Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024

Immediate upgradation of hardware/ software is permitted if it involves a security incident.

Ministry-of-Communications

On 22-11-2024, the Ministry of Communications notified the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 enhancing security and resilience of telecommunication networks identified as critical. The provisions came into force on 22-11-2024.

Key Points:

  1. These rules are applicable on the telecommunication networks which are notified by the Central Government (‘CG’) as Critical Telecommunication Infrastructure (‘CTI’) which is based on an assessment that disruption of such infrastructure can have a debilitating impact on the national security, economy, public health or safety of the nation.

  2. Telecommunication entity will have to ensure that CTI, including any spares, hardware and software used in such CTI are following the following standards:

    • Essential requirements/ interface requirements/ Indian telecommunication security assurance requirements and specifications/ testing requirements/ conformity assessment issued by Telecommunication Engineering Centre/ National Centre for Communication Security;

    • National Security Directive on Telecommunication Sector (‘NSDTS’);

    • Directives on communication security certification;

  3. CG can authorize its personnel to access and inspect hardware, software and data pertaining to CTI or telecommunication entities.

  4. Every telecommunication entity will have to comply with the following obligations related to CTI:

    • Ensure security of CTI;

    • Maintain a complete list of CTI along with the software and hardware details;

    • Preserve in a secure manner, logs and documentation of the telecommunication network architecture of CTI, for a minimum period of 2 years;

    • Plan, develop and maintain adequate verification practices and protocols applicable for all personnel authorized to have access to CTI;

    • Maintain records of the supply chain of the telecommunication equipment and other equipment deployed in the CTI;

    • Implement standard operating procedures for security incident response systems, including disaster recovery and business continuity;

    • Implement mechanisms to ensure intimation of security incidents to the CG, within six hours of occurrence of such incident.

  5. When a telecommunication entity requires remote access to its CTI for the purpose of repair/ maintenance from a location outside the territory of India, it can do so only from a location for which it has obtained prior written approval from the CG.

    For access of remote access, the telecommunication entity needs to:

    • provide due intimation of such remote access to the CG;

    • ensure that the logs for such remote access are preserved for at least one year.

  6. For upgradation of CTI, the telecommunication entity will have to make an application to the CG along with the details of the test reports for such upgradation.

  7. The telecommunication entity can undertake immediate upgradation in the software/hardware when upgradation is necessary for addressing/ mitigating the adverse effects of a security incident.

    • Such upgradation can be done without making an application;

    • Within 24 hours of such upgradation the following details have to be given to the CG:

      • description of the concerned security incident;

      • relevant software or hardware of an equipment requiring upgradation and the nature of upgradation undertaken in respect of such equipment.

Join the discussion

Leave a Reply

Your email address will not be published. Required fields are marked *