Pakistan Telecommunication Authority (PTA) has finalized the Critical Telecom Data and Infrastructure Security Regulations (CTDISR) 2025, marking a major step toward data localization and enhanced cybersecurity across the nation’s telecom sector. The new framework requires telecom operators to host critical data within Pakistan, implement disaster recovery and business continuity measures, and adopt robust security protocols to protect the country’s Critical Information Infrastructure. The regulations aim to strengthen Pakistan’s telecom ecosystem, aligning national standards with international cybersecurity frameworks such as ISO 27001, NIST, and ITU recommendations. Stakeholder feedback has been invited before full implementation, ensuring that operators, IT companies, and cybersecurity professionals can contribute to the final framework.
Under CTDISR 2025, every telecom operator is expected to establish an Information Security Steering Committee chaired by the CEO and appoint a Chief Information Security Officer to oversee compliance. The regulations follow a Zero Trust Security Model, ensuring that no user or device is considered trustworthy without verification. Operators will be required to maintain secure information repositories, enforce vendor and supply chain security protocols, and continuously monitor their networks to manage incidents effectively. These measures are designed to safeguard user data and prevent unauthorized access, enhancing the resilience of Pakistan’s digital communication infrastructure.
Telecom companies will also be subject to strict auditing and reporting requirements. Annual risk assessments, vulnerability scans, and third-party cybersecurity audits will be mandatory to identify and address weaknesses proactively. Any critical or high-severity incidents, including data breaches, must be reported to PTA’s National Telecom Computer Emergency Response Team within 24 hours, followed by a detailed report within five working days. PTA retains the authority to inspect, restrict, or block foreign hardware, software, or services that may pose a risk to national security, reinforcing control over sensitive data and critical operations.
The draft CTDISR 2025 has been published on PTA’s official website, with public comments invited until November 7, 2025. Feedback from stakeholders will guide final adjustments to the framework, which will replace the older 2020 rules and establish a new benchmark for telecom data security in Pakistan. By implementing these regulations, PTA aims to create a secure, resilient, and compliant telecom ecosystem, strengthening user protection and ensuring that national digital infrastructure meets international cybersecurity standards. The initiative is part of a broader effort to advance data localization and cybersecurity practices, promoting accountability and operational excellence across Pakistan’s telecommunications sector.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
