Telecom Cyber Security Rules 2024

DoT Notifies New Telecom Cyber Security Rules 2024: Key Highlights

India’s telecommunications sector is the backbone of the country’s digital economy, connecting billions of users daily. However, with this vast network comes the growing challenge of crimes, cyber threats and scams, such as phishing attacks and fraud schemes like “digital arrests,” which exploit gaps in telecom security to deceive unsuspecting users.

The Department of Telecommunications, under the Ministry of Communications, notified the Telecom Cyber Security Rules, 2024 on November 21, 2024, to tackle these issues. These rules provide a detailed framework to protect telecom networks from cyberattacks, ensure the responsible use of telecom equipment, and prevent the misuse of telecommunication services for scams and fraudulent activities. The government aims to strengthen public trust and create a safer telecom environment for all by holding telecom operators accountable and mandating robust security measures.

These rules also target the loopholes that allow bad entities to manipulate telecom systems. The new rules set strict guidelines for operators, introduce rapid reporting mechanisms for security incidents, and require companies to adopt advanced cyber security practices, ensuring a proactive approach to threats.

Talk to sales - AuthBridge

Key Highlights Of The Telecom Cyber Security Rules, 2024

The Telecom Cyber Security Rules, 2024, set a detailed framework to enhance the safety and resilience of India’s telecommunications infrastructure. These rules address a variety of challenges by introducing stringent security measures, clear reporting mandates, and increased accountability for telecom entities. Below are the key highlights:

Comprehensive Cyber Security Policies

Telecom operators are required to establish a robust cyber security policy. This policy must focus on key areas, including:

  • Risk Management: Implementing measures to identify vulnerabilities and prevent potential risks.
  • Network Testing: Conducting vulnerability assessments, penetration testing, and hardening of telecom networks.
  • Incident Response: Establishing rapid action systems to mitigate the impact of breaches.
  • Forensic Analysis: Investigating incidents to strengthen defences and prevent future occurrences.

Appointment Of Chief Telecommunication Security Officers (CTSOs)

Every telecom entity is mandated to appoint a Chief Telecommunication Security Officer (CTSO). The necessary conditions needed to satisfy anyone who is to be appointed as a CTSO are:

  • Be a citizen and resident of India.
  • Oversee the implementation of the telecom cyber security framework.
  • Coordinate with the government on compliance and security-related matters.

This role ensures dedicated oversight and accountability within each telecom organisation.

Reporting Cyber Security Incidents

Timely reporting of security incidents is a cornerstone of these rules. Telecom operators must:

  • Notify the government within six hours of identifying a security breach.
  • Submit a detailed report within 24 hours, including:
    • Number of users affected.
    • Geographical scope and duration of the incident.
    • Mitigation steps were taken to address the issue.

The government may disclose incidents in the public interest or direct telecom operators to undertake remedial measures and audits.

Data Collection And Analysis Protocols

The government or authorised agencies are empowered to collect and analyse telecom data (excluding message content) for enhancing cyber security. Key requirements include:

  • Telecom Operators’ Obligations: Establish infrastructure to collect and share data with the government from designated points.
  • Data Analysis: Use the collected data to identify risks and take preventive measures.
  • Confidentiality Safeguards: Ensure strict protection against unauthorised access to sensitive information.

Provisions For Telecommunication Identifiers And Equipment

To address misuse of telecommunication equipment and identifiers:

  • Registration Requirements: Manufacturers and importers must register equipment identifiers such as IMEI numbers with the government before sale or import.
  • Tampering Prohibition: Altering or misusing identifiers is strictly prohibited.
  • Blocking Measures: Telecom entities may block devices with tampered identifiers to prevent misuse.

Establishment Of Security Operations Centres (SOCs)

Telecom operators must establish Security Operations Centres (SOCs) to monitor and address cyber security threats. The SOCs will:

  • Track security incidents, breaches, and intrusions.
  • Maintain detailed logs of operations, threats, and response measures.
  • Support government investigations by providing necessary data.

The establishment of SOCs is a significant step toward creating a proactive defence mechanism within telecom networks.

Repository Of Suspended Identifiers

The government will maintain a repository of telecom identifiers that have been suspended or disconnected due to violations of cyber security rules. Entities linked to these identifiers may face:

  • Access Restrictions: Being barred from telecom services for up to three years.
  • Wider Compliance Measures: The repository may also be shared with other service providers to prevent misuse.

Oversight And Compliance

The government holds the authority to:

  • Conduct security audits of telecom entities through certified agencies.
  • Issue directives for implementing security measures within stipulated timelines.
  • Enforce compliance mechanisms through a digital platform, ensuring telecom operators report and adhere to guidelines efficiently.

Impact Of The Telecom Cyber Security Rules, 2024

The Telecom Cyber Security rules are not just about compliance; they aim to create a safer and more resilient telecom environment for operators and users alike. Let’s look at what they mean for the industry and the people it serves.

Building Stronger Defences for Telecom Operators

Telecom companies will now have to adopt robust cyber security measures, including regular network testing, risk assessments, and detailed action plans for handling security incidents. These requirements are designed to prevent misuse and enhance the security of telecom services. As the rules state, “Every telecommunication entity shall ensure compliance with the directions and standards… for ensuring telecom cyber security.”

By implementing these measures, telecom operators will be better equipped to handle modern cyber threats, minimising the risk of service disruptions or data breaches.

Clear Accountability Through Dedicated Cyber Security Officers

One of the standout features of the new rules is the mandatory appointment of a Chief Telecommunication Security Officer (CTSO) in every telecom organisation. This officer will be responsible for implementing security policies, coordinating with the government, and ensuring compliance.

Having a dedicated person for this role ensures accountability and gives companies a clear point of contact for all security-related matters. It’s a practical step toward improving how security is managed within the sector.

Faster Responses To Threats

The new rules introduce strict timelines for reporting security breaches. Telecom operators must notify the government within six hours of identifying an incident and provide a detailed report within 24 hours.

This quick reporting framework ensures that potential threats are addressed before they escalate, helping prevent widespread disruptions. Additionally, the government’s ability to direct further audits or investigations adds an extra layer of scrutiny to make sure incidents are handled thoroughly.

Protecting Data And Preventing Misuse

Data privacy is a key concern addressed by these rules. While the government or authorised agencies can collect and analyse certain types of telecom data to enhance security, the rules clearly state, “Any data so disseminated or shared shall not be used for any purpose other than for ensuring telecom cyber security.”

This clause reassures users that their personal information won’t be misused, fostering trust in the telecom ecosystem.

Stamping Out Fraudulent Activities

With stringent regulations on telecom equipment identifiers, such as IMEI numbers, the government is cracking down on the misuse of telecom devices. Manufacturers and importers must now register these identifiers before selling or importing devices. Additionally, tampering with or altering identifiers is strictly prohibited, and such devices can be blocked from accessing networks.

These measures will go a long way in tackling issues like fraudulent device usage and unauthorised network access.

Proactive Monitoring With Security Operations Centres

Telecom companies are now required to set up Security Operations Centres (SOCs) to monitor and manage cyber threats. These centres will handle tasks like tracking security incidents, analysing threats, and maintaining detailed logs to support investigations.

This step ensures that telecom operators are not just reacting to threats but actively working to prevent them. It’s a proactive approach that strengthens the overall resilience of telecom networks.

Empowering Users And Boosting Trust

For users, these rules are a big win. By holding telecom operators accountable for their security practices, the government is ensuring a safer digital environment. Whether it’s protecting personal data or ensuring uninterrupted service, these measures are designed with user safety in mind.

The Telecom Cyber Security Rules, 2024, send a strong message: India’s telecom industry is committed to staying one step ahead of cyber threats. These regulations not only address today’s challenges but also prepare the industry for the risks of tomorrow.

Conclusion

For telecom operators, the rules signal a shift toward proactive security management. Measures like mandatory security policies, the appointment of Chief Telecommunication Security Officers, and the establishment of Security Operations Centres will not only protect their networks but also enhance their ability to respond to threats swiftly and effectively.

For users, the new framework promises greater trust and safety. By prioritising data protection and ensuring the integrity of telecom services, the government has reaffirmed its commitment to creating a secure digital environment.

Moreover, these rules are forward-looking, addressing current vulnerabilities while anticipating future challenges in an increasingly interconnected world. With the telecommunications sector forming the backbone of India’s digital economy, these measures are not just about security—they’re about enabling growth and innovation on a strong foundation of trust and resilience.

FAQs on the Telecom Cyber Security Rules, 2024

Cyber Security Group under the Ministry of Electronics and Information Technology, Government of India is the governing body of cyber security in India.

CERT stands for Computer Emergency Response Team. 

These rules establish a legal framework for enhancing and ensuring telecom cyber security in India, including policies, safeguards, and measures for secure telecommunication networks and services.

The rules came into effect on the date of their publication in the Official Gazette, November 21, 2024.

All telecommunication entities, including service providers, network operators, equipment manufacturers, and importers, are covered.

  • Report incidents to the Central Government within 6 hours of detection.
  • Submit detailed reports within 24 hours, including user impact, geographical scope, and remedial actions taken.

The CTSO is responsible for coordinating with the government on cyber security compliance and incident reporting. The officer must be a citizen and resident of India.

The government can collect traffic and other data (excluding message content) to enhance cyber security, with safeguards for confidentiality and unauthorized access prevention.

Collected data is stored securely, shared only for telecom cyber security purposes, and subject to strict confidentiality safeguards.

Identifiers include International Mobile Equipment Identity (IMEI) numbers, Electronic Serial Numbers (ESNs), or other unique signals used to identify telecom equipment.

  • Manufacturers must register IMEI numbers with the Central Government before sale.
  • Importers must register IMEI numbers prior to importing equipment into India.

Tampering, altering, or using fraudulent telecommunication identifiers is strictly prohibited.

Yes, the government can temporarily suspend or permanently disconnect identifiers if they pose a cyber security risk.

Tampering is a punishable offense, and the equipment may be blocked from telecom networks or services.

Entities must maintain logs and records for a period specified by the government, which may extend up to three years.

Hi! Let’s Schedule Your Call.

To begin, Tell us a bit about “yourself”

The most noteworthy aspects of our collaboration has been the ability to seamlessly onboard partners from all corners of India, for which our TAT has been reduced from multiple weeks to a few hours now.

- Mr. Satyasiva Sundar Ruutray
Vice President, F&A Commercial,
Greenlam

Thank You

We have sent your download in your email.

Case Study Download

Want to Verify More Tin Numbers?

Want to Verify More Pan Numbers?

Want to Verify More UAN Numbers?

Want to Verify More Pan Dob ?

Want to Verify More Aadhar Numbers?

Want to Check More Udyam Registration/Reference Numbers?

Want to Verify More GST Numbers?