India’s telecommunications sector forms the backbone of its digital economy, connecting over a billion subscribers and enabling everything from mobile banking to e-governance. With this scale comes significant vulnerability, in the form of cyber threats targeting telecom networks which can compromise national security, disrupt services, and expose citizens’ data to exploitation. Recognizing this, the government has over the years introduced frameworks to secure critical telecom infrastructure. The Telecommunications Act, 2023 became the statutory backbone for safeguarding India’s telecom networks, followed by the Telecommunications (Telecom Cyber Security) Rules, 2024 (‘2024 Rules’).
Recognizing that the threat landscape extends beyond traditional telecom operators, the Department of Telecommunications (‘DoT’) notified the Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 (‘Amendments’) in October this year. These Amendments introduce sweeping obligations for businesses that rely on telecom identifiers, new mechanisms for mobile number verification, and stricter International Mobile Equipment Identity (‘IMEI’) oversight. While these measures highlight the government’s intention to plug systemic vulnerabilities, the changes falls short of addressing some operational challenges and lacks clarity on coordination between industry stakeholders.
Telecom Identifier User Entity: Intent vs. Execution
The most transformative change is the creation of a new regulated category, the Telecom Identifier User Entity (‘TIUE’)[1], which is defined as an entity that uses telecom identifiers for identification of its customers or users or for provisioning or delivery of services. This definition might potentially include banks, Non-banking Financial Institutions (NBFCs), and insurers using numbers for KYC and alerts, e-commerce platforms and fintech applications, social media intermediaries, corporates and other entity or service provider interacting with customers for various purposes including through OTPs, or mobile-based authentication.
With well-evolved realities surrounding use of mobile numbers as a digital identifier for many users, and entities exceedingly use the same for provision of services and other commercial purposes. The absence of clear limits may have the effect of requiring entities across the entire digital economy under DoT’s remit, stretching regulatory capacity and industry resources.
Mobile Number Validation Platform: Promise and Pitfalls
To operationalize TIUE compliance, the Amendments propose a centralized Mobile Number Validation (MNV) Platform, that allows TIUEs to confirm whether a customer’s claimed identity aligns with the official subscriber database maintained by Telecom Service Providers (TSPs). While the detailed process of such verification has not been laid out, it remains to be seen if the process adopted would likely be in the form of a privacy protective ‘Yes/No’ response, or through a ‘fetch’ of data from the MNV database.
The method of pushing verifications and/or data may result in personal data transfers at scale that necessitate further security safeguards as well as user rights attached to the platform. Additionally, the MNV platform places a direct duty on TSPs under the Digital Personal Data Protection Act[2] (‘DPDP Act’) to ensure subscriber data is complete, accurate, and consistent, since it is used to assess and make decisions as to whether users may access a service.
Evaluating the IMEI-based restrictions
At the device level, the Amendments build on existing IMEI regulations under 2024 Rules by introducing a central database of tampered or restricted IMEIs to be maintained by central government and obligations for the secondary market by imposing mandatory checks by sellers or buyers of used telecom equipment against the database before completing a transaction.
While practical implementation may remain a challenge in the Indian context, these measures mark a significant step to strengthen Indian telecom sector’s resilience reflecting the realities of a hyper-digital economy. The Amendments represent a timely and necessary intervention, their success will rest on refining their scope, ensuring proportionality in compliance obligations, and embedding a coherent inter-regulatory framework. In addition to the above, a coordinated approach to regulate the concern across sectoral regulators may produce a sustainable result.
[The article is written by Data Privacy and TMT Team at Lakshmikumaran & Sridharan Attorneys, Hyderabad]
[1] Rule 2(1)(i) of Draft Rules defines TIUE as ‘a person, other than a licensee or authorised entity, which uses telecommunication identifiers for the identification of its customers or users, or for provisioning and delivery of services;’
[2](3) Where personal data processed by a Data Fiduciary is likely to be—
(a) used to make a decision that affects the Data Principal; or
(b) disclosed to another Data Fiduciary,
the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency.
