1.Introduction
The Ministry of Communications ("MoC"), through the Department of Telecommunications ("DoT"), has released the Draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 ("Draft Rules") to strengthen India's cybersecurity in the telecom sector and improve the security of telecom networks. The Draft Rules propose to amend the existing Telecommunications (Telecom Cyber Security) Rules, 2024 ("Telecom Cyber Security Rules"). The deadline for submitting public feedback and suggestions on these draft rules to the DoT is July 24, 2025.
2.Applicability
The Draft Rules apply to licensee (any person holding a license to provide telecommunication services), authorised entities (entities authorised by the Reserve Bank of India for the delivery of banking and payment services), Mobile Number Validation ("MNV") platforms, and Telecommunication Identifier User Entity ("TIUE").
3. Key aspects of the Draft Rules include:
3.1. Introduction of New Definitions
Several new terms have been introduced for regulatory clarity. A 'licensee' is now defined as a person holding a license under the Indian Telegraph Act, 1885, to provide telecom services. The term 'TIUE' refers to a person (excluding licensee or authorised entity) which uses telecommunication identifiers for the identification of its customers or users or for providing and delivering services. A 'MNV Platform' is proposed as a centralised digital infrastructure that would enable validation by authorised entities and licensees to check and confirm whether a mobile number or other telecom identifier provided by TIUE customers or users matches the records held by an authorised entity or licensee.
3.2. Establishment of MNV Platform
The Central Government or its authorised agency will set up a centralised MNV platform and will issue specific directions to authorised entities and licensees on how they should participate in and use the MNV platform. The TIUE may, either on its own or upon receiving directions from the Central or State Government or their authorised agencies shall submit a request on the MNV platform to verify whether the telecom identifiers provided by its customers or users match the records held by authorised entities or licensees.
Similarly, the Central/State Government or its authorised agencies may also seek validation requests for identifiers specified by TIUEs. The MNV platform will forward any request it receives to authorised entities or licensees for verification. These entities must then carry out the validation and send their response back to the MNV platform.
The validation process is only meant to confirm the identity of users linked to telecom identifiers for providing related services linked to such identifiers, and the TIUEs, authorised entities, and licensees are required to comply with applicable data protection laws throughout the validation process.
3.2. Strengthening IMEI Regulation
The amended Rule 8 empowers the Central Government to issue directions to telecom equipment manufacturers regarding the handling of devices with International Mobile Equipment Identity ("IMEI") numbers. Manufacturers must assist in cases involving tampered devices or IMEIs and are prohibited from assigning IMEIs already in use within Indian networks to new devices, whether manufactured or imported. Additionally, the Central Government or its authorised agency will maintain a database of tampered or restricted IMEIs. Any individual involved in buying or selling used telecom devices in India must, before completing the transaction, apply for access to the designated IMEI database through the specified portal by paying INR 10 (Indian Rupees Ten only) per IMEI to ensure the device is not blacklisted.
3.3. Fees for MNV Validation
A tiered fee structure has been proposed for mobile number validation requests, which is as follows:
- If a TIUE is a department, ministry, office of the Central Government or a statutory authority set up by the Central/State Government- Nil
- Government-Initiated Requests- If the TIUE (including
government agencies) makes a validation request as per government
directions, INR 1.50 (Indian Rupees One Rupee Fifty Paise only) per
request, of this:
- INR 0.50 (Indian Rupees Fifty Paise only) shall be retained by the CG or its authorised agency;
- INR 1 (Indian Rupees One only) shall be transferred to the authorised entity or licensee that performs the validation.
- Private TIUEs- For all other TIUEs not covered above- INR 3
(Indian Rupees Three only) per request, of this:
- INR 1 (Indian Rupees One only) shall be retained by the CG or its authorised agency;
- INR 2 (Indian Rupees Two only) shall be transferred to the authorised entity or licensee that performs the validation.
4. Key Takeaway
The Draft Rules aim to enhance digital trust by introducing mandatory mobile number validation, stricter IMEI controls, and greater accountability for all entities using telecom identifiers. Implementing bodies like banks and authorised payment service providers will need to update their systems to support MNV requests, ensure compliance with data protection laws, and potentially incur validation fees. This new validation mechanism is expected to significantly reduce fraud, impersonation, and cyber threats while introducing new compliance and operational responsibilities across the digital financial ecosystem.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
