Leading industry bodies, including the Broadband India Forum (BIF), the Internet and Mobile Association of India (IAMAI), NASSCOM, and CUTS International, have voiced serious concerns regarding the Department of Telecommunications (DoT)’s proposed Draft Telecommunication (Telecom Cyber Security) Amendment Rules, 2025. They caution that these draft rules could lead to excessive regulations, increased compliance burdens, and heightened privacy risks for India’s digital economy. The DoT aims to strengthen cyber security and reduce telecom-related fraud with these amendments.
However, industry stakeholders argue that the proposed amendments significantly overstep the legislative scope of the Telecom Act, 2023. A primary concern is the creation of a new category of regulated entities: “Telecommunication Identifier User Entities” (TIUEs). This move would extend telecom regulations to a broad spectrum of non-telecom digital service providers. IAMAI, in its submission, highlights that the proposed definition of TIUEs could bring nearly all digital platforms using mobile numbers – including e-commerce apps, delivery services, digital wallets, and even schools or hospitals – under the purview of telecom regulations.
Echoing similar concerns, BIF contends that the creation and regulation of TIUEs was “not envisaged” in the Telecom Act, 2023. They argue that imposing binding obligations through delegated legislation exceeds constitutional limits. BIF further notes that “TIUEs do not operate at the network layer” and neither assign nor manage telecom identifiers. Consequently, the proposed rules are deemed irrelevant to their operations. The industry bodies believe that the draft rules, in their current form, could stifle innovation and hinder the growth of India’s digital economy.
A central point of contention lies in the broad definition of “telecommunication identifier.” Industry bodies express concerns that the draft rules could interpret this definition so widely that it encompasses virtually any online service that utilises a phone number for user authentication or communication. This expansive interpretation, they argue, would subject a vast array of businesses, far beyond traditional telecom operators, to stringent cyber security regulations and compliance requirements.
Another key provision under scrutiny involves the mandated security practices for TIUEs. The draft rules outline a series of obligations, including implementing robust data encryption, conducting regular security audits, and reporting cyber security incidents to the DoT. Industry representatives argue that these requirements are overly prescriptive and do not adequately consider the diverse nature and risk profiles of different TIUEs. They fear that a one-size-fits-all approach could place an undue burden on smaller businesses and startups, potentially hindering their ability to compete effectively.
Furthermore, the proposed data localisation requirements have raised concerns. The draft rules stipulate that certain categories of user data must be stored within India. While the intent behind this provision is to enhance data security and privacy, industry stakeholders worry about the potential costs and complexities associated with complying with such requirements. They argue that forced data localisation could increase operational expenses, limit access to global cloud services, and potentially fragment the digital ecosystem. These concerns highlight the need for a more nuanced and risk-based approach to data governance.
The potential impacts of these draft rules on India’s digital landscape are significant, according to industry bodies. The primary concern revolves around increased compliance costs. Many smaller companies and start-ups may lack the resources to implement the stringent cyber security measures and reporting mechanisms mandated by the proposed regulations. This could create a barrier to entry, stifling innovation and hindering the growth of the digital economy.
Furthermore, the broadened scope of telecom regulations raises concerns about potential overlaps and inconsistencies with existing legal frameworks, particularly the Information Technology Act, 2000 and the upcoming Digital Personal Data Protection Act, 2023. This regulatory uncertainty could create confusion among businesses and lead to increased litigation. Industry experts suggest that a more harmonised and coordinated approach to cyber security regulation is needed to avoid duplication and ensure clarity.
Another potential impact is on user privacy. The draft rules grant the DoT extensive powers to access and monitor user data for cyber security purposes. While the intention is to protect users from online threats, there are concerns that these powers could be misused or lead to excessive surveillance. Industry bodies emphasise the need for robust safeguards to protect user privacy and ensure transparency in data collection and usage practices. They advocate for a clear and well-defined legal framework that balances the need for cyber security with the fundamental right to privacy.
The industry also fears a chilling effect on foreign investment. The increased regulatory burden and data localisation requirements could make India less attractive as a destination for foreign companies seeking to expand their digital operations. This could have a detrimental impact on India’s competitiveness in the global digital economy. Stakeholders urge the government to carefully consider the potential economic consequences of the draft rules and to engage in meaningful consultations with industry before finalising the regulations. A balanced approach is crucial to fostering a thriving and secure digital ecosystem.