The Pakistan Telecommunication Authority (PTA) has finalized a new regulatory framework aimed at fortifying cybersecurity and ensuring greater data sovereignty across the telecom sector. Under the new Critical Telecom Data and Infrastructure Security Regulations (CTDISR), all licensed telecom operators will now be required to host their data within Pakistan, ensuring that sensitive information remains under national jurisdiction.
The PTA has circulated the draft regulations to industry stakeholders, inviting feedback by November 7, 2025, before full enforcement begins. The framework emphasizes data protection, network resilience, and consumer privacy, marking a major step in Pakistan’s digital infrastructure governance.
Key Regulatory Highlights
- Mandatory Local Data Hosting:
All telecom operators must store customer and operational data within Pakistan to strengthen digital sovereignty and reduce exposure to foreign cybersecurity risks. - Appointment of CISOs:
Each company must appoint a Chief Information Security Officer (CISO) responsible for implementing security frameworks, monitoring cyber threats, and ensuring compliance with national cybersecurity standards. - Risk Management & Business Continuity:
Operators are required to conduct annual risk assessments and independent cyber audits, and to maintain robust Disaster Recovery and Business Continuity Plans to minimize downtime during cyber incidents. - Zero Trust Security Model:
The regulations mandate adoption of a Zero Trust Security Model, requiring continuous verification of users and devices to prevent unauthorized access. - Incident Reporting & Oversight:
In the event of a major cyber breach, operators must report incidents within 24 hours to the PTA. The authority retains the right to ban non-compliant foreign software or equipment deemed a cybersecurity risk. - Governance & Supply Chain Security:
Telecom firms must establish Information Security Steering Committees and ensure security protocols across their supply chains to address third-party vulnerabilities.
These new rules are designed to enhance Pakistan’s cyber resilience, improve oversight of critical telecom infrastructure, and strengthen public trust in digital communications. The PTA has underscored that adherence to CTDISR will be essential for maintaining both national security and consumer data integrity in an increasingly connected economy.
