Cybersecurity Obligations for Telecommunications Operators
TRC set out baseline cybersecurity expectations for licensed telecommunications operators, including incident reporting, network integrity and cooperation with national authorities.
Development
In 2024 the Cambodian authorities formalised a set of cybersecurity obligations applicable to telecommunications operators and, in some respects, to a broader set of providers that operate essential digital services. The measures build on earlier guidance and consolidate expectations that operators must protect their networks and services, manage risks in a structured way, respond effectively to incidents and cooperate with the authorities on matters affecting national security and public safety.
The measures are relevant to mobile network operators, fixed and broadband providers, internet service providers, data centre operators, cloud service providers with a presence in Cambodia, and to enterprise customers whose services depend on the security of the telecommunications infrastructure.
Governance and risk management
The obligations require operators to establish and maintain a formal cybersecurity management system, appropriate to the size, complexity and risk profile of their business. This includes designated senior responsibility for cybersecurity, a documented risk assessment methodology, defined controls calibrated to identified risks, and periodic review of the effectiveness of controls.
Operators are expected to identify their critical assets, including network elements, operational support systems, customer databases, billing systems and administrative systems that support the delivery of telecommunications services. Risk assessment should cover threats to confidentiality, integrity and availability, and should consider both malicious and accidental sources of harm, including supply chain risks and insider threats.
Technical and organisational controls
The framework describes categories of controls that are expected to be implemented, drawing on internationally recognised standards. These include access control and identity management, network segmentation, encryption of data in transit and at rest where appropriate, hardening of network elements and operational systems, logging and monitoring, vulnerability management, secure software development for internally developed systems and secure procurement for third-party components.
Organisational controls include policies and procedures, training and awareness programmes for staff, background checks for personnel in sensitive roles, incident response arrangements and business continuity planning. Third-party arrangements, including outsourcing, cloud services and managed security services, should be governed by contracts that reflect the operator's obligations under the framework.
Incident reporting and response
The framework requires operators to notify the competent authority of significant cybersecurity incidents within defined timeframes. Notification categories typically include incidents that affect the availability of important services, that involve unauthorised access to customer data, that affect the integrity of network operations or that raise wider public interest concerns. Preliminary notifications may be required within short periods, with more detailed reports following as investigations progress.
Operators are expected to maintain documented incident response plans that identify roles, escalation paths, containment steps, communication protocols and recovery procedures. Post-incident reviews should identify root causes, evaluate the effectiveness of the response and drive improvements to controls. The authorities may request access to relevant evidence and may coordinate with operators on communication with affected customers and the public.
Cooperation with authorities and national security
Operators are expected to cooperate with the competent authorities on matters affecting national security and public safety, including lawful interception, information requests in the context of criminal investigations and coordinated responses to significant cyber threats. The framework acknowledges that cooperation must respect the legal basis for each request, and operators are expected to have internal procedures for validating requests and for handling them in a manner consistent with data protection and other applicable rules.
For internationally operating groups, this may raise questions about the interaction between Cambodian obligations and requirements imposed by other jurisdictions. Legal advice may be required to develop internal procedures that comply with Cambodian rules while managing conflicts of law where they arise.
Supply chain and equipment security
The framework recognises that the security of telecommunications networks depends significantly on the security of the equipment and software deployed within them. Operators are expected to assess the security of their supply chain, to prefer equipment and software that meet recognised security standards, and to implement measures such as secure configuration, patch management and monitoring for anomalous behaviour.
Operators are also expected to plan for scenarios in which a supplier becomes unavailable or unreliable, whether for commercial, technical or geopolitical reasons. Multi-vendor strategies, contractual protections and continuity arrangements are appropriate mitigations for such risks.
Implications for smaller operators and downstream providers
The framework applies proportionately, so that smaller operators and providers of less critical services are not expected to implement the same depth of controls as the largest mobile networks. Nevertheless, all providers are expected to maintain a baseline of cybersecurity, including basic hygiene measures such as strong authentication, timely patching, secure backups and preparedness to respond to incidents.
Enterprise customers should recognise that the security of their own services depends in part on the security of the telecommunications providers they use. Contracts with providers should reflect the customer's own security requirements, including expectations about incident notification, cooperation on investigations and provision of technical information necessary to support the customer's own risk management.
Practical steps and Lex Civora perspective
Operators should verify that their existing cybersecurity programme aligns with the requirements of the 2024 framework. Gap assessments should identify areas where governance, controls, incident response or documentation need to be strengthened, and remediation plans should be prioritised based on risk. Cybersecurity obligations should be integrated with other regulatory obligations, including data protection, quality of service and consumer protection, so that a coherent overall compliance posture is achieved.
For enterprise customers and downstream providers, the framework offers a basis for engaging providers on security and for benchmarking suppliers against a common set of expectations. Contracts should reflect the obligations imposed on providers and should provide customers with the information and assurances necessary to manage their own risks.
Lex Civora advises operators and enterprise customers on the interpretation and application of the cybersecurity framework, on the design of governance and controls, on the negotiation of contracts with suppliers and customers, and on the response to significant incidents and to interactions with the competent authorities.
This article is provided for general information only and does not constitute legal advice. Regulatory positions may change; readers should verify obligations against the current official publication or seek professional advice before acting.
