Critical Telecom Infrastructure Rules 2024: All you must know about new regulations for telecom entities
On November 22, the stringent new Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 came into effect. Established under Section 22(4) of the Telecommunications Act, 2023, the rules aim to make telecom networks more secure and to protect the country from the adverse implications that a disruption of these networks would have for national security, health, and the economy.
Under the new framework, telecom entities must allow government-authorized personnel to inspect hardware, software, and data connected to certified CTI parts, as part of a measure to better protect telecom networks against cyber threats. The rules stipulate that a Chief Telecom Security Officer be appointed to oversee compliance and the reporting of cybersecurity incidents within six hours; the first draft had proposed that reports be made within just two hours.
The rules are in consonance with the Telecom Cybersecurity Rules and the directions CERT-In issued in 2022. Experts have pointed out that the six-hour window would not match international standards for cybersecurity incident response. Regulatory overlap is another issue that has been raised, involving the Telecommunications Act, the IT Act, and the Digital Personal Data Protection Act. A policy expert at Access Now noted a lack of clarity about when government checks could be triggered and whether government-authorised personnel would have access to personal subscriber data during those checks.
The new rules also require telecommunication companies to hand over network architecture, cybersecurity audits, and logs in real time to the government. The logs and all other documents must be preserved for at least two years to detect anomalies. In addition, if telecom companies plan to repair or upgrade their CTI networks through remote access, prior permission from the government is needed, with a 14-day review period for software and hardware upgrades.
The government aims to implement these new regulations through a secure digital portal, but accountability, transparency, and independent oversight of the process are a concern. All inspections and directions must be open to scrutiny to prevent misuse of power.