The draft rules also propose creation of a national International Mobile Equipment Identity (IMEI) database that will list tampered or blocked identifiers; second-hand mobile resellers will need to check this list before every sale, paying Rs 10 per IMEI. IMEI numbers are unique serial numbers attached to phones and other personal electronics that use SIM cards.
ALSO READIndia risks $11 bn hit if Russian crude access tightens
l Increased cost of user verification
THE PROPOSED MOBILE Number Validation (MNV) system imposes additional costs that are likely to be untenable for startups and MSMEs. “The proposed fee of Rs 1.5-3 per verification request via the MNV platform is nearly 30 to 60 times higher than the prevailing cost of existing one-time password (OTP)-based verification, which is basically under Rs 0.1 per request,” IT body NASSCOM said in a letter to DoT. Platforms which handle millions of authentications each month may incorporate these expenses into their pricing models, subtly raising the cost of access for users. For example, if 10% of Zomato’s ~4.39 million daily users require validation, it can cost Rs 24 crore each year.
Further, since MNV doesn’t stop issues like SIM-swapping or spoofing, it adds cost without delivering proportionate security improvements.
l Fears of regulatory overreach
THE MOVE TO bring in every kind of entity that uses mobile numbers for user identification under the ambit of the telecom cyber security rules has raised alarm. This classification is excessively wide and vague, say industry bodies, as it brings non-telecom digital entities under the ambit of telecom regulation for the first time. Many of them do not operate or manage telecom infrastructure and are already supervised by other sectoral regulators such as the Reserve Bank of India, Securities & Exchange Board of India, or the ministry of electronics and information technology.
The Internet and Mobile Association of India (IAMAI) has said that the inclusion of digital businesses under the proposed amendments are in violation of the scope of the Telecom Act and amounts to regulatory overreach. Directing OTT platforms to suspend the use of specific telecom identifiers for user identification or service delivery without prior notice to the user could result in “arbitrary and unjustified user deactivation and service discontinuity, leading to business disruption, commercial loss and customer dissatisfaction,” the body wrote its submission to the telecom department.
l IMEI controls may duplicate regulation
THE PROPOSED CREATION of a national IMEI database for tampered or restricted devices raises concerns of over-delegation without clear statutory backing. It shifts the regulatory approach from pre-sale checks to intensive post-market surveillance, placing significant compliance burdens on fragmented, small-scale sellers. Without proper legal safeguards, this system risks duplicating regulation and becoming logistically unviable. Similarly, IMEI-based controls may fall short in tackling fraud involving low-cost burner phones, designed for temporary use,which often carry valid, non-tampered identifiers. Since these devices don’t trigger tampering alerts, they can easily bypass detection.
ALSO READTariff turbulence for markets: Experts
l How to ensure a safer digital economy
DESPITE THE CRITICISM, stakeholders agree that the intent behind the draft rules is legitimate—enhancing cybersecurity, reducing fraud, and improving user trust in digital platforms. If the rules are refined to reflect stakeholder feedback, they could play a constructive role in India’s digital future. For instance, tiered compliance obligations based on the size and risk profile of TIUEs could make the system more proportionate and fair. Sandboxed or phased rollouts may also help mitigate disruption while still testing security protocols. Alongside, by clarifying data protection safeguards and aligning with existing privacy laws, the government could balance its fraud-prevention goals with constitutional rights. There is merit in pursuing centralised mechanisms to flag compromised identifiers—if implemented with strong oversight. If recalibrated carefully, the rules could serve as a foundational framework for digital safety, helping India lead in secure and inclusive digital transformation.