All telecom entities must report any cybersecurity incidents to the central government within six hours of becoming aware of them, as per the Telecom Cyber Security Rules, 2024, notified and brought into effect by the Department of Telecommunications on Thursday. In this six-hour period, the same as the one specified in the 2022 CERT-In directions, the affected entity must also give details of the affected system along with the description of the incident.
These rules, which were released for public consultation on August 29, mandate telecom entities to implement measures to prevent and respond to cyber incidents. They supersede the Prevention of Tampering of the Mobile Device Equipment Identification Number Rules, 2017, and have been issued under sections 22 and 56 (2)(v) of the Telecommunications Act, 2024.
The notified rules mandate all telecom entities to appoint an Indian chief telecommunication security officer based in the country, to adopt a telecom cybersecurity policy, and conduct periodic telecom cybersecurity audits, amongst other things. As with the recent spate of rules across ministries, these rules also require the creation of a portal for digital implementation of the rules.