South Africa’s digital ID system is moving from concept to regulation, with Home Affairs Minister Leon Schreiber publishing draft rules that would allow citizens to carry a smartphone-based identity credential and, crucially, open the door for banks, telecoms and other trusted entities to help enrol users. The proposal marks one of the biggest shifts yet in how South Africans may prove who they are in the years ahead, and it has immediately raised questions about access, privacy and the role of the private sector.
The draft amendments to the Identification Regulations of 1998 were gazetted on Monday for public comment, with the consultation period running until 6 June 2026. At the centre of the proposal is a new digital credential delivered through a mobile app called MyMzansi, which would sit alongside the country’s existing smart ID card rather than replace it.
That detail matters. The draft makes clear that the digital version would be optional, and no South African would be forced to obtain it in order to continue using a valid physical ID. In a country where millions still rely heavily on paper and card-based documents, that safeguard is likely to be a key part of the public debate.
Under the proposals, anyone aged 16 and older would apply at an accredited enrolment point. That category is broad: it includes Home Affairs offices, South African foreign missions, ports of entry, branches or premises of accredited trusted entities, and even mobile enrolment units operated by the department. The intention appears to be to make the system available far beyond standard government counters.
The enrolment process itself would be highly technical. It would require documentary verification, checks against the population register, biometric deduplication, facial and fingerprint capture, liveness detection and verification of a mobile number and email address. Applicants would also need to provide proof of residence, complete device binding so the credential is tied to a specific phone, and pass an automated fraud assessment.
South Africa’s digital ID system and the rise of trusted entities
One of the most important parts of the draft is the creation of a class of organisations known as trusted entities. These would be institutions with a legal obligation to verify identity for specific functions such as anti-money laundering compliance, telecoms access control, social benefits administration, licensing, tax administration and law enforcement.
In practical terms, this means banks, mobile operators, SARS and the SAPS could all fall within scope, depending on their statutory role and whether they are accredited by the director-general of Home Affairs. For the private sector, that could mean a more direct role in identity verification than South Africans are used to seeing.
The regulations go a step further in allowing a verified relationship to be recorded between a person and an accredited trusted entity. Once that relationship exists, the entity could receive near real-time updates when relevant details in the population register change. That could help reduce the burden on citizens who currently have to inform multiple institutions individually when they move or change contact details.
For example, if a person updates their address, a bank or cellphone provider could be notified automatically, but only if the change falls within the categories that entity is allowed to hold under its data-sharing agreement. The draft also makes it clear that the Protection of Personal Information Act (POPIA) would override the regulations where there is any conflict.
The system would not be a free-for-all. The draft says trusted entities would be prohibited from using identity data for data commercialisation, open-ended intelligence gathering, profiling or broad searching. Each access would have to be necessary and proportionate to a specific statutory function, and audit logs of register access would have to be kept for at least seven years.
There are also explicit guardrails around policing and national security. Regulation 32(4) states that nothing in the draft authorises the release of population register information to law-enforcement or security bodies unless another law allows it, including where that law requires judicial authorisation, a warrant or a court order.
That provision is likely to be closely watched by privacy advocates, especially given the sensitivity around biometrics and register access. The draft also criminalises a range of misuse, including enrolling under a false identity, presenting another person’s credential, tampering with a credential, bypassing liveness detection and misusing population register data. Offenders could face a fine or up to two years in prison.
The digital credential itself would be built with cryptographic protections and signed using asymmetric cryptography, including elliptic-curve methods. Biometric templates would be stored in encrypted form in the population register, according to the draft.
The credential could be presented using near-field communication, Bluetooth, QR code or any other secure method the director-general may approve. It would have a validity period of five years, and holders would be notified 90 days before expiry through the MyMzansi app. Renewal would take place through facial biometric verification.
Importantly, the draft also says a credential would lapse if the holder had not undergone any in-person enrolment or in-person verification at an accredited trusted entity in the previous 10 years. That suggests the state wants a continued link between digital identity and face-to-face verification, even in a more digital environment.
Home Affairs has also built in a cost rule. Standard in-person enrolment would be free at government offices and available at private enrolment points at no additional cost beyond prescribed identity document fees. The director-general would be required to ensure enrolment is available in every municipality as soon as reasonably possible after the regulations come into force.
Schreiber says the draft is designed to lay the foundation for a world-class digital identity system and to support the broader push to deliver what he calls “Home Affairs @ home”. In a statement on Tuesday, he said the department is working with the Presidency to help digitise government services more widely.
At the same time, the draft acknowledges a reality that cannot be ignored in South Africa: not everyone has a smartphone, reliable data or the skills to use digital services easily. It says the system must be implemented in a way that does not unreasonably exclude people who do not own suitable devices or who need assistance to use digital channels.
That clause will matter in the real world. South Africa remains a country of deep digital inequality, and any identity system that leans too heavily on smartphones risks leaving vulnerable people behind unless the rollout is carefully managed. As we have seen with other government digital projects, the question is not only whether the technology works, but whether it works for ordinary people in municipalities, rural areas and township communities.
The draft regulations now open the door to a major public debate about the future of identity in South Africa. Supporters will point to convenience, fraud reduction and faster service delivery. Critics will almost certainly focus on surveillance risks, private-sector access and the danger of excluding people without digital tools. Our view is that the final rules will need to balance innovation with hard constitutional safeguards if South Africa’s digital ID system is to win public trust.
Written submissions on the draft must be sent to the chief director for legal services at Home Affairs by 6 June 2026. The regulations will only take effect on a date later fixed by the minister, but this week’s gazetting makes one thing clear: South Africa’s next chapter in identity management is now officially underway.