These guidelines align with those set by CERT-IN in 2022, which already require companies to report cybersecurity breaches within six hours of identification or notification
The Department of Telecommunications (DoT) has issued new cybersecurity regulations requiring telecom companies to report incidents to the government within six hours of detection. These rules, outlined in the Telecom Cyber Security Rules, 2024, under the Telecom Act, also mandate companies to provide further details on the incident’s impact within 24 hours.
These guidelines align with those set by CERT-IN in 2022, which already require companies to report cybersecurity breaches within six hours of identification or notification. The new rules aim to bolster telecom security and ensure timely responses to potential threats.
According to the regulations, telcos must submit detailed information within 24 hours, including the number of users affected, the duration and geographic scope of the incident, the remedial measures taken, and the extent of the disruption to telecommunication services.
The rules also grant the government authority to request traffic data and other relevant information—excluding message content—from telecom companies to protect and enhance cybersecurity. Telecom operators may be directed to establish infrastructure to collect and store such data from designated points as needed.
Another key requirement is the appointment of a Chief Telecommunications Security Officer (CTSO), who must be an Indian citizen and resident. This officer will act as the primary liaison with the government, ensuring compliance with the new rules and overseeing the reporting of security incidents.
Additionally, telecom companies are required to implement a comprehensive cybersecurity policy. This policy must include security safeguards, risk management protocols, staff training, and best practices to strengthen telecom cybersecurity. The policy must also ensure periodic audits, network testing, risk assessments, and proactive identification and prevention of security incidents.
The rules further mandate that telecom operators maintain a rapid response system to address cybersecurity breaches, including mitigation strategies and forensic analysis to minimise the impact of incidents.
For equipment manufacturers, the rules specify that any device with an International Mobile Equipment Identity (IMEI) number must be registered with the government before its sale in India. Similarly, importers must register IMEI numbers for devices brought into India for sale, testing, research, or other purposes prior to import.
These updated regulations underscore the government’s focus on improving cybersecurity in the telecom sector by promoting proactive risk management and ensuring swift responses to potential threats.
