The Ministry of Communications has released the draft Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 for public consultation, aiming to strengthen India’s digital infrastructure through enhanced cybersecurity mandates. Introduced under the Telecommunications Act, 2023, the amendments propose stricter compliance norms, a centralized Mobile Number Validation (MNV) platform, and broader regulatory oversight across sectors. In an exclusive interaction with Tech Achieve Media, Gaurav Sahay, Founder Partner at Arthashastra Legal, breaks down the key provisions, potential impact on businesses, and the legal challenges that lie ahead.
TAM: What are the key changes proposed in the new telecom cybersecurity rules?
Gaurav Sahay: The changes enhance compliance obligations of the telecom cybersecurity that brings within its purview banks, e-commerce platforms, and other digital service providers, that were previously for most instances outside the ambit of telecom specific cybersecurity regulations. TIUEs are now mandated to implement cybersecurity controls, adopt information security protocols, deploy secure network architecture, establish SOCs, conduct vulnerability assessments, undergo annual audits and appoint CTSO to ensure compliance and serve as a nodal point with DoT. The rules propose for a centralised MNV to be managed by the government that would verify the authenticity and status of telecom licensee records. It also mandates enhanced governance and a national IMEI repository to identify blocked, cloned, or tampered devices. It also reinforces cybersecurity incident reporting obligations.
TAM: How will this improve security or reduce cyber fraud in India’s digital ecosystem?
Gaurav Sahay: It aims to create a multi-layered defence mechanism that addresses user authentication, device security, organizational preparedness, and incident response, thereby significantly enhancing the overall cybersecurity posture of India’s digital ecosystem. This comprehensive approach will not only deter cybercriminals but also boost confidence among users, businesses, and investors in the safety and reliability of India’s digital economy.
TAM: What challenges do you foresee in implementing these new rules across sectors?
Gaurav Sahay: From a legal and governance standpoint, the expanded government powers to access traffic metadata and to suspend or disconnect telecom identifiers may raise questions around due process, proportionality, and oversight. While the rules provide for an opportunity to be heard, the absence of detailed procedural safeguards could lead to concerns about arbitrary enforcement, misuse of power, or conflicts with existing privacy protections under Indian constitutional jurisprudence. The enforcement challenge is further compounded by the absence of sector-specific readiness and harmonisation of standards. Entities regulated under other frameworks.
TAM: How should companies prepare for these new cybersecurity requirements?
Gaurav Sahay: TIUEs must adopt a proactive approach that addresses legal, technical, operational, and governance dimensions that involves a detailed legal and regulatory assessment to understand the new obligations, particularly in relation to existing sector-specific cybersecurity frameworks. Companies must evaluate how the rules intersect with or override current regulatory requirements to avoid conflicting obligations and strengthen the organisation’s cybersecurity policies and align, appoint a CTSO, and update their governance structures with adequate authority and resources to oversee compliance, cybersecurity operations, and regulatory reporting. Companies must evaluate their existing IT systems and make necessary infrastructure investments to enable real-time integration with the MNV platform. Companies must develop incident response plans that meet the mandatory reporting timelines, ensure vendors, partners, and resellers in the value chain also comply with the obligations, with appropriate contractual protections and monitoring mechanisms. Companies must plan for the financial impact of these rules by budgeting for compliance costs in a manner that balances security imperatives with operational practicality.
