The Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 — A Legal Analysis.

I. Introduction

The Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 (“2025 Amendment Rules”) were promulgated by the Central Government under the enabling provisions of the Telecommunications Act and notified by the Department of Telecommunications (DoT). The Amendment modifies and supplements the Telecommunications (Telecom Cyber Security) Rules, 2024, with the object of strengthening cyber security across all telecommunications networks, devices, identifiers, and related digital ecosystems operating within India.

The Amendment redefines regulatory boundaries, expands the scope of compliance obligations, and empowers governmental authorities to implement real-time preventative measures against cyber threats, fraud, and misuse of telecom identifiers.

II. Salient Features of the 2025 Amendment Rules

1. Establishment of a Centralised Mobile Number Validation (MNV) Framework

The Amendment mandates the creation and maintenance of a centralised MNV platform by the Central Government. The platform shall serve as a verification mechanism for confirming whether a telecommunication identifier—particularly a mobile number—corresponds to an authenticated subscriber registered with a licensed telecommunications service provider.

Entities using mobile numbers for authentication, account creation, verification, or service delivery may be compelled to interface with the MNV system as directed by the Government.

2. Introduction of “Telecommunication Identifier User Entities” (TIUEs)

The Amendment introduces a new regulatory class, Telecommunication Identifier User Entities (TIUEs), which includes all entities, other than licensed telecom operators, that utilise telecom identifiers for identification, verification, service delivery, or communication. This encompasses digital platforms, financial technology providers, e-commerce entities, mobility platforms, over-the-top (OTT) service providers, and any organisation employing telecom identifiers as part of its operational processes.

TIUEs are now subject to statutory obligations analogous to those imposed on licensed telecom operators with respect to cyber security, data integrity, reporting, and cooperation with governmental authorities.

3. Enhanced Regulation of IMEI and Device Identifiers

The Amendment strengthens regulatory authority over International Mobile Equipment Identity (IMEI) numbers and device identifiers. Key provisions include:

• Prohibition on the assignment or use of IMEI numbers that are duplicated, tampered, or already assigned to another device.
• Maintenance of a central IMEI blacklist identifying compromised, fraudulent, or unlawful device identifiers.
• Mandatory scrubbing of IMEI numbers by all resale, refurbishment, or second-hand device dealers prior to any transaction.

This framework aims to deter circulation of stolen or cloned devices and enhance device-level traceability.

4. Expanded Governmental Powers of Suspension and Restriction

The Amendment confers express powers upon the Central Government and authorised agencies to direct the immediate suspension, restriction, or disconnection of telecom identifiers—mobile numbers, devices, or associated credentials—without prior notice where such action is deemed necessary in the interest of:

• national security,
• public safety,
• prevention of cybercrime, or
• protection of the integrity of telecommunications networks.

Subsequent permanent disconnection or additional restrictions may be ordered following further review.

III. Objectives and Rationale Underlying the Amendment

The 2025 Amendment Rules are premised on the following considerations:

1. Escalation of cyber fraud and misuse of telecom identifiers, including fraudulent SIM usage, identity masking, device tampering, and proliferation of mule accounts.
2. Widespread adoption of mobile numbers as universal digital identifiers, particularly in financial transactions, e-commerce, digital payments, authentication processes, and app-based services.
3. Need for uniform regulation beyond licensed telecom operators due to the extensive use of telecom identifiers by non-telecom digital service providers.
4. Significant expansion of the second-hand device market, which has created avenues for circulation of stolen or altered devices.
5. Necessity of ensuring authenticity, traceability, and accountability to preserve digital trust and enhance cyber resilience across India’s interconnected digital economy.

IV. Implications for the Telecom Sector and Digital Ecosystem

1. Strengthening Cyber Security and Identity Verification

The implementation of MNV and uniform obligations across TIUEs is expected to significantly reduce the incidence of identity spoofing, fraudulent account creation, and unauthorised usage of telecom identifiers. This strengthens the authentication backbone of India’s digital services.

2. Increased Traceability and Deterrence

Mandatory IMEI scrubbing and blacklisting enhance the traceability of devices used in cyber-offences and discourage circulation of illicit devices, thereby assisting enforcement agencies in cybercrime investigations.

3. Expanded Regulatory Compliance

TIUEs—many of which have not previously operated under telecom-sector oversight—must now comply with stringent cyber-security standards, reporting mechanisms, and validation requirements. This may necessitate organisational restructuring, investment in compliance systems, and integration with the MNV platform.

4. Potential Challenges

While the Amendment provides a robust regulatory framework, it may pose certain operational and jurisprudential challenges:

• Increased compliance burden for small and medium digital enterprises.
• Potential impact on affordability and accessibility in the second-hand device market.
• Possibility of erroneous or overbroad suspensions of identifiers without prior notice if safeguards are weak.
• Concerns regarding data privacy and proportionality, given the expanded data-sharing obligations and Government authority.

V. Impact on Citizens

For individual users, the Amendment serves to enhance security and trust in all digital interactions anchored to telecom identifiers. Citizens may experience:

• reduced exposure to telecom-based fraud,
• safer second-hand device transactions,
• improved security in digital payments and online verification,
• stricter identity checks across digital platforms.

However, users may also contend with more stringent onboarding processes, heightened regulatory monitoring, and occasional friction in the use of telecom identifiers.

VI. Conclusion

The Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 represent a pivotal development in India’s cyber-security architecture. By expanding the regulatory perimeter beyond traditional telecom operators to encompass a wider digital ecosystem, the Amendment acknowledges the centrality of telecom identifiers in modern digital life.

The framework enhances national cyber security, strengthens deterrence against fraud, and improves device and identity traceability. Nevertheless, its efficacy will depend upon balanced implementation, strict adherence to proportionality, transparent procedures, adequate checks against misuse, and robust protection of citizens’ privacy and civil liberties.

If administered judiciously, the 2025 Amendment Rules have the potential to substantially fortify India’s digital trust infrastructure and safeguard the interests of both the telecom sector and Indian citizens.