Complete guide to TRAI / DoT cyber rules

01Regulatory landscape

Telecom in India is governed by a layered regime: the Telecommunications Act 2023 (replacing the colonial-era Indian Telegraph Act 1885) is the apex law; DoT (Department of Telecommunications) issues licences and security directions; TRAI (Telecom Regulatory Authority of India) regulates tariffs, quality of service, commercial communications, and consumer protection; NCIIPC oversees Critical Information Infrastructure including major telecom networks; and CERT-In's April 2022 directions impose log-retention and incident-reporting obligations.

02Who it applies to

• Telecom Service Providers (TSPs) — Jio, Airtel, Vi, BSNL, MTNL.
• Internet Service Providers (ISPs) — including last-mile and enterprise ISPs.
• Virtual Network Operators (VNOs) — Unified Licence VNO category.
• Niche licensees — IP-1 (passive infra), Mobile Number Portability, satellite licensees.
• OTT communication services — debate continues on whether WhatsApp / Signal-style services come under telecom; current position varies.
• Vendors — equipment vendors covered by Trusted Telecom Portal / Trusted Source rules.

03Unified Licence security obligations

The Unified Licence (UL) is the primary commercial framework and includes detailed security conditions:

• Network security — segregation, hardening, monitoring per DoT-approved security policy.
• Equipment from Trusted Sources — for designated network elements; the Trusted Telecom Portal lists approved sources.
• Indian-controlled OMC / NMS — Operations and Maintenance Centres / Network Management Systems controlled from India.
• Background-verified personnel for access to designated network elements.
• Encryption — restricted by DoT-approved standards; specific limits on encryption in certain user-facing services.

04Lawful interception

• Lawful Interception & Monitoring (LIM) systems mandatory for designated services; specifications issued by DoT.
• Centralised Monitoring System (CMS) — DoT-controlled platform that interfaces with LIM systems.
• Authorisation — interception permitted only on orders from designated authorities; logs of interception requests maintained.
• Compliance officer — designated point of contact; audited by DoT.

05Data localisation

• Customer Application Data (CAF) — must be stored in India.
• Call Data Records (CDR), IP Detail Records (IPDR) — stored in India for the prescribed retention period.
• Subscriber data — including tower data; primary copy in India.
• Cross-border transfer — restricted; specific safeguards required for transit interconnections.

06NCIIPC & CII

Major telecom networks are designated Critical Information Infrastructure (CII) under IT Act §70:

• Inventory of designated CII components shared with NCIIPC.
• Security audit via CERT-In empanelled vendor on the prescribed cadence.
• Incident reporting to NCIIPC on top of CERT-In notification.
• Threat-intel sharing through NCIIPC channels.
• Designated officer for NCIIPC liaison.

07Annual security audit

• Annual audit by CERT-In empanelled auditor of network security posture.
• VAPT covering customer-facing services, signalling, network management interfaces.
• Audit report submission to DoT / TRAI / NCIIPC depending on the asset type.
• Remediation tracking — DoT can demand evidence of remediation.

08TRAI commercial-comms / spam

TRAI's anti-spam regime has evolved substantially:

• TCCCPR 2018 / amendments — Telecom Commercial Communications Customer Preference Regulations.
• DLT (Distributed Ledger Technology) — enterprise registration platform for SMS senders, headers, and templates.
• AI-driven UCC detection — TRAI's 2024+ direction requiring TSPs to use AI/ML for unsolicited commercial communication detection.
• Voice anti-spam pilots — calling-name display, AI-driven scam-call labelling.
• Penalties — graduated from warnings to financial deductions for non-compliance.

09Telecom Act 2023

• Authorisation regime replacing the older licensing framework.
• Spectrum allocation rules including administrative allocation for satellite.
• User protection provisions including specific consent requirements for commercial messages.
• Standards-setting powers to the Central Government.
• Penalties reformed; civil + criminal penalties for unauthorised activities.
• Right of way rules for telecom infrastructure deployment.
• Implementation — Rules being notified in tranches; some provisions in force, others awaited.

10Incident reporting

11Common mistakes

• Pre-2024 contracts with vendors not from Trusted Sources for designated network elements.
• OMC / NMS partially controlled from outside India.
• Background verification not refreshed on renewals; access continues with stale clearances.
• CDR / IPDR stored on cloud regions outside India for "performance reasons."
• Annual audit performed by a non-empanelled vendor; report rejected.
• DLT registrations stale; SMS headers / templates not refreshed.
• NCIIPC liaison officer designation lapsed.
• CERT-In April 2022 direction non-implementation: log-retention, time-sync, incident reporting.

1290-day roadmap

• Days 1–15. UL / authorisation review; designated network elements inventoried; Trusted Source compliance gap-register.
• Days 15–30. OMC / NMS Indian-control evidence; background-verification refresh for personnel with privileged access.
• Days 30–50. CDR / IPDR / CAF localisation audit; remediation of non-compliant storage.
• Days 50–65. Annual audit scoped with CERT-In empanelled vendor; LIM compliance check.
• Days 65–80. NCIIPC inventory + liaison-officer refresh; threat-intel ingestion confirmed.
• Days 80–90. TRAI DLT compliance; AI-UCC detection plan; Telecom Act 2023 transition tracking; submission preparation.