On August 28, 2024, the Ministry of Communications (Department of Telecommunications) announced the draft Telecommunications (Telecom Cyber Security) Rules, 2024 in the Official Gazette. The proposed rules aim to enhance the cybersecurity framework for telecommunication networks and services by outlining comprehensive guidelines on data collection, security measures, and incident reporting.
Key Objectives of the Draft Rules  : The draft rules, introduced under the Telecommunications Act, 2023, are designed to replace the outdated Prevention of Tampering of the Mobile Device Equipment Identification Number Rules, 2017, and its 2022 amendment, aligning the sector with modern cybersecurity needs.
Core Definitions   
- Telecom Cyber Security  : Involves tools, policies, guidelines, and technologies aimed at protecting telecommunication networks and services.
- Chief Telecommunication Security Officer (CTSO)  : A designated officer responsible for ensuring compliance with these cybersecurity rules within telecommunication entities.
- Telecommunication Entity  : Refers to any organization involved in providing telecommunication services or managing telecommunication networks.
Data Collection and Security Protocols   
The draft rules empower the Central Government and authorized agencies to collect and analyze traffic data from telecommunication entities to improve cybersecurity. The data can be shared with relevant law enforcement agencies under stringent safeguards, ensuring that it is used solely for cybersecurity purposes.
Cybersecurity Obligations for Telecom Entities   
- Prohibition of Misuse  : Entities must prevent any actions that could compromise telecom cybersecurity, including fraudulent activities and security incidents.
- Mandatory Security Measures  : Telecommunication entities are required to implement robust cybersecurity policies, conduct regular testing, and report security incidents promptly.
- Security Operations Centers (SOC)  : Entities must establish or collaborate on SOCs to monitor and respond to cybersecurity threats effectively.
Incident Reporting and Public Disclosure   
Telecommunication entities must report security incidents within six hours of occurrence, detailing the impact and response measures taken. The Central Government retains the right to disclose significant incidents to the public if deemed necessary.
Telecommunication Equipment and Identifier Regulations   
Manufacturers and importers of telecommunication equipment must register IMEI numbers with the Central Government before sale or import. The rules also prohibit tampering with telecommunication identifiers, with measures in place to block compromised equipment.
Public Consultation and Implementation   
The draft rules are open for public comments for 30 days from their publication date. Stakeholders are encouraged to review the proposed regulations and provide feedback to help shape the final version.
The introduction of the Telecommunications (Telecom Cyber Security) Rules, 2024, marks a critical step in fortifying India's telecommunication networks against cyber threats. By setting clear guidelines on data handling, security measures, and incident response, the rules aim to safeguard the nation’s telecom infrastructure and ensure the integrity of communication services.
Read the full draft here : Telecommunication Cybersecurity Draft 2024