The telecommunications space in India has undergone a swift digital transformation, with mobile numbers, device identifiers and telecom-linked authentication systems becoming integral to financial services, e-governance, digital payments, social media platforms and critical infrastructure. The increased reliance on telecommunication identifiers has also heightened the risks of cyberattacks, identity fraud, spoofing, SIM manipulation, and the misuse of device identifiers, such as IMEI numbers. As the digital service landscape expanded beyond traditional telecom operators and device supply chains, the need for a more comprehensive cybersecurity mechanism became evident.
Recognising these vulnerabilities, the Government introduced the Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 (the Amendment Rules) on October 22, 2025, vide notification G.S.R. 771(E). On October 29, 2025, the Amendment Rules were republished in the Gazette of India under notification G.S.R. 796(E). The Department of Telecommunications rectified this by issuing notification G.S.R. 863(E) on November 25, 2025. This new notification rescinded the republication while preserving the validity and enforceability of the original Amendment Rules, first published under G.S.R. 771(E).
The Rules have been introduced to strengthen oversight, enhance validation of telecom identifiers, expand accountability to non-telecom service entities, and strengthen safeguards against misuse of mobile numbers and device identifiers. These amendments aim to increase national security, protect consumers, and ensure the integrity of digital networks in India.
Key Highlights of the Amendment Rules
Definitions and Scope
The Amendment Rules introduce new definitions to widen the applicability of the telecom cybersecurity framework.
“licensee” refers to any entity holding telecom service licences under the Indian Telegraph Act, 1885.
“Telecommunication Identifier User Entity (TIUE)” means any non-licensee entity that uses telecom identifiers, such as mobile numbers or device identifiers, for identifying customers or for delivering services. Examples may include fintech companies, OTT platforms, logistics networks and similar digital entities; however, these are only illustrative and not prescribed in the Rules.
“Mobile Number Validation (MNV) Platform” means a dedicated platform to validate whether telecom identifiers used by a TIUE’s customers or users match the user details maintained by authorised entities and licensees.
Obligations of TIUEs
The Amendment Rules strengthen the powers of authorised agencies to seek data related to telecommunication identifiers. The Rules now expressly permit authorities to obtain data related to identifiers used by TIUEs in the manner specified on the designated portal. Additionally, sub-rule (2)(b) has been amended to extend the obligation to share information to TIUEs as well, to ensure uniform compliance across all entities handling telecom identifiers.
In Rule 4(3), the scope of entities required to adhere to monitoring directions has been expanded to include TIUEs. All TIUEs must comply with any directives issued by the Central Government on matters relating to identifier-based cybersecurity. This expansion of scope would strengthen accountability and ensure that vulnerabilities arising from the wider digital service ecosystem are effectively addressed.
Rule 5 has been expanded to empower the government to respond swiftly when a telecommunication identifier is suspected of misuse. Sub-rule (6) enables the government to direct both telecom entities and TIUEs to temporarily suspend the use of any identifier without issuing prior notice, provided such action is necessary in the public interest. This facilitates immediate intervention in urgent cybersecurity situations.
Sub-rule (8) has been modified to allow subsequent orders requiring a telecommunication entity to permanently disconnect the telecommunication identifiers. The order may also require TIUEs to restrict future use and to prohibit or circumscribe the use of relevant telecommunication identifiers to identify their customers or users, or to deliver messages or services. These measures enable structured reuse of identifiers after necessary checks. Additionally, amendments to sub-rule (7) and sub-rule (11) reinforce that TIUEs are equally responsible for compliance when dealing with telecommunication identifiers.
Amendments to Rule 10 extend reporting and compliance responsibilities to TIUEs, in addition to telecommunication entities. According to sub-rule (2), when the Central Government determines that a secure method of communication, apart from its portal, is essential for issuing orders, instructions, or directions to TIUEs, or for gathering information from TIUEs alongside telecommunication entities, it may opt for such a secure communication method. Sub-rule (3) further requires TIUEs to comply with directions concerning cybersecurity incidents, breach reporting, and related investigations.
Mobile Number Validation (MNV) Framework
One of the most significant additions is Rule 7A, which establishes a centralised Mobile Number Validation Platform to prevent cybersecurity incidents and ensure the integrity of telecom identifiers. The government may set up this platform directly or through an authorised agency and require authorised entities and licensees to participate.
Under this framework, TIUEs, government agencies and authorised bodies may request validation to confirm whether a telecommunication identifier belongs to the user who has provided it. This is essential for banking, digital payments, e-commerce, KYC processes and other identity-linked transactions. TIUEs may initiate validation voluntarily or upon government direction, but voluntary use requires central government approval.
As per the Rules, a fee-sharing mechanism is established between the government or its authorised agency and the validating licensees or authorised entities, as specified on the portal.
All validation requests received will be routed to authorised entities, which must respond as per procedures on the portal. Rule 7A(5) mandates that TIUEs, authorised entities, and licensees must comply with applicable data protection laws when handling personal data during the validation process, aligning with India’s broader personal data protection framework.
IMEI-Related Controls
The Amendment Rules introduce several measures to curb the misuse, tampering and duplication of IMEI numbers. The amendments introduce a targeted set of safeguards to regulate the sale, purchase, and circulation of second-hand and refurbished telecom devices in India, preventing the distribution of devices with tampered or restricted IMEI numbers. A significant addition is Rule 8(4A), which expressly prohibits manufacturers of telecommunication equipment from assigning IMEI numbers already in use in Indian telecom networks to any new device manufactured or imported into India. This is a critical safeguard to prevent duplication, spoofing and identity masking through cloned identifiers.
Sub-rule (6) mandates that the government or its authorised agency must maintain a central database of tampered or restricted IMEIs. It further mandates that any person engaged in the sale or purchase of a device access the government-maintained IMEI database, which contains details of tampered or restricted IMEIs, upon payment of a specified fee, and verify that the device being traded is not listed in the database. This ensures that no second-hand or refurbished device with a compromised IMEI enters the consumer market, thereby reducing fraud, theft-linked circulation, and security vulnerabilities associated with cloned or manipulated identifiers. In addition, the amendments require all manufacturers and importers of IMEI-bearing devices to comply with directions issued by the Central Government to operationalise these rules.
Conclusion
The Telecommunications (Telecom Cyber Security) Amendment Rules, 2025, expand and reinforce telecom cybersecurity infrastructure in India by bringing new categories of digital service entities under regulation, enabling accurate validation of telecom identifiers, improving IMEI oversight, including prohibiting reuse of active IMEIs, and strengthening government powers to suspend or restrict the use of identifiers where necessary. These amendments reflect an integrated approach to national cybersecurity, recognising the central role of telecom identifiers in digital transactions, identity verification, and critical communication systems.
Authors: Manisha Singh and Shivi Gupta
First Published by: Mondaq here