FBR, NADRA Declared Critical Information Infrastructures

The federal government has declared the information systems and data of key national entities NADRA, IMMPASS, and the Federal Board of Revenue (FBR) as “Critical Information Infrastructures” (CIIs), under the Prevention of Electronic Crimes Act (PECA) 2016 and the Computer Emergency Response Team (CERT) Rules 2023. A summary for declaring the Pakistan Telecommunication Authority (PTA) and the broader telecom sector as CIIs is currently under review by the federal cabinet. According to IT Minister Shaza Fatima, the designation of these institutions as CIIs will require the respective organizations and their licensees to implement stringent and proactive cyber security measures. It will also empower competent authorities to take punitive actions, including legal proceedings, investigations, prosecutions, and convictions of cybercriminals, under applicable laws relevant to CIIs. The minister further said that the CERT Council, established under Rule 4(2) of the CERT Rules 2023, has recommended the formation of Provincial CERTs in Punjab, Sindh, Khyber Pakhtunkhwa, Balochistan, Azad Jammu & Kashmir, and Gilgit-Baltistan. Additionally, Sectoral CERTs for Defense, Telecom, and Community sectors have also been proposed. The summary for cabinet approval of these recommendations is currently in process. CERTs at both national and sub-national levels are expected to enhance the country’s overall cybersecurity posture. These specialized teams will focus on improving threat detection, incident response, and system resilience, thereby strengthening national defense against evolving cyber threats. The CERT Council, chaired by the secretary of IT and Telecommunication (MoITT), functions as a consultative and coordinating forum to advise and guide CERTs across sectors. It comprises members from the Ministry of Defense, Ministry of Interior, Ministry of Foreign Affairs, PTA, as well as representatives from academia, industry, and civil society, ensuring a broad-based and collaborative approach to cybersecurity governance.