Blog

SMS Regulations by Country: Global Compliance Guide 2026

Written by Insights by Telerivet | Jul 5, 2026

Most SMS programs that fail internationally do not fail because someone broke a law. They fail because a team designed a workflow for one market, assumed the architecture transferred, and discovered too late that it did not. Two-way SMS is unavailable for standard A2P channels in six of the markets covered in this guide. Japan's major carriers aggressively filter URLs in SMS. Mexico replaces every branded sender name with a short code. The UAE mandates an "AD-" prefix on every promotional sender ID or the message fails. Vietnam requires the brand name to appear in the message body itself, not just in the sender field. None of these are obscure edge cases. They are the standard operating environment in those markets.

This guide covers international SMS compliance and operational architecture across 25 markets. It explains what varies by country, why the differences matter for program design, and how organizations running programs across multiple markets build messaging operations that work reliably in each one. Compliance determines whether the first message can be sent. Architecture determines whether the program actually works.

The markets covered here represent countries where Telerivet has published detailed compliance research, not the full extent of where Telerivet operates. Telerivet supports messaging across 150-plus countries, and the operators who benefit most from this cluster run programs spanning multiple markets simultaneously: field operations, logistics coordination, healthcare delivery, financial services, workforce management, hospitality, research, and humanitarian programs across Africa, Asia, Latin America, Europe, and beyond. SMS is the operational backbone for all of them. If your markets are not listed, the same principles apply. Reach out and we will work through the specifics with you.

The table below summarizes the single most consequential compliance fact and the key architectural variables for each market. Click any country name for the full implementation guide.

Country Two-way A2P Alpha Sender ID Registration Key constraint WhatsApp
Nigeria Required DND 2442 silent filtering Strong
Kenya Required Safaricom Mon/Thu schedule Strong
Tanzania Required TCRA monitoring expanded Oct 2024 Strong
Ghana Required No promotional SMS Sundays Strong
South Africa WASPA registration POPIA one-approach rule Strong
Rwanda Required No A2P two-way; design channel first Strong
Uganda Required No A2P two-way; DPPA criminal liability Strong
Zambia Required (MTN) MTN pre-registration required Strong
India 3-layer DLT One char mismatch = silent failure Strong
Bangladesh BTRC aggregator No two-way; masking terminology Moderate
Pakistan Partial Per carrier + PTA Telenor/Ufone use shortcodes Strong
Philippines Required Route quality critical for OTP Strong + Viber
Indonesia Komdigi-approved Grey routes systematically blocked Strong
Thailand Required Intl SMS flagged as scam since Oct 2025 Moderate
Vietnam Required Brand name required in body Moderate
Japan Partial Carrier URLs blocked; 70-char Unicode limit Moderate
Australia Required (ACMA) "Unverified" label if unregistered Strong
Canada Required (10DLC) Implied consent has expiry dates Moderate
United States Required (10DLC) TCPA per-message damages, no cap Moderate
United Kingdom No DUAA 2025 raised ICO penalty ceiling Very Strong
France No No 06/07 numbers; Sunday banned Very Strong
Germany No (per route) Competitors can sue; Abmahnung risk Very Strong
Netherlands No Mandatory opt-in; DNC registry abolished 2021 Very Strong
Mexico Required (REPEP) Alpha IDs replaced by short codes Strong
Brazil Required Up to 10-week short code provisioning Dominant
UAE Required AD- prefix mandatory; 20-25 day reg Strong

The five categories of business SMS and why they have different compliance profiles

Most global SMS compliance content treats all business messages the same. They are not the same. Regulators in almost every market distinguish between message types, and the compliance requirements, consent thresholds, and sending restrictions differ significantly by category. Understanding which category your program falls into is the first step before looking at any country-specific rule.

Promotional and marketing messages are campaign-driven communications whose primary purpose is to advertise, offer, or influence a commercial decision. These carry the highest consent bar in virtually every market and face the most restrictions on timing, content, and opt-out handling. Most global SMS compliance content is written for this category alone.

Transactional messages are triggered by a user action or an existing service relationship: OTPs, payment confirmations, booking confirmations, account alerts, order updates. The consent threshold is generally lower because the recipient initiated the interaction that triggered the message. Most markets treat transactional SMS differently from promotional content, often exempting it from sending-hour restrictions and DND registry filtering that apply to marketing programs.

Service messages sit between transactional and promotional: appointment reminders, delivery notifications, service status updates, care updates, subscription renewal notices. They arise from an ongoing relationship rather than a specific user action. Most regulators treat these similarly to transactional messages when they are genuinely service-related and do not include promotional offers.

Operational messages arise from an employment or contractor relationship rather than a consumer relationship: dispatch notifications, shift schedules, safety alerts, field coordination, logistics updates, welfare checks. These have a fundamentally different legal basis from consumer marketing. In most markets, the employment or contractor relationship establishes the basis on which the message can be sent, without the marketing consent architecture that applies to promotional programs.

Business continuity messages are emergency alerts, incident notifications, evacuation instructions, and safety-critical communications where delivery takes priority over commercial considerations. Most regulatory frameworks explicitly exempt these from the restrictions that govern marketing, precisely because blocking them in a crisis would be counterproductive.

For most operational programs, the compliance picture is substantially simpler than marketing guides imply, because the message category carries a lower regulatory burden from the outset.

The five dimensions that vary most by market

Across 25 markets, five dimensions produce the most consequential differences for multi-market program design.

Two-way SMS availability. Standard A2P SMS channels do not support inbound replies in Rwanda, Uganda, Bangladesh, Thailand, Vietnam, and Japan. This dimension catches programs most often because it requires redesigning workflows entirely, not just adjusting parameters. Failover logic, acknowledgment capture, and opt-out via reply all need alternative mechanisms in these markets. USSD and WhatsApp Business cover the interactive layer in many of these environments.

Sender ID behavior. In most markets, a registered alphanumeric sender ID displays your organization's name in the recipient's sender field. Mexico replaces all alphanumeric IDs with short codes, so no brand name appears at all. KDDI in Japan overwrites alphanumeric IDs to numbers for its subscribers. Vietnam requires the brand name in the message body regardless of the sender field. Message body design cannot be transferred unchanged from market to market.

Channel economics and the WhatsApp layer. WhatsApp is the world's most widely used messaging app and, for most international business programs, the natural companion to SMS. The practical architecture in most markets is SMS for guaranteed delivery and WhatsApp for richer engagement where recipients are reachable. Telerivet supports WhatsApp for Enterprise natively alongside SMS, which means both channels share the same consent records, suppression lists, and workflow logic. The channel does not determine the compliance architecture. The platform does.

Consent standard and data protection framework. Markets range from relatively permissive implied consent for B2B contacts in the UK and France, to strict explicit opt-in with documented timestamps in GDPR markets, South Africa's POPIA, and India's DPDP. Operational programs with an employment or service relationship basis generally face a simpler consent picture than consumer marketing programs in every market.

Penalty structure and enforcement posture. The UAE's ceiling of 400,000 AED per violation, the US TCPA's $500 to $1,500 per message with no aggregate cap, and South Africa's Information Regulator operating on a complaints-driven post-hoc model represent fundamentally different risk profiles. Understanding the enforcement posture of each market, not just the rule on paper, changes how urgently compliance architecture should be built before the first send.

The multichannel reality: SMS as the guaranteed layer

SMS reaches every mobile number regardless of what apps the recipient has installed, what data plan they are on, or whether they have internet connectivity. That guaranteed delivery property is what makes SMS the foundational layer for operational, transactional, and business continuity programs. It is not always the primary engagement channel, and it should not always be treated as one.

WhatsApp is the global default for rich business messaging where recipients are reachable through the app. For most international programs, WhatsApp through the Business API is the companion to SMS rather than a competitor: WhatsApp for richer messages where connectivity allows, SMS as the fallback that always arrives. Telerivet supports both on the same platform with shared workflows, which means the channel routing decision is a configuration, not an architectural rebuild.

For interactive workflows in markets where standard A2P SMS does not support replies, the Telerivet Android Gateway routes through a local SIM as P2P traffic, enabling genuine two-way SMS where the standard carrier infrastructure does not. This is the architecture used for field survey programs, PAYGo payment acknowledgment workflows, and welfare check systems in Rwanda, Uganda, Bangladesh, and other markets where A2P two-way is unavailable.

The knowledge base channel selection guide covers how to choose between SMS, WhatsApp, Viber, RCS, USSD, and voice for specific use cases and markets. Communication orchestration is what ties them together into a program that works.

SMS compliance and architecture by market

Sub-Saharan Africa

Nigeria — The DND 2442 system filters messages silently at the carrier level: messages show as sent on your platform while being blocked before delivery. Message type classification must match your sender ID category exactly, because transactional IDs do not deliver promotional content on most networks.

Kenya — Safaricom operates a Monday and Thursday submission schedule for promotional sender ID approval, the most carrier-specific timing constraint in the series. Promotional sender IDs must be numeric on Safaricom, meaning the same organization may need two registered IDs for different message categories.

Tanzania — TCRA's monitoring framework, expanded significantly from October 2024, makes grey route delivery increasingly unreliable across all operators. Sender ID registration is the prerequisite for reliable delivery, not optional optimization.

Ghana — No promotional SMS is permitted on Sundays, and MTN Ghana blocks unregistered or dynamic sender IDs rather than delivering them as numeric strings. Act 843 gives data subjects an explicit right to object to direct marketing that goes beyond a standard opt-out.

South Africa — POPIA's Section 69 permits exactly one unsolicited approach to a non-customer to request consent, after which further contact should cease unless consent is obtained through another lawful interaction. WASPA's Code of Conduct adds a Do Not Contact list, opt-out processing requirements, and a confirmation SMS obligation.

Rwanda — Standard A2P SMS does not support inbound replies on MTN Rwanda and Airtel Rwanda, making reply-based workflows unavailable through standard channels. Choose the interaction channel before designing the workflow: the channel determines the consent handling, acknowledgment architecture, and reporting from the outset.

Uganda — Uganda's July 2025 criminal conviction under the DPPA, the first in the country, established that individual officers may face personal criminal liability for operating without PDPO registration or processing data without consent. Standard A2P two-way SMS is unavailable, requiring the same pre-launch channel design decision as Rwanda.

Zambia — MTN Zambia requires sender IDs to be pre-registered and approved specifically on its network to display correctly for MTN subscribers. Two-way SMS is supported across Zambian networks, distinguishing Zambia from Rwanda and Uganda for programs requiring interactivity.

South Asia

India — India's three-layer DLT system scrubs message templates in real time against the registered version: a single unmatched character causes silent failure where the message shows as sent and never arrives. Template management is an ongoing operational discipline with the same stakes as the consent architecture, not a setup task.

Bangladesh — Bangladesh uses "masking SMS" for what other markets call alphanumeric sender ID, and misclassifying traffic between masking and non-masking is a common reason for route suspension. Standard A2P two-way SMS is unavailable, and all traffic must flow through BTRC-listed aggregators.

Pakistan — Telenor and Ufone route A2P through shortcodes, meaning the brand name visible to Jazz and Zong subscribers may not appear the same way on those networks. Pakistan's DNCR at shortcode 3627 must be verified before promotional sends, and two-way SMS is fully supported across Pakistani networks.

Southeast Asia

Philippines — NTC memorandum circulars and carrier-level enforcement require all commercial bulk SMS to carry a registered sender ID, with blocking of non-compliant traffic. Route quality through direct carrier relationships with Globe, Smart, and DITO matters significantly for OTP and transactional delivery where speed is the operational requirement.

Indonesia — All A2P SMS must route through Komdigi-approved aggregators, and grey route traffic is being systematically blocked as carriers upgrade their SMS firewalls. For programs experiencing delivery failures, the fix is provider replacement, not technical troubleshooting.

Thailand — Since October 2025, NBTC requires carriers to prepend an alert symbol to international-origin SMS before delivery, meaning the flag applies to all international traffic regardless of registration status, not just unregistered senders. Standard A2P two-way SMS is unavailable, and local routing is the practical architecture for programs where recipient trust in the sender is operationally important.

Vietnam — Since August 2024, every SMS sent in Vietnam must include the organization's brand name in the message body, matching the registered sender ID exactly, a requirement unique to Vietnam in this series. Standard A2P two-way SMS is unavailable.

East Asia

Japan — Japan's major carriers filter or block SMS containing URLs as part of anti-phishing measures far more aggressively than any other market in this series, which means programs designed for other markets need to be rebuilt for Japan before the first send. KDDI overwrites alphanumeric sender IDs for its subscribers, and Unicode encoding reduces messages from 160 to 70 characters per segment.

Oceania

Australia — ACMA's Sender ID Register went live July 1, 2026, making Australia one of the first markets globally to implement a government-operated verified sender ID system for SMS: messages from unregistered senders now arrive with an "Unverified" indicator. The Spam Act 2003 requires explicit consent and a functional unsubscribe mechanism in every commercial message.

North America

Canada — CASL is consistently ranked among the world's strictest anti-spam laws, with implied consent expiry periods of two years from a purchase and six months from a business inquiry. A2P long code numbers must be registered since March 2025, running in parallel with 10DLC requirements for programs spanning both the US and Canada.

United States — Every major carrier has blocked unregistered A2P traffic since February 2025, making 10DLC brand and campaign registration a hard prerequisite for delivery. The TCPA's per-message statutory damages with no aggregate cap make the US the highest-litigation-risk market in the series; see also the TCPA compliance checklist for operational programs.

Europe

United Kingdom — The Data (Use and Access) Act 2025 raised PECR penalty ceilings to £17.5 million or 4% of global annual turnover, aligning ICO enforcement power with UK GDPR. The PECR soft opt-in, which allows contacting individual existing customers without fresh consent for similar products, is narrower than most teams assume. Corporate subscribers sit outside the consent framework entirely under PECR, but that exemption applies to companies as subscribers, not to sole traders or individuals.

France — Commercial platforms cannot send marketing SMS from standard 06 or 07 mobile numbers since January 2023, requiring shortcodes or commercial-specific numbers. Promotional sends are prohibited between 8 PM and 10 AM, all day Sunday, and all day on French public holidays.

Germany — Germany is the only market in this series where competitors, not just regulators, can enforce against non-compliant marketing SMS: an unsolicited marketing message may trigger an Abmahnung, a formal cease-and-desist with associated legal costs. German courts have consistently treated double opt-in as the strongest way to demonstrate valid consent, and documentation of when consent was collected is the primary defense against both regulatory and competitor enforcement.

Netherlands — The Netherlands abolished its national do-not-call registry in 2021 in favor of an opt-in model for telemarketing, and ACM enforcement posture signals a consistent direction toward stricter consent standards across direct marketing channels. The broader Dutch regulatory direction is toward stricter consent requirements across all direct marketing channels, and ACM enforcement is active.

Latin America

Mexico — Alphanumeric sender IDs are replaced by short codes at delivery across major Mexican networks, meaning the brand name never appears in the sender field and must open every message body instead. REPEP, Mexico's national DNC registry, must be verified against contact lists before every promotional campaign.

Brazil — Sender ID provisioning can take up to ten weeks, the longest registration timeline in the series and the most common reason programs miss their Brazil launch date. Brazil spans three time zones, and promotional SMS must respect the 9 AM to 10 PM window in each recipient's local zone.

Middle East

United Arab Emirates — The "AD-" prefix is mandatory on every promotional sender ID since November 2020, and sender IDs without it will not be approved for promotional use. Registration takes up to 20 to 25 business days, and TDRA penalties can reach 400,000 AED per violation, among the highest in the series.

Why program architecture matters as much as compliance

Compliance documents what is legally required in each market. Architecture determines whether the program can actually deliver on that legal basis. The two most common failure modes in multi-market programs are treating compliance as a one-time setup task rather than an ongoing operational requirement, and treating SMS as the only channel when the program's audience is reachable through WhatsApp or other supported channels.

BYOC architecture is the structural answer to both failure modes. When consent records, suppression lists, delivery logs, and workflow logic sit in a platform layer above the connectivity, the compliance assets belong to the organization rather than to any specific carrier or provider. Adding a market means connecting a local-compliant route, not rebuilding the program. Changing providers means updating a connectivity configuration, not migrating a dataset. For organizations running programs in five markets on five separate platforms, the fragmentation cost is not just management overhead. It is the inability to verify, across a single audit, that every contact in every market has a valid documented consent basis and that every opt-out has been honored before the next send.

For development sector organizations, logistics companies, healthcare programs, financial services operators, and field operations teams running programs across multiple markets, the platform question and the compliance question have the same answer: a single communication orchestration layer that handles each market's requirements without requiring a separate system for each one.

Frequently asked questions

Which countries do not support two-way A2P SMS? Standard A2P SMS channels do not support inbound replies in Rwanda, Uganda, Bangladesh, Thailand, Vietnam, and Japan. In all six markets, this is a regulatory or carrier-level restriction on the A2P routing infrastructure, not simply a technical limitation of a specific provider. Programs requiring reply-based workflows in these markets should be designed around WhatsApp Business API where recipients are reachable through the app, or the Telerivet Android Gateway for SMS-based two-way routing via local SIM for appropriate use cases such as field surveys and low-volume operational workflows. Organizations should assess the local regulatory classification of P2P-routed traffic in each market before deploying this approach at scale.

What is the difference between transactional and promotional SMS for compliance purposes? Promotional SMS is any message whose primary purpose is to advertise, offer, or influence a commercial decision. It faces the highest consent requirements and the most timing and content restrictions in virtually every market. Transactional SMS is triggered by a user action or an existing service relationship. Most markets exempt transactional messages from DND registry filtering and sending-hour restrictions that apply to marketing programs. Operational and workforce messages carry a further-distinct compliance profile based on the employment or contractor relationship rather than a consumer consent basis.

Do international SMS compliance requirements apply to organizations based outside those countries? In most markets covered in this series, yes. Australia, South Africa, Uganda, Rwanda, Bangladesh, India, France, the UAE, and others have explicitly extraterritorial data protection laws that apply to any organization processing the personal data of their residents, regardless of where the sending organization is incorporated. Sender ID registration and carrier-level compliance requirements also apply to messages delivered to recipients in those countries regardless of sender location.

What happens if I send SMS to a market without registering a sender ID? The outcome varies by market. In Nigeria, messages may deliver but be silently filtered by DND logic. In India, messages fail entirely if templates are not DLT-registered. In the UAE, unregistered promotional sender IDs are blocked before delivery. In Australia since July 2026, unregistered sender messages arrive with an "Unverified" label. In Mexico, all alphanumeric IDs are replaced by short codes regardless of registration. The consistent pattern: unregistered delivery is either blocked, degraded, or undermines recipient trust in ways that damage deliverability and program effectiveness.

How does WhatsApp fit into a multi-market SMS compliance program? WhatsApp Business API operates under Meta's own business verification and template approval framework rather than national telecom SMS regulations, though GDPR, PDPA, and equivalent data protection laws apply to contact data regardless of channel. For most international programs, the practical architecture is SMS for guaranteed delivery of transactional and critical operational messages, and WhatsApp for Enterprise for richer engagement where recipients are reachable. Both channels share the same consent records, suppression lists, and workflow logic on Telerivet's platform, which means adding WhatsApp to an existing SMS program is a channel configuration rather than a parallel compliance exercise.

What should multi-market organizations prioritize when building a global SMS compliance architecture? Four things, in order. First, identify which message category your program falls into for each market, because operational and transactional programs have substantially simpler compliance architectures than marketing programs. Second, verify two-way availability in every market before designing interactive workflows. Third, ensure consent records, suppression lists, and delivery logs belong to your organization and sit above any specific connectivity provider. Fourth, register sender IDs in every market before the program launches, not as a post-launch task, because registration timelines range from two weeks in Kenya to up to ten weeks in Brazil, and a late-registered sender ID is an undeliverable program.

This article provides general operational information and should not be considered legal advice. Organizations should consult qualified legal or telecommunications professionals regarding their specific compliance obligations in each market where they operate.

Telerivet orchestrates automated two-way communication workflows across SMS, WhatsApp, USSD, Viber, voice, other channels in 150+ countries. Talk to our team about building a compliance-ready multi-market messaging program from one platform.