The enforcement of the Telecommunications Act, 2023 marked a long-overdue reset of India’s telecom laws. The act scrapped colonial-era frameworks, such as the Indian Telegraph Act, 1885 and the Indian Wireless Telegraph Act, 1933, replacing them with a single, modern legal structure. The new act covered critical elements, including authorising services, allocating spectrum, settling disputes, enhancing national security, ensuring regulatory accountability and facilitating digital infrastructure resilience.

The Telecommunications Act, 2023 recognised telecom’s role as more than just an economic driver. It framed it as critical infrastructure, something deeply tied to national security and public trust. The act also highlighted the need to identify and secure critical telecommunications infrastructure. Section 22(1) of the act gave the central government the authority to lay down rules to protect telecom networks and services from cyber threats. Section 22(2) went a step further, enabling the government to collect, analyse and act on traffic data flowing through telecom networks, tools that are essential in anticipating and containing digital threats.

On the back of those provisions, the government rolled out the Telecommunications (Telecom Cyber Security) Rules, 2024. These rules laid out a structure for securing telecom networks, including policies and risk management, safeguards and response mechanisms. Parallelly, the government notified the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024. These rules specifically apply to service providers whose networks or components are tagged as critical telecommunications infrastructure (CTI) by the Department of Telecommunications (DoT). It also includes mandatory security standards, risk assessments and real-time response mechanisms for any cyber incident. These rules are meant to create a line of defence, one that protects both infrastructure and individual privacy.

Given the stakes involved, the Committee on Subordinate Legislation stepped in to examine whether the cybersecurity and CTI rules are aligned with constitutional principles like transparency and accountability. It held three rounds of discussions, in February and March 2025, with officials from the Ministry of Communications and several industry bodies. It also sent out detailed questionnaires to gather additional inputs from relevant ministries and stakeholders.

In a report tabled in the Rajya Sabha, the Committee on Subordinate Legislation reviewed the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 and Telecommunications (Telecom Cyber Security) Rules, 2024.

A look at some of the salient observations and recommendations of the report…

Telecommunications (Telecom Cyber Security) Rules, 2024

Security incident definition and tiered reporting

The committee examined Rule 2(e), which defines a “security incident” as an event that poses a real or potential risk to telecom cyber­security. Some concerns were raised regarding the breadth of this definition and whether it aligns with existing frameworks set up by the Indian Computer Emergency Response Team (CERT-In) or global norms. In response, DoT referenced definitions from the National Institute of Standards and Technology (US) and a Ministry of Electronics and Information Technology notification from April 29, 2016 to argue that the definition reflects global best practices. DoT also clarified that this broad framing stems from its expanded role under the Allocation of Business Rules, 1961, which now include oversight of telecom network security.

Taking note of the submissions, the committee supports the broad definition of a “security incident” under Rule 2(e) as a neces­sary measure to safeguard critical telecom infrastructure. However, to address concerns about its scope and ensure practical implementation, the committee observes that DoT may consider refining the definition and may evaluate it for introducing a tiered incident classification system to prioritise the reporting of major incidents, ensuring a balanced approach to telecom cybersecurity.

Data collection boundaries

The committee reviewed Rule 3(1)(a), which permits the central government to seek traffic data and other forms of data, excluding message content, from telecommunication entities, as specified through a designated portal. It raised concerns about the phrase “any other data”, noting that its broad and undefined scope could create ambiguity and heighten the risk of privacy infringements.

In this regard, the committee recommends that DoT should explicitly define the categories of data permissible for collection, limiting it to what is strictly necessary for telecom cybersecurity.

“Fraudulent” message clarity

The committee examined Rule 4(2)(b), which restricts telecommunication entities from transmitting messages deemed fraudu­lent. It pointed out that the rule does not define what constitutes a “fraudulent” message, leaving the term open to interpretation. This vagueness could lead to inconsistent enforcement and raise the possibility of individuals facing consequences for unknowingly forwarding such content.

In view of this, the committee recommends that to address concerns about the broadness of the term “fraudulent” and risks to innocent senders, DoT may take necessary action to explicitly define the term, establish clear criteria and processes for determining fraudulence, and provide robust support for telecommunication entities and users.

Telecommunications Rules, 2024

Inspection of CTI infrastructure

The committee noted that Rule 5(1) author­ises the government to inspect hardware, software and data related to CTI. It was informed that such inspections are an extension of existing field inspections conducted by DoT units to ensure compliance by telecom entities. The committee also noted the submission that security incidents would follow standard processes, including reporting and mitigation. It observed that such inspections enable proactive identification of vulnerabilities or non-compliance, thereby reducing the risk of disruptions or cyberattacks on CTI. Accordingly, the committee endorsed the inspection provisions under the rules as a critical mechanism to ensure compliance and security of telecom infrastructure.

However, to enhance effectiveness and address concerns about operational disruptions, the committee recommends DoT adopt a hybrid inspection framework combining routine and incident-triggered inspections, supported by clear guidelines, standardised protocols and stakeholder engagement.

Incident reporting timelines

The committee noted that Rule 7(1)(j) mandates telecom service providers (TSPs) to report security incidents to the central government within six hours of becoming aware of the incident, with a detailed report to follow within 24 hours. It further noted that this aligns with the existing CERT-In guidelines, which also require incident reporting within six hours of awareness. While recognising that this CTI-specific requirement is a necessary step to strengthen secur­ity, the committee observed that triggering the timeline from the “occurrence” of an incident, as opposed to “awareness” under CERT-In, poses practical challenges.

Given that incidents may go undetected for some time due to their complexity or monitoring delays, the committee recommends that to improve practicality and reduce the compliance burden, DoT may consider aligning the reporting timeline with CERT-In’s “awareness” trigger, streamlining reporting processes to avoid duplication and providing robust support to TSPs. The committee also notes that this will bring similarity in provisions in both the rules.

Security risks from foreign equipment

The committee noted that a significant portion of India’s telecom network infrastructure relied on equipment from Chinese manufacturers, raising serious cybersecurity and national security concerns due to the risk of embedded vulnerabilities, backdoors or unauthorised data access. These risks were especially critical, given the borderless nature of cyber threats and the strategic importance of telecom networks as critical infrastructure. While the Critical Telecom Infrastructure and Telecom Cyber Security Rules, 2024 provided a robust framework to address such concerns, the committee observed that specific, targeted actions were required to mitigate the risks posed by foreign, particularly Chinese-made, equipment.

In this regard, the committee recommends that to address the security risks associated with such telecom equipment, a phased “rip and replace” strategy should be implemented. This strategy could involve systematically identifying, removing and replacing high-risk equipment with trusted, preferably indigenous, alternatives while strengthening supply chain security and enforcement mechanisms. This will also allow India to position itself as a global leader in secure telecom manufacturing.

Outlook

The report strikes the right tone on ­several critical issues, especially in pushing for clarity, proportionality and accountability in implementing the cybersecurity rules. It acknowledges the real-world complexities telecom operators face and pushes back against overly rigid compliance timelines and ambiguous mandates. This is a welcome shift from a one-size-fits-all enforcement to a more calibrated, risk-based approach.

It pushes the government to move beyond intent and address the gaps in implementation, industry coordination and monitoring infrastructure. With the stakes tied so closely to national security and public trust, translating these observations into enforceable, balanced action will be key. The real test will lie in how transparently and fairly they are executed, and not just in how the rules are framed.

Harshita Kalra