
The Unique Identification Authority of India (UIDAI) has issued updated guidelines on the hosting of Aadhaar Data Vaults, Hardware Security Modules, and applications handling Aadhaar authentication transactions via Circular No. 8 of 2025 (dated 18/07/2025). These updates continue from earlier directives published on July 25, 2017 (Circular No. 11020/205/2017-UIDAI (Auth-I)) and June 22, 2017 (Circular No. 11020/204/2017-UIDAI (Auth-I)).
Effective immediately, these mandates aim to strengthen the security of Aadhaar data amid growing cyber risks, directly impacting Regulated Entities (REs) and Authentication Service Agencies (ASAs) that manage sensitive identity information.
While the changes may appear technical at first, they have a direct impact on how organisations handle identity verification, data storage, and cryptographic processes. With stricter requirements for encryption, audits, and access controls, REs must adapt quickly to preserve trust and ensure continuity in their digital services.
Core Updates: Why These Guidelines Reshape Aadhaar Compliance
UIDAI’s revised directives focus on secure storage, cryptographic operations, and application hosting, leaving no room for non-compliance. Here’s what REs and ASAs need to know:
1. Mandatory Aadhaar Data Vault (ADV)
All REs storing Aadhaar numbers, UID Tokens, or related eKYC data (e.g., demographic details) must implement an ADV. Storing such data outside the vault, including raw inputs from authentication requests, is strictly prohibited. This implies that ADV must be implemented not only by local AUA entities but also by Sub-AUA entities.
2. Hosting Options
UIDAI mandates that ADV be hosted in a secure and compliant environment, and permits REs to select from the hosting options specified below:
- On-premises hosting within the DC / DR setup of RE.
- On a MeitY-empanelled Government Community Cloud (GCC) platform.
- Via ADV-as-a-service from a compliant provider.
3. Cloud Compliance
For GCC or ADV as-a-service setups, annual SOC 2 Type II audits are mandatory to ensure robust infrastructure.
The scope of this notification extends to the following areas:
- Functional mandates governing ADV deployment
- Functional mandates governing HSM usage
- Functional mandates governing authentication applications
Functional Mandates related to ADV Deployment & its Implications
Outlined below are the techno-functional mandates applicable to REs, along with their corresponding implications for implementation prerequisites:
1. ADV setup of RE must be logically segregated
Implications for RE: REs opting for ADV as-a-service must ensure that their ADV instance is logically segregated from other instances by the service provider.
2. Usage of AES-256 or stronger encryption
Implications for RE: Self-explanatory.
3. Mandatory deployment of ADV in HA mode
Implications for RE: REs must ensure that the service provider implements a segregated ADV instance in both primary and secondary environments, synchronised in real time to guarantee High Availability (HA).
4. Usage of robust IAM
Implications for RE: REs must ensure that permitted applications access the ADV only through secure APIs or microservices, subject to multi-level checks such as multi-factor authentication and robust Identity and Access Management (IAM). REs must also ensure that all access activities are logged and monitored to prevent unauthorised access.
Functional Mandates related to Hardware Security Module (HSM)
The functional mandates related to the mandatory usage of Hardware Security Modules (HSMs) for cryptographic operations, along with the corresponding implications on implementation prerequisites for REs, are as follows:
HSMs must be:
1. FIPS 140-2 Level 3 certified or higher
Implications for RE: UIDAI has now clearly defined the minimum security requirement for the cryptographic hardware: HSMs certified below Federal Information Processing Standard (FIPS) 140-2 Level 3 will be treated as non-compliant.
2. Logically isolated
Implications for RE: REs using HSM as-a-service must ensure the following:
- The service provider must provide a dedicated HSM partition or slot (sometimes called a logical partition) to the RE.
- Encryption keys of REs must be kept in a separate partition and must not be stored or processed together with another entity’s keys.
- The service provider offering HSM as-a-service may share the physical HSM across multiple clients (multi-tenant). However, logical isolation must be implemented for each entity to ensure cryptographic separation.
3. Capable of key generation, secure storage, multi-factor access, and audit logging
Implications for RE: Self-explanatory.
4. Equipped with key rotation and anti-tampering mechanisms
Implications for RE: Self-explanatory.
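As an added illustration of ADV mandates 2 and 4 above (AES-256 encryption at rest, access only through an API gated by permitted-application checks, with every access logged) and of the key-rotation requirement in HSM mandate 4, here is a small Go model of a vault. It is example code written for this page, not ECS's ADV product or any UIDAI reference implementation. It assumes a hypothetical Vault API (Store, Retrieve, RotateKey, KeyVersion) and keeps keys in process memory, where a compliant deployment would keep them inside a dedicated HSM partition; the permitted-application list, the 12-digit number and the application names are constructed placeholders. Callers receive only an opaque reference token, which is what their own databases store instead of the Aadhaar number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"time"
)

// record is one vaulted Aadhaar number: AES-256-GCM ciphertext plus the key
// version that produced it, so rotation can find and re-encrypt old records.
type record struct {
	keyVersion int
	nonce      []byte
	ciphertext []byte
}

// AuditEntry is one line of the access log the IAM mandate requires; denied
// attempts are logged too, since those are what monitoring needs to see.
type AuditEntry struct {
	When    time.Time
	Caller  string
	Action  string
	Token   string
	Allowed bool
}

// Vault models an ADV: versioned 256-bit keys (stand-ins for HSM-held keys),
// records addressed by reference token, and an allow-list of applications.
type Vault struct {
	keys    map[int][]byte
	current int
	records map[string]*record
	allowed map[string]bool
	Audit   []AuditEntry
}

// Basic format check only (12 digits); constructed for this example, no checksum.
var aadhaarRe = regexp.MustCompile(`^[0-9]{12}$`)

func NewVault(permittedApps []string) (*Vault, error) {
	v := &Vault{keys: map[int][]byte{}, records: map[string]*record{}, allowed: map[string]bool{}}
	for _, a := range permittedApps {
		v.allowed[a] = true
	}
	return v, v.RotateKey() // first rotation installs key version 1
}

// RotateKey installs a fresh AES-256 key, re-encrypts every record under it and
// then retires the old key, so no stored data depends on a retired key.
func (v *Vault) RotateKey() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	v.current++
	v.keys[v.current] = key
	for tok, r := range v.records {
		plain, err := v.open(r)
		if err != nil {
			return err
		}
		if v.records[tok], err = v.seal(plain); err != nil {
			return err
		}
	}
	for ver := range v.keys {
		if ver != v.current {
			delete(v.keys, ver)
		}
	}
	return nil
}

func (v *Vault) gcm(version int) (cipher.AEAD, error) {
	key, ok := v.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d is retired", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (v *Vault) seal(plain []byte) (*record, error) {
	g, err := v.gcm(v.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &record{keyVersion: v.current, nonce: nonce, ciphertext: g.Seal(nil, nonce, plain, nil)}, nil
}

func (v *Vault) open(r *record) ([]byte, error) {
	g, err := v.gcm(r.keyVersion)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.nonce, r.ciphertext, nil)
}

func (v *Vault) log(caller, action, token string, allowed bool) {
	v.Audit = append(v.Audit, AuditEntry{time.Now(), caller, action, token, allowed})
}

// Store vaults a number and returns an opaque reference token for the caller to keep.
func (v *Vault) Store(caller, aadhaar string) (string, error) {
	if !v.allowed[caller] {
		v.log(caller, "store", "", false)
		return "", errors.New("caller not permitted")
	}
	if !aadhaarRe.MatchString(aadhaar) {
		return "", errors.New("input is not a 12-digit number")
	}
	r, err := v.seal([]byte(aadhaar))
	if err != nil {
		return "", err
	}
	tb := make([]byte, 16)
	if _, err := rand.Read(tb); err != nil {
		return "", err
	}
	token := hex.EncodeToString(tb)
	v.records[token] = r
	v.log(caller, "store", token, true)
	return token, nil
}

// Retrieve decrypts the record behind a token for a permitted caller only.
func (v *Vault) Retrieve(caller, token string) (string, error) {
	r, ok := v.records[token]
	if !v.allowed[caller] || !ok {
		v.log(caller, "retrieve", token, false)
		return "", errors.New("access denied or unknown token")
	}
	plain, err := v.open(r)
	if err != nil {
		return "", err
	}
	v.log(caller, "retrieve", token, true)
	return string(plain), nil
}

// KeyVersion reports which key version protects a token's record (-1 if unknown).
func (v *Vault) KeyVersion(token string) int {
	if r, ok := v.records[token]; ok {
		return r.keyVersion
	}
	return -1
}

func main() {
	v, _ := NewVault([]string{"kyc-portal"})
	tok, _ := v.Store("kyc-portal", "234567890123") // constructed placeholder, not a real number
	_ = v.RotateKey()
	num, _ := v.Retrieve("kyc-portal", tok)
	_, err := v.Retrieve("rogue-app", tok)
	fmt.Printf("token=%s readable-after-rotation=%v rogue=%v audit=%d\n", tok, num == "234567890123", err, len(v.Audit))
}
```

The point of the key-version field is operational: rotation re-encrypts every record before the old key is deleted, so a rotation can run during service hours without a record ever becoming unreadable, which is the continuity property the guidelines care about; in a real deployment the seal and open calls would be HSM operations against the RE's own partition rather than in-memory AES.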
Authentication Applications
The regulation states that “Aadhaar Authentication Applications or any module handling Aadhaar Authentication Data shall only be hosted on-premises or on MeitY-empanelled Cloud, as listed at https://www.ambud.meity.gov.in.”
Implications for REs: All REs intending to integrate Aadhaar KYC functionality with their customer or agent-facing platforms (such as websites, FOS apps, LOS apps, etc.) must not host these applications on non-MeitY cloud environments such as AWS, Azure, GCP, IBM Cloud, or Oracle Cloud.
These rules, approved by UIDAI’s competent authority, require immediate compliance to safeguard Aadhaar data and ensure service continuity.
Why Compliance with UIDAI’s New Rules Is Non-Negotiable for REs
1. Operational Continuity
Failure to implement compliant ADVs, host peripheral applications on MeitY-compliant cloud, and use HSMs for cryptographic operations could halt critical identity verification processes. This may affect customer onboarding and service delivery, and UIDAI may not renew the AUA / Sub-AUA licence of non-compliant entities.
2. Regulatory Penalties
Non-compliance with UIDAI’s security and privacy protocols may result in fines and reputational damage due to violations of the Aadhaar Act and related UIDAI directives.
3. Security Vulnerabilities
Inadequate encryption or the use of suboptimal access control policies increases the risk of cyber threats, exposing sensitive Aadhaar data.
4. Cost and Complexity
Setting up compliant infrastructure, conducting audits, and ensuring scalability require significant investment and expertise.
How REs Can Stay Ahead of the Curve
This is not a distant regulatory horizon; it is actionable now, with potential disruptions for non-compliant setups. Here is a step-by-step roadmap to begin and ensure compliance:
1. Audit Your Current Infrastructure
Review where your ADVs, HSMs, and Aadhaar Authentication Applications are hosted today. Identify gaps in encryption, audits, or hosting to prioritise fixes.
2. Sign Up for ADV as-a-Service
Engage a reliable and credible service provider offering ADV as-a-service and integrate ADV with your KYC platform at the earliest opportunity.
3. Migrate Aadhaar Authentication Applications to MeitY Certified Cloud
REs with AUA / Sub-AUA licences, or those intending to obtain them, should migrate their Aadhaar Authentication Applications to MeitY-certified cloud environments to ensure regulatory compliance.
4. Implement Aadhaar Fraud Management Module
REs with AUA / Sub-AUA licences, or those planning to obtain them, must implement the Aadhaar Fraud Management Module as mandated by UIDAI.
5. Ramp Up Security and Compliance
Integrate HA/DR, IAM, and monitoring tools. Schedule your first SOC 2 audit if going cloud-based and test key rotation processes.
6. Train and Document
Update your teams on these protocols and refresh compliance documentation. Simulate scenarios to ensure smooth authentication flows.
By acting proactively, REs can turn these mandates into strengths, enhancing data resilience, regulatory compliance, and customer confidence.
Summing Up
At ECS, we view UIDAI’s updated guidelines as an opportunity for Regulated Entities (REs) to streamline Aadhaar data management and enhance security. With our expertise in Aadhaar-based digital identity solutions, we provide end-to-end support to help REs achieve seamless compliance with UIDAI’s evolving mandates.
With ECS’s native Aadhaar Data Vault (ADV) and Aadhaar Data Vault as-a-Service (ADVAAS), you get:
• Flexible Hosting Options: Deploy on your DC, DR, or cloud infrastructure with seamless HSM integration.
• Comprehensive Aadhaar Data Control: Securely vault Aadhaar numbers, UID tokens, and related documents.
• Automated Key Management: Rotate encryption and decryption keys without operational downtime.
• Multi-Database Compatibility: Supports Oracle, MS SQL, MySQL, and MongoDB.
• Scalable Architecture: Enables horizontal and vertical scaling with HA compliance.
• Full UIDAI Alignment: Meets all technical and functional requirements under the latest guidelines.
In addition to the ADV application, ECS also offers a fully compliant Aadhaar Fraud Management Module to help REs comply with UIDAI directives.
To meet UIDAI’s requirements while streamlining processes, reducing costs, and building trust through secure Aadhaar data management, please contact our colleague Amit Joshi at 9820875525 / 7208155528 or via email at amit@eastcs.com.