Centre tightens Telecom Cybersecurity Rules, mandates mobile number validation for all service platforms
The draft Telecom Cybersecurity Amendment Rules, 2025, introduces mandatory verification of user identifiers through a government-run platform, extending compliance to OTTs, e-commerce players, and other digital services using telecom numbers.
ADVERTISEMENT
In a significant step toward strengthening digital security and curbing cyber fraud, the Ministry of Communications has released the draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025, proposing sweeping new compliance requirements for all entities using telecom identifiers, extending beyond licensed telecom operators.
Notified on June 24, the amendments mandate that Telecommunication Identifier User Entities (TIUEs), which include platforms like e-commerce sites, fintech apps, OTT services, ride-hailing companies, and any digital service that uses mobile numbers for user authentication- will now be required to validate these numbers through a centralized Mobile Number Validation (MNV) Platform.
This marks a dramatic expansion of the telecom cybersecurity net, previously limited to license-holders under the Indian Telegraph Act.
The rules propose the creation of the MNV platform by the Central Government or an authorized agency. Both TIUEs and licensed telecom players must integrate with the platform to cross-check user-provided mobile numbers against verified telecom databases. The government or authorized agencies can also initiate such verifications, and a structured fee schedule has been proposed: Rs 3 per request for private TIUEs, with a revenue share between the government and the validating telecom entity.
"MNV platform” means the mobile number validation platform established under rule 7A to enable validation by authorised entities and licensees as regards whether telecommunication identifiers specified by TIUE customers or users, correspond to the users as present in the database of an authorised entity or licensee, as the case may be," it said.
It added, "Mobile number validation under this rule shall be solely for the purpose of validation of customers or users associated with a telecommunication identifier for the purpose of services linked to such identifier, and the TIUE, authorised entity and licensee, as the case may be, shall ensure compliance with applicable laws relating to data protection for this purpose."
The move is designed to curb identity spoofing, impersonation, and fraudulent service activations, particularly in light of rising cybercrimes involving fake or unverified numbers.
"With a view to ensuring telecom cyber security and prevent security incidents, the Central Government shall by itself, or through an agency authorised by the Central Government, establish a MNV platform and issue directions to authorised entities and licensees, as regards the form and manner in which to participate on such platform.
The Central Government or State Government or any agency authorised by the Central Government or State Government, may also seek validation on the MNV platform as regards whether telecommunication identifiers as specified by TIUE customers or users, correspond to the users as present in the database of an authorised entity or licensee."
Significantly, the draft rules empower the government to temporarily suspend or even permanently disconnect telecom identifiers linked to suspicious activities, either by telecom companies or TIUEs, without prior notice, if deemed necessary in public interest.
Manufacturers of telecom equipment can also be directed not to reuse tampered IMEI numbers, with the government maintaining a central database of compromised devices.
By bringing platforms beyond the telecom sector under regulatory oversight for identifier validation, the government aims to close loopholes exploited by cybercriminals. For example, a fintech app or OTT platform using phone numbers for logins or service provisioning would now be accountable for ensuring the number actually belongs to the claimed user.
Stakeholder and public have 30 days from the notification date to submit objections or suggestions before the rules are finalised.
"... the said draft rules shall be taken into consideration after the expiry of thirty days from the date on which copies of this notification as published in the Gazette of India, are made available to the public; Objections or suggestions, if any, may be addressed to the Joint Secretary (Telecom), Department of Telecommunications, Ministry of Communications, Government of India. The objections or suggestions which may be received from any person in respect of the said draft rules before the expiry of the aforesaid period shall be taken into consideration by the Central Government," it said.
