The government has introduced new telecom cybersecurity rules to protect India's communication networks and services. These rules include steps like requiring telecom companies to report security incidents and share relevant information within specified timelines.

In order to maintain cyber security, the regulations also give the federal government or its designated agency the authority to request traffic data and any other information (apart from message content) from a telecom company. A telecom cyber security strategy, which would cover security measures, risk management strategies, actions, training, network testing and risk assessment, would also need to be adopted by telecom corporations. 

"The central government, or any agency authorised by the central government, may, for the purposes of protecting and ensuring telecom cyber security, seek from a telecommunication entity, traffic data and any other data, other than the content of messages, in the form and manner as may be specified by the central government on the portal; and direct a telecommunication entity to establish necessary infrastructure and equipment for collection and provision of such data from designated points to enable its processing and storage," according to the rules framed under the new Telecom Act.

According to the statement, the government and any agency it has authorised to gather data under these regulations, along with the individuals with whom such data is shared, will put in place sufficient protections to guarantee that the data is kept in absolute confidence and that unauthorised access is avoided. Telecom cyber security responsibilities are spelt out in detail in the regulations. "No person shall endanger telecom cyber security by misuse of telecommunication equipment or telecommunication identifier or telecommunication network or telecommunication services or by fraud, cheating or personation; transmitting any message which is fraudulent; committing or intending to commit any security incident; engaging in any other use which is contrary to the provision, of any other law for the time being in force; or any other means which may have security risk on telecom cyber security," according to the rules," it said.

Telecom companies will now need to follow specific rules to improve cyber security. This includes creating a clear cyber security policy that outlines steps for protecting their networks, managing risks, training employees, and using the best security practices and technologies. The policy must also cover testing the telecom network for weaknesses, assessing vulnerabilities and risks, and taking steps to prevent security breaches. It should include a quick-response system to handle security incidents, with actions to reduce their impact. Additionally, forensic analysis must be done on security incidents to learn from them and improve future cyber security measures.

A Chief Telecommunication Security Officer must be appointed by telecom companies, and security problems must be reported to the Centre within six hours, along with "relevant details of the affected system including the description of such incident." Telecom companies must report details of a security incident within 24 hours. They need to provide information about the number of users affected, how long the issue lasted, which areas were impacted, how the network or service was affected, and the steps taken or planned to fix the problem.

Additionally, equipment manufacturers must register the International Mobile Equipment Identity (IMEI) numbers of their devices with the government before selling them for the first time in India. A telecommunication entity is anyone who provides telecommunication services or is involved in setting up, operating, maintaining, or expanding a telecommunication network, including any authorised organisation that has received permission to do so.