The Pakistan Telecommunication Authority (PTA) has finalized new regulations aimed at strengthening the cybersecurity framework of the telecom sector.
The rules make local data hosting mandatory for all licensed telecom companies and introduce strict compliance requirements to safeguard consumer data and national digital infrastructure.
According to the PTA, the Critical Telecom Data and Infrastructure Security Regulations (CTDISR) have been finalized and shared with industry stakeholders. The authority has invited their comments and suggestions by November 7, before the regulations are formally enforced.
The new regulatory framework aims to enhance data protection, cyber resilience, and network reliability across Pakistan’s telecom sector.
Mandatory data hosting
Under the finalized regulations, all licensed telecom companies will be required to host their data within Pakistan, ensuring that sensitive and critical telecom data remains under national jurisdiction.
The rules also make it mandatory for companies to appoint a Chief Information Security Officer (CISO) responsible for implementing security policies, monitoring cyber threats, and ensuring compliance with national cybersecurity standards.
Risk assessments, cyber audits, and business continuity plans
To strengthen preparedness against cyberattacks, the PTA has made it obligatory for telecom operators to conduct annual risk assessments and independent cyber audits.
Additionally, the companies will be required to maintain Disaster Recovery and Business Continuity Plans to minimize service disruption during cyber incidents or technical failures. These measures, according to the PTA, are essential to ensure the continuous protection of user data and communication networks.
Zero trust model and incident reporting
The regulations direct telecom operators to adopt a “Zero Trust Security Model,” a modern cybersecurity approach that minimizes the risk of breaches by requiring continuous verification of all users and devices accessing a network.
In case of a serious cyber incident, companies will have to report the breach to the PTA within 24 hours. The authority will monitor compliance closely and may take enforcement action against violators.
Furthermore, the PTA reserves the right to ban the use of foreign software or equipment deemed risky or non-compliant with national cybersecurity standards.
Strengthening oversight and supply chain security
The document also mandates the establishment of Information Security Steering Committees within each licensed telecom company. These committees will oversee the implementation of security frameworks, monitor emerging threats, and coordinate with the PTA on compliance matters.
Telecom companies will also be directed to ensure security across their supply chains and vendors, recognizing that third parties are often a source of vulnerabilities in complex telecom networks.
Through these regulations, the PTA aims to provide stronger consumer data protection and prevent unauthorized access, data breaches, and cyberattacks targeting telecom users. The authority emphasized that compliance with CTDISR will be critical for maintaining public trust and national security.
The last date for public comments on the proposed CTDISR framework has been set for November 7, after which the PTA will review feedback and move toward implementation.







