Telecom Cybersecurity Rules 2024: Bold Step, Industry Seeks Clarity Designated agencies can access telecom traffic data for cybersecurity purposes, but text, audio, or video are excluded from the mandate
Opinions expressed by BIZ Experiences contributors are their own.
You're reading BIZ Experiences India, an international franchise of BIZ Experiences Media.
Cybersecurity is no longer a peripheral concern in India, as various government departments ramp up efforts to counter growing cyber threats. Recently, the Ministry of Communications and the Department of Telecommunications (DoT) made headlines by releasing the Telecom Cyber Security Rules, 2024, which authorize the government and designated agencies to access telecom traffic data and other information for cybersecurity purposes.
This data includes information such as type, routing, duration, and timing generated, transmitted, received, or stored within telecom networks. Notably, message content—such as text, audio, or video—is excluded from this mandate. The rules aim to enhance telecom cybersecurity and allow the dissemination of this data to any Central Government agency engaged in law enforcement or security activities.
Requirements for Telecom Operators
The new rules require telecom companies to establish infrastructure capable of collecting traffic data and providing it to the government at designated points for analysis, processing, and dissemination to authorized entities. Additionally, telecom operators must report initial cybersecurity incidents within six hours, with detailed reports submitted within 24 hours. These detailed reports must include the number of users affected, geographic impact, and remedial actions taken.
In contrast, the Cyber Incident Reporting for Critical Infrastructure Act in the U.S. and the European Union's cybersecurity regulations mandate a 72-hour timeframe for incident reporting. The shorter timeline prescribed in India has received mixed reactions from industry experts.
"While the six-hour timeline for reporting incidents is tight, it is achievable with efficient systems in place. That said, the responsibility to report crimes to the police or cyber cells should also rest with the citizen who experiences the crime, ensuring a streamlined and effective approach," noted Konark Trivedi, Founder and MD of Frog Cellsat Ltd.
Industry Voices: Praise and Concerns
The rules have been met with both praise and caution from industry leaders. Varinder Singh Jawanda, CEO of Millennium Automation Systems Limited (MASL), views the regulations as a decisive step. "Cybersecurity is the backbone of our digital economy, particularly for the telecom industry. With vast data volumes, critical infrastructure, and evolving threats at stake, such measures are imperative."
On the other hand, Ayush Jindal, Advocate at the Supreme Court, believes the rules, while promising long-term benefits, may pose short-term operational challenges. "The new set of rules will ensure that Indian operators are better prepared to withstand nuanced threats. While these measures might create immediate hurdles, they are vital for the long-term security of India's digital infrastructure," he shared.
Tony Verghese, Partner, JSA Advocates and Solicitors said, "The manufacture and import of equipment have also been restricted, with the requirement of registering the IMEI number before first sale of the equipment. This is a requirement even for equipment imported into the country. While manufacturers and importers are mandated to complete this registration, there is no clarity on what the requirements would be, should individuals purchase such equipment outside India and bring it into the country for their personal use. Currently, the Rules have no clarity in this regard, and I presume the government needs to clarify."
Coordination and Transparency
The regulations also mandate telecom companies to appoint a Chief Telecommunication Security Officer (CTSO) to oversee incident response and compliance. Furthermore, as per the guidance, the government can disclose the details of the incident to the public or ask telecom companies to disclose it.
Trivedi suggested additional proactive measures, stating, "For instance, telcos can immediately block a suspected phone number upon detecting cybercrime, preventing further misuse while investigations proceed."
While industry players and analysts acknowledge the potential long-term benefits, they also stress the need for clearer guidelines and efficient implementation to address practical challenges.
