India introduces new rules for critical telecom infrastructure
Compliance requires detailed documentation, government approval for remote repairs and upgrades, and adherence to Indian Telecommunication Security Assurance Requirements.
The government of India introduced the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024, on 22 November, which require telecom entities designated as Critical Telecommunication Infrastructure (CTI) to grant government-authorised personnel access to inspect hardware, software, and data. These rules are part of the Telecommunications Act, 2023, empowering the government to designate telecom networks as CTI if their disruption could severely impact national security, the economy, public health, or safety.
The rules mandate that telecom entities appoint a Chief Telecom Security Officer (CTSO) to oversee cybersecurity efforts and report incidents within six hours, a revised deadline from the original two hours proposed in the draft rules. This brings the telecom sector in India in line with existing Telecom Cyber Security Rules and CERT-In directions, though experts argue that the six-hour window does not meet global standards and may contribute to over-regulation.
Telecom networks are already governed under the Information Technology Act, creating potential overlaps with other regulatory frameworks such as the National Critical Information Infrastructure Protection Centre (NCIIPC). The rules also raise concerns about inspection protocols and data access, as they lack clarity on when inspections can be triggered or what limitations should be placed on government personnel accessing sensitive information.
Experts have also questioned the accountability measures in case of abuse of power and the potential for government officials to access the personal data of telecom subscribers during these inspections. To implement these rules, telecom entities must provide detailed documentation to the government, including network architecture, access lists, cybersecurity plans, and security audit reports. They must also maintain logs and documentation for at least two years to assist in detecting anomalies.
Additionally, remote maintenance or repairs from outside India require government approval, and upgrades to hardware or software must be reviewed within 14 days. Immediate upgrades are allowed during cybersecurity incidents, with notification to the government within 24 hours. A digital portal will be established to manage these rules, but concerns about the lack of transparency in communications have been raised. Finally, all CTI hardware, software, and spares must meet Indian Telecommunication Security Assurance Requirements.