Pakistan Telecommunication Authority (PTA) has unveiled a revised framework for telecom sector security under its updated Critical Telecom Data and Infrastructure Security Regulations (CTDISR-2025). The new regulatory regime replaces the earlier 2020 version, signaling a stronger compliance approach to address growing cyber threats and evolving digital risks. The revised framework was highlighted in PTA’s Annual Cyber Security Report 2024-25, which emphasized the need to modernize security requirements across telecom operators and licensees.
According to the report, nearly all provisions from CTDISR-2020 were reviewed, consolidated, or refined to reduce duplication and ensure operational clarity. The regulator stated that CTDISR-2025 represents a move away from reactive cybersecurity practices and introduces proactive, risk-based governance to mitigate threats before they escalate. This transformation was informed by regulatory audits, consultations with industry stakeholders, and an analysis of emerging global cybersecurity trends. PTA emphasized that the revisions were designed to support consistent implementation across the sector and close gaps that had previously been exploited.
One of the most significant changes is the expansion of compliance requirements into new domains, including Asset Management, Risk Management, Data Privacy, Cloud Security, Insider Threat Detection, Business Continuity Planning, HR Controls, and defined roles for information security staff. Strengthened access control measures, such as mandatory multi-factor authentication and role-based access systems, have been mandated. PTA has also formally integrated real-time intelligence sharing by requiring telecom operators to connect with the National Telecom Security Operations Center (nTSOC). This step aims to strengthen coordinated incident response at the national level and foster collective defense mechanisms across the sector.
The framework also incorporates provisions designed to reduce risks stemming from human factors and external vendors. By mandating insider threat detection mechanisms, HR-driven security controls, and vendor risk management, CTDISR-2025 seeks to address vulnerabilities beyond purely technical domains. Additionally, business continuity and disaster recovery planning are now required components, ensuring operators remain resilient during disruptions caused by ransomware, supply-chain compromises, or large-scale cyberattacks. PTA stated that these measures will increase confidence in telecom services and reduce systemic risks that could impact millions of users.
CTDISR-2025 has been aligned with international standards such as ISO/IEC 27001 and NIST Cybersecurity Framework, while also supporting the objectives of Pakistan’s National Cybersecurity Policy 2021. By adopting these best practices, the updated framework places Pakistan’s telecom sector in a stronger position to address emerging threats, including AI-driven attacks and sophisticated ransomware campaigns. PTA expects that these measures will help safeguard critical telecom infrastructure, raise the country’s cybersecurity maturity, and strengthen its overall standing in the Global Cyber Security Index.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
