loader

Disclaimer

The Bar Council of India does not permit advertisement or solicitation by advocates in any form or manner. By accessing this website, www.khaitanco.com, you acknowledge and confirm that you are seeking information relating to Khaitan & Co of your own accord and that there has been no form of solicitation, advertisement or inducement by Khaitan & Co or its members. The content of this website is for informational purposes only and should not be interpreted as soliciting or advertisement. No material/information provided on this website should be construed as legal advice. Khaitan & Co shall not be liable for consequences of any action taken by relying on the material/information provided on this website. The contents of this website are the intellectual property of Khaitan & Co.

Please accept the above
PROCEED TO WEBSITE
Close

Search

See all results for ""

Telecom Cyber Security Rules 2024 Finalized: Key Updates at a Glance

download
29-Nov-2024

On 21 November 2024, the Department of Telecommunications (DoT) issued the final Telecommunications (Telecom Cyber Security) Rules, 2024 (Rules), replacing the earlier draft released for public consultation on 28 August 2024 (see here for our ERGO on the draft rules).

The key changes incorporated in the final Rules are:

  1.  

Definition of ‘certified agency’. The Rules introduce the term 'certified agency', defined as an agency specified by the Central Government on the designated portal to carry out security audits. This ensures a standardised security audits, enhancing telecom cybersecurity through regulatory oversight.
  1.  

Creation of a digital ‘portal’. The Rules establish an online 'portal' to facilitate digital implementation, enabling the Central Government to issue orders, directions, and other communications. Telecom entities must use this portal to fulfil their reporting and information submission obligations. Introduction of this online portal significantly reduces time and costs associated with administrative paperwork.
  1.  

Changes in data collection and analysis rule. Rule 3 empowers the Central Government or its authorized agencies to request traffic data and other information from telecom entities. The Rules introduce a new limitation, explicitly excluding the content of messages from such data requests. Additionally, the Rules specify that collected data can only be used by the Central Government, its authorized agencies, or telecom entities for the purpose of ensuring cyber security. This change balances out the concerns associated with excessive surveillance and data access requests.
  1.  

Compliance with directions and standards. Telecom entities are now required to comply with directions and standards issued under the Rules, including adhering to specified timelines. These measures aim to prevent the misuse of telecom identifiers, equipment, networks, or services and to enhance cyber security across the telecom ecosystem.
  1.  

Reporting obligations. Telecom entities must submit a detailed report outlining the measures implemented to ensure cyber security. The Central Government can now also seek clarifications and issue directions, orders, or instructions to address identified risks.
  1.  

Temporary suspension of telecom identifiers. The Rules allow a person reasonable opportunity of being heard, if the Central Government passes an order to temporarily suspend or permanently disconnect the telecom identifier (i.e., series of digits, characters, etc. used to identify a user, an authorised entity or telecom service, network or equipment) of such person. For clarity, under the Rules, in circumstances deemed necessary and expedient in the public interest, the suspension can occur without prior notice. While such powers of Central Government may raise concerns about operational disruptions, the recent amendments also ensure fairness and due process in decisions to suspend or disconnect telecom identifiers.
  1.  

Reporting security incidents. The updated rules relax incident reporting requirement to 6 hours of becoming aware of an incident (as opposed to 6 hours from occurrence of the incident), with only relevant details of the affected system and description of the incident. Additionally, the requirement to furnishing additional information relating to the incident may be undertaken within 24 hours of becoming aware of such incident.

Comments

The Rules mark a significant shift in the telecom cybersecurity landscape, emphasizing robust compliance and cyber resilience. By introducing mandatory reporting, defining certified audit agencies, establishing a centralized digital portal, and ensuring fairness through procedural safeguards, these rules seek to balance out cybersecurity needs with the risk of arbitrary actions. The role of the Security Operations Centre has also been expanded to monitor attempts to cause telecom cyber security and security incidents, intrusions or breaches. While these measures bring increased compliance costs and obligations for telecom entities, they also work towards building a secure and trustworthy digital ecosystem which is crucial for India’s growing digital economy.

  • Harsh Walia (Partner); Sanjuktha A Yermal (Senior Associate) and Vanshika Lal (Associate)

For any queries please contact: editors@khaitanco.com

Harsh Walia (partners)

We have updated our Privacy Policy, which provides details of how we process your personal data and apply security measures. We will continue to communicate with you based on the information available with us. You may choose to unsubscribe from our communications at any time by clicking here.

For private circulation only

The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.

© 2024 Khaitan & Co. All rights reserved.

Mumbai

One World Centre
10th, 13th & 14th Floor, Tower 1C
841 Senapati Bapat Marg
Mumbai 400 013, India

Mumbai

One Forbes
3rd & 4th Floors, No. 1
Dr. V. B. Gandhi Marg
Fort, Mumbai 400 001

Delhi NCR (New Delhi)

Ashoka Estate
11th Floor, 1105 & 1106,
24 Barakhamba Road,
New Delhi 110 001, India

Kolkata

Emerald House
1B Old Post Office Street
Kolkata 700 001, India

Bengaluru

Embassy Quest
3rd Floor
45/1 Magrath Road
Bengaluru 560 025, India

Delhi NCR (Noida)

Max Towers,
7th & 8th Floors,
Sector 16B, Noida
Uttar Pradesh 201 301, India

Chennai

8th Floor,
Briley One No.30
Ethiraj Salai
Egmore
Chennai 600 008, India

Singapore

Singapore Land Tower
50 Raffles Place, #34-02A
Singapore 048623

Pune

Raheja Woods
03-108-111, 3 Floor
8, Central Avenue, Kalyani Nagar
Pune - 411 006, India

Gurugram (Satellite Office)

Suite No. 660
Level 6, Wing B,
Two Horizon Center
Golf Course Road, DLF 5
Sector 43, Gurugram
Haryana 122 002, India

Ahmedabad

1506 - 1508, B-Blockr
Navratna Corporate Parkr
Iscon Ambli Road, Ahmedabadr
Gujarat - 380058