In a major development toward enhancing national cybersecurity, the federal government has officially declared the digital systems and data assets of the Federal Board of Revenue (FBR), the National Database and Registration Authority (NADRA), and the IMMPASS platform as “Critical Information Infrastructures” (CIIs). This classification, granted under the Prevention of Electronic Crimes Act (PECA) 2016 and the Computer Emergency Response Team (CERT) Rules 2023, recognizes the vital role these entities play in Pakistan’s digital ecosystem and the need to secure them against potential cyber threats.
The decision places these organizations at the center of Pakistan’s cybersecurity agenda, obligating them to implement enhanced, proactive measures to protect sensitive information and digital infrastructure. This move also legally empowers authorities to initiate punitive actions—including investigations, prosecutions, and convictions—against individuals or groups attempting to compromise these CIIs. The goal is to significantly elevate the resilience of Pakistan’s critical systems against escalating cyber threats.
According to the Minister of State for IT and Telecommunication, Shaza Fatima, the designation will also extend to the licensees of these organizations, compelling them to adhere to elevated cybersecurity protocols. The minister emphasized that this step is essential in safeguarding national data assets and public trust in key digital services, particularly as the country rapidly transitions toward a more digitized governance model.
While NADRA and FBR have been officially recognized as CIIs, a summary is currently under federal cabinet review to extend this status to the Pakistan Telecommunication Authority (PTA) and the wider telecom sector. Given the telecom industry’s integral role in supporting national communication networks and digital services, the proposed designation is expected to enhance cyber resilience across an even broader spectrum of critical services.
Simultaneously, the CERT Council—established under Rule 4(2) of the CERT Rules 2023—has proposed the formation of both provincial and sector-specific Computer Emergency Response Teams to further strengthen the country’s cyber response capacity. Recommendations include setting up CERTs in Punjab, Sindh, Khyber Pakhtunkhwa, Balochistan, Azad Jammu & Kashmir, and Gilgit-Baltistan. Sectoral CERTs have also been proposed for the Defense, Telecom, and Community sectors. These proposals are currently awaiting formal cabinet approval.
The CERTs are envisioned to play a pivotal role in detecting threats, responding to cyber incidents, and enhancing the overall system resilience of key public and private institutions. Their implementation would mark a crucial step in the institutionalization of cybersecurity practices in Pakistan, shifting the approach from reactive to preventive.
The CERT Council itself functions as the coordinating and advisory body for these specialized teams and is chaired by the Secretary of the Ministry of IT and Telecommunication (MoITT). Its membership includes key representatives from the Ministry of Defense, Ministry of Interior, Ministry of Foreign Affairs, PTA, academia, industry, and civil society. This multi-stakeholder composition aims to foster a comprehensive and collaborative framework for cybersecurity governance across various sectors.
As the frequency and sophistication of cyber threats continue to evolve, the government’s decision to classify NADRA, FBR, and IMMPASS as Critical Information Infrastructures marks a decisive move to shore up the country’s cyber defenses. By ensuring that high-value digital assets are protected through legal, administrative, and technical safeguards, Pakistan is taking concrete steps to secure its digital future.
