Background
On June 24, 2025, the Ministry of Communications (hereinafter referred to as 'MoC') issued the Draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025[1] (hereinafter referred to as 'Draft Rules 2025') under Section 22(1) and Section 56(2)(v) of the Telecommunications Act, 2023[2] (hereinafter referred to as 'Telecom Act'). These Draft Rules are proposed to amend the Telecommunications (Telecom Cyber Security) Rules, 2024[3] (hereinafter referred to as 'Telecom Rules 2024'). These rules have been issued considering the rapid convergence of digital services, the widespread use of telecommunication identifiers by non-operator platforms, and escalating SIM/International Mobile Equipment Identity (hereinafter referred to as 'IMEI') fraud. This development has underscored the need for a more inclusive, real-time mechanism to validate and, where necessary, suspend the identifiers at all points of use.
Key Stakeholders under the Telecommunications Framework
- Authorized Entities – Persons or entities which hold licenses under the Telecom Act to provide telecom services or operate networks.[4]
- Telecommunication Entities – Any person or entity providing telecom service or operating networks, including authorized entities.[5]
- Licensee – Any person or entity holding a license under the Telegraph Act, 1885 to provide telecom services.[6]
- Telecommunication Identifier User Entity (hereinafter referred to as 'TIUE') – Any non-operator or non-authorized entity that uses telecom identifiers to serve users.[7]
- Facility Provider – Central Government, Authorized entities or their contractors who build or maintain telecom infrastructure on public land.[8]
- Assignee – Entities to whom specific radio frequencies are allocated for use.[9]
- Public Entity – Government bodies empowered with right of way, enforcement or regulatory functions.[10]
- Manufacturers & Importers of IMEI-bearing Equipment – A manufacturer or importer of equipment that has an International Mobile Equipment Identity (IMEI) number.[11]
- CTSO – Chief Telecommunication Security Officer – Coordinates implementation of cyber-security measures, liaises with the Government and manages incident response. Each entity must appoint a CTSO.[12]
Brief Overview of Key Amendments
- Expanding the Definitions and Scope of Applicability: The Draft Rules introduce TIUEs alongside existing telecommunication entities, bringing non-operator users of telecom identifiers, like OTT apps and payment platforms, under the cyber security regime of the Telecommunications framework. Definitions of Licensee and Mobile Number Validation (hereinafter referred to as 'MNV') platform have been added to clarify roles in identifier validation.[13]
- Data Sharing & Cyber Security Obligations: The Draft Rules allow the Central Government to seek identifier-related data directly from TIUEs and extend the data sharing duties to them. The general security obligations, like risk assessments and incident reporting, now explicitly apply to TIUEs as well, alongside telecom network operators.[14]
- Immediate suspension of Powers: The Draft Rules amend the Telecom Rules 2024 to empower the Central Government to temporarily suspend any identifier and require both operators and TIUEs to halt its use without prior notice when public security is at risk. Contestation rights and modification orders now cover TIUEs equally, ensuring they can file representations and are bound by any new terms.[15]
- New MNV Platform: The Draft Rules establish a centralized, real-time validation service to be run by the Central Government or its agency. TIUEs may initiate validation requests suo motu or must comply with government-directed validation requests, following prescribed forms, channels and fee schedules. Authorised Entities are mandated to respond promptly to such requests with 'match' or 'no match' confirmations.[16]
- Device Integrity Enhancements: The Draft Rules expand the Telecom Rules to require manufacturers of IMEI-bearing devices to assist on tampering incidents and not reuse IMEIs already deployed in India. They also mandate a tampered IMEI database and restrict secondary-market transactions through pre-sale checks against this registry.[17]
Operationalizing of MNV Platform
Under the Draft Rules, the Central Government or an agency it authorizes must set up and operate a centralized digital platform for real-time validation of telecommunication identifiers such as mobile numbers. This platform is termed the MNV Platform.
- Who is a TIUE and how will it use the MNV platform? A TIUE is defined as a person, other than a licensee or authorized entity, which uses telecommunication identifiers for the identification of its customers or users, or for provisioning and delivery of services. A TIUE may initiate a validation request at will or must do so when directed by the Central or State Government. Every request must follow the prescribed digital template and be accompanied by the correct fee. Validation strictly confirms that the number quoted by the TIUE's user actually belongs to the intended subscriber.
- Processing & Response Workflow: Once a request lands on the MNV Platform, the platform dispatches it to the specific authorized entity or licensee whose data holds the number. That entity runs a real-time lookup to confirm that the number is active and assigned to the stated subscriber. The response is sent back to the MNV Platform, which in turn makes it available to the requesting TIUE. All participants must ensure compliance with the applicable laws relating to data protection when handling subscriber data.
- Fee Structure & Cost Recovery: To balance public sector needs and cost recovery, the Draft Rules insert a schedule of fees with three categories:
  - The prescribed fee for processing validation requests raised by Central/State Governments, Ministries or authorities is 'Nil'.
  - The prescribed fee for processing validation requests by TIUEs acting on Government direction is 'INR 1.50' per request, wherein the Government retains 'INR 0.50' and the Authorized Entity receives 'INR 1.00'.
  - The prescribed fee for processing validation requests by TIUEs at will, without a Government direction, is 'INR 3.00' per request, wherein the Government retains 'INR 1.00' and the Authorized Entity receives 'INR 2.00'.[18]
- Enforcement & Central Government Oversight: Beyond validation, the Central Government shall retain broad cyber-security powers. If a security incident involves identifiers in TIUE systems, the Government may suspend or disconnect identifiers without prior notice, directing both network operators and TIUEs to cease use of such identifiers. Further, it may issue modification orders to permanently block or circumscribe use of identifiers at both operator and TIUE levels. In all cases, affected TIUEs shall have the right to make written representations within thirty days, and the Government must record reasons when upholding or modifying its orders.[19]
Footnotes
2. https://egazette.gov.in/WriteReadData/2023/250880.pdf
3. https://www.medianama.com/wp-content/uploads/2024/11/notified-telecom-rules-Copy.pdf
4. Section 2(e) of Telecom Act
5. Rule 2(g) of Telecom Rules 2024
6. Rule 2(1)(a) of Draft Rules 2025
7. Rule 2(1)(b) of Draft Rules 2025
8. Section 11 of Telecom Act
9. Section 2(c) of Telecom Act
10. Section 2(b) of Telecom Act
11. Rule 8 of Telecom Rules 2024
12. Rule 6 of Telecom Rules 2024
13. Rule 2(1) of Draft Rules 2025
14. Rule 2(2) of Draft Rules 2025
15. Rule 2(5) of Draft Rules 2025
16. Rule 2(6) of Draft Rules 2025
17. Rule 2(7) of Draft Rules 2025
18. Rule 2(9) of Draft Rules 2025
19. Rule 2(5) of Draft Rules 2025