Bridging individuals with technology thru innovative solutions & delivery of excellence in  service.

Draft Telecom Cybersecurity Rules Spark Industry Concerns on Jurisdiction and Compliance 

August 14, 2025


Introduction  

In June 2025, the Department of Telecommunications released the Draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025. These proposed amendments aim to introduce a centralised framework to validate mobile numbers as part of a larger cybersecurity initiative. The Department intends to improve identity verification and reduce telecom-related fraud by enabling telecom operators to confirm the lawful ownership of mobile phone numbers upon request. This framework proposes to allow private entities to verify phone numbers through a government-supervised Mobile Number Validation (MNV) platform, with telecom providers permitted to charge up to ₹3 per query. While the objective is to strengthen cybersecurity and prevent misuse of telecom identifiers, the draft has raised several concerns regarding jurisdiction, compliance costs, and the broader impact on digital platforms and consumers. 

Overview of the Proposed Mobile Number Validation Framework 

At the heart of the draft amendment is the creation of the Mobile Number Validation (MNV) platform. This centralised digital infrastructure would allow entities, specifically those defined as Telecommunication Identifier User Entities (TIUEs), to verify whether a phone number provided by a user is indeed registered to that person. TIUEs, as introduced in the draft, are defined broadly. The term includes any individual or organization that uses telecom identifiers such as mobile numbers, SIM cards, or IMEIs for purposes of user identification or service delivery. This category could potentially include a wide spectrum of digital services, ranging from e-commerce platforms and fintech applications to ride-hailing services, social media platforms, education portals, and even offline retailers using phone numbers for digital orders or communication. 

Under the proposed mechanism, a TIUE could submit a validation request through the MNV platform, which would then route the request to the respective telecom operator. The operator would confirm whether the phone number is valid and registered in the name of the user who claims to hold it. This process would cost ₹1.50 per request when mandated by government directions, or ₹3 when initiated voluntarily by the private entity. These validation checks are intended to support user verification at the time of onboarding or service delivery, providing additional assurance that the user is indeed the legitimate holder of the number. As per the draft, all entities involved in the process must ensure compliance with applicable data protection laws. 

Expanded Regulatory Scope and Its Implications 

The draft rules broaden the applicability of telecom cybersecurity norms. Earlier, these rules were limited to telecom licensees, i.e., telecom operators and authorised telecom entities that operate infrastructure or manage telecom networks. The inclusion of TIUEs represents a major shift, bringing non-licensed digital platforms under the purview of telecom regulation. This expansion has led to discussions about the legal basis for including entities that do not offer telecom services themselves but merely use telecom identifiers for basic functions like user login or authentication. The breadth of the definition could potentially include both large platforms and smaller entities such as start-ups, educational portals, or even retailers that use mobile numbers for loyalty programmes or service updates. 

In practice, this could mean that a vast range of businesses will now be required to comply with telecom-specific obligations, even though they may already be governed by other sector-specific regulations. For example, digital payment apps are regulated by the Reserve Bank of India, securities platforms by SEBI, and insurance apps by IRDAI. The Information Technology Act also applies to a wide range of intermediaries in the digital space. Expanding the telecom cybersecurity rules to overlap with these regulatory regimes could create hurdles for entities that must now satisfy multiple compliance frameworks for the same data or user verification activities. There is also the concern that such overlap could blur the lines between telecommunications regulation and digital services governance, requiring greater clarity on which obligations take precedence. 

Verification Costs and Business Impact 

One of the most widely discussed aspects of the draft framework is the introduction of fees for every validation request. While the charges (₹1.50 for mandated checks and ₹3 for voluntary ones) may appear nominal, their cumulative impact is expected to be huge, particularly for high-volume digital platforms. Today, most digital services verify users via OTPs sent through SMS, which typically costs a few paise per message. Transitioning from this low-cost model to a ₹1.50-₹3 verification mechanism could represent a 30-60x increase in per-check costs. For platforms handling millions of logins or transactions daily, this could lead to annual costs in the range of several hundred crores. For instance, if a platform processes tens of millions of transactions per day and even a small fraction of those require validation through the MNV system, the total cost could rise into the thousands of crores annually. These costs may influence business decisions regarding service pricing, user verification processes, and growth strategies. 

Smaller digital service providers and startups could be especially affected. Unlike large, established firms, smaller players may not have the margins or reserves to absorb these additional expenses. As a result, they might have to rework their operating models, increase end-user prices, or limit free access to services. The pressure of compliance costs on early-stage businesses may also affect innovation and digital inclusion, especially in price-sensitive markets. Some estimates suggest that if the MNV system is widely adopted, Indian consumers could bear an additional burden of ₹540 crore per month, which translates to over ₹6,000 crore per year in indirect or direct costs. These changes could also impact overall adoption rates of digital services, particularly among users who are highly cost-sensitive. 

Potential for Mandatory Expansion 

Although the DoT has stated that the MNV system could remain optional for private companies, the draft language allows for the possibility of future mandates. Government or regulatory authorities may issue directions to require validation of mobile numbers in specific sectors such as finance, commerce, or health, especially where risks of fraud are considered higher. This means that while the use of the platform may begin as a best-practice recommendation, it could become a legal requirement for entire categories of services over time. Such a transition would necessitate significant planning and infrastructure adjustments by affected entities, particularly if directives are issued on short notice. Moreover, platforms would need to ensure that they have mechanisms in place to integrate with the MNV platform securely, handle data sharing in accordance with privacy laws, and adjust their workflows to accommodate mandatory checks. 

Addressing Telecom Fraud and System Efficacy 

The primary goal of the MNV framework is to reduce telecom-related fraud, including identity theft, SIM spoofing, and impersonation. By verifying whether a mobile number is indeed registered to the individual claiming to use it, the framework aims to introduce an additional layer of trust in digital interactions. However, it is important to consider how such a framework would interact with existing verification processes. Telecom operators already perform KYC checks at the time of SIM issuance, as mandated under current law. The proposed MNV validation essentially re-verifies this information by linking it to usage within third-party services. There are concerns about whether this second layer of verification will effectively deter fraudulent activity. Sophisticated fraud schemes often involve methods such as SIM swapping, use of counterfeit documents, or black-market acquisition of pre-registered SIM cards. These practices may not be easily disrupted by number validation alone, since the number might still appear legitimate in the telecom operator’s records. 

If fraud continues despite initial KYC protocols, additional checks at the service level may not resolve the root causes, such as gaps in identity verification during SIM issuance or inadequate enforcement against fraudulent resellers. As a result, the effectiveness of the MNV platform in significantly reducing fraud may depend on how it complements other enforcement and regulatory mechanisms. 

Device Integrity and IMEI Checks 

Beyond mobile number validation, the draft rules also address device-related security. The government proposes to create a centralised database of tampered or blacklisted International Mobile Equipment Identity (IMEI) numbers. This database is intended to identify and restrict the use of mobile devices associated with suspicious or illegal activity. Entities engaged in the resale or distribution of second-hand mobile devices would be required to consult this database before completing any transaction. A fee of ₹10 per IMEI verification is proposed for accessing this service. Manufacturers and importers of telecom equipment would also be subject to obligations to ensure that devices do not reuse IMEIs already active in India. The goal is to reduce the prevalence of cloned or tampered devices, which could otherwise be used to mask user identity or circumvent lawful surveillance. 

Privacy, Oversight, and Data Governance 

The draft rules include provisions that authorize the government to access data related to telecom identifiers held by TIUEs. This may involve collection of metadata, user identifiers, or transaction records, particularly where necessary for telecom cybersecurity objectives. While the intent is to improve oversight and prevent misuse of telecom identifiers, stakeholders have raised questions about how such access will be structured. Specifically, there is a need for clarity around the frequency and scope of data collection, the types of data that will be requested, and the mechanisms to ensure that data access remains proportionate and legally justified. 

Given that the validation process involves sharing user details across platforms, operators, and the government, concerns around privacy, profiling, and potential surveillance have been highlighted. There is particular interest in understanding how this framework will align with the Digital Personal Data Protection Act, 2023, which sets out principles of consent, purpose limitation, and user notification.  

Due Process and Stakeholder Engagement 

The draft also introduces a provision allowing authorities to direct the suspension of telecom identifiers used by TIUEs. In practice, this means that a digital platform may be asked to suspend or restrict services to a particular user if their telecom identifier is believed to be linked to cybercrime or misuse. While such powers can help limit harm in urgent situations, the draft does not elaborate on the conditions under which such suspension orders can be issued or the process for reviewing or appealing these directives.  

Various stakeholders have submitted their feedback on the draft rules. The submissions have urged the Department of Telecommunications to hold a more detailed consultation on scope, legal review, impact assessment and alignment with existing regulatory frameworks prior to finalising the amendments. 
 
Recommendations from stakeholder submissions include: 

  1. Clarifying the definition of TIUEs to ensure that only relevant, high-risk entities are subject to regulation; 
  2. Implementing risk-based compliance models, where sectors with higher exposure to fraud are prioritised; 
  3. Providing exemptions or concessions for startups and small businesses to maintain ease of doing business; 
  4. Considering phased or pilot rollouts of the MNV platform to test its functionality and cost-effectiveness before scaling; 
  5. Harmonizing the rules with other regulatory regimes, including data protection, fintech, and IT regulations, to prevent duplication and ensure legal consistency; 
  6. Tiered compliance obligations based on the size and risk profile of TIUEs could make the system more proportionate and fair; 
  7. Sandboxed or phased rollouts may also help mitigate disruption while still testing security protocols; 
  8. Clarifying data protection safeguards and aligning with existing privacy laws can help the government balance its fraud-prevention goals with constitutional rights; 
  9. Proportional use of MNV: 
     ◦ Restrict mandatory MNV only to transactions or platforms where fraud risk is demonstrably high. 
     ◦ Monitor and limit voluntary use of the MNV Platform, as its utilisation by malicious TIUEs could lead to exposure of personally identifiable information at scale. 

Conclusion 

The draft rules represent a policy initiative to enhance telecom cybersecurity and improve user verification mechanisms. By introducing the MNV platform and expanding regulatory coverage to include TIUEs, the government aims to build a more secure digital environment. However, the scope, costs, and execution of the proposed framework present important considerations. Effective implementation will require not only technical integration but also clear legal foundations, privacy safeguards, and coordinated oversight. The future of the rules will likely depend on how these concerns are addressed in the final version. As the public consultation concludes and the Department of Telecommunications reviews the feedback, there is an opportunity to shape a forward-looking framework, one that strengthens security, minimizes risks, and supports the continued growth of India’s digital economy. 


