The Department of Telecommunications (DoT) has notified the Telecom Cyber Security Rules, 2024, which now require all telecom entities to report any cybersecurity incidents to the central government within six hours of becoming aware of them. This regulation aims to enhance the country’s cybersecurity framework and ensure a swift response to incidents that pose risks to telecom networks and services.
The new rules, effective immediately, are in line with similar measures taken by the government in recent years across various sectors, including the 2022 directions from the Indian Computer Emergency Response Team (CERT-In). As per the Telecom Cyber Security Rules, 2024, telecom entities must not only report incidents within this six-hour window but must also provide a detailed description of the affected system, the nature of the cybersecurity breach, and any other pertinent information.
The notified rules supersede the Prevention of Tampering of the Mobile Device Equipment Identification Number Rules, 2017, and have been issued under Sections 22 and 56(2)(v) of the Telecommunications Act, 2024. Telecom operators will now also be required to appoint an Indian chief telecommunication security officer, adopt a robust cybersecurity policy, and conduct periodic audits to ensure the security of their networks and services.
In addition to the immediate reporting requirements, the rules specify that telecom entities must provide more detailed information within 24 hours after being made aware of the incident. This includes the number of users affected, the duration of the incident, the geographical area impacted, and the extent to which the network and services were disrupted. While the draft rules had asked for information on the economic and societal impact of such incidents, the final version does not include that requirement.
As part of the new framework, a dedicated portal will be created for the digital submission of reports, similar to other recent government initiatives aimed at improving transparency and accountability. However, some experts have raised concerns about the language used in the rules. Chima, a security expert, stated that the rules should be laid before Parliament for further discussion and scrutiny, particularly around the unspecified role of the “certified agency” responsible for conducting security audits after incidents.
Another point of contention is the broad language in Rule 3 regarding the collection and analysis of data. The rule permits the collection of “any other data,” which some critics argue is overly vague and could lead to concerns around privacy and surveillance. Additionally, while the rules prohibit the collection of the “content of messages,” the distinction made between data and metadata has been criticized as creating a false sense of security.
The new rules come amid growing concerns over cyber threats and the increasing dependence on digital infrastructure in India. With cybersecurity becoming an urgent priority for both businesses and governments, these regulations aim to strengthen the security posture of telecom entities and ensure a timely response to cyber incidents.
Source By Agencies
