What should companies know about Mexico's digital identity reforms?

The new framework consists of five instruments, including:

• The General Population Law, reformed to establish the Unique Population Registry Code (CURP) with biometric data as a national identification document.
• The General Law on Forced Disappearance, which imposes new obligations to collaborate with authorities in locating individuals.
• The Law on the National Investigation and Intelligence System, which regulates public sector access to security information, including company databases.
• The National Law for the Elimination of Bureaucratic Procedures, which creates new guidelines for digital transformation and administrative simplification.
• The Federal Telecommunications and Broadcasting Law, reformed to strengthen identity verification on mobile lines.

These reforms have a direct impact on companies not only because of the obligation to adopt new authentication and identity validation mechanisms, but also because of the requirement to connect and collaborate with public sector platforms on security and human rights issues. In particular, they impose adjustments on the following fronts:

1. Mandatory biometric CURP as a source of identity.

The CURP becomes the single source of identity for all individuals. By incorporating fingerprints and photographs, it becomes the mandatory National Identification Document. Now any company that provides any kind of services or procedures, must accept the biometric CURP, in physical or digital version, as a valid identification document.

2. MX Llave as a digital authentication mechanism.

Any company that requires digital identity authentication must accept the MX Llave as the official mechanism. This is directly linked to the CURP and will function as a means of authentication and single sign-on to access government platforms.

3. Connection with the Unified Identity Platform (PUI) and the National Intelligence Centre (CNI).

Companies will have to adapt their systems to connect with the PUI, which serves as a primary source of consultation in real time. This will be mandatory for any company that manages records or databases of people whose consultation is necessary for the investigation, search, location and identification of missing or disappeared individuals. The use of the PUI will be conditioned to the prior existence of an investigation folder or single search folio and will be limited exclusively to data related to the missing individual.

4. Immediate access to databases in cases of disappearance.

Companies that manage biometric data or any other identifying data must allow prosecutors' offices, search commissions and other competent authorities to immediately consult such information contained in their records, databases or systems, exclusively for the purposes of searching, locating and identifying missing individuals, in coordination with the corresponding investigation.

5. Facilitate access to images obtained by remote technologies.

Companies that generate or have access to images or measurements captured by satellites, unmanned aircraft or other technologies must allow their consultation with the competent authorities, exclusively for the search, location and identification of missing individuals.

6. Agreements with the CNI for interconnection.

Companies must be able to sign agreements with the CNI through which temporary or permanent access to their systems or records is allowed, only when it is useful information for the prevention or investigation of crimes related to public security or criminal proceedings.

7. Delivery of source code in public contracts.

Companies that develop software for public institutions must deliver the source code and the corresponding licenses, if agreed, to integrate them into the National Repository of Public Technology, in order to guarantee the technological autonomy of the public sector.

8. Identity verification in activation of mobile lines.

Companies that are concessionaires or marketers of mobile services must verify that each line is associated to an individual with a valid CURP or a company identified with its RFC, as a mandatory authentication and identification measure.

In light of the scope of the reforms, our team offers the following quick list to ensure that companies comply with the new regulation:

1. Implement identification and digital authentication in internal processes to accept the biometric CURP and the MX Llave as valid means, applying them in all forms, systems, onboarding processes and digital services.

Likewise, in the case of telecommunications companies, ensure that all lines are linked to CURP, in the case of individuals, or RFC, in the case of legal entities.

2. Update terms and conditions of service, privacy policies, and legal notices to reflect new obligations regarding authentication, connectivity, use of biometrics, and collaboration with authorities.

3. Adapt the technological architecture to guarantee connectivity with official platforms (Single Identity Platform, Central Intelligence Platform, among others).

4. Strengthen data protection and security, establish technical and organizational measures to protect biometric data, including security by design, encryption, segmentation, access controls, traceability, and reinforce data protection programs with impact assessments.

5. Define protocols for access to data by authorities, clear and auditable procedures to meet requirements from prosecutors' offices, search commissions or the CNI, ensuring legality, data minimization, compliance records, and include specific protocols for the disappearance of individuals.

6. Incorporate a human rights approach, review internal protocols to ensure that all collaboration with authorities complies with national and international standards of fundamental rights.

7. Train key personnel, train IT, legal, compliance, attention to authorities and public procurement teams on the new tools, legal obligations and technical processes derived from the regulatory framework.

8. Review and adapt contracts with authorities or third parties involving connectivity, software or data; include compliance clauses, delivery of information, licenses and comply with the obligation to deliver source code when applicable.

9. Perform compliance audits to identify risks, adjust procedures, and ensure the correct implementation of obligations related to digital identity, connectivity and data protection.

The new legal framework, mandatory from October 2025, represents a structural change in the way companies manage digital identity and information. This environment requires concrete actions to ensure regulatory compliance, operational continuity and the protection of personal data. At Hogan Lovells we have the experience and knowledge to support you in implementing these new requirements, minimizing risks and strengthening confidence in your operations.

Authored by Guillermo Larrea and Victoria Villagómez.