PTA has finalized the Critical Telecom Data and Infrastructure Security Regulations 2025 (CTDISR-2025) and invited feedback from stakeholders before enforcement. The new framework aims to improve cybersecurity readiness, mandate data localization, and safeguard Pakistan’s critical telecom infrastructure against evolving cyber threats. Telecom operators, including mobile companies and ISPs, are expected to align their systems with the new security standards before full implementation.
Under the CTDISR-2025, telecom operators will be required to establish local data centers and implement robust disaster recovery and business continuity plans. Each operator will form an Information Security Steering Committee (ISSC), chaired by its CEO, and appoint a Chief Information Security Officer (CISO) to ensure compliance with cybersecurity policies. The regulations follow a Zero Trust Security Model, which assumes no user or device is trusted by default, and all access must be verified continuously. The standards are aligned with international cybersecurity frameworks such as ISO 27001, NIST, and ITU guidelines, ensuring consistency with global practices.
The regulations also require telecom operators to conduct periodic risk assessments, penetration testing, and third-party security audits. These assessments will help identify vulnerabilities and strengthen network defenses. Any major cyber incidents, including critical or high-severity data breaches, must be reported to PTA’s National Telecom Computer Emergency Response Team (nTCERT) within 24 hours, followed by a detailed report within five working days. The move reflects PTA’s intent to enhance response mechanisms and improve coordination between telecom licensees and national cybersecurity authorities.
PTA will also be empowered to inspect and, if necessary, restrict or ban the use of foreign technologies, software, or hardware components that could pose potential risks to national security. The new framework places emphasis on securing vendor supply chains and enforcing access control measures to ensure sensitive data remains protected. Telecom operators will need to maintain secure repositories, apply Zero Trust and Access Control policies, and continuously monitor their systems for security compliance.
PTA has published the draft of CTDISR-2025 on its official website and invited public comments until November 7, 2025. Stakeholders including telecom providers, cybersecurity experts, and IT firms are encouraged to provide their feedback through the designated online submission portal. Once implemented, CTDISR-2025 will replace the 2020 regulations, establishing an updated national standard for telecom data protection, cyber risk management, and regulatory compliance in Pakistan’s rapidly evolving digital landscape.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
