Pakistan Telecommunication Authority (PTA) has finalized the new Critical Telecom Data and Infrastructure Security Regulations 2025 (CTDISR-2025) and invited feedback from stakeholders before their official implementation. These regulations represent a major step toward enhancing data protection, cybersecurity resilience, and national digital security for Pakistan’s telecom sector.
Under CTDISR-2025, all telecom operators, including mobile network providers and internet service providers (ISPs), will be required to localize user data, implement disaster recovery systems, and develop business continuity plans to secure Pakistan’s Critical Information Infrastructure (CII). Each company will need to establish an Information Security Steering Committee (ISSC) chaired by its CEO and appoint a Chief Information Security Officer (CISO) responsible for maintaining and enforcing cybersecurity compliance. The regulations are designed to align with the Zero Trust Security Model, which means no user or device will be inherently trusted, and verification will be mandatory for every access attempt.
The new framework is based on international best practices such as ISO 27001, NIST, and ITU guidelines, ensuring consistency with global cybersecurity standards. Telecom operators will be obligated to conduct annual risk assessments, perform vulnerability testing, and undergo independent third-party cybersecurity audits. These steps are intended to proactively identify and mitigate potential risks before they evolve into large-scale threats. In cases of Critical or High-severity security incidents, including data breaches or cyberattacks, operators will be required to notify PTA’s National Telecom Computer Emergency Response Team (nTCERT) within 24 hours and provide a comprehensive report within five working days.
The regulations also grant PTA authority to inspect, restrict, or ban the use of foreign software, hardware, or digital services that could pose national security threats. Telecom operators must therefore ensure that their infrastructure and supply chain meet security standards approved by the regulator. Additionally, the framework mandates that companies maintain secure data repositories, enforce vendor and third-party security protocols, and monitor risks continuously through real-time incident management systems. The introduction of a Zero Trust and Access Control Policy will be essential to safeguarding customer information and reducing exposure to unauthorized access.
The draft version of CTDISR-2025 has been published on PTA’s official website, where telecom operators, IT service providers, and cybersecurity experts have been invited to share their comments by November 7, 2025, using the prescribed feedback format. Once the consultation period concludes, PTA will finalize the regulations and replace the existing 2020 framework. The updated rules are expected to set a new national benchmark for cybersecurity governance, data localization, and infrastructure protection in Pakistan’s telecom industry, strengthening the sector’s overall resilience against evolving digital threats.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
