As the federal IT minister is all set to present the new Cybersecurity Act 2025 for establishing an independent National Cybersecurity Authority (NCA), fundamental questions remain unanswered regarding funding, institutional coherence, and the inherent tension between security and telecom companies.

The government has stated that new secure digital infrastructure will be built under the World Bank-backed Digital Economy Enhancement Project (DEEP). This strategic choice prompts a key question: why is a World Bank-funded project (DEEP), focused on digital public services, being positioned as the backbone for a national security law?

This proposed law pertains to the fourth component of the World Bank’s DEEP, which is Contingent Emergency Response Component (CERC) and is being financed with zero dollars and is primarily about development of a CERC manual that entails an emergency action plan. DEEP is specifically funding the assessment of Pakistan’s cybersecurity infrastructure and the development of a comprehensive cybersecurity roadmap by the end of this year.

By embedding the new Cybersecurity Act’s architecture directly into the DEEP project, the government is seeking to achieve two goals: tapping into international investments and standardisation.

NCA would utilise moderately sized international investment (DEEP) to finance the otherwise expensive development of secure, government-wide infrastructure, bypassing reliance solely on the national budget. At the same time, it shall enforce global best practices, as World Bank projects require stringent standards for data governance and security. Logically, these good practices could be then followed by our National CERT.

However, the question remains: what happens to the existing National Emergency Response Team (PK CERT) and will the Act lead to institutional redundancy? And what roles related to cybersecurity shall remain with the Pakistan Telecommunication Authority (PTA)?

PK CERT (Pakistan Computer Emergency Response Team) is the officially designated National CERT, formally established under the CERT Rules 2023 to handle cyber incident response, threat intelligence sharing, and coordination across national and sectoral CERTs.

Now establishing a new, overarching National Cybersecurity Authority with response powers could create bureaucratic overlaps with the operational functions already mandated to PK CERT. Will the NCA become the policymaking body while PK CERT remains the technical implementation arm, or will the NCA attempt to incorporate the functions of PK CERT in entirety?

Similarly, the PTA has its own comprehensive cybersecurity framework for the telecom sector that is built on six pillars of legal framework, cyber resilience, proactive monitoring and incident response, capacity building, cooperation and collaboration, and public awareness. Collectively, these pillars represent a holistic approach, ensuring a resilient and secure digital infrastructure across Pakistan’s telecom sector.

It remains to be seen whether the new Cybersecurity Act and the establishment of the National Cybersecurity Authority would rationalise or rather confuse the PTA’s security mandate?

The PTA currently operates under a regulatory framework focused on communication and content. The proposed NCA, however, is meant to be the apex technical and policy body for national cybersecurity. If the NCA focuses strictly on national defence and critical infrastructure protection, the PTA’s security role might be limited to telecom operators. This could lead to a clear division of labour.

But if conversely, the NCA demands sweeping powers over all digital infrastructure, it would create a conflict over who sets the technical standards for telecom networks – the established telecom regulator (PTA) or the new cyber authority (NCA).

The PTA’s current dual role as a regulator as well as an enforcer of censorship means its actions are often perceived through a lens of political control rather than technical security. The NCA must ensure that the overall cybersecurity strategy prioritises technical defence and rights protection over the PTA’s tendency towards mass restriction. So, the true test of the new framework is whether the NCA, as a high-level authority focused on technical resilience, will advocate for alternative, targeted security measures instead of blanket shutdowns enforced by the PTA.

In essence, the new Cybersecurity Act provides an opportunity to either formalise the PTA’s necessary security functions under the NCA’s umbrella, thereby improving coherence, or it could simply add another layer of bureaucracy, further muddying the lines of authority over Pakistan’s critical digital space. The need for a “beefed-up incident response” system is undeniable, but it must build on the technical expertise that PK CERT is tasked with developing.

If the new authority is primarily a political or bureaucratic body, it risks sidelining the technical competency of PK CERT, replacing expert-driven incident management with top-down political control.

A similar fiasco happened a few years back when we tried to transfer powers for managing state-owned companies to a newly established withholding company – Sarmaya-e-Pakistan – a move that totally backfired and resulted in wastage of taxpayers’ money.

The writer is a Cambridge graduate and is working as a strategy consultant