India’s digital economy is staring at a regulatory standoff.
In response to the Draft Telecommunication (Telecom Cyber Security) Amendment Rules, 2025, industry bodies including Broadband India Forum (BIF), Internet and Mobile Association of India (IAMAI), NASSCOM and CUTS International have raised a series of concerns in their submissions to the Department of Telecommunications (DoT).
The rules, introduced with the stated aim of tackling telecom-related fraud and strengthening cyber security, have triggered a wave of criticism for what stakeholders say is regulatory overreach, increased compliance burdens, and potential infringement on user privacy.
Scope and mandate in dispute
The submissions challenge the legal basis of the draft, stating that the Telecom Act and its associated rules are applicable to entities offering telecommunication services or holding authorisation under Section 3 of the Act.
The stakeholders refer to public statements by the former Union minister of communications who had clarified that Over-The-Top (OTT) platforms and digital service providers fall under the IT Act, 2000, not the Telecom Act.
IAMAI, in its submission, stated, “The Draft Amendments introduce a new class of regulated entities, ‘telecommunication identifier user entity’ (‘TIUE’) and defines them as any person or entity, other than a licensee or authorised entity, that uses telecom identifiers for user identification or service delivery. This definition is unqualified and will cover nearly all digital platforms or services that use mobile numbers."
"This goes far beyond any reasonable or legally permissible reading of the Telecommunications Act, 2023 (‘Telecom Act’). By attempting to bring the entire digital economy under telecom regulation, the proposal amounts to regulatory overreach and creates a parallel compliance regime with no statutory mandate,” it added.
BIF noted that “creation and regulation of TIUEs is not envisaged under the Act,” and described the attempt to impose binding obligations on these entities through delegated legislation as exceeding constitutional limits.
“TIUEs do not operate at the network layer. They neither assign nor manage telecom identifiers,” the forum added.
Expansive definitions raise flags
A central concern across all submissions is the draft’s definition of TIUEs, a term which could encompass a wide range of service providers. The concern is that the rules would apply not only to digital platforms but also to offline businesses, retailers, schools, hospitals, and delivery apps, essentially any organisation using mobile numbers for communication or authentication.
IAMAI warned, “This expansive language will inadvertently bring thousands of businesses under the telecom regulatory framework overnight.”
CUTS added that “every person using a mobile phone can be held responsible for its telecom cyber security,” describing the provision as “regulatory overreach”.
NASSCOM, BIF and CUTS also pointed to overlaps between the proposed rules and existing regulations under the IT Act, RBI, SEBI, IRDAI and other regulators. BIF said, “Such duplication creates regulatory uncertainty and unnecessary compliance burden on entities, impacting ease of doing business,” and warned against “regulatory fragmentation and uncertainty for a vast array of digital services.”
Cost concerns and feasibility issues
One of the more contentious provisions is the Mobile Number Validation (MNV) framework. The rules propose a centralised platform requiring digital services to verify user mobile numbers for a fee of ₹3 per query. For businesses with millions of users, stakeholders say this would translate to prohibitive expenses.
IAMAI cautioned, “Cumulated over millions of customers, this would result in significant costs running into several millions every year,” particularly affecting high-volume startups and MSMEs.
NASSCOM’s submission noted, “The introduction of mandatory MNV compliance for TIUEs will necessitate significant changes to digital platforms' product design, workflows, and backend infrastructure. TIUEs, many of whom are not part of the licensed telecom ecosystem, rely on mobile numbers for legitimate purposes like user onboarding, authentication, and communication."
"Imposing suspension powers and verification mandates without a nuanced understanding of how these identifiers are used in practice risks disrupting essential services, creating compliance uncertainty, and undermining platform reliability,” it added.
It also flagged the cost discrepancy: “One of the most pressing concerns is the proposed fee of INR 1.5 - 3 per verification request via the MNV platform. This is nearly 30 to 60 times higher than the prevailing cost of OTP-based verification (typically under INR 0.10 per request). For platforms handling large transaction volumes or serving cost-sensitive user segments, such a pricing structure is economically unsustainable.”
CUTS also questioned the efficacy of the system itself: “The proposed Rules may not adequately address issues like misuse of SIMs of leaked data on customer details through cyber breaches, and misreporting and reissuance of SIMs for frauds. A fraudster using a stolen or SIM-swapped number, but paired with the legitimate subscriber name, would still pass validation."
"Similarly, IMEI controls may be ineffective against inexpensive burner phones with valid identifiers and are commonly used in fraud—which sidesteps tampering detection altogether,” it added.
It further added that the financial burden could eventually fall on users: “If the cost of compliance is passed on by service providers to consumers, even partially, users face rising service prices. A platform like Uber or Zomato or PhonePe, processing millions of authentications per month, may factor these into pricing structures, subtly increasing the cost of access across urban and rural markets. Even a seemingly nominal fee can compound quickly for end-users.”
Privacy and legal safeguards under question
BIF and CUTS have also raised concerns about provisions allowing the government to request “data related to telecommunication identifiers” from TIUEs, without clarity on the scope, frequency, or safeguards for such data access.
“There is no clarity on the scope and frequency of validation requests, the type of information exchanged or stored by the platform, or the procedural safeguards to prevent misuse,” BIF stated.
It said such gaps could “raise the risk of user profiling, unlawful personal data processing, and data sharing, in conflict with principles of necessity and proportionality laid down in the Puttaswamy judgment.”
CUTS added that “the draft amendment rules propose data-sharing frameworks which appear inconsistent with the Puttaswamy decision,” reiterating that any intrusion on privacy must meet the tests of legality, legitimate state interest, and proportionality.
Call for reassessment
In conclusion, the four stakeholder groups have urged the Department of Telecommunications to undertake a comprehensive consultation, review the legal scope of the proposed amendments, assess their impact, and align the rules with existing regulatory frameworks before finalisation.
As the country attempts to balance digital innovation with national security, the response to the draft rules signals strong industry resistance to broad-brush mandates, especially those seen as lacking legal clarity or economic feasibility.