The Pakistan Telecommunication Authority (PTA) has finalized new Critical Telecom Data and Infrastructure Security Regulations 2025 (CTDISR-2025) and invited feedback from stakeholders before their implementation.
Under the proposed regulations, telecom companies will be required to localize data, set up disaster recovery and business continuity plans, and take comprehensive steps to protect Pakistan’s Critical Information Infrastructure (CII) from cyber threats.
The CTDISR-2025 introduces a detailed security framework for all telecom licensees, including mobile operators and internet service providers (ISPs). Each company will need to form an Information Security Steering Committee (ISSC) chaired by its CEO and appoint a Chief Information Security Officer (CISO) to ensure compliance with cybersecurity standards.
The regulations are based on a Zero Trust Security Model, which means that no user or device will be automatically trusted—access will always need to be verified. The framework follows international best practices such as ISO 27001, NIST, and ITU recommendations.
As part of the new requirements, telecom operators must conduct annual risk assessments, vulnerability testing, and third-party cybersecurity audits to identify and fix any potential weaknesses. Any Critical or High-severity incidents—such as cyberattacks or data breaches—must be reported to the PTA’s National Telecom Computer Emergency Response Team (nTCERT) within 24 hours, with a detailed report submitted within five working days.
The PTA will also have the authority to inspect, restrict, or ban the use of foreign software, hardware, or services that could pose a national security risk.
Additionally, telecom companies will be required to maintain secure information repositories, enforce vendor and supply chain security protocols, and ensure compliance through continuous risk monitoring and incident management. A Zero Trust and Access Control Policy will be mandatory to prevent unauthorized access and protect customer data.
The PTA has published the draft regulations on its official website and invited public comments by November 7, 2025. Stakeholders, including telecom operators, IT firms, and cybersecurity experts, have been asked to provide feedback using the prescribed online format.
Once finalized, CTDISR-2025 will replace the 2020 framework and set a new benchmark for telecom data protection and cybersecurity resilience in Pakistan.
Get the latest tech news, telecom insights, and product launches wherever you prefer.
Add ProPakistani to Preferred Sources and see more of our stories in Google Search and Top Stories.