Mobile verification mandate under new Cybersecurity Rules could disrupt digital platforms; spark regulatory overreach fears

India’s digital economy is bracing for sweeping regulatory change. The Telecom Cybersecurity Amendment Rules, 2025, unveiled by the Ministry of Communications, propose to expand the scope of telecom compliance, bringing within its fold nearly all platforms that use mobile numbers for user authentication or communication. Going by the notification, this could include OTT services, e-commerce platforms, fintech players, ride-hailing apps, edtech, logistics, and more, collectively referred to as Telecommunication Identifier User Entities (TIUEs) under the draft.

The draft defines TIUEs, as a person, other than a licensee or authorised entity, which uses telecommunication identifiers for the identification of its customers or users, or for provisioning and delivery of services.

The centerpiece of the draft rules is the mandatory integration with a government-run Mobile Number Validation (MNV) platform. This would require all TIUEs to validate the mobile numbers of users against telecom operator databases before delivering services.

Read more: Centre tightens Telecom Cybersecurity Rules, mandates mobile number validation for all service platforms

Legal experts describe this as a potential regulatory inflection point since it could mandate all platforms that rely on mobile numbers for user verification to integrate with a centralized MNV platform run by the government. The change, though still in the draft stage, is already triggering deep unease in India’s startup and tech ecosystem. While aimed at tightening cyber fraud controls and reinforcing digital identity infrastructure, industry voices warn that the sweeping nature of the draft could lead to operational disruption, increased compliance costs, and potential regulatory overreach.

Industry Reaction: Innovation vs. Enforcement

“This will significantly raise the bar for compliance across digital services,” said Tarun Wig, Co-founder and CEO of Innefu Labs (the agency provides data analytics and information security solutions to national security agencies).

“While the intent to curb telecom-based fraud is valid, stakeholders—especially startups—may resist due to privacy, integration, and cost challenges. For global companies, it may appear intrusive or misaligned with their existing data protection frameworks.”

The friction, experts say, stems from two fundamental issues: privacy concerns tied to centralized government access to user identifiers, and infrastructure limitations among smaller players who may lack the means to adapt quickly.

“Integrating with the MNV platform may require a complete architectural revamp for platforms that rely on legacy login flows,” noted Snigdhaneel Satpathy, Partner at Saraf and Partners. “The current draft raises questions on proportionality and due process, particularly under India’s new Digital Personal Data Protection (DPDP) Act. Without proper safeguards, legal challenges are likely.”

Sonam Chandwani, Managing Partner at KS Legal, called the rules “a double-edged sword.” On one hand, she agreed they could significantly deter impersonation scams and fake user creation; on the other, she flagged serious concerns about the lack of transparency around suspension powers, where the government can deactivate identifiers without prior notice.

“Such broad powers can erode business trust and user confidence, especially when due process isn't clearly defined,” she added.

Compliance Burden and Scope

A major source of tension lies in the breadth of the definition of TIUEs, which many believe is too expansive. “Almost every app in India uses a mobile number in some form,” said Sumeysh Srivastava, Associate Director at The Quantum Hub. “This could pull thousands of entities into the telecom regulatory framework overnight. A tiered, risk-based compliance system could make implementation smoother.”

The cost of integration, too, will not be trivial. Platforms will need to build APIs, create real-time verification pipelines, store validation logs securely, and potentially overhaul backend workflows. For small and mid-sized companies already navigating complex regulatory environments, including IT Rules, DPDP compliance, and sectoral norms, this could become a make-or-break compliance cliff.

Siddharth Chandrashekhar, an advocate at the Bombay High Court, underscored that this shift could redraw the boundary between telecom regulation and digital innovation. “The government is, in effect, assigning KYC-like duties to tech platforms, something previously restricted to banks or telcos. Without a phased rollout, test sandbox, or government support, this risks choking digital entrepreneurship,” he said.

What’s at Stake?

Proponents of the move argue that the rules could help fight cyber fraud more effectively, creating a centralized, standardized system to detect and block suspicious mobile identities across the digital economy. The rise of scam lending apps, impersonation fraud, and fake account creation has made a strong case for reform.

But the rules also raise fundamental questions: How will user anonymity be preserved on platforms that rely on it for free expression? How will sensitive telecom ID data be handled? Will global platforms comply—or reconsider their India footprint?

Read more: TRAI excludes likes of Google, Telegram, WhatsApp from new licensing rules

The government has opened a 30-day public consultation window. But if the current draft becomes law without substantial revision, it could set a precedent where all digital platforms are treated like telecom operators, a move, say experts, with massive implications for India’s digital growth story.

It is to be noted that the Department of Telecommunications (DoT), last year in November, notified Telecommunication Cybersecurity Rules under the Telecom Act, 2023. As per the notified rules, the central government or any of its authorized agencies can ask telecom companies for traffic data or any other data for the purpose of ensuring telecom cybersecurity. The only exemption is the content of messages, which the rules exclude from the scope of the data the government can request.