India’s Draft Cybersecurity Rules for Telecom 2025 explained: How they impact us all

In June 2025, the Indian government uploaded a document that could reshape how you connect, communicate, and get verified online. It didn’t spark a lot of headlines, but if you peel back the legalese a bit, the draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 might be one of the most consequential rule changes in India’s ongoing digital transformation.

So, what’s really going on here? And why are watchdogs like the Internet Freedom Foundation raising red flags? Dive in for the explanation, we’ve tried to keep it as simple as we can. Let’s start with the big picture.

The government’s aim

Imagine India’s vast mobile network as a colossal subway system. The new draft cybersecurity rules aim to not only monitor every station (telecom operator), but also tag every passenger (mobile user) and every train (device) that moves across it.

Also read: TRAI extends message traceability guidelines deadline to December: What it means for users

On June 24, the Ministry of Communications rolled out proposed amendments to last year’s Telecom Cyber Security Rules, opening the draft for public comment until July 24, 2025. The amendments expand the scope of the 2024 rules to include a new breed of entities called TIUEs or Telecommunication Identifier User Entities. These are companies or platforms that use mobile numbers to verify customers. Think banks, e-commerce apps, OTT platforms, food delivery services – essentially, any app that pings you with an OTP.

The idea is pretty straightforward on paper. The government’s asking companies who use telecom identifiers (like mobile numbers, SIMs, or IMEIs) in your digital onboarding or service delivery, they must follow the same cybersecurity hygiene as licensed telecom operators. The goal is to have uniform standards and shared accountability.

So far, so reasonable, right? But here’s where it gets interesting.

Enter the MNV platform and IMEI database

At the heart of the proposed rulebook lies two powerful new tools:

MNV Platform (Mobile Number Validation): Think of it as Aadhaar for phone numbers. It lets a digital service check if a mobile number actually belongs to the user it claims to. The government wants to make this validation mandatory in some cases and optional (but paid) in others. Request a check? That’ll be ₹1.5 if the government told you to, ₹3 if you asked on your own.

IMEI Tracking and second-hand device checks: The new rules go beyond users and straight into your pockets – literally. Every mobile device in India carries a unique IMEI number. The government now wants equipment manufacturers to avoid assigning duplicate or spoofed IMEIs and maintain a central IMEI database. Planning to buy a used phone? You or the seller will have to check the database (for a ₹10 fee) to ensure the device hasn’t been flagged or tampered with.

If it all sounds like a bureaucratic upgrade to SIM-swapping prevention, that’s part of the point. The government argues that tighter verification mechanisms will help prevent identity theft, impersonation, and online fraud.

But as always, the devil’s not just in the details – it’s in who controls them.

The IFF’s alarm bells

India’s Internet Freedom Foundation (IFF) isn’t buying the whole “trust us, it’s for your safety” narrative. In their formal submission to the Department of Telecommunications on July 18, they raised a battery of concerns that essentially boil down to the government having expanded surveillance powers, with no checks and balances.

Also read: Indian telecom operators boost network readiness following govt’s emergency orders

Govt wants to expand its surveillance powers with the Interception & Cyber Security Rules, 2025, by letting it collect data on telecom identifiers & even disconnect your device without a judge’s approval. IFF has filed strong objections. 🧵1/3https://t.co/eWulYjmIzb

— Internet Freedom Foundation (IFF) (@internetfreedom) July 24, 2025

The IFF points to three major problems in the draft:

Government overreach: By defining TIUEs so broadly, the rules pull a vast range of digital services – including OTT platforms, e-commerce apps, and fintech players – into the same regulatory tent as telecom operators. That’s a significant policy shift with minimal public debate, claims the IFF.

No judicial oversight: The IFF further suggests that the draft allows the government to collect user data or direct the suspension of a user’s telecom identifier – essentially cutting someone off from their digital life – without needing judicial approval or even notifying the user. It’s all justified in the name of “public interest.”

No appeal, no remedy: If your SIM gets flagged, or your IMEI gets blacklisted, there’s currently no mention of how you’d find out or what recourse you’d have to reverse any potential blocks. That raises constitutional questions, according to the IFF, particularly under Articles 19 and 21, which protect speech, expression, and personal liberty.

“This is not just about telecom security; it’s about how the government could turn off your digital identity with no warning, explanation, or path to redress,” summarises the IFF, without mincing any words.

To illustrate this with a metaphor – imagine your local municipality suddenly revokes your house address overnight. You can’t get mail, packages, or even prove where you live. Except in this case, it’s not a house – it’s your phone number. And with that goes your banking access, your food deliveries, your Uber, your social network logins. Gone, in one silent keystroke.

Legal take on the draft rules

For those not sounding the alarm like IFF, there’s a more grounded, legalistic view coming from the offices of Khaitan & Co, one of India’s heavyweight law firms. In a joint legal opinion authored by Harsh Walia (Partner) and Sanjuktha A. Yermal (Senior Associate), the duo acknowledges that while the government’s draft amendment carries real technical merit, it also ushers in several compliance and constitutional caveats that shouldn’t be glossed over.

Also read: India-Pak conflict: 5 examples of rise in cyber warfare threats

Extending cybersecurity compliance beyond telecom licensees to include TIUEs is a logical evolution in a world where digital services are increasingly entangled with telecom infrastructure, the Khaitan & Co duo submit. After all, when e-commerce apps and fintech platforms use your mobile number for everything from KYC to two-factor authentication, shouldn’t they also share the responsibility of keeping that data secure?

But on the flip side, Walia and Yermal point to the rising burden these rules would place on smaller businesses – startups and MSMEs, in particular – who now face not only infrastructure costs but also per-request validation fees that could quickly add up. “Technology and infrastructure investments, layered with transactional costs like IMEI checks and MNV validations, could weigh heavily on resource-light digital players,” they note.

They also raise important legal flags. For one, the rules seem to duplicate obligations already prescribed under the Information Technology Act, 2000, creating a fuzzy jurisdictional overlap, according to Khaitan & Co. And more worryingly, the broad authority handed to the executive – including the power to demand user data from TIUEs or shut down telecom identifiers – lacks clear procedural safeguards or an independent oversight mechanism.

In their words, “The current framework lacks proportionality and may create regulatory confusion unless clearly reconciled with existing IT and privacy laws.” The rules are well-intentioned, but need “clarity, proportionality, and consistency with existing data protection norms.”

What happens next?

As public comments close on July 24, and the government is expected to finalize the rules soon after, whether they’ll water down the powers, tighten the definitions, or create avenues for appeal remains to be seen.

What’s clear, though, is that this isn’t some abstract policy battle. This directly affects real people, real platforms, and real freedoms. Whether it’s confirming an OTP, selling a second-hand iPhone, or unlocking your front door with a mobile app – the ripples of these rules will be felt by everyone from fintech unicorns to the average chaiwala using a smartphone.

In a country where your mobile number is fast becoming your identity, the big question is no longer whether telecom networks need cybersecurity – but whether that security comes at the cost of citizen’s privacy and rights.

Also read: Google Chrome users alert! Govt issues high-risk warning over critical security flaws: How to stay safe