India’s Telecom Cyber Rules Diverge from Global Norms
While the EU and US adopt risk-based, decentralised models like NIS 2 and STIR/SHAKEN, India’s sweeping definition of telecom entities pulls the entire digital economy into state oversight.
A background note can be accessed here: India Extends Telecom Cyber Security Rules
Priyesh Mishra: Edward S. Mason Fellow, Harvard Kennedy School
SDG 9: Industry, Innovation and Infrastructure
Institutions: Telecom Regulatory Authority of India
Is the new definition of Telecommunication Identifier User Entities (TIUEs) clear and proportionate, or could it draw too many non-telecom services into regulation?
TIUE is defined so broadly that it risks capturing almost every digital service within its scope. This would create a parallel regulatory framework for digital services, essentially resulting in regulatory overreach that blurs the boundary between DoT’s telecom remit and MeitY’s digital-services domain.
The approach diverges from the global best practice of risk-based regulatory frameworks. For instance, the EU’s NIS 2 Directive uses a risk-based model, distinguishing “essential” entities (e.g. telecom service providers) from “important” entities (e.g. SaaS platforms). It emphasises decentralised accountability, requiring platforms to manage their own risk, rather than mandating that all entities, regardless of risk, integrate with a single state platform.
How might the extended obligations affect compliance costs, innovation, or competition, particularly for start-ups?
The proposed Mobile Number Validation (MNV) platform may impose a significant financial and operational burden, particularly on start-ups. NASSCOM flagged that the proposed per-lookup fees are 30–60 times higher than typical OTP costs, an untenable hike that could erode margins and deter innovation. Integration, audit, and latency requirements would disproportionately strain smaller entities, while larger firms could absorb the costs more easily. Unless DoT adopts transparent fee structures and a phased rollout, the framework could entrench incumbents and chill start-up activity, the very segment driving digital inclusion. The US and Canada offer a useful reference: there, regulators mandate that telecom companies deploy industry-led protocols like STIR/SHAKEN for network security.
Are the proposed mobile number and IMEI verification measures practical and effective in curbing fraud and spoofing?
Both the MNV and IMEI-verification mechanisms aim to curb fraud but may prove less practical than global standards. The IMEI rule risks burdening India’s vast used-device market, forcing small resellers to query central databases, an approach experts call ineffective against the “burner phone” problem. The GSMA’s global IMEI repository, by contrast, enables operator-level blocking, which is far simpler and more scalable.
Moreover, MNV validates the number–subscriber linkage but does not prevent caller-ID spoofing, its stated policy target. It is advisable to look at technological solutions like the STIR (Secure Telephone Identity Revisited)/SHAKEN (Signature-based Handling of Asserted information using toKENs) protocol, a cryptographic trust framework that authenticates calls at the network layer. This ensures that the caller ID displayed truly belongs to the originator of the call, without exposing user data or creating a centralised honeypot of verification logs. Unless paired with such network-level trust protocols, India’s model risks high cost, limited fraud reduction, and additional privacy vulnerabilities.
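The STIR/SHAKEN mechanism described above, as an added example that is not part of the original commentary: the originating provider signs a PASSporT (a compact JWS carrying the caller and callee numbers, the issue time and an attestation level) with ES256, and the terminating provider verifies that signature before trusting the caller ID it displays. The key pair, telephone numbers, origid and the x5u certificate URL are constructed placeholders; a real deployment fetches the signer's certificate from x5u and validates its chain to the STI-PA root, which this example replaces with a directly trusted public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments use unpadded base64url (RFC 7515)

// passportHeader is the protected header of a SHAKEN PASSporT (RFC 8225, RFC 8588).
type passportHeader struct {
	Alg string `json:"alg"` // SHAKEN mandates ES256 (ECDSA P-256 with SHA-256)
	Ppt string `json:"ppt"` // PASSporT extension: "shaken"
	Typ string `json:"typ"` // always "passport"
	X5u string `json:"x5u"` // URL of the originating provider's STI certificate
}
type origClaim struct{ TN string `json:"tn"` }
type destClaim struct{ TN []string `json:"tn"` }

// Claims is the PASSporT payload: caller, callee, issue time, a per-call id and the
// attestation level (A: the provider knows the customer and their right to use the number).
type Claims struct {
	Attest string    `json:"attest"`
	Dest   destClaim `json:"dest"`
	Iat    int64     `json:"iat"`
	Orig   origClaim `json:"orig"`
	OrigID string    `json:"origid"`
}

func NewClaims(attest, origTN, destTN string, iat int64, origID string) Claims {
	return Claims{Attest: attest, Dest: destClaim{TN: []string{destTN}}, Iat: iat, Orig: origClaim{TN: origTN}, OrigID: origID}
}

// SignPassport is the originating provider's step: sign header.payload with its STI key.
func SignPassport(key *ecdsa.PrivateKey, c Claims, x5u string) (string, error) {
	hdr, err := json.Marshal(passportHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u})
	if err != nil { return "", err }
	body, err := json.Marshal(c)
	if err != nil { return "", err }
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JWS ES256 signature is the fixed-width R || S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport is the terminating provider's step: pin the SHAKEN profile (no algorithm
// substitution), check the signature, then enforce a freshness window against replay.
func VerifyPassport(pub *ecdsa.PublicKey, token string, now time.Time, maxAge time.Duration) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return c, errors.New("malformed PASSporT: expected three segments") }
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil { return c, err }
	var hdr passportHeader
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil { return c, err }
	if hdr.Alg != "ES256" || hdr.Ppt != "shaken" || hdr.Typ != "passport" {
		return c, errors.New("header is not a SHAKEN PASSporT")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return c, errors.New("bad signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) { return c, errors.New("signature verification failed") }
	body, err := b64.DecodeString(parts[1])
	if err != nil { return c, err }
	if err := json.Unmarshal(body, &c); err != nil { return c, err }
	if age := now.Sub(time.Unix(c.Iat, 0)); age > maxAge || age < -maxAge {
		return c, errors.New("PASSporT outside freshness window")
	}
	return c, nil
}

// CallerIDVerified answers the callee's question: is the number on the display the one
// the originating provider actually signed for?
func CallerIDVerified(pub *ecdsa.PublicKey, token, displayedTN string, now time.Time) bool {
	c, err := VerifyPassport(pub, token, now, 60*time.Second)
	return err == nil && c.Orig.TN == displayedTN
}

func main() {
	// Constructed demo: a self-generated key stands in for an STI-CA issued certificate.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tok, _ := SignPassport(key, NewClaims("A", "+911234567890", "+919876543210", now.Unix(), "constructed-origid-0001"), "https://sti-ca.example/cert.pem")
	fmt.Println("PASSporT:", tok)
	fmt.Println("display +911234567890 verified:", CallerIDVerified(&key.PublicKey, tok, "+911234567890", now))
	fmt.Println("display +910000000000 verified:", CallerIDVerified(&key.PublicKey, tok, "+910000000000", now))
}
```

Running it prints `true` for the number the provider signed and `false` for any other display number; a PASSporT whose payload was altered in transit, one older than the freshness window, or one signed with a key the verifier does not trust is rejected. The point relevant to the commentary is that verification needs nothing beyond the signer's public certificate: no per-call lookup against a central subscriber database, and no log of who called whom accumulating at a third party.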
Do these rules risk overreach in terms of privacy or data protection, and how do they align with the Digital Personal Data Protection Act, 2023?
This is the most alarming aspect. Because the MNV involves real-time data exchange between telecom operators, authorised entities, and TIUEs, it raises privacy and data-minimisation concerns. Experts urge strict purpose limitation, tokenised (“yes/no”) responses, short retention, and clear assignment of fiduciary/processor roles under the Digital Personal Data Protection Act, 2023. Current provisions empower identifier suspension without user notice or appeal, a potential overreach that undermines due process.
This framework is the philosophical opposite of modern, privacy-first authentication models. For example, the EU’s eIDAS 2.0 regulation is building a user-centric Digital Identity Wallet based on data minimisation and user control, allowing selective disclosure, like proving age without sharing a birthdate.
To align with the DPDP framework, DoT should codify lawful processing bases, retention limits, and redress mechanisms, and ensure independent audits of the MNV and IMEI databases. Doing so would reconcile telecom security objectives with India’s emerging data-protection regime and build lasting public trust in the system.
Views are personal.