The new Critical Telecom Data and Infrastructure Security Regulations 2025 (CTDISR-2025) have been finalized by the Pakistan Telecommunication Authority (PTA), and prior to their implementation, stakeholders were invited to provide feedback.
Telecom companies will be required to localize data, create plans for disaster recovery and business continuity, and take comprehensive measures to safeguard Pakistan’s Critical Information Infrastructure (CII) from cyber threats under the proposed regulations.
A comprehensive security framework for all telecom licensees, including mobile operators and internet service providers (ISPs), is introduced in the CTDISR-2025.
To ensure compliance with cybersecurity standards, each business will need to establish an Information Security Steering Committee (ISSC) led by its CEO and appoint a Chief Information Security Officer (CISO).
The regulations are based on a Zero Trust Security Model, which means that no user or device will be automatically trusted—access will always need to be verified.
The framework adheres to ISO 27001, NIST, and ITU recommendations, among other international best practices.
Telecom operators are now required to carry out annual risk assessments, vulnerability tests, and third-party cybersecurity audits in order to discover and address any potential flaws. A detailed report must be submitted to the PTA’s National Telecom Computer Emergency Response Team (nTCERT) within five working days of any Critical or High-severity incidents, such as cyberattacks or data breaches.
The PTA will also have the authority to inspect, restrict, or ban the use of foreign software, hardware, or services that could pose a national security risk.
In addition, telecom companies will be required to ensure compliance through continuous risk monitoring and incident management, enforce vendor and supply chain security protocols, and maintain secure information repositories.
A Zero Trust and Access Control Policy will be mandatory to prevent unauthorized access and protect customer data.
On its official website, the PTA has made the draft regulations available for public comment until November 7, 2025. Using the prescribed online format, stakeholders—including telecom operators, IT firms, and cybersecurity experts —have been asked to provide feedback.
The CTDISR-2025 framework will replace the 2020 framework and establish a new standard for Pakistan’s cybersecurity resilience and telecom data protection.
For more daily updates, please visit our News Section.