Trade groups raise concerns about draft telecom cyber-security rules

Trade groups raise concerns about draft telecom cyber-security rules

Caution about regulatory overreach and cost burdens

Leading industry associations, including the Broadband India Forum (BIF), Internet and Mobile Association of India (IAMAI), NASSCOM and CUTS International, have raised concerns over the Department of Telecommunications (DoTs) proposed Draft Telecommunication (Telecom Cyber Security) Amendment Rules, 2025.

DoT's draft rules are aimed at strengthening cybersecurity and reducing telecom-related fraud. However, industry stakeholders have cautioned that the proposed amendments could result in excessive regulation, compliance burden and privacy risks for India's digital economy.

They argued that the amendments significantly exceed the legislative scope of the Telecom Act, 2023, by creating a new class of regulated entities, Telecommunication Identifier User Entities" (TIUEs) and extending telecom regulation to a wide range of non-telecom digital service providers.

IAMAI submitted that TIUEs would bring almost all digital platforms using mobile numbers, including e-commerce apps, delivery services, digital wallets, schools and hospitals, under telecom regulations. It added, "This means a regulatory overreach and creates a parallel compliance regime with no statutory mandate.”

While raising similar concerns, BIF said that the creation and regulation of TIUEs was ‘not envisaged’ in the Telecom Act. Therefore, imposing binding obligations through delegated legislation exceeds constitutional limits. It noted, "TIUEs do not operate at the network layer,” and they neither assign nor manage telecom identifiers, making the rules irrelevant.

CUTS International reasoned, "Every person using a mobile phone can be held responsible for its telecom cybersecurity.” It described the rules as disproportionately expansive and likely to bring thousands of unintended entities under telecom oversight.

The stakeholders flagged overlapping obligations with existing frameworks under the Information Technology Act, the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI). They stated, "Such duplication creates regulatory uncertainty and unnecessary compliance burden on entities, impacting ease of doing business.”

Meanwhile, the proposed Mobile Number Validation (MNV) framework, which mandates digital platforms to verify users' mobile numbers through a centralised system, was also criticised for being prohibitively expensive. The draft envisages a fee of Rs.1.5 to Rs.3 per validation request.

IAMAI pointed out that for startups and MSMEs with millions of users, the cost could rise to millions of rupees annually.

Likewise, NASSCOM stated that MNV compliance would necessitate ‘significant changes’ to platform infrastructure. It warned of adverse impacts on essential services and user experience, adding, "Such a pricing structure is economically unsustainable.”

CUTS cautioned that MNV could be circumvented by fraudsters using SIM-swapped numbers or burner phones, thereby undermining its effectiveness. It highlighted the risk of increased service costs for end-users if platforms pass on the compliance burden.

CUTS and BIF also raised privacy concerns over vague provisions allowing government access to user data. They stressed the absence of safeguards and potential conflicts with the decision of the Supreme Court in the Puttaswamy case on privacy.

The collaborators urged the DoT to conduct a comprehensive consultation, legal review, and impact assessment before finalising the proposed amendments.