DoT notifies Amended rules for Telecom Cybersecurity

October 27, 2025

By Anuradha Gandhi, Rachita Thakur and Prateek Chandgothia

Introduction:

On October 22, 2025, The Department of Telecommunications (hereinafter referred to as ‘DoT’) notified the Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 (hereinafter referred to as ‘Amendment Rules’). The Draft of these Amendment rules were released in 2024 for public consultation (hereinafter referred to as ‘Draft Rules’). The Amendment rules introduces key definitions such as licensee, Mobile Number Verification platforms (hereinafter referred to as ‘MNV Platform’), and Telecommunication Identifier User Entity (hereinafter referred to as ‘TIUE’) to strengthen and streamline the cybersecurity in the telecom sector.

(To read about the Draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025, refer: https://ssrana.in/articles/dot-overhauls-telecom-cyber-security-introduces-real-time-mnv/)

What has changed since the release of Draft Rules?

The provisions of Draft Rules have remained intact with no alterations made by the DoT after public consultations from relevant stakeholders. As per certain reports, the DoT has clarified that the mandatory application of Amendment Rules shall be limited to licensed telecom operators while other entities which shall be covered under the TIUE’s definition may choose to voluntarily opt to comply with the provisions.[1] This clarification resolves a major concern flagged by industry stakeholders relating to the extended scope of the definition of TIUE to include all entities using mobile number for customer verification.[2] However, an Official clarification in this matter is awaited as of October 24, 2025.

Key Definitions to understand

  1. Authorized Entities – Person or entities which hold licenses under the Telecom Act to provide telecom services or operate networks.[3]
  2. Telecommunication Entities – Any person or entity providing telecom service or operating networks including authorized entities.[4]
  3. Licensee – Any personal of entity holding license under the Telegraph Act, 1885 to provide telecom services.[5]
  4. Telecommunication Identifier User Entity (hereinafter referred to as ‘TIUE’) – Any non-operator or non-authorized entity that uses telecom identifiers to serve users.[6]

Brief explanation of the operation of MNV Platform

The Amendment rules retain the provisions of the Draft Rules which establish a centralized, real time validation service to be run by the central government or its agency. TIUEs may initiate suo moto or must comply with government directed validation requests following prescribed forms, channels and fee schedules. Authorized Entities are mandated to respond promptly to such requests with ‘match’ or ‘no match’ confirmations.[7]

(To read more on MNV Platform and other obligations of stakeholders under the Amendment Rules, kindly refer to – https://ssrana.in/articles/dot-overhauls-telecom-cyber-security-introduces-real-time-mnv/)

Concerns surrounding the Amendment Rules

  1. Regulatory Convergence

    Barring the reported clarification on limiting the scope of the Amendment rules to voluntary application on TIUEs, the expansive scope of the definition of the term may result in regulatory convergence. As per the bare reading of the definition, TIUEs may include entities engaged in Social Media, fintech, E-commerce operations which would result in the convergence with the Information Technology Act, 2000 (hereinafter referred to as ‘IT Act’), CERT-In Directions, and Guidelines released by the Financial Regulators such as Reserve Bank of India. Further, In 2022, the then Minister of Communications clarified that OTT services fall outside the scope of the Telecommunications Act, 2022, as they are governed by the IT Act 2000.[8] This position is further reinforced by the conscious omission of OTT platforms from the Telecommunications Bill, 2022, reflecting clear legislative intent. Therefore, a specific and defined scope of the term ‘TIUE’ must be incorporated to prevent regulatory convergence.

  2. Expansive Data Demand and Identifier Suspension Powers

    Rule 7A(5) and Rule 5 (6) of The Amendment Rules authorize the Central Government to access telecom identifier-related data from TIUEs and direct suspension or deactivation of identifiers without prior notice to the user, ostensibly to curb cyber fraud. However, the framework raises significant concerns. It lacks procedural clarity on who may issue such directions and under what process, unlike the safeguards under Section 69A of the IT Act. It also permits sudden disconnections without user notice or remedy, potentially disrupting critical services like banking or emergency access. To balance security with rights, such measures must be proportionate, limited to high-risk cases, and subject to due process, including prior notice, opportunity to be heard, and institutional checks.

  3. Risk of Unintended Denial of Service

    Mismatches or false positives/negatives in the MNV framework could cause TIUEs to wrongly trigger additional KYC checks, deny services, or impose restrictions on genuine users, raising concerns about unintended denial of service. A key risk arises where financial accounts are linked to phone numbers registered under another person’s credentials, such as shared family SIMs used across multiple accounts. In such cases, the same identifier may correspond to different account holders, and discrepancies between MNV data and TIUE records could generate inaccurate alerts. This may disrupt legitimate access to essential services.

  4. Consumer Redressal for Suspension or Banning Telecom Identifier

    Rule 5(6)(b) and 5(8)(b) of the Amendment Rules authorize the central government to suspend or restrict the use of telecom identifiers by TIUEs for both customer identification and service delivery. The amended provisions do not provide for mandatory or prior notice to the consumers along with no recourse to challenge such restriction.[9] The wide cross-sectoral impact of such measures, particularly in sensitive areas like Banking, Financial Services, and Insurance, makes it essential that affected users also receive a copy of the suspension or prohibition order. Without this safeguard, customers risk wrongful denial of critical services with no opportunity to contest the action.

[1] https://www.moneycontrol.com/news/business/dot-notifies-cybersecurity-rules-for-telcos-to-tighten-security-13630056.html

[2] https://www.communicationstoday.co.in/telcos-face-stricter-cybersecurity-mandates-under-dots-new-rules/

[3] Section 2(e) of Telecommunications Act, 2023

[4] Rule 2(g) of Draft Rules 2024 – https://www.teamleaseregtech.com/fileviewer/?f=https://avantiscdnprodstorage.blob.core.windows.net/legalupdatedocs/48554/Telecommunications-Telecom-Cyber-Security-Amendment-Rules-2025-OCT232025.pdf

[5] Rule 2(1)(a) of Draft Rules 2024

[6] Rule 2(1)(b) of Draft Rules 2024

[7] Rule 2(6) of Draft Rules 2024

[8] https://m.economictimes.com/industry/telecom/telecom-news/ott-not-under-ambit-of-telecom-bill-ashwini-vaishnaw/articleshow/106224226.cms#:~:text=Parliament%20on%20Thursday%20accorded%20approval,said%20industry%20executives%20and%20experts.&text=New%20Delhi:%20Telecom%20minister%20Ashwini,Information%20Technology%20Act%20of%202000.

[9] Rule 5 of Draft Rules 2024

More Articles

  1. 2025 IT Rules Amendment: Regulating Synthetically Generated Information in India’s AI and privacy landscape
  2. Tamil Nadu Becomes First Indian State to Mandate LGBTQIA+ Sensitisation in Medical Education
  3. Data Breach Reporting in India: Legal obligations and Best Practices
  4. CorpConnect Corporate Law News October 2025
  5. Earn-Out Negotiations in India’s Startup M&A Landscape
  6. Government proposes draft registration bill for online registration of property documents
For more information please contact us at : info@ssrana.com