TRC Launches Cybersecurity Self-Assessment Programme for Licensees
A structured self-assessment programme invites licensed operators to evaluate their cybersecurity posture against a common maturity framework and identify improvement priorities.
Development
In 2025 the Cambodian authorities introduced a structured cybersecurity self-assessment programme for telecommunications operators and, in a proportionate way, for other providers of essential digital services. The programme complements the 2024 cybersecurity obligations by giving providers a common framework against which they can assess their own maturity, identify gaps and plan improvements.
The programme is relevant to mobile network operators, fixed and broadband providers, data centre operators, cloud service providers and other organisations whose services are central to Cambodia's digital economy.
Objectives of the programme
The programme aims to raise the overall level of cybersecurity across the sector, to provide a shared reference point for providers of different sizes and business models and to support constructive dialogue between providers and the authorities. It seeks to encourage internal reflection, prioritised investment and continuous improvement rather than to impose a purely compliance-oriented burden.
Self-assessment is not a substitute for external audit or for the specific obligations imposed by other frameworks. It is a tool that providers use to understand their own posture, to plan improvements and to demonstrate to internal and external stakeholders that cybersecurity is being managed in a mature way.
Structure of the self-assessment
The programme provides a structured questionnaire covering governance, risk management, technical controls, incident response, third-party management, cooperation with authorities and continuous improvement. Each area includes indicators or criteria that describe different levels of maturity, allowing providers to place themselves on a scale rather than to make binary compliance judgments.
The questionnaire is designed to be workable for providers of different sizes. Larger providers are expected to demonstrate more comprehensive practices, while smaller providers are expected to focus on the essentials appropriate to their scale and risk profile.
Governance and risk management
The programme places significant emphasis on governance and risk management. Providers are asked about the involvement of senior management in cybersecurity, the existence of documented policies, the identification of critical assets, the assessment of risks and the mechanisms through which risk decisions are made. Governance that treats cybersecurity as an ongoing management responsibility, rather than a one-off project, is typically associated with better outcomes.
Risk management is expected to consider not only the likelihood and impact of incidents but also the interdependencies between systems, the potential for cascading failures and the ways in which cybersecurity risks interact with other operational and regulatory risks.
Technical controls
The programme covers technical controls in areas including identity and access management, network segmentation, encryption, secure configuration, patch management, monitoring and logging, and secure development. The relevant maturity levels reflect current good practice rather than a fixed set of prescriptive requirements, allowing providers to demonstrate maturity through different combinations of controls appropriate to their technology and business model.
Providers are encouraged to document not only what controls exist but how they are operated, maintained and reviewed. Controls that exist on paper but are not maintained in practice do not provide meaningful protection.
Incident response and cooperation
Effective incident response is a critical component of cybersecurity maturity. The programme asks about the existence and maintenance of incident response plans, about the arrangements for detection, containment, eradication and recovery, and about post-incident review. Cooperation with the authorities, with other providers and with customers in the context of incidents is also considered.
Providers are expected to conduct exercises to validate their incident response arrangements and to learn from actual incidents. Aggregated lessons across the sector can inform improvements in the framework itself and can support a more resilient overall environment.
Third-party and supply chain considerations
Modern telecommunications networks depend on a wide range of third parties, including equipment vendors, software providers, managed service providers and cloud providers. The programme includes questions about how providers manage cybersecurity risks in these relationships, including due diligence, contractual protections, monitoring and contingency planning for the loss of a critical supplier.
Providers are encouraged to consider not only the security of their direct suppliers but also the security of the broader supply chain, particularly where sensitive components or services are involved.
Use of the self-assessment output
The output of the self-assessment is primarily an internal tool for the provider, informing investment plans, training programmes and governance reporting. The authorities may request access to specific aspects of the self-assessment as part of supervisory engagement, or may use aggregate information from the sector to inform policy. Providers are expected to conduct the self-assessment honestly and to use it as a basis for genuine improvement.
Sharing self-assessment results with certain customers or partners, subject to appropriate confidentiality, may support trust and enable more informed decisions. Some providers choose to align the self-assessment with recognised international frameworks to support such external communication.
Practical implications and next steps
For providers, the programme is an opportunity to develop a structured view of the cybersecurity posture, to identify priorities and to demonstrate maturity in a consistent way. Executive engagement, cross-functional participation and integration with existing governance processes support meaningful use of the tool.
For customers and partners of these providers, the programme can inform expectations, procurement decisions and contractual arrangements. Understanding whether a provider engages seriously with such tools and demonstrates continuous improvement is a valuable input into risk assessment.
Lex Civora advises telecommunications operators and other providers on the use of the self-assessment programme, on the integration of self-assessment results into internal governance and external communication, and on the alignment of cybersecurity practices with the broader legal and regulatory framework applicable in Cambodia.
This article is provided for general information only and does not constitute legal advice. Regulatory positions may change; readers should verify obligations against the current official publication or seek professional advice before acting.
