The Ministries of Communications and Electronics and Information Technology (MeitY) have reportedly begun discussions on rationalising audit and compliance reporting requirements under cybersecurity rules applicable to telecom service providers. The discussions are primarily aimed at improving ease of doing business.
No changes to the broader regulatory framework or rules are under consideration, but that the dual structures for audit and compliance reporting by carriers may be examined for rationalisation.
Further, the initial discussions between the Indian Computer Emergency Response Team (CERT-In), which operates under MeitY, and the Department of Telecommunications (DoT) have already taken place. A working group comprising officials and industry representatives has been formed to identify overlaps and potentially designate a single reporting body.
Under the Telecom Cybersecurity Rules, 2024 issued by DoT, carriers are required to report breach incidents within six hours and retain logs and records for up to two years. They are also subject to a range of security and data obligations, including lawful interception, data retention, subscriber know-your-customer requirements and data localisation expectations.