Telecommunications (Telecom Cyber Security) Rules, 2024 Notified

The Department of Telecommunication has notified the Telecommunications (Telecom Cyber Security) Rules, 2024, on November 22, 2024, which mandate that telecom companies report cyber security incidents within six hours of becoming aware of such incidents and furnish more information within 24 hours. The rules also provide sweeping powers to the central government or an agency authorised by it to collect, share, and analyse data, other than the contents of messages, for protecting and ensuring telecom cyber security.

The rules also mandate that telecommunication entities shall ensure compliance and implement measures to ensure telecom cyber security, including policy changes, testing, timely responses, forensic analysis, periodic audits, establishing facilities such as Security Operations Centres (SOCs), etc. In addition, telecommunication entities are required to appoint a Chief Telecommunication Security Officer who shall be responsible for coordinating with the Central Government on behalf of the telecommunication entity for the implementation of these rules, including compliance with any reporting requirements or reporting of security incidents.

The rules empower the Central Government to temporarily suspend use of the relevant telecommunication identifier or permanently disconnect it if its use is found to have endangered telecom cyber security after providing an opportunity of being heard to the person to whom it has been issued. The Central Government may maintain a repository of persons and telecommunication identifiers that have been acted upon and may direct telecommunication entities to prohibit or limit the access to telecommunication service to such persons for a period not exceeding three years from the date of such order.

Moreover, manufacturers and importers of equipment having an International Mobile Equipment Identity (IMEI) number are required to register the IMEI number of such equipment manufactured in India or imported into India with the Central Government prior to the first sale of such equipment or import. Directions may be issued to block or provide assistance as required in relation to tampered equipment. The Central Government would notify a portal for the purpose of digital implementation of these rules.

Experts have flagged that the rules cast excessive compliance burdens on telecommunication entities and also raise privacy concerns.