In June 2025, the Department of Telecommunications (“DoT”) released the Draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 (“2025 Amendment”) for stakeholder comments. The amendments significantly expand the scope of the Telecommunications (Telecom Cyber Security) Rules, 2024 (“2024 Rules”), which were originally intended to secure India’s telecom networks and licensed service providers. The new draft proposes to regulate a broader set of businesses, including those that merely use telecom identifiers such as mobile numbers for user authentication or service delivery. This potentially brings a wide range of companies across various sectors, including fintech, e-commerce, logistics, and digital platforms, into the telecom cybersecurity compliance framework.
This note outlines the key features of the 2024 Rules, explains the fundamental changes proposed in the 2025 Amendment, and analyses how businesses may be affected. It also outlines practical steps companies should take to prepare and suggests refinements that could improve the proportionality and clarity of the final rules.
The 2024 Rules were issued under the Telecommunications Act, 2023, with the stated aim of enhancing the security and integrity of India’s telecommunications networks and services. In substance, they formed part of a broader regulatory shift towards embedding cybersecurity obligations within telecom licensing frameworks. This shift appeared to be driven not only by the increasing frequency and sophistication of cyber threats, but also by the expanding role of telecom infrastructure in enabling critical services, cross-sectoral digital operations, and national security functions.
A defining feature of the 2024 Rules was the breadth of their scope. The term “telecom cybersecurity” was not confined to technical safeguards alone, but extended to organisational policies, risk management frameworks, procedural controls, and assurance systems aimed at securing telecom networks, services, and associated assets. This holistic framing seemed intentional – providing the regulator with flexibility to respond to emerging vulnerabilities, including those arising from business practices, third-party arrangements, or non-networked systems. However, in practice, it risked extending regulatory exposure to a broader class of businesses whose operations intersected with telecom infrastructure, whether through technical integration, service-layer dependency, or contractual flow-downs from licensed operators.
The 2024 Rules were directed at licensed telecom service providers and authorised network operators, i.e., entities with operational control over telecom infrastructure. These entities were subject to a wide range of operational and governance requirements. They were required to appoint a Chief Telecommunication Security Officer, operate a 24×7 Security Operations Centre, implement layered information security controls, and conduct regular security audits. Cybersecurity incidents were to be reported to the Central Government within six hours of detection, followed by a detailed report within twenty-four hours outlining user impact, geographic reach, service disruption, and remedial actions taken. These reporting timelines reflected a regulatory expectation of real-time visibility and prompt escalation, though they ran parallel to obligations under the CERT-In directions issued under the Information Technology Act, 2000.
The 2024 Rules also empowered the government to issue binding directions, including requests for access to telecom identifier-related data in the interest of national security. These powers were broadly framed and supported a centralised model of regulatory oversight. The 2024 Rules marked a significant evolution in India’s telecom regulatory landscape. While they were initially limited in scope to core licensees, they laid the foundation for a more expansive and assertive cybersecurity regime.
The 2025 Amendment proposes a significant expansion of the regulatory perimeter by introducing a new category of regulated entities: Telecommunication Identifier User Entities (“TIUEs”). A TIUE is defined as any person who uses telecom identifiers for the purpose of identifying users or delivering services. While neither the 2024 Rules nor the 2025 Amendment expressly defines telecom identifiers, the term is generally understood to include mobile numbers, SIM information, and IMEI data. A wide range of digital service providers may fall within scope. For instance, businesses that use mobile numbers to register users, deliver OTPs, or link customer accounts may be treated as TIUEs.
This approach signifies a clear departure from the 2024 framework, which mainly concentrated on entities with operational control over telecom infrastructure. The 2025 Amendment shifts the regulatory focus to service-layer actors who depend on telecom identifiers, expanding the understanding of telecom-related cyber risks to include misuse, identity fraud, and unauthorised access at the user interface level. The obligations imposed on TIUEs under the draft Amendment are narrower than those that apply to licensed service providers. Instead of comprehensive cybersecurity governance requirements, the emphasis is on identifier validation and fraud prevention. This distinction acknowledges the different roles and risk profiles of network operators compared to application-layer service providers.
A central feature of the proposed compliance architecture for TIUEs is the creation of the Mobile Number Validation (“MNV”) platform. This government-operated, centralised database allows businesses to verify whether a mobile number is in fact registered to the user presenting it. The 2025 Amendment authorises the DoT to issue binding directions to TIUEs, including mandates to integrate with the MNV platform and, where necessary, to suspend services associated with telecom identifiers flagged for suspected fraud or misuse.
Use of the MNV platform may be either voluntary or directed by the Government. Validation requests incur a per-query fee: INR 3 for voluntary use and INR 1.50 where use is mandated. While modest on a per-transaction basis, the financial and operational burden could become significant for high-volume digital platforms, particularly if MNV use becomes effectively compulsory across sectors.
Although presented as an anti-fraud measure, the introduction of a centralised identifier validation requirement raises significant questions about proportionality, due process, and the adequacy of procedural safeguards. It also prompts concerns about overlap with existing frameworks, especially for regulated entities in sectors such as banking and insurance that already perform customer verification under KYC norms. The absence of clear fallback mechanisms for failed validations, sector-specific exemptions, or interoperability guidance further increases compliance uncertainty.
The 2025 Amendment thus signals an attempt to extend identity assurance and fraud mitigation into the realm of telecom regulation. However, by doing so through the classification of TIUEs, without clear boundaries on telecom oversight, it establishes a horizontal compliance obligation across diverse industry sectors. This raises valid concerns about the coherence of India’s regulatory framework, as well as the practical readiness of digital service providers to operate within telecom-style enforcement models.
The expansive definition of a TIUE could potentially include any business using mobile numbers for authentication, communication, or service delivery. This encompasses a diverse range of entities, including banks, fintech platforms, ride-hailing apps, OTT platforms, and e-commerce companies. Other entities that are unlikely to fall under traditional DoT jurisdiction, such as schools, housing societies, and membership-based programs, may find themselves regulated under the 2025 Amendment.
This may confuse businesses that do not traditionally consider themselves as telecom stakeholders. The draft does not set a minimum transaction threshold or user base size to distinguish between enterprise-level digital businesses and smaller platforms or applications. This might lead to excessive compliance burdens for smaller or lower-risk entities that use mobile numbers in the normal course of business.
TIUEs required to integrate with the MNV platform may face disruptions to existing user experiences. This is particularly relevant for digital businesses that prioritise seamless user interfaces and optimised customer journeys as part of their growth strategy. Integration may necessitate the development of new APIs or the modification of existing ones. Businesses may also need to adjust onboarding and login flows, introduce multi-factor authentication, or redesign user interfaces and backend authentication logic to align with government specifications. In practice, verifying user identifiers could introduce delays or increase the risk of error during registration or login. These issues may lead to longer wait times, user drop-offs, or reduced engagement, especially in contexts where speed and convenience are critical to retention.
Such technical challenges are especially significant for high-volume platforms such as e-commerce marketplaces, payment providers, or banking apps, where frictionless user interaction directly affects revenue. Even short delays during checkout or login can result in abandoned transactions and lost conversions. While MNV integration offers benefits in terms of fraud reduction and regulatory alignment, businesses must allocate adequate resources and plan implementation carefully to mitigate operational risk and safeguard user experience.
Another key consideration involves the risk of mismatches, i.e., instances where the mobile number used for authentication does not correspond to the person attempting to access the service. This may occur in situations involving shared SIM usage (such as family accounts in rural areas), guardians managing mobile-linked accounts for minors, or employees using corporate numbers for personal services. Such mismatches could trigger erroneous denial of service, creating barriers to access. The resulting user frustration could affect customer retention, brand perception, and service reliability, particularly in time-sensitive use cases such as healthcare, banking, or travel.
Businesses should begin by evaluating whether, and to what extent, their systems depend on telecom identifiers such as mobile numbers, SIM data, or IMEIs. This includes identifying where such identifiers are used in processes like user authentication, service delivery, account linkage, or device management. It is important to distinguish between critical dependencies and incidental use, as this will inform the scale and urgency of compliance planning.
Once dependencies are identified, organisations should map specific user journeys and technical workflows that may be affected by MNV-related compliance. These may include onboarding procedures, OTP-based login systems, account recovery mechanisms, and device provisioning flows. Assessing how and where MNV integration fits into these processes will help identify necessary software updates, interface redesigns, and backend modifications.
Businesses should conduct a compliance review to compare the draft TIUE obligations with existing legal requirements under data protection, KYC, and cybersecurity laws (such as those issued by RBI, SEBI, IRDAI, or CERT-In). Where overlaps exist, companies should aim to harmonise internal frameworks and streamline compliance activities. Areas such as customer verification, implementation of government directives, and ongoing due diligence should receive particular attention.
Organisations should start building internal readiness across technical, financial, and procedural dimensions. This includes evaluating the feasibility of integrating with the MNV platform, assessing the potential financial impact of per-query validation fees, and reviewing whether internal systems and workflows can absorb the operational load. Businesses should also begin updating their governance documents, including privacy policies, standard operating procedures, and user-facing terms, to reflect anticipated obligations. Finally, internal teams must be prepared through appropriate training, so that implementation, once required, can proceed without significant disruption. A phased internal roadmap can support smoother adoption and allow for course correction as further regulatory clarity emerges.
Many TIUEs are already subject to oversight by sectoral regulators such as the Reserve Bank of India, Securities and Exchange Board of India, or the Insurance Regulatory and Development Authority of India. These entities typically operate under well-developed regulatory frameworks that include detailed requirements on KYC, data security, incident reporting, and risk management. The 2025 Amendment, however, introduces new telecom-specific compliance obligations without clarifying how these should interact with existing sectoral mandates. This lack of regulatory coordination creates uncertainty for compliance teams, particularly when conflicting obligations arise. For example, if a fintech platform receives contradictory directions from its primary regulator and the DoT regarding how to address an identifier mismatch during onboarding, it is unclear which obligation would prevail.
The draft framework also does not clearly address how it intends to interact with existing regimes under the Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCPR”), issued by the Telecom Regulatory Authority of India. The TCCCPR already requires entities that send commercial communications using telecom identifiers to register with access providers and upload header and content templates into a blockchain-based central database.
Given this context, if the principal aim of the 2025 Amendment is fraud mitigation through enhanced identifier validation, it is unclear why the TRAI under the existing TCCCPR framework is not the appropriate authority to implement such a mechanism. TRAI already regulates communications linked to identifiers, and its systems are widely integrated with telecom operators and service providers. Without clarity on the delineation of regulatory scope between the TCCCPR and the 2025 Amendment, particularly where powers over identifier-linked fraud and consumer communications are concerned, the 2025 Amendment risks being interpreted as overreach.
To conclude, the 2025 Amendment signals a significant recalibration of India’s telecom cybersecurity landscape. By extending regulatory obligations to a wide range of identifier-using businesses, the draft introduces a new and ambitious framework aimed at strengthening digital trust. However, unless the final rules are refined to clarify jurisdictional scope, harmonise with existing frameworks (including TCCCPR and sectoral KYC regimes), and offer implementation flexibility for already-compliant actors, the result may be a fragmented and burdensome compliance environment.