Digital industry slams telecom cybersecurity rules for overreach, cost burden and privacy risks

Digital industry slams telecom cybersecurity rules for overreach, cost burden and privacy risks

India’s top digital and technology industry groups have pushed back strongly against the government’s proposed Telecom Cyber Security rules, warning they represent regulatory overreach, impose crushing compliance burdens, and risk infringing user privacy.

Stakeholders have called on the Department of Telecommunications (DoT) to pause and re-evaluate the proposed rules, conduct broader stakeholder consultations, and align the framework with existing laws and global best practices.

In detailed submissions to the Department of Telecommunications (DoT), bodies including the Internet and Mobile Association of India (IAMAI), NASSCOM, Broadband India Forum (BIF), and CUTS International have called for a thorough rethink of the Draft Telecommunication (Telecom Cyber Security) Amendment Rules, 2025.

The rules, they argue, extend well beyond the intended scope of the Telecom Act, blur the lines between telecom and digital services regulation, and threaten to disrupt core digital business operations across the board.

At the centre of the backlash is the proposed introduction of a new category of regulated entities, Telecommunication Identifier User Entities (TIUEs), which would include any business or platform using telecom identifiers like mobile numbers for services or user authentication. Critics say this sweeping definition could rope in everything from food delivery apps and ecommerce platforms to hospitals, schools, and even small offline retailers that collect customer phone numbers.

IAMAI called the move “a clear case of regulatory overreach,” arguing that the telecom regulator has no statutory basis to extend oversight to platforms that neither provide telecom services nor operate telecom infrastructure. “By attempting to bring the entire digital economy under telecom regulation, the proposal amounts to creating a parallel compliance regime with no legal mandate,” IAMAI said in its submission.

NASSCOM added that many digital platforms that would fall under the new rules rely on mobile numbers for essential services like user onboarding and notifications. Subjecting them to telecom-style regulation would impose “significant changes to product design, backend systems and workflows,” and could destabilise services used by millions.

Cost Burden and Redundancy in Regulation

The proposed Mobile Number Validation (MNV) framework has triggered alarm for its pricing model, which requires digital services to validate user mobile numbers through a centralised platform at a per-query cost of Rs 1.5–Rs3. IAMAI noted this was 30 to 60 times higher than the current cost of OTP-based verification.

“For platforms processing millions of transactions or authentications monthly, especially startups and MSMEs, this is economically unsustainable,” NASSCOM warned. CUTS said the cost could end up being passed on to end-users, subtly raising the price of digital services across both urban and rural India.

Multiple submissions also flagged the duplicative nature of the proposed rules, pointing to existing regulations under the Information Technology Act, RBI, SEBI, IRDAI and other sectoral bodies. BIF said the new rules risk “regulatory fragmentation,” undermining India’s push for ease of doing business.

Doubts Over Efficacy and Privacy Safeguards

Several stakeholders also questioned whether the proposed cybersecurity measures would be effective at all in curbing telecom-related fraud. CUTS argued that fraudsters could still bypass MNV checks through SIM swapping or using stolen credentials paired with valid telecom identifiers. Burner phones and compromised SIMs would remain major loopholes, it warned.

Privacy concerns loom large too. The draft rules give the government broad access to “data related to telecommunication identifiers” held by TIUEs, without clearly defining the limits or safeguards. BIF and CUTS said such provisions lack transparency and could enable unlawful data collection, running afoul of constitutional protections affirmed in the Puttaswamy privacy judgment.

“There is no clarity on what data will be shared, how frequently, or what checks exist to prevent misuse. This raises serious concerns about user profiling and privacy violations,” BIF noted.