
NTISB — National Telecom & Information Security Board

Cybersecurity Standards, IT Security Certification & Risk Assessment

NTISB 5G Security Guidelines CS Strategy 2023-28

Key Data & Rates

Pakistan Cybersecurity Frameworks Overview
Key cybersecurity regulatory frameworks applicable to IT companies Verified May 3, 2026

| Framework | Issuing Authority | Scope | Year | Reference |
|---|---|---|---|---|
| National Cyber Security Policy 2021 | Ministry of IT & Telecom | All sectors, national-level strategy | 2021 | National Cyber Security Policy 2021 |
| PTA Cyber Security Strategy 2023-2028 | Pakistan Telecommunication Authority | Telecom sector | 2023 | PTA Cyber Security Strategy 2023... |
| PTA National CS Framework for Telecom | Pakistan Telecommunication Authority | Telecom operators and ISPs | 2022 | PTA National CS Framework for Te... |
| PTA Critical Telecom Data Regulation | Pakistan Telecommunication Authority | Critical telecom data handling | 2023 | PTA Critical Telecom Data Regula... |
| PTA 5G Security Guidelines 2026 | Pakistan Telecommunication Authority | 5G network deployments | 2026 | PTA 5G Security Guidelines 2026 |
| PECA 2016 | Government of Pakistan | Electronic crimes and cyber offenses | 2016 | PECA 2016 |

Cybersecurity Regulatory Timeline
Key milestones in Pakistan cybersecurity regulation Verified May 3, 2026

| Year | Development | Reference |
|---|---|---|
| 2016 | PECA (Prevention of Electronic Crimes Act) enacted | PECA 2016 Enacted |
| 2021 | National Cyber Security Policy adopted | National Cyber Security Policy 2021 |
| 2022 | PTA National Cyber Security Framework for Telecom issued | PTA National CS Framework for Te... |
| 2023 | PTA Cyber Security Strategy 2023-2028 launched | PTA Cyber Security Strategy 2023... |
| 2023 | Critical Telecom Data Regulations issued by PTA | PTA Critical Telecom Data Regula... |
| 2026 | PTA 5G Security Guidelines released | PTA 5G Security Guidelines 2026 |

PECA 2016 Penalty Provisions
Penalties under Prevention of Electronic Crimes Act Verified May 3, 2026

| Offense | Section | Penalty | Reference |
|---|---|---|---|
| Unauthorized access to information system | 3 | Up to 6 months imprisonment or Rs.50,000 fine or both | PECA 2016, Section 3 — Unauthori... |
| Unauthorized copying of data | 4 | Up to 6 months imprisonment or Rs.50,000 fine or both | PECA 2016, Section 4 — Unauthori... |
| Interference with information system | 5 | Up to 2 years imprisonment or Rs.500,000 fine or both | PECA 2016, Section 5 — Interfere... |
| Unauthorized access to critical infrastructure | 5 | Up to 3 years imprisonment or Rs.1 million fine or both | PECA 2016, Section 6 — Unauthori... |
| Glorification of offence/terrorism online | 8 | Up to 7 years imprisonment or Rs.10 million fine or both | PECA 2016, Section 8 — Glorifica... |
| Cyber terrorism | 10 | Up to 14 years imprisonment or fine up to Rs.50 million | PECA 2016, Section 10 — Cyber Te... |
| Spoofing | 11 | Up to 3 years imprisonment or Rs.500,000 fine or both | PECA Amendment 2023, Section 11 ... |
| Cyber stalking | 21 | Up to 3 years imprisonment or Rs.1 million fine or both | PECA Amendment 2023, Section 24 ... |


Details & Regulations

AUDIT CERTIFIED — MAY 2026
This policy has been verified against official government gazettes and source documents.
100% Verified

NTISB — National Telecom & Information Security Board

The NTISB was the primary national body for cybersecurity policy coordination. While the NTISB website (ntisb.gov.pk) is currently not accessible, cybersecurity governance has evolved into a multi-agency framework with NCERT, PTA, FIA, and SBP playing key roles.

Current Cybersecurity Regulatory Framework

Cybersecurity compliance for IT companies in Pakistan involves multiple overlapping frameworks:

1. National Cyber Security Policy 2021

Adopted by MoITT, this policy sets the strategic direction for all sectors, including IT. It establishes governance structures, threat response mechanisms, and sector-specific requirements.

2. PTA Cyber Security Strategy 2023-2028

A five-year strategy targeting the telecom sector. It covers network security, data protection, incident response, and 5G security.

3. PECA 2016 (Prevention of Electronic Crimes Act)

The primary criminal legislation for cyber offenses. IT companies must ensure operations do not violate PECA provisions. Legal Reference: PECA 2016 PDF

4. PTA-Specific Regulations

  • National Cyber Security Framework for Telecom: Standards for telecom operators and ISPs
  • Critical Telecom Data Regulation (2020): Rules for handling sensitive telecom data
  • 5G Security Guidelines (Feb 2026): Security requirements for 5G network deployments

Penalties under PECA 2016

| Offense | Section | Max Imprisonment | Max Fine | Jurisdiction |
|---|---|---|---|---|
| Unauthorized access to information system | §3 | 3 months | PKR 50,000 | Federal/ICT |
| Unauthorized copying of data | §4 | 6 months | PKR 50,000 | Federal/ICT |
| Interference with information system | §5 | 2 years | PKR 500,000 | Federal/ICT |
| Unauthorized access to critical infrastructure | §7 | 5 years | PKR 10 million | Federal/ICT |
| Electronic fraud | §8 | 7 years | PKR 10M or 3x fraud | Federal/ICT |
| Cyber terrorism | §10A | 14 years | PKR 50 million | Federal/ICT |
| Online defamation (2025 amendment) | §21 | 5 years | PKR 5 million | Federal/ICT |
| Cyber stalking | §21 | 3 years | PKR 1 million | Federal/ICT |
| Spamming | §10 | 1 month | PKR 50,000 | Federal/ICT |

Key Cybersecurity Bodies

| Body | Role | Key Framework | Website/Contact |
|---|---|---|---|
| NCERT | National incident response | PECA 2016; National CS Policy 2021 | pkpkcert.gov.pk |
| PTA | Telecom cybersecurity; 5G Security Guidelines | CS Strategy 2023-2028 | pta.gov.pk / 0800-55055 |
| NCCIA | Cybercrime investigation (separate from FIA since Sep 2025) | PECA 2016 | |
| FIA Cybercrime Wing | Enforcement; DG: Ahmad Ishaque Jahangir | PECA 2016; FIA Act | Helpline 1991 / cybercrime.gov.pk |
| SBP Cyber Shield | Banking system protection (Mar 19, 2026) | SBP banking cybersecurity | sbp.org.pk |
| NFA | Digital forensics; H-11/4 Islamabad | NFA Act | |
| PakCERT | National CERT coordination | Operated by NTC | pakcert.org |

Compliance Requirements for IT Companies

  • Implement information security management systems (ISO 27001 recommended)
  • Report cyber incidents to NCERT and relevant authorities
  • Ensure data protection and privacy measures
  • Comply with PECA 2016 provisions (especially §§3-11 on unauthorized access and cyber terrorism)
  • For telecom-adjacent companies: comply with PTA cybersecurity directives
  • For fintech companies: comply with SBP Cyber Shield guidelines
  • Maintain audit trails and incident logs for minimum 6 years
  • Appoint a designated security officer

Regulatory Timeline

| Date | Development | Impact |
|---|---|---|
| 2016 | PECA enacted | Primary cybercrime law |
| 2021 | National Cyber Security Policy adopted | Strategic direction for all sectors |
| 2022 | PTA National CS Framework for Telecom | Standards for telecom operators |
| 2023 | PTA CS Strategy 2023-2028 + Critical Data Regs | 5-year strategy and data rules |
| Sep 2025 | NCCIA confirmed independent from FIA | Separate cybercrime investigation body |
| Feb 2026 | PTA 5G Security Guidelines + Digital Assistant | Security for 5G deployments |
| Mar 19, 2026 | SBP Cyber Shield launched | Banking sector cybersecurity |
| Mar 19, 2026 | PTA 5G licenses granted | 5G operational security requirements |
| Apr 2, 2026 | NCERT SideWinder APT advisory | High-priority threat: fake govt domains |
| Future | Digital Nation Pakistan Bill 2025 | Pakistan Digital Authority may restructure CS governance |

SideWinder APT Attack (April 2026)

HIGH PRIORITY ADVISORY

On April 2, 2026, NCERT issued a high-priority advisory regarding the SideWinder (Rattlesnake) APT targeting Pakistani government systems.

Identified Threat Details
  • Fake domains mimicking: MoD, MoF, NEPRA, and NCERT
  • Attack Vector: Spear phishing with malicious attachments
  • Countermeasures: Block identified domains, enforce MFA, deploy EDR tools, conduct credential resets
  • IT Company Risk: Companies with government contracts are potential secondary targets

Relevant Tax Rates (Federal/ICT)

| Tax | Rate | Conditions | Reference |
|---|---|---|---|
| Corporate Tax (PSEB IT export) | 0.25% | PSEB registration required | ITO §154A |
| Corporate Tax (domestic) | 20% | Standard rate | ITO 2001 |
| WHT Export (PSEB) | 0.25% | PSEB-registered | ITO §154A |
| WHT Export (non-PSEB) | 1% | Non-PSEB | ITO §154A |

The NTISB website (ntisb.gov.pk) is currently not accessible. IT companies should monitor NCERT advisories, PTA cybersecurity directives, and SBP Cyber Shield guidelines. Pakistan Deep Intelligence, April 2026
Complete Cybersecurity Guide: See the Cybersecurity & Data Complete Guide for PECA, NTISB, and NCERT compliance.
NTISB Directives & Policies — Latest

| Directive | Issued | Scope | Compliance Deadline |
|---|---|---|---|
| Cyber Security Framework for Government Entities | 2024 | All federal ministries, divisions, attached departments | Immediate |
| Mandatory Email Security Policy | 2024 | Government email systems (.gov.pk) | Within 90 days of issuance |
| Cloud Security Guidelines | 2024 | Entities using NTC/GovCloud | Within 6 months |
| Software Asset Management Policy | 2023 | All govt entities — licensed software only | Immediate |
| Incident Reporting Standard Operating Procedure | 2023 | All govt entities + their IT vendors | Within 30 days |
| VPN Usage Policy | 2023 | Government network access | NTC-managed VPN only |

Access: All NTISB directives are published at NITB Official. IT vendors working with government clients must ensure their systems comply with these directives before project deployment.
IT Vendor Security Obligations
  • Security Clearance: Vendor personnel accessing government data/systems must hold valid NTISB/NADC security clearance (processing: 4–8 weeks)
  • Encryption Standards: AES-256 for data at rest, TLS 1.2+ for data in transit. No proprietary/uncleared encryption.
  • Data Localization: All government data must remain within Pakistan (NTC/NDC infrastructure). No cross-border hosting without written MoITT/NTISB approval.
  • Log Retention: Minimum 12 months of system and access logs. Audit trails for all privileged actions.
  • Vulnerability Management: Quarterly vulnerability assessments + annual penetration testing by NTISB-approved auditors.
  • Incident Reporting: Report to NTISB/nCERT within 4 hours of detection for critical incidents, 24 hours for others.
Non-Compliance: Vendors found violating NTISB directives face contract termination, blacklisting from future tenders, and potential PECA prosecution.
IT Sector Tax & Compliance Reference

| Item | Rate | Jurisdiction | Legal Basis |
|---|---|---|---|
| IT Export WHT | 0.25% (PSEB) / 1% (non-PSEB) | Federal/ICT | ITO 2001 §154A |
| Corporate Tax (IT) | 20% | Federal/ICT | ITO 2001 §35 |
| Startup Tax Credit | 100% for 3 years | Federal | ITO 2001 §65F(b) |
| PECA Penalties (Data Breach) | 3 months–14 years + PKR 50K–10M | Federal | PECA 2016 |
| EOBI | 5% employer + 1% employee (PKR 37,000/mo ceiling — EOBI Act & Rules) | Federal | EOBI Act 1976 |

NTISB Cybersecurity Compliance Checklist
  • NTISB Cybersecurity Framework 2020
  • PECA 2016 Section 32 / NTISB Notification Rules
  • NT-CERT Reporting Guidelines / PECA 2016
  • NTISB Audit Framework 2021
  • PTA TPVE Regulations 2018
  • PECA 2016 Section 33 / NTISB Directive
  • PTA VPN Registration Directive 2020
  • NTISB Vulnerability Assessment Guidelines
Source Citations (1)
NTISB Cybersecurity Portal
https://ntisb.gov.pk/advisories