Table of Contents
In October 2025, the Department of Telecommunications (DoT) formally notified the Telecommunications (Telecom Cyber Security) Amendment Rules, 2024 (hereafter “Amendment Rules”) under the telecommunications Act, 2023.These amendments extend cybersecurity obligations beyond traditional telecom licensees to include entities that use telecom identifiers (mobile numbers, IMEIs) for service delivery, introduce a Mobile Number Validation (MNV) platform, enhance device identification checks and empower the Government with stronger intervention tools. This article analyses the Amendment Rules’ key features, their legal and policy implications, and the challenges they present for stakeholders in India’s telecom ecosystem.
1. Background & Legal Context
India’s telecom regulatory architecture has undergone a rapid transformation. In late 2023, Parliament passed the Telecommunications Act, 2023 (Act No. 44 of 2023) which, inter alia, provides a legal basis for the Government to enact rules to “enhance and maintain the security of telecommunication networks and services.” In November 2024, the DoT notified the original Telecommunications (Telecom Cyber Security) Rules, 2024 (the “Cyber-Security Rules”) which applied primarily to licensed telecom network operators and infrastructure. The Amendment Rules of 2025 build on this framework, prompted by a surge in tele-fraud, SIM-spoofing, device-cloning, and impersonation using mobile identifiers.
2.1. Expansion of “Telecommunication Identifier User Entity” (TIUE) A new category
TIUE — is defined to capture entities (other than licensees) that use telecom identifiers (mobile numbers, IMEIs, SIMs) for provisioning or identifying users. Many digital platforms (payments apps, OTT services, fintech) become subject to these obligations.
2.2. Mobile Number Validation (MNV) Platform
Rule 7A introduces a centralized MNV platform. TIUEs (and licensees) must validate whether a telecom identifier corresponds to the user claimed in the records of a telecom licensee. Requests may be voluntary or on Government direction; per-request fee is indicated (e.g., ₹1.50 or ₹3 per request in the draft) in early versions.
2.3. IMEI & Device Tracking Obligations
The amendments strengthen requirements on device manufacturers/importers: no reuse of duplicate IMEIs, maintenance of a national database of tampered or black-listed IMEIs, mandatory checks when selling used devices, and services such as payments apps must ensure device authenticity.
2.4. Government’s Enhanced Powers & Suspension Mechanisms
The Government is empowered to direct immediate suspension or disconnection of identifiers (SIMs, numbers) where misuse is suspected, without prior notice, in public interest. TIUEs must comply with directions to suspend identifiers or user access.
2.5. Coverage beyond Traditional Telecom Licensees
In effect, the scope extends from telecom network operators to “application-layer” users of telecom identifiers. Digital services that rely on mobile numbers for KYC, OTPs, authentication are now drawn into the regulatory ambit.
3. Legal & Policy Implications
3.1. Cyber-fraud & Telecom Integrity Given
the scale of identity-theft, SIM-swap fraud and OTP-based scams, the MNV platform and identifier-validation regime are significant tools to curb misuse of telecom identifiers and strengthen consumer trust. The amendments signal recognition that telecom cybersecurity is not only network-layer but identifier-layer.
3.2. Regulatory Footprint Expansion
The inclusion of TIUEs means burdens on many digital platforms, fintech players, OTT services– previously outside telecom licensing obligations. This regulatory expansion may increase compliance costs and elevate cross-sector oversight.
3.3. Data Privacy & Due Process Concerns
The rules grant broad powers for identifier-validation, immediate suspension of services, and data requests from TIUEs. Without clear safeguards, these raise risks of over-reach, wrongful denial of services, and clashes with rights to privacy and due process.
3.4. Device Cloning & Used Market Mandatory
IMEI-checks for used devices and a national tampered IMEI database aim to crack down on cloned/stolen phones. This will impact the second-hand device market and requires coordination with customs, importers, and e-waste frameworks.
3.5. Legal Enforceability & Standardisation
The Amendment Rules rely on the authority of the Telecommunications Act, 2023. But interoperability with data protection laws, sectoral regulations (banking, fintech) and clarity on dual-regulation remain areas for further alignment.
4. Challenges & Stakeholder Concerns
4.1. Broad Definition of TIUE
Critics argue that the TIUE definition is so expansive that many entities not genuinely involved in telecom operations will be regulated as TIUEs, creating regulatory overlap and undue burden.
4.2. MNV Platform Errors & Service
Disruption Validation mismatches may wrongly block legitimate users (shared SIMs, corporate accounts, ports), affecting service delivery. The cost model per-request and its impact on startups/MSMEs also raise concern.
4.3. Privacy & Surveillance
Risks Without independent review and transparent redress, identifier suspensions and mass-validation may infringe on privacy rights. The rules must blend cybersecurity aims with constitutional protections of privacy and freedom of expression.
4.4. Implementation Coordination Capacity & Inter-regulatory
Effective implementation depends on telecom operators, digital platforms, law-enforcement, and government systems synchronizing device-databases, validation services, and suspension frameworks. The evolving nature of telecom fraud requires agile institutional capacity.
5. Way Forward: Recommendations for Balanced Implementation Tiered Compliance:
Introduce risk-based obligations so that entities with major telecom-identifier-use bear heavier burdens, while smaller platforms have lighter compliance. Safe-Harbour Guarantees: For users who face wrongful suspension due to validation mismatches, provide guaranteed redressal pathways. Data-Protection Integration: Ensure that data exchange, validation platforms, IMEI-databases adhere to the Digital Personal Data Protection Act, 2023 (DPDP Act) principles of accuracy, purpose-limitation and minimality. Clear Governance & Oversight: Establish an independent oversight mechanism (perhaps under DoT or an inter-ministerial body) to review suspensions, preserve logs, and ensure proportionality of action. Stakeholder Engagement & Periodic Review: Regular consultation with telecom operators, OTT services, device ecosystem, consumer groups and privacy advocates; periodic review of the rules’ effectiveness and unintended consequences. Capacity Building: Invest in national IMEI-database infrastructure, equip second-hand device sector with verification tools, train law enforcement and regulatory staff, and ensure platforms integrate with validation ecosystems
6. Conclusion
The Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 represent a critical step in India’s journey toward strengthening telecom cybersecurity for the digital age. By expanding regulatory reach to telecom-identifier-users, introducing a validation platform and enhancing device-integrity frameworks, the Government has sent a clear signal: telecom cyber-risk cannot be confined to network operators alone. However, the true test lies in implementation. For the rules to be effective and rights-respecting, they must balance security imperatives with procedural fairness, data privacy and innovation friendly regulation. Stakeholder readiness, transparent governance and periodic review will determine whether these amendments deliver safer telecom services or inadvertently stifle digital participation. In sum, India has set a directionally correct course– but the journey toward a resilient, inclusive and rights-aligned telecom cyber ecosystem is only beginning.
