ARTICLE
6 December 2024

Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024

JSA

Contributor

JSA is a leading national law firm in India with over 600 professionals operating out of 7 offices located in: Ahmedabad, Bengaluru, Chennai, Gurugram, Hyderabad, Mumbai and New Delhi. Our practice is organised along service lines and sector specialisation that provides legal services to top Indian corporates, Fortune 500 companies, multinational banks and financial institutions, governmental and statutory authorities and multilateral and bilateral institutions.

On November 22, 2024, the Department of Telecommunications notified the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 ("CTI Rules"). The CTI Rules are designed to safeguard the telecommunication infrastructure in India, viewed as critical for national security and economic stability. The CTI Rules outline a comprehensive framework that specifies the obligations of the telecommunication entities, compliance standards, and reporting mechanisms.

The CTI Rules broadly state the following:

1. the CTI Rules have introduced important definitions such as 'Critical Telecommunication Infrastructure' ("CTI"), 'Chief Telecommunication Security Officer', 'security incident', and 'telecommunication entity';

2. the CTI Rules apply to any telecommunication network or its components notified by the Central Government as CTI due to its impact on national security, economy, public health, or safety;

3. the telecommunication entities must ensure that their CTI, including hardware, software, and spares, adheres to Essential Requirements, Interface Requirements, Indian Telecommunication Security Assurance Requirements, and other specifications/testing requirements/conformity assessment issued by Telecommunication Engineering Centre/National Centre for Communication Security. In the absence of such standards, only Central Government notified standards may be used. The requirements also include adherence to the 'National Security Directive on Telecommunication Sector', and directives on communication security certification;

4. the Central Government is authorised to inspect the hardware, software, and data of CTI through designated personnel;

5. the 'Chief Telecommunication Security Officer' must be appointed by each telecommunication entity to ensure implementation of these CTI Rules and compliance with reporting requirements;

6. the telecommunication entities must ensure the security of CTI by adhering to specified standards, maintaining detailed records of hardware, software, and dependencies, and preserving logs for at least 2 (two) years. The telecommunication entities must implement verification protocols for personnel access, conduct regular risk assessments, and manage processes for Service Level Agreements and log backups. Security incidents are required to be reported within 6 (six) hours, and a risk register must be maintained for mitigating potential threats. Remote access for maintenance from outside India requires prior approval and preservation of logs for 1 (one) year. The telecommunication entities are required to submit compliance reports, and the Central Government may seek clarifications or issue directives to safeguard CTI or address risks;

7. for upgrading CTI, the telecommunication entities will have to apply to the Central Government with test reports and relevant details for approval. The Central Government must respond within 14 (fourteen) days by seeking clarifications, directing further testing, or approving/rejecting the request, failing which the telecommunication entities may proceed with the upgrade. The telecommunication entity can undertake immediate upgrade to address security incidents without prior application. However, the telecommunication entities must report to the Central Government within 24 (twenty-four) hours of such upgradation. The telecommunication entities are required to preserve records of all upgrades and provide them upon request, excluding routine updates aimed at improving performance or security;

8. any contraventions of the CTI Rules will be dealt with under the Telecommunications Act, 2023; and

9. the CTI Rules provide for the digital implementation of the CTI Rules through a government notified portal, enabling secure communication and reporting mechanisms.

Conclusion

The CTI Rules mark a significant step forward in the strengthening of the security and integrity of India's critical telecommunication networks. They provide a comprehensive framework for protecting national security interests through explicit compliance standards, reporting requirements, and mechanisms for risk mitigation. Additionally, the CTI Rules empower the Central Government to take decisive action in preventing and addressing threats, thereby ensuring the uninterrupted operation of critical infrastructure. The regulatory approach of the CTI Rules also has a positive impact on increasing safety in India's telecom industry, making it sustainable and resilient. Having said that, it remains to be seen how the different government agencies, such as the Indian Computer Emergency Response Team, will work together towards the same goal but with varying compliance requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
