
tl;dr
On November 22, 2024, the Department of Telecommunications (“DoT”) officially notified the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (“Telecom CTI Rules”). These rules are the third set of regulations issued under the newly enacted Telecommunications Act, 2023 (“Telecom Act”). Prior to the finalization of these rules, the DoT released a draft version of the Telecom CTI Rules on August 28, 2024 (“draft rules”), inviting public comments during a thirty-day consultation period. It is important to note that, as of now, the DoT has not made the responses received from stakeholders during the consultation process publicly available. This post includes IFF’s initial analysis of the Telecom CTI Rules.
Important Documents
- Draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (link)
- Notified Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (link)
- IFF’s analysis of the Draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (link)
- IFF’s Consultation Response on the Draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (link)
- The Telecommunications Act, 2023 (link)
- IFF’s first read of the Telecom Bill, 2023 (link)
Background
The Telecom CTI Rules have been released in pursuance of sub-section (4) of section 20 read with clause (w) of sub-section (2) of section 56 of the Telecom Act.
The notified rules do not supersede any existing regulations as the category of Critical Telecommunication Infrastructure (“CTI”) is newly conceptualised. The Telecom CTI Rules create a new category for telecommunication (“telecom”) infrastructure which would be designated as CTI and required to adhere to a higher threshold of compliance requirements.
Key changes in the Telecom CTI Rules following public consultation
Introduction of a portal for digital implementation
Rule 10(1) of the Telecom CTI Rules introduces a portal for the digital implementation of the rules. The draft rules vaguely mentioned that the Union government may specify a forum for digital implementation, while the notified Telecom CTI Rules specify that digital implementation will be through a dedicated portal. The newly introduced portal has been woven into the Telecom CTI Rules as the mechanism for undertaking compliance requirements throughout. As per Rule 3(2), the Union government will specify the form and manner in which telecom entities would provide details regarding telecom networks, services and their elements. Further, Rule 6, which lays down the responsibilities of the Chief Telecommunication Security Officer (“CTSO”), now states that the reporting requirements of the CTSO will be undertaken on the new portal.
In essence, a portal for undertaking compliances under the Telecom CTI Rules is a welcome step that could significantly reduce compliance costs and regulatory burden for telecom companies. However, the actual implementation and efficacy of such a portal remains to be seen.
Modification of compliance standards
The erstwhile Rule 4(2) in the draft rules has been replaced with the insertion of a proviso in Rule 4(a) in the Telecom CTI Rules. Rule 4(2) of the draft rules allowed the Union government to set standards for CTI and mandated that telecom entities be in compliance with the same. However, the newly added proviso to Rule 4(a) of the Telecom CTI Rules has tightened the compliance requirements for telecom entities by providing that in the absence of “Essential Requirements (ERs), Interface Requirements (IRs), Indian Telecommunication Security Assurance Requirements (ITSARs) and specifications, testing requirements, or conformity assessment, as applicable, issued by Telecommunication Engineering Centre, National Centre for Communication Security, or any other person”, telecom entities are only permitted to use CTI which meets relevant standards set by the Union government.
While compliance with relevant specifications and standards for CTI is indeed essential, imposing a restriction on the use of CTI unless it meets standards notified by the Union government is a huge compliance cost which could hinder innovation and infrastructure development. Telecom entities will now have to wait for the government to release standards and carry out tests to ensure that they are in conformity before utilising CTI or any part of it. They would be restricted from piloting any innovative equipment and would be bound to wait for standards to be released by the government and carry out conformity assessments. This is a huge restriction on ease of doing business and is likely to be a significant burden for MSMEs and new entrants into the market.
Inclusion of data retention provisions
Rule 7(1)(c) of the draft rules required the preservation of logs and documentation of the telecom network architecture of the CTI. In the new Telecom CTI Rules, Rule 7(1)(c) now states that such logs and documentation ought to be preserved in a ‘secure manner’ for a minimum period of two (2) years or other such period as may be prescribed by the Union government.
It is laudable that the government has made an effort to include data retention provisions in the Telecom CTI Rules. However, these barely address the data protection concerns that we have with these rules. In our consultation response on the draft rules, we highlighted that the rules give excessive powers to access and store data collected from telecom entities. We emphasised that the access and storage of data have been permitted under the Telecom CTI Rules in the absence of any data protection safeguards, without any checks and balances, and in complete disregard of the ‘privacy by design’ approach. Further, despite incorporating data retention, privacy principles such as storage limitation, purpose limitation, data minimization etc. have not been incorporated. IFF recommended that there be a bar on access by the Union government to the user data maintained by telecom entities. However, this recommendation along with our push for the incorporation of robust privacy principles has been ignored in the Telecom CTI Rules.
Modification in reporting of security incidents
Rule 7(1)(l) of the draft rules required telecom entities to report security incidents to the Union Government within two (2) hours of their occurrence. The corresponding rule in the Telecom CTI Rules (Rule 7(1)(j)) has been modified to allow telecom entities six (6) hours to report security incidents. This timeline for reporting security incidents is identical to the six-hour timeline provided under the Telecommunications (Telecom Cyber Security) Rules, 2024.
IFF in its consultation response had pointed out that the two-hour timeline for reporting security incidents is highly unrealistic and unfeasible for most telecom entities. We had recommended that the timeline for reporting security incidents be increased to seventy-two (72) hours. Our recommendation is in line with global best practices. For instance, in the United States, the Cyber Incident Reporting for Critical Infrastructure Act prescribes a seventy-two (72) hour timeframe to report cyber incidents. Similarly, Article 33 of the General Data Protection Regulation allows for a span of seventy-two (72) hours to notify personal data breaches. However, the recommendation has been disregarded in favour of a minor relaxation from two hours to six hours, and the reporting timeframe still remains highly unrealistic. Instead of a thrust on quick reporting, the focus ought to be on allowing the telecommunication entity adequate response time and realistic timelines for accurate reporting.
Modification in remote access, reporting and upgradation requirements
Under the erstwhile Rule 7(1)(f) of the draft rules, telecom entities were required to obtain prior written approval from the Union government for remote access to CTI for the purpose of repair or maintenance. In the new Telecom CTI Rules, the same provision has been retained in Rule 7(2). However, the new rule comes with additional requirements, namely to (i) provide due intimation of such remote access to the Union government in the form and manner specified on the portal; and (ii) ensure that the logs for such remote access are preserved for at least one (1) year and provided as and when sought by the Union government.
At the outset, requiring prior approval for remote access to conduct repair and maintenance will likely pose a hindrance to telecom entities carrying out both routine maintenance tasks and short-notice urgent repair work. When faced with any pressing issues, telecom entities would be forced to seek approval from the government instead of focusing on resolving those issues at the earliest. This requirement is likely to be a roadblock for quick responses to cybersecurity issues. Instead of seeking prior approval, the Telecom CTI Rules could have implemented a post-facto reporting framework which would have allowed telecom entities to conduct repair and maintenance in a timely manner.
Secondly, the Telecom CTI Rules have inserted Rules 4(3) and 4(4), which require telecom entities to furnish a detailed report on the new portal of the actions taken in pursuance of the list of obligations specified in Rule 4(1). Based on this reporting, the Union government may issue directions, orders or instructions for the protection of CTI or for mitigating risks to such infrastructure. This reporting framework is an additional compliance requirement for telecom entities under the Telecom CTI Rules. The power of the Union government to issue orders for the protection and risk mitigation of CTI is vaguely worded and comes without any checks and balances. This is a wide-ranging power that could potentially be misused to exert influence on telecom entities.
Lastly, the new Telecom CTI Rules have expanded on the approval process for carrying out upgradation in Rule 8. The draft rules required telecom entities to inform the Union government prior to undertaking upgradation of equipment and seek prior permission. However, the notified Telecom CTI Rules require telecom entities to make an application on the portal regarding such upgradation, which would be processed by the Union government in fourteen (14) days. The complication of upgradation approvals heightens the concerns we highlighted in our consultation response. We pointed out that a requirement for prior permission for upgrading CTI would result in significant compliance costs and inefficiencies for telecom entities. Instead of fast-tracking upgradation procedures, telecom entities would now be forced to wait for permission to carry out upgradation activities, even if they are routine in nature. The only positive on this front is Rule 8(5) of the Telecom CTI Rules, which allows telecom entities to carry out upgradation activities necessary for addressing or mitigating the adverse effects of a security incident, as long as they make an application within twenty-four (24) hours of such upgradation.
Conclusion
While the Telecom CTI Rules have addressed a few concerns raised in the public consultation and taken steps in the right direction, several of our concerns still remain. For instance, on a conceptual level, the parameter for designation of CTI, i.e., ‘whether the destruction of the telecom network would have an impact on the national security, economy, public health or safety of the nation’, is overbroad, ambiguous, and could potentially be applied arbitrarily. Due to the vagueness of the parameters for CTI identification, the potential for misuse of CTI designation to subject telecom entities to a higher threshold of compliance and scrutiny is a concerning prospect. The Telecom CTI Rules echo the gaps in the draft rules when it comes to excessive powers for the Union government and the absence of data protection safeguards.