top of page

C&M E-Alert: Draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025

  • Writer: Karan Singh Chandhiok
    Karan Singh Chandhiok
  • Aug 12
  • 4 min read
ree

The Department of Telecommunications under the Ministry of Communications released the Draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 (“Draft Rules”) on June 24, 2025. The Draft Rules, seek to amend the Telecommunications (Telecom Cyber Security) Rules, 2024 (“Cyber Security Rules”), proposing major amendments to India's telecom cybersecurity framework. These Draft Rules aim to further enhance digital security by extending regulatory oversight beyond traditional telecom operators to include non-licensed entities that use Telecommunication Identifiers (“TIs”) for customer verification and service delivery.

SALIENT FEATURES OF THE DRAFT RULES:

Scope and Applicability

While the Cyber Security Rules mainly applied to licensees (entities holding telecom licenses under the Indian Telegraph Act, 1885) and authorised Telecom Entities (“TEs”), the Draft Rules, seek to extend the scope of the Cyber Security Rules to the newly introduced category called Telecommunication Identifier User Entities (“TIUEs”). TIUEs include any person or entity, other than TEs, that uses TIs such as mobile numbers for customer identification or service delivery. The definition of TIUE’s seems to have been left broad, to potentially cover digital platforms ranging from fintech apps and e-commerce platforms to local businesses using mobile numbers for customer verification or delivery services.

Mobile Number Validation Platform

Under the Draft Rules, the government plans to establish a centralised Mobile Number Validation Platform (“MNV Platform”) to enable real-time validation of TIs. This system allows TIUE’s and TE’s to verify whether TIs provided by the users really relate to legitimate users who claim to be using it in the licensee’s or telecom operator’s databases. The platform aims to prevent fraud by eliminating the use of temporary, virtual, or burner phone numbers for account creation and service access.


The Draft Rules also establish a tiered pricing model for validation requests from the MNV Portal. While Government departments/authorities are not subject to any fee, requests by TIUE’s pursuant to a government/authorised agency direction will be charged at ₹1.50 per request (₹0.50 retained by government, ₹1.00 to telecom operator) and private TIUE voluntary requests will be charged at ₹3.00 per request (₹1.00 retained by government, ₹2.00 to telecom operator).

Enhanced Government Powers and Data Access

The Central Government will be able to seek data related to TIs directly from TIUEs and direct them to provide such data through digital means for processing and storage expanding government surveillance capabilities to entities beyond traditional telecom operators.


The Cyber Security Rules empowered the Central Government to temporarily suspend the use of TIs without prior notice when deemed necessary for public interest by directing telecom operators to halt TI usage. The Draft Rules further extend this power by enabling the Central Government to direct the TIUEs to temporarily suspend the use of the relevant TIs for identification of its users, or for delivery of services. The Central Government may share lists of suspended or restricted identifiers across different service providers which pose a security risk, requiring TIUEs to prohibit or limit the use of these listed identifiers for customer identification or service delivery.

IMEI Database and Device Controls

The Central Government will maintain a comprehensive centralised database of tampered, cloned, or restricted International Mobile Equipment Identity (“IMEI”) numbers. This database serves as a central repository for tracking compromised telecommunication equipment and preventing their circulation in the market.


Entities involved in buying or selling of used telecommunication equipment must access the IMEI database before completing transactions and ensure they do not undertake any sale or purchase of any telecommunication device bearing IMEI number that is specified in such database as maintained by the Central Government. This requirement aims to prevent trafficking in telecommunication equipment with compromised IMEI.


The Draft Rules further requires the telecommunications equipment manufacturers to ensure that they do assign new telecommunication equipment being manufactured or imported in India with IMEI numbers already active on Indian networks.

CONCLUSION

The Draft Rules represents a comprehensive attempt to regulate the intersection of telecommunications and digital services. While being aimed at combating fraud and enhancing cybersecurity, the proposed framework has led to significant industry concern about potential regulatory overreach, with the Draft Rules exceeding the scope of the Telecommunications Act, 2023, by attempting to regulate TIUEs that fall under other regulatory frameworks, including the Information Technology Act, 2000 and the rules made thereunder, etc, thereby requiring them to comply with the same cybersecurity standards and data security protocols as licensed telecom operators, including incident reporting, data sharing with government agencies, and adherence to government-issued directions and standards.

If finalised in its current state, the Draft Rules will fundamentally alter how digital platforms authenticate users and interact with India's telecommunications infrastructure, requiring such platforms to substantially change their authentication systems and potential integration requirements with government-operated validation platforms.

Additionally, the Draft Rules raise concerns about user privacy, particularly due to the government's enhanced surveillance powers and the potential for mass surveillance through the MNV Platform. Furthermore, the mandatory TI verification requirement, with verification fees exponentially higher than current OTP costs, platforms handling large transaction volumes especially startups and MSMEs, may face economically unsustainable compliance expenses.

 

 

 

Should you have any queries or comments on this alert please visit our LinkedIn page. You may also contact the authors below.


ree

 
 
 

Comments


bottom of page