Naavi.org

Following the publication of the draft rules under Section 56 of the Telecommunications Act 2023, on 25th June 2025 and after obtaining public comments, the Ministry of telecommunications has issued the final rule on 22nd October 2025 called ” Telecommunications (Telecom Cyber Security) amendment Rules 2025 which have come into force from October 22nd, 2025.

Most of the provisions of the Telecommunications Act were directed towards licensed Telecommunication companies  (also refer here for details of the Act) . However some parts of the Act applied to OTT platforms and Messaging Platforms.

The Tele Communications Act 2023 which was passed by the Parliament in December 2023 and received presidential assent on December 24, 2023. Some sections of the Act were notified for effect on 26 th June 2024 and More on July 5th 2024.

The compendium rules notified till date are

Now this Notification GSR 771(E) dated 22nd October 2025 which is called Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 brings in further important changes that could impact both ITA 2000 and DPDPA applicability to some entities.

This latest notification should be read with the earlier notification of 21st November 2024.

The rules defines a new entity named TIUE which will be an intermediary under ITA 2000 and Data Fiduciary under DPDPA. It is defined as

“TIUE (telecommunication identifier user entity)‖ means a person, other than a licensee or authorised entity, which uses telecommunication identifiers for the identification of its customers or users, or for provisioning, or delivery of services‘”

Since most services use Mobile Number as an “Identity” parameter,, all such entities would be considered TIUEs. Such entities are already covered under the concept of “Due Diligence” in the Intermediary Guidelines of ITA 2000 or Obligations of Consent under DPDPA, the new rule under Telecommunications act adds another  procedural check point for compliance and hence comes under DGPSI-Full version.

As per the amendments, Government will have powers to “seek data related to telecommunication identifiers used by a TIUE in the form and manner as specified on the portal; “. This will be an add on to Section 69B of ITA 2000.

Government can also direct such TIUEs “to establish necessary infrastructure and equipment for collection and provision of such data from designated points to enable its processing and storage”

The rule “Every telecommunication entity shall ensure compliance with the directions and standards, including timelines for their implementation, as may be issued by the Central Government for the prevention of misuse of telecommunication identifiers or telecommunication equipment or telecommunication network or telecommunication services for ensuring telecom cyber security” will now apply to TIUEs also.

Rule 5(6) which now states “Where the Central Government considers that immediate action under sub-rule (5) is necessary or expedient in the public interest, it shall without issuing a notice under sub-rule (2), pass an order recording the reasons thereof,
with appropriate directions to the telecommunication entity to temporarily suspend use of the relevant telecommunication identifier.”

will be replaced by

―(6) Where the Central Government considers that immediate action under sub-rule (5) is necessary or expedient in the public interest, it shall without issuing a notice under sub-rule (2), pass an order recording the reasons thereof, with appropriate direction—

(a) to the telecommunication entity to temporarily suspend use of the relevant telecommunication identifier; and
(b) to the TIUE to temporarily suspend use of the relevant telecommunication identifier for identification of or for delivery of message or services to its customers or users.‖;

In rule number (8) following clause will be substituted for the existing clause

―Provided that any modification of the order under sub-rule (6) may also include an order directing:
(a) the telecommunication entity to permanently disconnect the use of the relevant
telecommunication identifier as specified under clause (b) of sub-rule (5); and
(b) the TIUE to prohibit or circumscribe the use of relevant telecommunication identifiers for identification of its customers or users, or for delivery of message or services, in the manner as may be specified in such order to enable the reuse of relevant telecommunication identifiers.

This will be  an extension to the powers 69A of ITA 2000.

The rule “The Central Government may, if it considers necessary, or pursuant to any request made by any person providing services that are linked to telecommunication identifiers, share the list of telecommunication identifiers that have been acted upon pursuant to orders under sub-rule (5), or sub-rule (6), or sub-rule (8), or sub-rule (9), with such persons and, by order, direct such persons to also prohibit or circumscribe the use of such telecommunication identifiers for identification of their customers or for delivery of services, in the manner as may be specified in such order.” will now apply to TIUEs

The Government  is also setting up a platform called “MNV Platform” for Mobile number validation to which all authorized entities and licensees need to participate.

An IMEI data base is also mandated to be maintained by all entities engaged in the sale and purchase of telecom equipment.

The MNV will be a “Significant Data Fiduciary” under DPDPA.

A summary of compliance requirements collated by one of the members of FDPPI are as follows:

Security Flag and Suspension Mechanism:
If the government flags a phone number for security reasons, both licensed telecom operators and TIUEs can be ordered to suspend the number’s use, potentially cutting off a user across multiple platforms simultaneously.
Emergency Action Without Prior Notice:
Authorities may act without prior notice in the interest of public safety or security, provided reasons are recorded .
IMEI Verification for Used Mobile Devices:
Buyers and sellers of used mobile phones must verify device IMEIs against a government database.
The database will list tampered, stolen, blacklisted, or fraud-linked devices.
Sale or purchase of blacklisted IMEIs is prohibited.
Device manufacturers cannot reuse existing IMEIs for new or imported devices.
Implementation Modalities Pending:
Financial, procedural, and data submission details (including any fees or portal-based compliance processes) will be defined through a dedicated online portal, which is yet to be launched.
Key Takeaway
The continued inclusion of potential compliance obligations for TIUEs sets a concerning precedent. By linking user verification and suspension powers to phone-number-based identification, the rules effectively extend the telecom cybersecurity framework to digital platforms and internet-based businesses — including those in fintech, e-commerce, OTT, edtech, mobility, logistics etc.
This development raises important questions regarding proportionality, scope, and operational impact for non-licensed entities that rely on mobile numbers for user authentication.

…More  to follow

Naavi

The Meity has released a draft amendment to the Intermediary Guidelines 2021 to further update the ITA 2000 regulations. It is  good to note that MeitY seems to have realized the power of ITA 2000 and bringing in changes silently to the IT environment  in India.

Now the Government has released a  new version of the Intermediary Guidelines 2025 for public comments before November 6.

Some of the envisaged changes are captured here for quick review.

It is important to note that lack of due diligence under Section 79 will expose the Intermediary to whatever consequences arise  out of the said content whether it is a civil liability or a criminal liability. The Criminal liability will further extend to the executives of a company through Section 85.

DGPSI-AI, has already recognized use of AI as significant risk and hence any data fiduciary (whether it is an intermediary or significant intermediary under ITA 2000) will be expected to follow the above due diligence as part of DPDPA compliance.

Naavi

To

All Chief HR Managers
All companies (in India, or operating in India)

The Challenge of Designating DPO for our company

Dear ……………………..

While the Tech and Legal professionals are keenly waiting for the Government to notify DPDPA rules, you are one of the professionals who will suddenly wake up to find an email from your CEO to give your views for designating a DPO for our Company. 

Our ever vigilant Independent Director has already sent me a note on whether we have designated any DPO. Please send me your views in this regard covering the following aspects.

1. Do we mandatorily need a DPO?
2. Do we have in-house resources to designate?
3. To whom shall the DPO report to?
4. Can we shortlist a few of our senior professionals to be considered for this position?
5. What should be the package?
6. Are there persons in our organization who are Techno Legally qualified to be a DPO?
7. Is it sufficient for some body to sit through a Certification training program and be considered having necessary credentials for being a DPO?
8. Have anybody gone through a systematic Certification program with a good evaluation system? 
9. Should we hire from outside and if so, would we be disturbing the harmony of the CxO cadre?
10. Would it be possible to designate  one of our CISO/CRO/CTO/CCO as also a DPO?
11. Can we hire an external DPO?
12. Should we set up a special training for our short listed persons and evaluate them with a rigorous examination?

Looking forward to your quick response before the Board meeting tomorrow. Please check www.fdppi.in for their latest DPO certification program in Mumbai on November 1 and 2 and let me know if we want to depute anybody from our company.

Thanking you in advance

CEO

Imagine you receiving the above email….What would be your response?

Naavi

Government of India
Ministry of Electronics and Information Technology
*****
NOTICE

Subject: Inviting feedback/comments of stakeholders on the Draft amendments to Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 – in relation to synthetically generated information – reg.

Dated: 22nd October, 2025

The Ministry of Electronics and Information Technology invites feedback on the draft amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

The Government of India remains committed to ensuring an Open, Safe, Trusted and Accountable Internet for all users of Internet-enabled services. With the increasing availability of generative AI tools and the resulting proliferation of synthetically generated information (commonly known as deepfakes), the potential for misuse of such technologies to cause user harm, spread misinformation, manipulate elections, or
impersonate individuals has grown significantly.

Recognising these risks, and following extensive public discussions and parliamentary deliberations, MeitY has prepared the present draft amendments to the Information Technology (Intermediary Guidelines  and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”). The draft aims to strengthen due diligence obligations for intermediaries, particularly social media intermediaries (SMIs) and significant social media intermediaries (SSMIs), as well as for platforms that enable the creation or modification of synthetically generated content.

2. The proposed amendments as outlined in the draft notification introduce:

• A clear definition of “synthetically generated information”;
• Labelling and metadata embedding requirements for such information to ensure users can distinguish synthetic from authentic content;
• Visibility and audibility standards requiring that synthetic content be prominently marked, including a minimum 10% visual or initial audio duration coverage; and
• Enhanced verification and declaration obligations for SSMIs, mandating reasonable technical measures to confirm whether uploaded content is synthetically generated and to label it accordingly.

These amendments are intended to promote user awareness, enhance traceability, and ensure accountability while maintaining an enabling environment for innovation in AI-driven technologies.

3. The Draft Notification for amendments, along with an Explanatory Note of the amendments in plain and simple language to facilitate ease of understanding are available on Ministry’s website at the following link:

https://www.meity.gov.in/documents/act-and-policies/amendments-to-the-information-technologyintermediary-guidelines-and-digital-media-ethics-code-rules-2021-it-rules-2021-IjN4QjMtQWa?pageTitle=Amendments-to-the-Information-Technology-(Intermediary-Guidelines-andDigital-Media-Ethics-Code)-Rules,-2021-(IT-Rules,-2021) 

The consolidated text of the IT Rules, 2021 as they would stand after the amendments proposed (with the amendments shown in coloured text) is also placed at above link for ease of reference.

4. The submissions will be held in fiduciary capacity in MeitY and shall not be disclosed to any one at any stage, enabling persons to submit feedback/comments freely without any hesitation.

5. The feedback/comments on the draft rules in a rule wise manner may be submitted by email to itrules.consultation@meity.gov.in in MS Word or PDF format by 6th November, 2025.

Consolidated amended copy of the Guideline

FDPPI is a “Not for Profit” organization by the professionals and for the professionals and always believes in providing more than value for money in its programs.

Since the registered participants  are senior  pros, we need  to accommodate more discussions during the  two day training program for C.DPO.DA. on November 1 and 2. Hence it has  been decided to provide some background videos on DPDPA, DPDPA Rules as well as GDPR.

When the new DPDPA Rules are released, there will be a separate session on the rules online  which could be a three  hour session on a Sunday .

In order to further provide post training engagement, all the participants will be provided with one year complimentary membership of FDPPI worth Rs 6000/-.

Additionally, from out of the participants FDPPI will create two Special Interest Groups one on the New DPDPA Rules so that  the Group could identify the pain points related to different  sectors and create documents that can be shared with the  DPB and MeitY, and the second on evaluation of the Data Discovery, Classification and Consent Management software available for Data Fiduciaries  with reference to DPDPA requirements and generate customization guidelines for the  Data Fiduciaries.

With this unique approach, the C.DPO.DA. program of FDPPI will be unique and  bring   more value.

Details of the program are available below at with registration at www.fdppi.in

Naavi

It is estimated that there are around 5000 active professionals in India who are certified as Lead auditors for conducting ISO 27001 audits. The actual number may be higher and there are a number of persons who are not active as auditors but have gone through the certification process.

With the release of ISO 27701:2025 as a certifiable audit, many of them are now equipping themselves to take up the ISO 27701 audit and there will be many clients in EU who would ask their data processors in India whether they are certified under ISO 27701.

It is therefore time to discuss how companies in India should respond to these queries particularly when the  Indian DPDPA 2023 is getting ready for implementation and professionals need to be ready to be DPOs in India and Data Auditors for Indian Significant Data Fiduciaries.

With the increased use of AI in business, AI related risks for Data Fiduciaries is a reality and the risk is considered unpredictable and therefore significant. Hence the number of Significant Data Fiduciaries in India is likely to be very large and we need thousands of DPOs and  hundreds of Data Auditors.

I therefore urge professionals to think  whether they should no prioritize for Indian DPO training or ISO 27701 training.

At FDPPI, we are interested in making existing ISO 27001 auditors in India to upgrade themselves to be DPDPA auditors first before anything else. It is our desire that during 2026-27, at least 1000 ISO 27001 auditors should be certified as C.DPO.DA. professionals (Certified Data Protection Officer and Data Auditor).

Kindly remember that the foreign vendors who ask us about ISO 27701 audits need to be informed that

1. If I am an Indian Data Processor for a EU Data Controller and am processing the personal data with a GDPR stake, I will take such steps as are necessary to mitigate the risk of GDPR non compliance to levels which are significantly low
2. We shall initiate measures of security which  are recommended under DPDPA to ensure that the risks are reduced substantially which will be suitably insured.

In the meantime train atleast one of your designated DPOs under FDPPI to be a C.DPO.DA. so that you can understand and implement measures to be compliant with the laws of India.

Since getting a ISO 27701 certificate is not an insurance against data risks, the measures to be initiated by us under DPDPA 2023 shall be enough assurance against the risks envisaged for which the vendor is suggesting ISO 27701.

Naavi