On May 29, 2026, Indonesia's Communications and Digital Ministry (Komdigi) confirmed that its mandatory biometric SIM registration system is ready for a July 1 launch. Under Ministerial Regulation No. 7 of 2026, issued January 22, every new mobile number must be tied to a citizen's NIK national identity number and verified through facial recognition before activation, with users capped at three lines per operator and existing numbers slated for re-registration. Trials already ran across Java, Sumatra, and Kalimantan with Telkomsel, Indosat, and XLSmart.
This is not a distant Asia-Pacific story for Egyptian readers. Egypt operates one of the region's more developed SIM-and-device registration regimes, and Jakarta's leap from identity-linked to biometric registration is precisely the upgrade Egyptian regulators will be asked to consider next. The Indonesian model is worth studying closely—not as a template to copy, but as a cautionary preview.
The case for the mandate is real
It would be dishonest to dismiss Indonesia's reasoning as mere control instinct. The government points to genuine harm: Indonesian authorities, citing the national Anti-Scam Centre, reported cybercrime-linked losses of Rp9.5 trillion (roughly US$580 million) as of April 2026, much of it driven by scammers who acquire SIMs anonymously to run phishing, spam, and fraud operations (Tempo). When a phone number is the entry point to banking apps, government services, and one-time passwords, knowing who holds it is a legitimate public-safety interest. Egypt faces the same scam economy, and the same logic underpins its existing rules.
The strongest version of the pro-biometric argument is that identity documents can be forged or borrowed, while a face cannot. Indonesia's regulation even requires the facial-recognition module to meet a minimum accuracy of 95% and obliges operators to give users a portal to see and block numbers registered under their identity (CAICT regulatory summary). On paper, that is a fraud-prevention feature, not just a surveillance one.
Where proportionality breaks down
The problem is that the marginal security gain is small and the marginal risk is permanent. As Indonesian cybersecurity researcher Niken Dwi Wahyu Cahyani noted, biometric registration "addresses only one part of the problem—verifying a user's identity when a SIM card is registered." Most scams happen after a legitimate registration, through social engineering, malware, and phishing that no facial scan at the point of sale can prevent. Facial matching is itself spoofable with photos, deepfakes, or stolen ID selfies. You collect the most sensitive data category imaginable to close a narrow gap that determined criminals route around.
And the data does not stay theoretical. Indonesia's own NIK database has been breached repeatedly over the past decade; those leaked numbers are exactly why the government now says it must "reconfirm" identities biometrically. Adding faces to that pipeline does not fix the underlying leakiness—it raises the stakes of the next breach. A password can be reset. A national ID number is hard to change. A face cannot be reissued at all.
Egypt should hold its current line
Egypt's existing framework is instructive because it is already strict without being biometric. Under the National Telecom Regulatory Authority's rules, every customer must present an original national ID in person, and each person may hold a maximum of 10 voice lines and 5 data lines per operator (NTRA). Egypt layered on device-level control in 2025: since January 1, 2025, every handset's IMEI must be registered through the NTRA Digital Service Platform before a SIM will activate (Approve-IT/NTRA guidance).
That is already a comprehensive traceability stack—identity, line caps, and device binding—achieved without compelling 110 million citizens to surrender face templates to telecom operators. The accountability problem SIM registration is meant to solve is substantially addressed. Adding facial recognition would deliver little additional fraud deterrence while creating a centralized biometric honeypot governed by Egypt's still-maturing Personal Data Protection Law (Law No. 151 of 2020), whose executive regulations have been slow to fully operationalize enforcement.
The proportionate path
A pro-innovation telecom policy does not mean anonymous SIMs. It means matching the intrusiveness of a mandate to the harm it actually prevents, and refusing to normalize irreversible data collection for incremental gains. Indonesia's three-lines-per-operator cap is a sensible, low-cost fraud lever—tighter than Egypt's 10-and-5 limits—and worth examining on its own. But the biometric layer is the part Egypt should decline.
If Cairo wants to strengthen its regime, the better moves are sharper line caps, faster breach-notification rules, independent audits of the existing NTRA and Dukcapil-style databases, and real penalties for operators who mishandle the ID data they already hold. Those measures raise the cost of fraud without building a facial database that, once breached, can never be made safe again. Indonesia is about to run that experiment for the rest of us. Egypt should watch the results before signing up.