- The Telecommunications (Telecom Cyber Security) Rules, 2024 require telecom entities to report cybersecurity incidents within 6 hours and provide full details within 24 hours.
- A 2025–26 amendment adds a centralised Mobile Number Verification platform and a new compliance category: Telecommunication Identifier User Entities (TIUEs).
- This isn't just a "telecom company" problem — any business using telecom identifiers for customer verification may now fall under TIUE obligations.
If your business verifies customers using their mobile number — OTPs, SMS logins, app onboarding — a rule change most companies haven't read yet may now apply to you. India's telecom cybersecurity framework just expanded, and the compliance clock is shorter than almost any other regulation in the country.
Table of Contents
- What Do the Telecom Cyber Security Rules Actually Require?
- Who Is a "Telecommunication Identifier User Entity" and Why Does It Matter?
- What Should a Compliant Business Be Doing Right Now?
- Key Takeaways
- Frequently Asked Questions
- How iTechFixr Can Help
What Do the Telecom Cyber Security Rules Actually Require?
The Telecommunications (Telecom Cyber Security) Rules, 2024, notified under the Telecommunications Act, 2023, require telecom entities to report any cybersecurity incident to the government within six hours of detection, followed by a fuller description within 24 hours.
This is one of the tightest breach-reporting windows in the world — global comparisons like the EU's GDPR and US critical-infrastructure rules typically allow 72 hours. Beyond reporting, every telecom entity must adopt a documented cybersecurity policy covering risk management, staff training, network testing, and ongoing risk assessment, and must appoint a Chief Telecommunication Security Officer who is an Indian citizen and resident, reporting directly to the board. The rules also empower the government to temporarily suspend or permanently disconnect a telecom identifier (a phone number or similar) where it's found to endanger telecom cyber security through fraud, impersonation, or fraudulent messaging. Industry bodies like the Internet Freedom Foundation have flagged the six-hour window as genuinely difficult to operationalise without mature detection and escalation processes already in place — which is exactly why getting ahead of this now, rather than scrambling during an actual incident, matters.
Who Is a "Telecommunication Identifier User Entity" and Why Does It Matter?
A recent amendment to the Cyber Security Rules creates a new category called Telecommunication Identifier User Entities (TIUEs) — non-licensed businesses that use telecom identifiers like mobile numbers to identify customers or deliver services — and requires them to verify customer numbers through a new centralised Mobile Number Verification (MNV) platform.
This is the part most businesses outside the telecom sector are missing. You don't need to be a telecom operator to be caught by this. If your platform uses mobile-number-based login, OTP verification, or SMS-based identity checks as part of onboarding — which describes a huge share of Indian fintech, SaaS, e-commerce, and even healthcare-tech platforms — you may qualify as a TIUE and carry verification obligations under the MNV framework. The amendment was introduced specifically to close a gap where fraud and impersonation were happening through legitimate-looking services that relied on telecom identifiers without verifying them properly. In our compliance reviews for clients across the Pune-Pimpri-Chinchwad corridor, this is the single most common surprise: businesses that assumed telecom cybersecurity regulation was someone else's problem, only to find their customer-verification flow puts them squarely inside the new TIUE definition.
What Should a Compliant Business Be Doing Right Now?
Compliance starts with an honest classification exercise: determine whether your business is a telecom entity, a TIUE, or neither, then build your incident detection and reporting workflow around whichever six-or-24-hour clock applies to you.
1. Classify your obligation status first. Map every place your product uses a telecom identifier for verification or service delivery, and check it against the TIUE definition before assuming you're exempt.
2. Build a six-hour detection-to-report pipeline. This isn't a policy document exercise — it requires your monitoring, escalation, and decision-making chain to genuinely function inside six hours, which means rehearsing it, not just writing it down.
3. Appoint and document a security ownership role. Even outside the formal CTSO requirement for licensed telecom entities, having one accountable, board-visible owner for telecom-identifier security closes the most common compliance gap we see in audits.
4. Align with existing CERT-In obligations. CERT-In's own six-hour reporting requirement for broader cybersecurity incidents already set this precedent in India — businesses that built CERT-In-compliant processes will find Telecom Cyber Security Rules compliance considerably easier to layer on top.
5. Re-examine third-party and vendor verification flows. If you outsource SMS/OTP verification to a vendor, your compliance obligation doesn't disappear with the outsourcing — confirm contractually that your vendor meets MNV platform requirements.
Key Takeaways
- Don't assume telecom cybersecurity rules don't apply to you — if you verify customers via mobile number, check the TIUE definition carefully.
- Six hours is the real compliance bar, not 24 — build your detection pipeline to that tighter number.
- CERT-In's existing six-hour reporting framework is a useful template if you're starting from scratch.
- Review vendor contracts for SMS/OTP verification now; outsourcing the function doesn't outsource the compliance obligation.
Frequently Asked Questions
Q: Does my SaaS business count as a telecom entity under these rules?
A: Not automatically — but if your onboarding or login flow uses mobile number-based verification or OTPs, you may fall under the new TIUE category, which carries its own verification obligations through the Mobile Number Verification platform. It's worth a formal classification check rather than assuming either way.
Q: How does the six-hour reporting window compare to other regulations I might already follow?
A: It's stricter than most. CERT-In's existing cybersecurity incident rules also use a six-hour window, so if you're already CERT-In compliant, you have a head start. GDPR and most international frameworks allow up to 72 hours, which is why many Indian businesses underestimate how fast this clock actually moves.
Q: What happens if a business doesn't comply with the Telecom Cyber Security Rules?
A: The rules give the government authority to suspend or disconnect non-compliant telecom identifiers, alongside standard regulatory penalties. For TIUEs specifically, failing to verify customer identifiers through the MNV platform creates both a compliance and a fraud-liability exposure — something iTechFixr increasingly flags in client compliance reviews.
How iTechFixr Can Help
Need a compliance-ready risk framework? Let's map your gaps together. iTechFixr helps businesses determine their exact obligation status under the Telecom Cyber Security Rules and builds the detection-to-reporting pipeline needed to genuinely meet the six-hour window — not just document it on paper.