PUIhoteles
ESEN Get started
PUI compliance
Connection to the PUI LawIdentity captureGuest registry
How it works
Query modelConnected to R2Security & encryption
For your hotel
No technical teamLlaveMX & e.firmaCompliance dashboard
By lodging type
HotelsHostelsMotelsAirbnb & short rentals
By situation
Hotels in Mexico CitySole proprietorSmall lodging
Compare
PUIhoteles vs ConectaPUIPUIhoteles vs PUIMexicovs Build it yourself
Learn
What is the PUI LawThe fine for not complyingBlogHelp center
Company
AboutContact
Pricing Get started
Legal analysis · PUI Law

The PUI Law for lawyers: framework, obligated parties and penalty

Legal analysis of lodging establishments’ obligation under the Single Identity Platform (PUI), derived from Mexico’s General Law on the Forced Disappearance of Persons (LGMDFP). Regulatory framework, obligated parties, the penalty regime of Article 43 Bis, the difference in liability between an individual and a company, and the regulatory status as of June 2026, with citations to article and date of publication in the Official Gazette (DOF).

Get startedCreate your demo

Regulatory framework: where the obligation comes from

The PUI (Single Identity Platform) is neither a fiscal instrument nor a tourism regulation. Its legal basis is the General Law on the Forced Disappearance of Persons, Disappearance Committed by Private Parties and the National Search System (LGMDFP), reformed in July 2025. Its sole legal purpose is to assist in locating people reported as missing; any other reading (revenue or tourism oversight) is foreign to the purpose of the rule.

The substantive obligation is set out in Article 12 Bis of the LGMDFP, which requires lodging establishments to keep a record of their guests’ identity and to make it available to the system. The corresponding penalty regime is in Article 43 Bis. Operation rests with the Ministry of the Interior, through the National Population Registry (RENAPO) and the National Search Commission, with technical support from the Agency for Digital Transformation and Telecommunications.

The implementing rules have been published in stages in the Official Gazette: the Guidelines on 27 November 2025 and Technical Manual v1.0 on 23 January 2026. The Operations Manual of the National Personal Identification Service (SNIP) remains pending publication as of the date of this analysis, which has direct effects on the full enforceability of interconnection, as detailed below.

The analysis in four axes

The four findings that structure any opinion on this matter.

Nature and source

A public-order obligation derived from the LGMDFP (Art. 12 Bis), not from fiscal or tourism law. Purpose: the search for persons.

Subjective universality

The obligated party is every lodging establishment, with no distinction of size or legal form (individual or company).

Penalty regime

Art. 43 Bis: a fine of 10,000 to 20,000 UMA per infraction. With the 2026 UMA at $117.31, the range is $1,173,100 to $2,346,200 MXN.

Regulatory status

Guidelines and Technical Manual already published; the SNIP Operations Manual pending. Registration is already mandatory; full interconnection awaits that manual.

Obligated parties: subjective scope with no size exemptions

The subjective scope of the obligation is deliberately broad. The rule sets no thresholds of installed capacity, room count or revenue that would exclude smaller establishments. Consequently, chain hotels, boutique hotels, hostels, motels, inns, cabins and short-stay rentals are all covered, regardless of their tax formality.

For advisory purposes it is worth noting that the obligation arises from the material fact of providing lodging for consideration, not from registration in state tourism registries nor from the commercial form under which the establishment operates. An informal operator does not fall outside the rule by reason of its informality alone; if anything, it adds the PUI’s administrative contingency to its own irregular status.

It is also important to distinguish the federal PUI regime from the local regimes that coexist in some states. Certain jurisdictions impose additional duties of guest registration, retention of identification documents or video surveillance based on local commercial-establishment or tourism legislation. Those regimes neither replace nor absorb the federal obligation; they run in parallel and must be assessed separately.

Penalty regime and elements of liability

The components the opinion must weigh to quantify and attribute administrative liability.

Amount of the fine

From 10,000 to 20,000 UMA under Art. 43 Bis. The conversion to pesos is updated with the year’s UMA value (2026: $117.31 per unit).

Per infraction

The penalty is set per infraction and not as a single annual fine, which matters when estimating the establishment’s aggregate exposure.

Individual

The owner answers directly with their own assets. The absence of an interposed company concentrates the risk on the individual.

Company

The company is the center of administrative imputation; the analysis must weigh the position of directors and documented due diligence.

Nature of the data

The record concerns personal data (identity), which adds a data-protection compliance axis to the PUI obligation.

Burden of proof

A defense against a request rests on documentary evidence of the record and the interconnection; that proof should be built in advance.

Individual versus company: where liability rests

The distinction between an individual and a company is decisive in assigning the center of imputation. When the establishment operates as an individual, the owner is the obligated party and answers directly; there is no corporate veil to moderate the patrimonial exposure. This is the most common situation among small operators and therefore the one of greatest practical sensitivity.

When a company operates the establishment, the company is the obligated party and the center of administrative imputation. The opinion must then weigh the position of the directors and the existence of internal compliance policies, as well as the traceability of due diligence, without that by itself shifting liability onto the company or excluding it as to those who exercise management.

In both cases, the element that best mitigates risk is evidence: an orderly identity record, retained under security measures and backed by a functional interconnection where that is enforceable. The typical professional recommendation is to build and retain that evidence from the outset, precisely because the regime penalizes omission and rewards traceable compliance.

Regulatory status as of June 2026 and its effect on enforceability

The regulatory timeline published in the DOF and its consequence for advisory work.

  1. LGMDFP reform — July 2025Creates the substantive obligation of Art. 12 Bis and the penalty of Art. 43 Bis. From here on, the duty to register exists.
  2. Guidelines — 27 November 2025Develops the platform’s operating rules and the terms of compliance.
  3. Technical Manual v1.0 — 23 January 2026Defines the technical how of interconnection: JWT authentication, AES-256-GCM encryption, SHA3-256 hashing and TLS transport.
  4. SNIP Operations Manual — pendingIts publication opens 45 business days to request access. Full interconnection becomes enforceable once published; identity registration already is.

Frequent legal questions about the PUI Law

What is the exact legal basis of the obligation?
Article 12 Bis of the LGMDFP requires lodging establishments to register their guests’ identity; Article 43 Bis sets the penalty. The reform incorporating them was published in the DOF in July 2025. The purpose is to locate missing persons, not to raise revenue.
Who are the obligated parties?
Every lodging establishment, with no distinction of size or legal form. Hotels, hostels, motels, inns, cabins and short-stay rentals are all covered, whether operated by an individual or a company, regardless of tax formality.
How is the Article 43 Bis fine quantified?
From 10,000 to 20,000 UMA. The conversion to pesos uses the year’s UMA value; with the 2026 UMA at $117.31 the range is $1,173,100 to $2,346,200 MXN. The penalty is set per infraction.
Does liability change if the establishment is an individual or a company?
The center of imputation changes. An individual answers directly with their own assets; for a company the company is the obligated party and the analysis must weigh the directors’ position and documented due diligence. In both cases the record evidence is the main element of defense.
Is interconnection already enforceable or not yet?
Identity registration is already mandatory. Full interconnection depends on the SNIP Operations Manual, pending publication as of June 2026; its publication opens a 45-business-day window to request access. Technical Manual v1.0 (23 January 2026) already defines the technical requirements.
Does the PUI replace local guest registries?
No. The federal PUI obligation runs in parallel to any local commercial-establishment or tourism regimes in each state. Each regime must be assessed separately; complying with one does not evidence compliance with the other.
How does PUIhoteles support a firm advising lodgings?
PUIhoteles is a certified connector, connected to R2 OS in real time, that captures identity at check-in, keeps an exportable registry as evidence and handles interconnection where enforceable. Its cost is $4,350 MXN setup and $930 MXN per month (plus VAT), with no lock-in, making it easy to offer clients an auditable path to compliance.

Put PUIhoteles to work for you

Get started