New Delhi [India] July 30 : Leading industry associations including the Broadband India Forum (BIF), Internet and Mobile Association of India (IAMAI), NASSCOM and CUTS International have raised serious concerns over the Department of Telecommunications (DoT) proposed Draft Telecommunication (Telecom Cyber Security) Amendment Rules, 2025, cautioning that the amendments could result in excessive regulation, compliance burden, and privacy risks for India's digital economy.

DoT's draft rules are aimed to strengthen cyber security and reduce telecom-related frauds.

However, industry stakeholders argue that the proposed amendments significantly exceed the legislative scope of the Telecom Act, 2023, by creating a new class of regulated entities -- "Telecommunication Identifier User Entities" (TIUEs) -- and extending telecom regulation to a wide range of non-telecom digital service providers.

IAMAI, in its submission, said the proposed definition of TIUEs would bring nearly all digital platforms using mobile numbers -- including e-commerce apps, delivery services, digital wallets and even schools or hospitals -- under telecom regulations. "This amounts to regulatory overreach and creates a parallel compliance regime with no statutory mandate," it stated.

Echoing similar concerns, BIF argued that the creation and regulation of TIUEs was "not envisaged" in the Telecom Act, 2023 and imposing binding obligations through delegated legislation exceeds constitutional limits. "TIUEs do not operate at the network layer," BIF noted, adding that they neither assign nor manage telecom identifiers, making the proposed rules irrelevant to their operations.

CUTS International went a step further, and said that "every person using a mobile phone can be held responsible for its telecom cyber security," describing the rules as disproportionately expansive and likely to bring thousands of unintended entities under telecom oversight.
Industry stakeholders also flagged overlapping obligations with existing frameworks under the Information Technology Act, RBI, SEBI and IRDAI, stating that this could result in regulatory fragmentation. "Such duplication creates regulatory uncertainty and unnecessary compliance burden on entities impacting ease of doing business." noted BIF.

The proposed Mobile Number Validation (MNV) framework, which mandates digital platforms to verify users' mobile numbers through a centralised system, also criticised for being prohibitively expensive. The draft envisages a fee of Rs 1.5 to Rs 3 per validation request.

IAMAI pointed out that for startups and MSMEs with millions of users, this cost could scale to several million rupees annually.

NASSCOM too highlighted that MNV compliance would necessitate "significant changes" to platform infrastructure and warned of adverse impacts on essential services and user experience. "Such a pricing structure is economically unsustainable," it added.

CUTS cautioned that MNV could be circumvented by fraudsters using SIM-swapped numbers or burner phones, thereby undermining its effectiveness. It also flagged the risk of increased service costs for end-users if platforms pass on the compliance burden.

Both BIF and CUTS also raised privacy concerns over vague provisions allowing government access to user data.

They stressed the absence of safeguards and potential conflicts with the Supreme Court's Puttaswamy judgment on privacy.

The stakeholders urged the DoT to conduct a comprehensive consultation, legal review, and impact assessment before finalising the amendments.