The Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 (‘Amendment Rules’), notified on October 22, 2025, have come into force immediately, and significantly expand the scope and instruments available to the Government to curb telecom- and device-enabled fraud. They amend the principal Telecommunications (Telecom Cyber Security) Rules, 2024 (‘Telecom Cyber Security Rules’) to introduce a new compliance category, a centralized verification gateway, and tighter controls on device identifiers.
What the Amendment Rules Do
The key amendments approved, inter alia, are summarised below:
i. The Amendment Rules define Telecommunication Identifier User Entities (‘TIUEs’) as any person other than a telecom licensee or authorised entity that uses telecommunication identifiers to identify customers or users or to provision or deliver services. In practical terms, this brings a wide array of digital platforms and enterprises—banks and fintechs, e‑commerce and delivery platforms, ride‑hailing services, messaging and OTT providers—within the operational ambit of the telecom cyber security framework when they rely on mobile numbers or other telecom identifiers;
ii. A new Rule 7A of the Telecom Cyber Security Rules establishes a Government-run Mobile Number Validation (‘MNV’) platform to validate whether telecom identifiers provided by TIUE customers correspond to the subscriber records of a telecom licensee or authorised entity. TIUEs may be directed to, or may seek permission to, use the MNV platform; Government agencies authorised by the Central Government will have assured access. Fees for the service will be shared between the Government (or its authorised agency) and the validating licensee/authorised entity. All participants must ensure compliance with applicable data protection laws when using the platform;
iii. The Amendment Rules strengthen the Government’s immediate-action powers under Rule 5 of the Telecom Cyber Security Rules by expressly enabling orders directing both telecom entities and TIUEs to suspend the use of relevant telecom identifiers without prior notice where required in the public interest, with reasons recorded in writing. Follow‑on directions may include permanent disconnection by telecom entities and orders to TIUEs to prohibit or circumscribe use of specified identifiers for identification or service delivery, including to enable reuse pathways; and
iv. To disrupt the supply chain of cloned and tampered devices, the amendments to Rule 8 of the Telecom Cyber Security Rules introduce: (a) a right for the Government to issue directions prohibiting the assignment of International Mobile Equipment Identity (‘IMEI’) numbers already in use on Indian telecom networks to new devices manufactured in or imported into India (from a date to be specified on the portal maintained by the Government in this regard); (b) a Government-maintained database of IMEIs that are tampered or restricted; and (c) a mandatory pre‑sale check obligation for any person engaged in the sale or purchase of used devices bearing IMEIs, with fees payable to access the database. Manufacturers and importers must ensure compliance with directions that the Government will issue to give effect to these rules.
Why these Reforms Now
The Amendment Rules seek to respond to a marked escalation in cyber-enabled financial fraud and impersonation crimes relying on stolen, forged, or cloned telecom identifiers and devices. Reported cybercrime cases in early 2024 were substantial, with a high proportion linked to online financial fraud. Criminals routinely exploit fake or compromised mobile numbers to defeat one-time password (‘OTP’)-based authentication, create fraudulent accounts across platforms, and impersonate legitimate users. The grey market in stolen or tampered handsets with cloned IMEIs has compounded the issue. The policy objective is to prevent misuse at two critical control points: (i) the identity layer that binds services to telecom numbers; and (ii) the device layer that binds users to unique IMEIs.
Analysis
The amendments align the telecom security perimeter with today’s digital identity reality; banks, fintechs, OTTs and platforms functionally rely on telecom identifiers and therefore sit at risk. A centralized MNV platform can materially reduce impersonation and improve the integrity of number-linked onboarding and transactions. The IMEI measures should make it harder for compromised handsets to persist in the secondary market and across networks.
At the same time, there are operational and governance challenges. Immediate suspension powers over identifiers could result in simultaneous, multi‑service lockouts from communications, payments, and access‑controlled environments. While orders must record reasons and post‑facto representations are permitted, there is limited procedural detail on notice, scope of evidence, and restoration timelines; TIUEs will need robust processes to avoid over‑blocking and to manage customer remediation. The MNV platform’s fee model and technical specifications have not been fully detailed; TIUEs must plan for integration complexity and service availability dependencies. Data protection compliance is mandated, but the contours of lawful basis, consent capture, data sharing with telecom licensees, and retention on both the platform and TIUE side will need careful alignment with applicable privacy law. For device markets, mandatory IMEI checks will add friction to resale channels but should be implementable with the right dealer processes; however, clarity will be needed on liabilities for false negatives/positives and on appeals or rectification for erroneously restricted IMEIs.
Additionally, by bringing TIUEs within the Amendment Rules, nearly any business that uses mobile numbers as user identifiers would fall within the scope of the Telecommunications Act, 2023, raising the prospect of a potential overlap with various other laws including the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023. This is particularly significant given the widespread use of mobile OTPs for user authentication in India.
Recommended Next Steps
Telecom operators, TIUEs across tech and banking, and device ecosystem participants should move swiftly on governance, technical integration, and customer‑impact readiness. Some of the key steps that these entities must take are listed below:
i. Designate Accountability: Identify whether your business is a TIUE and appoint an executive owner (with Board oversight where appropriate) to coordinate telecom cyber security compliance, including order intake and execution under Rule 5 of the Telecom Cyber Security Rules and interactions through the Department of Telecommunications portal (‘DoT Portal’).
ii. Map Identifier Usage and Build MNV Integration: Catalogue all workflows that rely on telecom identifiers (onboarding, authentication, recovery, transaction alerts). Prioritize integration with the MNV platform for high‑risk categories; design fallbacks and service‑level thresholds; budget for platform fees. Establish controls to log, reconcile, and audit validations.
iii. Be Ready to Act on Government Directions: Implement a 24/7 runbook to receive, authenticate, execute, and document suspension orders affecting telecom identifiers. Build targeted controls to avoid blanket blocks; maintain an audit trail and a process to act on modifications or revocations. Prepare a customer communication and remediation playbook to manage lockouts, including exception handling for critical services.
iv. Update Privacy Governance: Update your privacy notice and internal records to explain that you use the MNV system and may share data with telecom operators for validation. Check that you have a clear legal basis, collect any consent needed, limit how long you keep the data, and secure it. Make sure vendor contracts cover these points if a third party helps you.
v. Prepare for IMEI Compliance: For manufacturers and importers, ensure systems prevent assignment of duplicate or in‑use IMEIs and that IMEIs are registered as required. For resellers and refurbishers, operationalize mandatory pre‑sale IMEI checks against the Government database, embed the control in point‑of‑sale flows, and train staff. Update customer terms and procurement contracts to allocate responsibilities and remedies for blacklisted devices.
vi. Engage Early with Regulators: Monitor the DoT Portal for the effective date of the IMEI assignment prohibition, technical specifications for the MNV platform, and fee schedules. Participate in any stakeholder consultations to clarify ambiguities and align implementation timelines.