Pursuant to Section 2 of Schedule 58 of the "ANC Guidelines on Registration", providers of value-added network application services are required to deliver such services via a service node located within Timor-Leste or through a local access node that is connected to the public telecommunications network. This regulatory stipulation affects the provision of the following categories of services:
- Online information and database services;
- Online information and data processing services;
- Voice information services;
- Electronic broking services;
- Electronic auction services;
- Electronic transaction services, including but not limited to online commerce and online reservation systems;
- Remote computing services;
- Online gaming services;
- Mailbox services, encompassing voice mailboxes, facsimile mailboxes, email mailboxes, and multimedia mailboxes;
- Electronic data interchange services;
- Store-and-retrieve file transfer services;
- Value-added data and messaging services that facilitate end-to-end data transmission by incorporating one or more of the following value-added functionalities: deferred delivery, multi-addressing, content conversion, format conversion, code and protocol conversion, processing of control information (e.g., destination addressing), or any other transformation that enhances, diversifies, or restructures the information delivered to users.

Timor-Leste has not joined any agreement with binding commitments to open transfers of data across borders.

Timor-Leste does not yet possess a comprehensive legal framework for personal data protection. However, sector-specific regulations are in place. The legal framework addressing money laundering—namely, Law No. 17/2011 on the Legal Regime Covering the Prevention of and Combat against Money Laundering and the Financing of Terrorism, as amended by Law No. 5/2013—includes provisions on the processing of personal data for client identification purposes. Additionally, Law No. 20/2004 on the National Health System enshrines the right to privacy within both public and private healthcare sectors. Beyond these sectoral statutes, Decree-Law No. 19/2009, which promulgates the Penal Code, establishes criminal sanctions for breaches of privacy, including unlawful intrusions, violations of confidentiality, and the unauthorised interception of correspondence or telecommunications. In addition, the Constitution of Timor-Leste, in effect since May 2002, affirms the fundamental right to privacy under Art. 36. Art. 38 further addresses the protection of personal data, granting citizens the right to access their data, to be informed of the purposes for which it was collected, and stipulating requirements for obtaining consent in relation to the processing of certain categories of personal data.

Pursuant to Art. 6 of Government Decree No. 9/2008, telecom operators are required to retain user identification data—either electronically or in physical form—for a minimum duration of five years from the date of contract conclusion. In addition, Art. 7.4 stipulates that traffic data must be preserved for at least one year from the date of its generation. According to Art. 2, the term "operator" refers to any concessionaire or licensee that provides mobile telecommunications services via a subscription contract, utilising a SIM card.

In accordance with the schedules outlined in Annex I of the "ANC Guidelines on Registration", registrants of telecommunications services, including those providing international simple resale services, resale of leased circuit services, public internet access services, virtual private network services, managed data network services, mobile virtual network operations, IP telephony services, and satellite mobile telephone or data services, are required to maintain a register documenting the particulars of their subscribers. This register must be preserved by the registrant for a minimum duration of 12 calendar months following the termination of services to the respective subscriber. In addition, registrants of IP telephony services and satellite mobile telephone or data services shall maintain call detail records (CDRs) of all calls made and received via the service, insofar as such services are operated and/or provided within the territory of Timor-Leste, for a period of no less than 12 calendar months. Also, registrants of machine-to-machine (M2M) services are required to maintain a register containing complete and accurate records of all SIM cards utilised in connection with the provision of M2M services. These records must include, at a minimum, the international mobile subscriber identity (IMSI) number and the mobile subscriber integrated services digital network number (MSISDN) associated with each SIM card. The register shall be retained by the registrant for a period of not less than 12 calendar months from the date of termination of the M2M services to the subscriber.

In accordance with Section 5.5 of the "Guidelines on the Registration of SIM Cards for Prepaid Mobile Services", the National Communications Authority is empowered to request from any service provider offering prepaid mobile services the complete set of both physical and electronic subscriber’s registration records. These records must be submitted within 24 hours of receipt of such a request, in the format and through the means as may be prescribed by the Authority from time to time. The provision does not stipulate the necessity of a court order for such a request. The data required during the registration process includes the subscriber’s full name, residential address, and the type and number of the identification document presented.

In accordance with the schedules outlined in Annex I of the "ANC Guidelines on Registration", registrants of telecommunications services, including those providing international simple resale services, resale of leased circuit services, public internet access services, virtual private network services, managed data network services, mobile virtual network operations, IP telephony services, satellite mobile telephone or data services, and mobile communications on aircraft, are required to maintain a register containing records of their subscribers and their particulars. This register shall be made available for inspection by authorised government agencies of Timor-Leste, with no requirement for a court order.

A basic legal framework on intermediary liability for copyright infringement is absent in Timor-Leste's law and jurisprudence.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Timor-Leste's law and jurisprudence.

Pursuant to Art. 4 of Government Decree No. 9/2008, contracts for mobile telecommunications services involving SIM cards must include verified identification of the user. For natural persons, this entails the presentation of a current identity document bearing a photograph. In the case of legal entities, identification must be established through a registration certificate or an equivalent document attesting to the company’s legal existence. Foreign users are reportedly required to present a valid passport at the time of purchase. Additionally, under Art. 6.1, service providers are required to retain user identification data, in either physical or electronic form, for a minimum of five years following the conclusion of the contract.

The Government holds shares in the telecommunications company Timor Telecom. In 2023, the State became the company’s largest shareholder, increasing its ownership from 20.6% to 77.6%.

Art. 37 of Decree-Law No. 15/2012 stipulates the requirement for accounting separation for telecommunications operators possessing significant market power (SMP). No obligation pertaining to functional separation has been identified.

Pursuant to Art. 30 of Decree-Law No. 15/2012 (last amended in September 2024), any individual or entity intending to provide telecommunications services or operate a telecommunications network is required to register with the National Communications Authority. In addition, under Art. 61, the utilisation of radio-frequency spectrum or the operation of radio equipment is prohibited without the appropriate licensing. Although no restriction has been inditified in the country’s telecommunications legislation, it has been reported that there is a minimum capital requirement for obtaining a telecommunications licence.

Timor-Leste has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that TradeInvest is responsible for the initial review of foreign investment applications, which are subsequently submitted to the Private Investment Commission for comprehensive analysis and evaluation. The Executive Director of TradeInvest serves as the Chair of the Private Investment Commission, which comprises Directors-General or their equivalents from the pertinent government ministries. Proposed investments are assessed with regard to their economic costs and benefits, as well as the financial and operational capacity of the investor. TradeInvest is authorised to issue investment certificates for projects approved by the Private Investment Commission with a value of less than USD 20 million. Projects exceeding this threshold require the approval of the Council of Ministers.