Since the pandemic, India’s digital infrastructure has witnessed unprecedented growth, driving a sharp rise in the demand for stronger cybersecurity measures. In line with this, the government recently introduced the Telecommunications (Telecom Cybersecurity) Rules, 2024 to safeguard the country telecommunications sector from ever-evolving cyberthreats. Released under the Telecommunications Act, 2023, the rules establish a comprehensive framework aimed at securing telecom networks, protecting user data and ensuring swift responses to cyber-incidents. By superseding the Prevention of Tampering of Mobile Device Equipment Identification Number Rules, 2017 and its amendments, the new rules uphold continuity for actions under previous frameworks while introducing a more cohesive and robust approach to cybersecurity.

At their core, the rules focus on strengthening telecom network security, mitigating risks from cyber-incidents and fraud, and preventing the misuse of telecom services. They also provide clear guidelines for stakeholders such as telecom operators, manufacturers and importers, ensuring accountability and compliance across the board.

Key provisions

The Telecom Cybersecurity Rules, 2024 delineate detailed measures for telecom entities to enhance their cybersecurity practices. Key provisions include:

Mandatory cybersecurity policies: Each telecom entity is required to adopt a robust cybersecurity policy encompassing risk management approaches and mitigation strategies; network testing through hardening, vulnerability assessments and penetration testing; forensic analysis of security incidents to derive actionable insights; and rapid-response mechanisms to minimise the impact of breaches.

Appointment of chief telecommunication security officer (CTSO): The rules mandate the appointment of a CTSO by all telecom entities. The officer, who must be an Indian resident, will act as a bridge between the entity and the government, ensuring seamless compliance and immediate reporting of security incidents.

Real-time incident reporting: Entities are required to report security incidents to the government within six hours of occurrence. These reports should include details about affected users, the geographic impact and mitigation steps. Public disclosure may also be mandated, if deemed necessary, to protect users.

Data collection and analysis: To anticipate and address vulnerabilities, the government may collect and analyse telecom traffic data. While ensuring strict safeguards against misuse or unauthorised access, this data will enable pre-emptive measures and informed policymaking.

Registration of equipment and International Mobile Equipment Identity (IMEI) numbers: Manufacturers and importers must register IMEI numbers for devices before sale or import. This move is aimed at curbing the circulation of tampered or fraudulent devices, enhancing the traceability and security of telecom equipment.

Prohibition of cybersecurity threats: The rules prohibit activities that endanger telecom cybersecurity, including fraud, impersonation and tampering with telecom equipment identifiers. Telecom operators are required to establish security operations centres to monitor threats, log incidents and coordinate responses with law enforcement agencies. This proactive approach should ensure timely identification and mitigation of risks. In cases of non-compliance, the government can suspend or terminate telecom services linked to compromised identifiers. Furthermore, a repository of violators will be maintained, and restrictions on their access to telecom services may last for up to three years. These measures should act as a deterrent against misuse while ensuring the safety of legitimate users.

Cybersecurity audits: Periodic cybersecurity audits will be conducted by certified agencies to ensure adherence to mandated standards. These audits will not only assess the resilience of telecom networks but also help identify areas for improvement.

The rules further promote the adoption of digital tools for efficient compliance. This includes systems for data collection, incident reporting, equipment registration and monitoring telecom operations.

Industry implications

The rules are a dual-edged sword for stakeholders in the telecom sector, introducing both opportunities and challenges. The rules are likely to push operators to enhance their cybersecurity capabilities and adopt proactive measures to counter emerging threats. But stricter compliance mandates will require substantial investments in advanced security infrastructure and skilled personnel to meet the regulatory requirements.

Meanwhile, manufacturers and importers will benefit from greater accountability through mandatory equipment registration, particularly of IMEI numbers. This will help in reducing fraud, streamlining equipment traceability and creating a more secure supply chain.

For consumers, the rules bring a renewed focus on cybersecurity, reinforcing trust in digital services and ensuring safer interactions across telecom networks.

Preparing for future challenges

The Telecommunications (Telecom Cybersecurity) Rules, 2024 are not merely a response to current threats but a forward-looking initiative. With the roll-out of 5G services and the increasing adoption of IoT devices, the telecom sector is poised for exponential growth. By establishing clear guidelines, fostering collaboration and emphasising accountability, the rules are paving the way for a more resilient telecom ecosystem.