Connect with us

Perspective

India’s new authorisation regime and the DPDP imperative — A twin regulatory reset for the telecom sector

India’s telecom regulatory framework is undergoing its most consequential transformation since the colonial-era Indian Telegraph Act, 1885. With the enactment of the Telecommunications Act, 2023 and the operationalisation of the Digital Personal Data Protection (DPDP) regime, the sector is witnessing a fundamental reset—both in how telecom services and networks are authorised, and how personal data is collected, processed, and protected.

Together, these two developments are redefining regulatory accountability for telecom operators, Virtual Network Operators (VNOs), enterprise communication providers, cloud telephony players, and emerging digital communications platforms.

From licensing to authorisation — A structural shift
For over a century, telecom operations in India were governed through a licence-based model, culminating in the Unified Licence (UL) framework. While effective in its time, the model became increasingly ill-suited for a converged digital ecosystem characterised by cloud networks, CPaaS, UCaaS, satellite communications, IoT, and software-defined infrastructure.

The Telecommunications Act, 2023 replaces this legacy system with a lean, authorisation-based regime. Instead of voluminous licences embedding every operational and financial condition, authorisations now contain only essential permissions. Detailed compliance obligations, security directives, and financial terms are to be prescribed through rules and subordinate legislation.

Crucially, the Act draws a clear regulatory distinction between:

  • Provision of telecommunication services (Section 3(1)(a)), and
  • Establishment and operation of telecommunication networks (Section 3(1)(b)).

This separation formally recognises infrastructure-as-a-service, cloud-hosted networks, and neutral network providers as distinct regulatory actors-an acknowledgement long overdue.

A broader, more granular authorisation framework
Under the new regime, telecom services are categorised into Main, Miscellaneous, and Captive telecommunication service authorisations, alongside a parallel framework for Network Service Authorisations.

Notably, new categories such as Enterprise Communication Service, Cloud-hosted Telecommunication Network (CTN) Provider, and Digital Connectivity Infrastructure Provider (DCIP) directly address business models that were previously operating in regulatory grey zones.

For VNOs and enterprise-focused players, the changes are particularly significant:

  • Category B VNO licences are replaced by Wireline Access Service Authorisation.
  • CPaaS and cloud EPABX providers now have a dedicated Enterprise Communication Service Authorisation, with pan-India service scope and no entry fee.
  • Network-only providers can operate under CTN authorisation without revenue-linked authorisation fees.

Lower entry barriers, expanded service areas, and clearer role demarcation together signal a more facilitative but also more transparent regulatory approach.

Migration — Opportunity with accountability
The Government has also notified detailed migration rules to enable existing licensees to transition to the new framework. While migration is financially neutral in many cases—given adjustment of previously paid entry fees it comes with a critical condition: all existing licences held by an entity must migrate together.

Equally important, migration does not extinguish past liabilities. Outstanding dues, penalties, and compliance obligations continue to apply even after the grant of authorisation. In effect, the new regime simplifies structure, not responsibility.

DPDP rules — Data protection moves from theory to practice
Running parallel to telecom reform is the implementation of the Digital Personal Data Protection framework, with rules notified in November 2025. For telecom entities, this is not a peripheral compliance issue-it strikes at the core of operations.

Telecom service providers and VNOs are unequivocally classified as Data Fiduciaries, given the volume and sensitivity of personal data they process ranging from KYC and billing information to usage records and enterprise user details.

The DPDP rules impose clear obligations:

  • Processing must be based on lawful purpose or valid consent.
  • Reasonable security safeguards are mandatory.
  • Data breach notifications to both customers and the Data Protection Board are compulsory.
  • Defined data retention limits, including a minimum one-year retention even after service termination, must be observed.
  • Enhanced obligations apply to entities designated as Significant Data Fiduciaries, including audits and impact assessments.

Non-compliance carries severe financial exposure, with penalties running up to ₹250 crore.

Telecom law and DPDP — Complementary, not conflicting
A common concern among operators is the perceived overlap between telecom security obligations and DPDP requirements. The rules address this explicitly: where DPDP obligations intersect with telecom or national security mandates, the latter prevail.

In practice, this means DPDP does not dilute lawful interception, KYC, or data retention obligations under telecom law but it does impose discipline, transparency, and accountability around everything else.

Strategic takeaway for the industry
The combined effect of the new authorisation regime and DPDP rules is unmistakable: regulatory compliance is shifting from form-driven licensing to substance-driven governance.

Authorisation choices must now align closely with actual business models. Data protection can no longer be treated as a contractual afterthought or vendor responsibility. Boards and senior management must engage directly with both frameworks, as regulatory exposure is now operational, financial, and reputational.

For the telecom and digital communications sector, this moment represents not just compliance risk, but a strategic inflection point. Those who adapt early structurally and culturally will find the new regime more predictable, scalable, and future-ready than the one it replaces.

Click to comment

You must be logged in to post a comment Login

Leave a Reply

error: Content is protected !!