PTA Tightens Telecom Cybersecurity with Mandatory Local Data Hosting and Zero-Trust Rules

The Pakistan Telecommunication Authority (PTA) has issued a new set of cybersecurity regulations for licensed telecom operators, finalizing the Critical Telecom Data and Infrastructure Security Regulations 2025 (CTDISR-2025). The updated framework aims to strengthen Pakistan’s critical information infrastructure by introducing strict data localization measures, enforcing a zero-trust security model, and setting new governance and reporting standards across the telecom sector.

Under the CTDISR-2025, all data classified as critical information infrastructure must be stored and processed within Pakistan unless the Authority grants explicit written approval for cross-border transfers. The PTA will also have the authority to restrict or prohibit the use of foreign software, hardware, or cloud services that pose security concerns. These measures mark a shift towards tighter supply chain controls and greater national oversight of data flows.

Each telecom operator will be required to appoint a Chief Information Security Officer (CISO) at the executive level and establish an Information Security Steering Committee (ISSC) headed by the CEO to oversee compliance. This committee will be responsible for approving security policies, managing risk assessments, and ensuring that adequate resources are allocated for information security.

The regulations further mandate all licensees to maintain disaster recovery and business continuity plans, conduct annual business impact analyses, and establish network and power redundancies to ensure operational resilience. Regular vulnerability testing, penetration audits, and timely remediation will be compulsory under the new standards.

Cyber incident management requirements have also been tightened. Any critical or high-severity cybersecurity incident must be reported to the PTA within 24 hours, followed by a comprehensive investigation report within five working days. Operators will also be required to preserve digital evidence and cooperate fully with regulatory inquiries.

Telecom companies must now maintain supply chain security, including vendor risk assessments and contractual safeguards to ensure compliance with the same standards. The regulations further require that cloud or backup infrastructure used by telecom companies remain within Pakistan’s jurisdiction to safeguard consumer data.

The CTDISR-2025 replaces the 2020 cybersecurity framework and broadens the PTA’s enforcement powers. Non-compliance may lead to legal penalties, audits, or regulatory action. The PTA has invited industry feedback on the draft and set 7 November as the deadline for public comments before final implementation.

The new regulations represent a major step in strengthening Pakistan’s cybersecurity posture. While telecom operators may face significant compliance costs, the framework aims to protect national infrastructure, prevent cyberattacks, and enhance user data privacy in an increasingly digital ecosystem.
