Media Nama: National: Thursday, 25 September 2025.
The government should not
include the misuse of telecommunication services and identifiers within the
scope of the Telecom Cybersecurity rules, Reliance Jio had said in its comments
to the Department of Telecommunications (DoT). MediaNama had filed an RTI
seeking comments the government received on draft rules in 2024, but the
government only sent a response in August this year, much after it finalised
the rules.
“Any rules framed under Section 22(1) and Section 56(2)(v) [of the Telecommunication Act, 2023] must be strictly limited to the protection and cybersecurity of telecommunication networks and telecommunication services as defined by the Act,” Jio argued. For context, both Section 22(1) and Section 56(2)(v) of the Act give the government powers to make rules to protect telecom cybersecurity. Jio noted that the draft rules, which sought to prevent misuse of telecom services (such as fraud, impersonation, or cheating), went beyond the legislative scope of the Act by addressing broader issues.
The draft rules had stated that telcos must establish security operations centres (SOCs), either independently or in collaboration with each other, within a specified time period to monitor telecom cybersecurity incidents, attempts, and misuse of telecom services/networks. Jio explained that the concept of telecom service misuse includes information at the application layer, which is beyond the control of the telecom service provider. “Any requirement to be fulfilled by the SOC must be based on technical feasibility. This will ensure that TSPs (telecom service providers) are not held responsible for incidents that cannot be monitored or controlled by them,” Jio argued.
How did the government address this concern?
The government exempted SOCs from the responsibility of monitoring telecom service misuse under the notified rules. However, the DoT has since clarified that these rules serve as an overarching framework for telecom cybersecurity, covering telecom service providers as well as users misusing telecom resources (e.g., for digital fraud or other unlawful activities).
Further, the government addressed the technical feasibility issue in a draft amendment to the notified rules this year. These amendments introduce a new entity category within the scope of the rules called Telecom Identifier User Entities (TIUEs). These TIUEs will have to collect and share telecom identifier data with the central government, and the government may also require them to validate telecom identifiers using a government-run Mobile Number Validation (MNV) Platform. Through this amendment, the government appears to be shifting responsibility from telcos to TIUEs.
Other significant comments on the draft rules:
Don’t include spam within the scope of rules:
The draft rules stated that the DoT can take action against anyone who uses telecom services for purposes contrary to any provision of law in force. Airtel, in its comments, argued that the government should not include unsolicited commercial communication (UCC, spam) under these rules. It explained that the Telecom Regulatory Authority of India’s (TRAI) regulations already include measures to curb and penalise spam. The DoT did not include any such spam-related clarification within the notified rules. Jio had also raised concerns about the provision allowing the government to penalise people for using telecom services against laws in force, stating that this is not related to the objectives of cybersecurity as set out under the Telecom Act.
Limit the record-keeping timeline:
In both the draft and the notified rules, the government says it will specify the timeline for which telecom companies must maintain records/logs pertaining to security incidents or breaches. Vodafone Idea (Vi) suggested that the government should provide a clear duration for maintaining these logs within the rules themselves, in the interest of transparency. Vi recommended that the government require telcos to maintain logs for a period of six months to ensure that the record-keeping requirements are manageable.
Do not enforce permanent suspensions on specific telecom identifiers:
Jio argued that telecom identifiers are a limited resource, and any prohibition on their use could lead to wastage. As such, it urged the government to delete the provision allowing it to prevent services relying on telecom identifiers from using the identifiers it had acted upon for customer identification or service delivery.
On a similar note, telecom industry body Cellular Operators Association of India (COAI) pushed back against the DoT’s restriction on the re-issuance of suspended telecom identifiers for a period of 1–3 years, if the use of these identifiers endangered telecom cybersecurity. “Blocking telecommunication identifiers for a period of one year can contribute to the exhaustion of available identifiers, especially as the number of connected devices continues to grow,” COAI explained. It argued that the government should allow telcos to reallocate such identifiers after a period of 90 days. Both these provisions remain in the notified rules without any changes.
Note: Made changes in the first paragraph at 15:15 on 24/09/2025 after discussion with the editor to make it more comprehensive.
“Any rules framed under Section 22(1) and Section 56(2)(v) [of the Telecommunication Act, 2023] must be strictly limited to the protection and cybersecurity of telecommunication networks and telecommunication services as defined by the Act,” Jio argued. For context, both Section 22(1) and Section 56(2)(v) of the Act give the government powers to make rules to protect telecom cybersecurity. Jio noted that the draft rules, which sought to prevent misuse of telecom services (such as fraud, impersonation, or cheating), went beyond the legislative scope of the Act by addressing broader issues.
The draft rules had stated that telcos must establish security operations centres (SOCs), either independently or in collaboration with each other, within a specified time period to monitor telecom cybersecurity incidents, attempts, and misuse of telecom services/networks. Jio explained that the concept of telecom service misuse includes information at the application layer, which is beyond the control of the telecom service provider. “Any requirement to be fulfilled by the SOC must be based on technical feasibility. This will ensure that TSPs (telecom service providers) are not held responsible for incidents that cannot be monitored or controlled by them,” Jio argued.
How did the government address this concern?
The government exempted SOCs from the responsibility of monitoring telecom service misuse under the notified rules. However, the DoT has since clarified that these rules serve as an overarching framework for telecom cybersecurity, covering telecom service providers as well as users misusing telecom resources (e.g., for digital fraud or other unlawful activities).
Further, the government addressed the technical feasibility issue in a draft amendment to the notified rules this year. These amendments introduce a new entity category within the scope of the rules called Telecom Identifier User Entities (TIUEs). These TIUEs will have to collect and share telecom identifier data with the central government, and the government may also require them to validate telecom identifiers using a government-run Mobile Number Validation (MNV) Platform. Through this amendment, the government appears to be shifting responsibility from telcos to TIUEs.
Other significant comments on the draft rules:
Don’t include spam within the scope of rules:
The draft rules stated that the DoT can take action against anyone who uses telecom services for purposes contrary to any provision of law in force. Airtel, in its comments, argued that the government should not include unsolicited commercial communication (UCC, spam) under these rules. It explained that the Telecom Regulatory Authority of India’s (TRAI) regulations already include measures to curb and penalise spam. The DoT did not include any such spam-related clarification within the notified rules. Jio had also raised concerns about the provision allowing the government to penalise people for using telecom services against laws in force, stating that this is not related to the objectives of cybersecurity as set out under the Telecom Act.
Limit the record-keeping timeline:
In both the draft and the notified rules, the government says it will specify the timeline for which telecom companies must maintain records/logs pertaining to security incidents or breaches. Vodafone Idea (Vi) suggested that the government should provide a clear duration for maintaining these logs within the rules themselves, in the interest of transparency. Vi recommended that the government require telcos to maintain logs for a period of six months to ensure that the record-keeping requirements are manageable.
Do not enforce permanent suspensions on specific telecom identifiers:
Jio argued that telecom identifiers are a limited resource, and any prohibition on their use could lead to wastage. As such, it urged the government to delete the provision allowing it to prevent services relying on telecom identifiers from using the identifiers it had acted upon for customer identification or service delivery.
On a similar note, telecom industry body Cellular Operators Association of India (COAI) pushed back against the DoT’s restriction on the re-issuance of suspended telecom identifiers for a period of 1–3 years, if the use of these identifiers endangered telecom cybersecurity. “Blocking telecommunication identifiers for a period of one year can contribute to the exhaustion of available identifiers, especially as the number of connected devices continues to grow,” COAI explained. It argued that the government should allow telcos to reallocate such identifiers after a period of 90 days. Both these provisions remain in the notified rules without any changes.
Note: Made changes in the first paragraph at 15:15 on 24/09/2025 after discussion with the editor to make it more comprehensive.
.JPG)
.JPG)
