reduce terrorism and fraud abuse
Europe	Luxembourg	Basic ID	Registration, ID checks depending on operator process	Registration required under national telecom framework
Nordics	Sweden	Basic ID	Registration, ID verification for prepaid activation	Mandatory prepaid registration
Nordics	Finland	Basic ID	Registration, ID verification for activation	Mandatory identification for prepaid
Nordics	Denmark	Basic ID	Registration, ID verification commonly applied	Registration requirement under telecom rules
Nordics	Norway	Basic ID	Registration, ID verification commonly applied	Not EU, similar mandatory registration approach
Asia Pacific	India	Full KYC	ID verification, strong KYC processes, biometrics often used in practice	Strict national KYC framework for SIM issuance
Asia Pacific	Singapore	Full KYC	ID verification before activation	Mandatory registration and verification
Asia Pacific	Australia	Full KYC	ID verification before activation	Mandatory verification for prepaid activation
Middle East	United Arab Emirates	Full KYC	National ID verification, strong onboarding controls	Typically ID linked to SIM activation
Middle East	Saudi Arabia	Full KYC	ID verification, biometrics used in some onboarding flows	Strict registration regime
Africa	Nigeria	Full KYC	National identity registration, SIM registration verification	Strict enforcement periods, registration emphasized for security
Africa	South Africa	Full KYC	ID verification and address details for activation	Mandatory registration framework
North America	United States	No mandatory IDV	Varies by carrier, often risk based checks	No federal prepaid SIM registration law, internal controls common for fraud
North America	Canada	No mandatory IDV	Varies by carrier, risk based checks	No nationwide prepaid registration requirement

Conclusion, Compliance as Competitive Advantage

Identity verification for SIM and eSIM purchase is no longer a narrow regulatory exercise. It is an infrastructure level trust control shaped by telecom law, national security policy, data protection regulation, and fraud economics.

Operators and wholesale providers that proactively design for regulatory diversity, rather than react to it, will reduce enforcement risk, strengthen partner trust, and enable scalable digital distribution.

The future of mobile connectivity is digital, instant, and global. Its foundation must be verifiable identity.