India’s Draft Telecom Cybersecurity Rules Face Backlash Over Overreach and High Compliance Costs

The Department of Telecommunications (DoT) introduced draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 on June 24, aiming to bolster digital trust with sweeping compliance measures. The draft extends regulations beyond telecom operators to include Telecommunication Identifier User Entities (TIUEs)—entities that use mobile identifiers for services like fintech apps, OTT platforms, and e-commerce—through a Mobile Number Validation (MNV) platform.

Key Proposals

• Mandatory MNV: TIUEs must validate user numbers via a centralized platform, likely incurring fees per request.
• IMEI Regulations: Manufacturers must maintain a database of tampered device identifiers and ensure no duplicate IMEIs. Resellers must check devices—paying ₹10 per IMEI—for credibility.

Industry Concerns & Backlash

• Regulatory Overreach: Key trade bodies—including NASSCOM, IAMAI, and BIF—warn that the draft breaches the legislative scope of the 2023 Telecom Act, dragging diverse digital platforms under telecom compliance.
• Cost Burden for Businesses: CUTS International estimates that even modest per-validation fees could balloon into crores for platforms like PhonePe, Zomato, and Uber. Compliance could erode digital adoption and exclude thousands of startups.
• Privacy and Constitutional Risks: Experts argue the rules lack clarity on what “traffic data” entails and how long it can be stored—raising serious privacy issues and constitutional concerns.
• Need for Greater Fairness: Stakeholders stress that finalized rules should incorporate robust industry consultation, be innovation-friendly, and align with global best practices.

Why This Matters for AVGC & Digital Economies