DoT notifies Telecom Cybersecurity Amendment Rules to curb fraud

The Ministry of Communications has notified the Telecommunications (Telecom Cyber Security) Amendment Rules, 2025, introducing a new framework aimed at strengthening India’s telecom infrastructure against cyber threats, SIM misuse, and device fraud.

The rules, which amend the 2024 framework, came into effect upon their publication in the Official Gazette on October 22, 2025. The amendments follow public consultations initiated in June this year and introduce key provisions for enhanced identity validation, equipment traceability, and compliance obligations for entities using telecom identifiers.

Centre tightens Telecom Cybersecurity Rules, mandates mobile number validation for all service platforms

Storyboard18 was the first to report the draft notification that mandated that Telecommunication Identifier User Entities (TIUEs), which include platforms like e-commerce sites, fintech apps, OTT services, ride-hailing companies, and any digital service that uses mobile numbers for user authentication- will now be required to validate these numbers through a centralized Mobile Number Validation (MNV) Platform.

The rules propose the creation of the MNV platform by the Central Government or an authorized agency. Both TIUEs and licensed telecom players must integrate with the platform to cross-check user-provided mobile numbers against verified telecom databases. The government or authorized agencies can also initiate such verifications, and a structured fee schedule has been proposed: Rs 3 per request for private TIUEs, with a revenue share between the government and the validating telecom entity.

The MNV platform will allow TIUEs, such as banks, fintech companies, and OTT players, to verify whether the mobile number provided by a user matches official telecom records. This move is expected to curb identity fraud, unauthorised access, and cyber incidents linked to mobile-based services.

Fees for using the platform will be shared between the government and participating telecom operators or authorised entities, ensuring a revenue-sharing mechanism for maintaining the validation ecosystem.

Industry observers earlier told Storyboard18 that the move is a potential regulatory inflection point since it could mandate all platforms that rely on mobile numbers for user verification to integrate with a centralized MNV platform run by the government. While aimed at tightening cyber fraud controls and reinforcing digital identity infrastructure, industry voices warned that the sweeping nature could lead to operational disruption, increased compliance costs, and potential regulatory overreach.

The friction, experts say, stems from two fundamental issues: privacy concerns tied to centralized government access to user identifiers, and infrastructure limitations among smaller players who may lack the means to adapt quickly.

Mobile verification mandate under new Cybersecurity Rules could disrupt digital platforms; spark regulatory overreach fears

The cost of integration, too, will not be trivial. Platforms will need to build APIs, create real-time verification pipelines, store validation logs securely, and potentially overhaul backend workflows. For small and mid-sized companies already navigating complex regulatory environments, including IT Rules, DPDP compliance, and sectoral norms, this could become a make-or-break compliance cliff.

New Definitions and Expanded Oversight

The amendment formally introduces definitions for licensee, TIUE, and MNV platform under the Telecom Cyber Security Rules, clarifying the roles of non-telecom entities that handle user identifiers. This expansion effectively brings digital platforms and enterprises that use telecom data- such as customer verification systems- under the cyber compliance umbrella.

Government authorities will now have the power to seek telecom identifier data from TIUEs and direct them to suspend or restrict the use of identifiers if they pose security risks.

In its submission on the draft to the DoT, Internet and Mobile Association of India (IAMAI) had said that the creation of TIUEs will impose high costs on digital businesses and effectively bring them under a parallel telecom-like compliance regime. It pointed out that the inclusion of digital businesses under the proposed amendments to the Telecom CS Rules was in violation of the scope of the Telecom Act and amounts to regulatory overreach.

The association also expressed concern around the proposed creation of a MNV platform and imposition of a verification fee, warning that it could prove to be a significant expense and compliance burden for digital businesses. This might lead to increased service costs for end-users and reduced profit margins for businesses, particularly for start-ups and MSMEs where such costs may be disproportionately felt.

IMEI Database for Tampered Devices

To address the rising issue of cloned and tampered mobile devices, the government will maintain a central database of International Mobile Equipment Identity (IMEI) numbers that are restricted or found compromised.

Manufacturers and importers of telecom equipment are required to ensure that new devices are not assigned IMEI numbers already active in Indian networks. Additionally, sellers of used mobile phones must check the IMEI database before sale or purchase, ensuring that blacklisted devices are not reintroduced into circulation.

IAMAI slams telecom cybersecurity rules for overreach; writes to DoT

In cases where immediate intervention is deemed necessary in the public interest, the Central Government can now suspend telecom identifiers or direct TIUEs to halt services linked to such identifiers without prior notice. Orders may also include permanent disconnection or restrictions on reuse of identifiers to prevent fraudulent activity.

Data Protection and Compliance

The rules emphasise compliance with applicable data protection laws during the validation process, underscoring the government’s effort to balance security with user privacy.

The 2025 amendments are part of India’s broader digital security overhaul following the enactment of the Telecommunications Act, 2023. The law aims to modernise telecom governance, bring online communication platforms under clearer regulatory scrutiny, and safeguard citizens from emerging cyber risks in an increasingly connected economy.