The Pakistan Telecommunication Authority (PTA) has finalized the new Critical Telecom Data and Infrastructure Security Regulations 2025 (CTDISR-2025) and invited feedback from stakeholders before their implementation.
Under the proposed regulations, telecom companies will be required to localize data, set up disaster recovery and business continuity plans, and take comprehensive steps to protect Pakistan’s Critical Information Infrastructure (CII) from cyber threats.
The CTDISR-2025 introduces a detailed security framework for all telecom licensees, including mobile operators and internet service providers (ISPs). Each company will need to form an Information Security Steering Committee (ISSC) chaired by its CEO and appoint a Chief Information Security Officer (CISO) to ensure compliance with cybersecurity standards.
The regulations are based on a Zero Trust Security Model, which means that no user or device will be automatically trusted—access will always need to be verified. The framework follows international best practices such as ISO 27001, NIST, and ITU recommendations.
As part of the new requirements, telecom operators must conduct annual risk assessments, vulnerability testing, and third-party cybersecurity audits to identify and fix any potential weaknesses. Any Critical or High-severity incidents—such as cyberattacks or data breaches—must be reported to the PTA’s National Telecom Computer Emergency Response Team (nTCERT) within 24 hours, with a detailed report submitted within five working days.
The PTA will also have the authority to inspect, restrict, or ban the use of foreign software, hardware, or services that could pose a national security risk.
Additionally, telecom companies will be required to maintain secure information repositories, enforce vendor and supply chain security protocols, and ensure compliance through continuous risk monitoring and incident management. A Zero Trust and Access Control Policy will be mandatory to prevent unauthorized access and protect customer data.
The PTA has published the draft regulations on its official website and invited public comments by November 7, 2025. Stakeholders, including telecom operators, IT firms, and cybersecurity experts, have been asked to provide feedback using the prescribed online format.
Once finalized, CTDISR-2025 will replace the 2020 framework and set a new benchmark for telecom data protection and cybersecurity resilience in Pakistan.


No, it isn't. Sadly, this time you missed the mark, Jehangir. Pity.
PTA is not doing anything like that.
Pakistan doesn’t have a data protection policy, and our data is accessed by the American government.
We don’t keep servers with our people's data like China or Europe does.
So we don’t have any protection.
To implement any policy or rule, we have people who conduct the operation.
The problem is not with machines but with people who betray their own people because they are corrupt and immune to any accountability.
So what is important is that we must have people in public service who are not corrupt and selling people's interests for their little personal gains.
Such people don’t protect data, your natural resources, even your health, education, you name it.
And the grave problem is that this menace is present like a cancer in all institutions as our internal enemy, which is always pulling the nation behind.
Example is PIA, Steel Mills, IPPs, and not even a single public or private business where they have their negative influence.
The need of the hour is that we must focus on a zero tolerance to corrupt and corruption policy and make our whole public service institutions free of them.
The good option we have available in the constitution is invoking Article Six against all such elements, because they are guilty of betrayal of their oaths to protect the life, honor and property of each citizen indiscriminately.
Alhamdolilah