A background note can be accessed here: 
                              India Extends Telecom Cyber Security Rules

Shubhika Saluja: Deputy Director, Broadband India Forum

SDG 9: Industry, Innovation and Infrastructure

Institutions: Telecom Regulatory Authority of India

           Same issue, different lens: explore the companion commentary

Is the new definition of Telecommunication Identifier User Entities (TIUEs) clear and proportionate, or could it draw too many non-telecom services into regulation?

The definition of TIUE is the same as that mentioned in the Draft Amendment Rules issued in June 2025, to which several organizations and stakeholders raised concerns, many also seeking clarity on the legislative intent behind introducing such an entity which was originally not envisaged under the Telecom Act. The definition is extremely broad and brings within its ambit the entire digital services ecosystem -- including banks, payment apps, OTTs, fintech, insurance, ride-hailing, gaming, edtech, food delivery, streaming, and even physical retail outlets, simply because they use telecom identifiers (e.g. mobile numbers). By extending to virtually every entity that uses a telecom identifier, the definition appears disproportionate to the objective it seeks to achieve.

How might the extended obligations affect compliance costs, innovation, or competition, particularly for start-ups?

The compliance burdens introduced under the amended provisions in Rule 3(1)(aa), 4(3), 5(6), 5(8), and also under Rule 7A (ref. to the MNV platform) definitely add to the compliance costs, especially when similar requirements for data collection/ sharing, and suspension and blocking of telecom identifiers are already provided for under the IT Act’s relevant provisions and Rules, especially for TIUEs which qualify as “intermediaries”. Amendment Rules create parallel obligations and could impact innovation and reduce the uptake of mobile numbers used to identify customers, which may ultimately affect the adoption of digital services in the economy.

These costs of compliance are not only heavy for start-ups but for larger entities as well, especially given the number of parallel obligations they are already required to meet. This has direct implications on ease of doing business, and creates a lack of trust in the process of rule-making when the government does not sufficiently account for the concerns of the industry and other stakeholders. Moreover these Amendment Rules do not have the safeguards present in the current regulations under the IT Act (e.g. procedural guidelines, review mechanisms, etc.).

Are the proposed mobile number and IMEI verification measures practical and effective in curbing fraud and spoofing?

The provisions relating to mobile number validation and IMEI verification do not demonstrate a direct relation to the objective of ensuring telecom cyber security. It is not clear how validating whether a mobile number belongs to a concerned user further ensures security of the telecom services and networks. Even for IMEI verification, government already has the Indian Counterfeited Device Registration (ICDR) system which performs validation of IMEI numbers and prevents the assignment of any IMEI already in use in telecommunication networks in India. The Amendments, therefore seem duplicative and may not be more effective in curbing fraud and spoofing.

These provisions appear divorced from operational reality as they do not account for instances where multiple users may share a single mobile number/device, nor the burden placed on telecom resellers who would be required to verify each sale or purchase against the IMEI database. These provisions could, in the worst case, hinder the legitimate use of telecom services by lawful users by blocking the use of their mobile number if it is not validated correctly, or discourage consumers from purchasing second-hand equipment due to the operational implications for the second-hand smartphone market.

Do these rules risk overreach in terms of privacy or data protection, and how do they align with the Digital Personal Data Protection Act, 2023?

There are privacy and data protection concerns which arise from ambiguity in the Rules, specifically the one relating to MNV platform. There is no clarity on what information would be accessible via the MNV and what would be returned to TIUEs -- whether a TIUE querying the MNV platform will simply receive a “yes/no” confirmation of a number’s validity or whether additional subscriber information (or KYC data) will be returned, nor on how the government will decide which TIUEs may access the MNV platform? The vague drafting leaves room for arbitrary executive action and could lead to misuse, with the possibility of excessive data exposure, including access to KYC data held by telecom operators. Given there are no specific safeguards, this could lead to large-scale sharing of personal data between private companies, telecom providers, and the government, without users’ knowledge or consent.

Author: