Following the publication of the draft rules under Section 56 of the Telecommunications Act 2023, on 25th June 2025 and after obtaining public comments, the Ministry of telecommunications has issued the final rule on 22nd October 2025 called ” Telecommunications (Telecom Cyber Security) amendment Rules 2025 which have come into force from October 22nd, 2025.
Most of the provisions of the Telecommunications Act were directed towards licensed Telecommunication companies (also refer here for details of the Act) . However some parts of the Act applied to OTT platforms and Messaging Platforms.
The Tele Communications Act 2023 which was passed by the Parliament in December 2023 and received presidential assent on December 24, 2023. Some sections of the Act were notified for effect on 26 th June 2024 and More on July 5th 2024.
The compendium rules notified till date are
| S.No | Title | Date | Download |
|---|---|---|---|
| 1 | Gazette Notification of Telecommunications – Telecom Cyber Security – Amendment Rules 2025 | 10/22/2025 |
|
| 2 | Gazette Notification of Declaration of Submarine Cables as Critical Telecommunication Infrastructure | 10/17/2025 |
|
| 3 | Telecommunications Procedures and Safeguards for Lawful Interception of Messages Amendment Rules, 2025 | 09/15/2025 |
|
| 4 | Gazette Notification of declaration of Critical Telecommunication Infrastructure under the Telecommunications Act, 2023 | 07/22/2025 |
|
| 5 | Telecommunications- Removal of Difficulties Amendment Order, 2025 | 07/03/2025 |
|
| 6 | Telecommunications Framework to Notify Standards, Conformity Assessment and Certification Rules, 2025 | 05/21/2025 |
|
| 7 | Gazette Notification regarding Notification of BharatNet as special project under rule 12-1 of the Telecommunications Right of Way Rules, 2024 | 01/06/2025 |
|
| 8 | Telecommunications Procedures and Safeguards for Lawful Interception of Messages Rules, 2024 | 01/03/2025 |
|
| 9 | Telecommunications-Temporary Suspension of Services Rules, 2024 | 11/27/2024 |
|
| 10 | Telecommunications – Critical Telecommunication Infrastructure Rules, 2024 | 11/27/2024 |
|
| 11 | Telecommunications – Telecom Cyber Security Rules, 2024 | 11/27/2024 |
|
| 12 | Gazette Notification of Telecommunications Amateur Services Rules, 2024 | 10/29/2024 |
|
| 13 | Gazette Notification of Telecommunications Commercial Radio Operator Certificate of Proficiency to Operate Global Maritime Distress and Safety System Rules, 2024 | 10/29/2024 |
|
| 14 | Telecommunication Right of way Rules, 2024 | 09/17/2024 |
|
| 15 | Telecommunications Administration of Digital Bharat Nidhi Rules, 2024 | 08/30/2024 |
|
| 16 | THE TELECOMMUNICATIONS ACT, 2023 | 01/01/2024 |
|
Now this Notification GSR 771(E) dated 22nd October 2025 which is called Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 brings in further important changes that could impact both ITA 2000 and DPDPA applicability to some entities.
This latest notification should be read with the earlier notification of 21st November 2024.
The rules defines a new entity named TIUE which will be an intermediary under ITA 2000 and Data Fiduciary under DPDPA. It is defined as
“TIUE (telecommunication identifier user entity)‖ means a person, other than a licensee or authorised entity, which uses telecommunication identifiers for the identification of its customers or users, or for provisioning, or delivery of services‘”
Since most services use Mobile Number as an “Identity” parameter,, all such entities would be considered TIUEs. Such entities are already covered under the concept of “Due Diligence” in the Intermediary Guidelines of ITA 2000 or Obligations of Consent under DPDPA, the new rule under Telecommunications act adds another procedural check point for compliance and hence comes under DGPSI-Full version.
As per the amendments, Government will have powers to “seek data related to telecommunication identifiers used by a TIUE in the form and manner as specified on the portal; “. This will be an add on to Section 69B of ITA 2000.
Government can also direct such TIUEs “to establish necessary infrastructure and equipment for collection and provision of such data from designated points to enable its processing and storage”
The rule “Every telecommunication entity shall ensure compliance with the directions and standards, including timelines for their implementation, as may be issued by the Central Government for the prevention of misuse of telecommunication identifiers or telecommunication equipment or telecommunication network or telecommunication services for ensuring telecom cyber security” will now apply to TIUEs also.
Rule 5(6) which now states “Where the Central Government considers that immediate action under sub-rule (5) is necessary or expedient in the public interest, it shall without issuing a notice under sub-rule (2), pass an order recording the reasons thereof,
with appropriate directions to the telecommunication entity to temporarily suspend use of the relevant telecommunication identifier.”
will be replaced by
―(6) Where the Central Government considers that immediate action under sub-rule (5) is necessary or expedient in the public interest, it shall without issuing a notice under sub-rule (2), pass an order recording the reasons thereof, with appropriate direction—
(a) to the telecommunication entity to temporarily suspend use of the relevant telecommunication identifier; and
(b) to the TIUE to temporarily suspend use of the relevant telecommunication identifier for identification of or for delivery of message or services to its customers or users.‖;
In rule number (8) following clause will be substituted for the existing clause
―Provided that any modification of the order under sub-rule (6) may also include an order directing:
(a) the telecommunication entity to permanently disconnect the use of the relevant
telecommunication identifier as specified under clause (b) of sub-rule (5); and
(b) the TIUE to prohibit or circumscribe the use of relevant telecommunication identifiers for identification of its customers or users, or for delivery of message or services, in the manner as may be specified in such order to enable the reuse of relevant telecommunication identifiers.
This will be an extension to the powers 69A of ITA 2000.
The rule “The Central Government may, if it considers necessary, or pursuant to any request made by any person providing services that are linked to telecommunication identifiers, share the list of telecommunication identifiers that have been acted upon pursuant to orders under sub-rule (5), or sub-rule (6), or sub-rule (8), or sub-rule (9), with such persons and, by order, direct such persons to also prohibit or circumscribe the use of such telecommunication identifiers for identification of their customers or for delivery of services, in the manner as may be specified in such order.” will now apply to TIUEs
The Government is also setting up a platform called “MNV Platform” for Mobile number validation to which all authorized entities and licensees need to participate.
An IMEI data base is also mandated to be maintained by all entities engaged in the sale and purchase of telecom equipment.
The MNV will be a “Significant Data Fiduciary” under DPDPA.
A summary of compliance requirements collated by one of the members of FDPPI are as follows:
Security Flag and Suspension Mechanism:
If the government flags a phone number for security reasons, both licensed telecom operators and TIUEs can be ordered to suspend the number’s use, potentially cutting off a user across multiple platforms simultaneously.
Emergency Action Without Prior Notice:
Authorities may act without prior notice in the interest of public safety or security, provided reasons are recorded .
IMEI Verification for Used Mobile Devices:
Buyers and sellers of used mobile phones must verify device IMEIs against a government database.
The database will list tampered, stolen, blacklisted, or fraud-linked devices.
Sale or purchase of blacklisted IMEIs is prohibited.
Device manufacturers cannot reuse existing IMEIs for new or imported devices.
Implementation Modalities Pending:
Financial, procedural, and data submission details (including any fees or portal-based compliance processes) will be defined through a dedicated online portal, which is yet to be launched.
Key Takeaway
The continued inclusion of potential compliance obligations for TIUEs sets a concerning precedent. By linking user verification and suspension powers to phone-number-based identification, the rules effectively extend the telecom cybersecurity framework to digital platforms and internet-based businesses — including those in fintech, e-commerce, OTT, edtech, mobility, logistics etc.
This development raises important questions regarding proportionality, scope, and operational impact for non-licensed entities that rely on mobile numbers for user authentication.
…More to follow
Naavi
