The government emphasised that collected data would be safeguarded against unauthorised access
The government has introduced new telecom cybersecurity rules aimed at bolstering the security of India’s communication networks and services. These regulations outline stringent measures for telecom operators, including timelines for reporting security incidents, mandatory disclosures, and the adoption of a comprehensive cybersecurity policy.
The rules empower the central government or its authorised agencies to request traffic data and other non-content-related information from telecom entities to ensure cybersecurity. Telecom operators must also implement policies encompassing security safeguards, risk management strategies, training programmes, network testing, and risk assessments.
The government emphasised that collected data would be safeguarded against unauthorised access. “The central government, or any agency authorised by it, may… seek from a telecommunication entity traffic data and any other data, other than the content of messages… and direct the establishment of necessary infrastructure and equipment for collection and provision of such data from designated points,” the notification stated.
Authorities collecting data under the new rules and those with access to it are required to implement robust safeguards to maintain strict confidentiality, preventing any misuse or unauthorised access.
Key Obligations For Telecom Entities
The rules outline several obligations for telecom operators to enhance cybersecurity. Telecom entities are prohibited from engaging in activities that could compromise telecom security, such as misusing equipment, transmitting fraudulent messages, or engaging in activities contrary to prevailing laws.
The rules mandate the adoption of a telecom cybersecurity policy incorporating measures for network testing, vulnerability assessments, and rapid action systems to handle security incidents. Such policies must also include forensic analyses to learn from incidents and strengthen future safeguards.
Reporting & Incident Management
Telecom operators are required to appoint a Chief Telecommunication Security Officer (CTSO) responsible for overseeing cybersecurity measures. Security incidents must be reported to the central government within six hours of detection. Reports should include details about the affected system and a comprehensive analysis, including the number of users impacted, the duration and geographical extent of the disruption, and remedial measures.
Within 24 hours of becoming aware of an incident, telecom entities must provide additional details, including the impact on network functioning and the measures taken to address the issue.
Equipment Registration & Compliance
Manufacturers of equipment with International Mobile Equipment Identity (IMEI) numbers must register these with the government before the first sale of such devices in India.
The rules define a telecommunications entity as any individual or organisation providing telecom services or managing a telecom network, including those holding necessary authorisations.
These regulations are expected to create a robust cybersecurity framework for India’s rapidly expanding telecommunications sector, ensuring the safety of users and the resilience of the nation’s critical communication infrastructure.
