By: Atty. Edsel F. Tupaz (Senior Partner) & Atty. Harold B. Medina (Junior Associate)

December 3, 2025

Summary

The Konektadong Pinoy Act (RA 12234), which lapsed into law on 24 August 2025, is directed at the development of data transmission infrastructure and the removal of barriers to competition in data transmission services, with the broader policy goal of narrowing the country’s digital divide. At the same time, the law embeds cybersecurity, information security, and related compliance requirements as fundamental conditions for registration as well as continued participation in the Philippine data transmission industry.

The Department of Information and Communications Technology (DICT), in consultation with other agencies and stakeholders, has released a Draft Implementing Rules and Regulations (IRR), version as of 16 September 2025, that remains open for public comment. The IRR provides the operational framework for the law, setting out definitions, compliance processes, and specific obligations on cybersecurity certification, audits, reporting, and user rights.

In this article, Edsel F. Tupaz and Harold B. Medina, from Gorriceta Africa Cauton & Saavedra, examine the Konektadong Pinoy Act (RA 12234) and the Draft IRR released by the DICT, highlighting their cybersecurity, information security, and data privacy requirements and discussing their practical implications for industry participants.

Scope

The Konektadong Pinoy Act applies to Data Transmission Industry Participants (DTIPs), defined as any entity engaged in the provision of data transmission services as a form of economic activity. This includes public telecommunications entities (PTEs) and value-added service (VAS) providers under Republic Act No. 7925 or the Public Telecommunications Policy Act of the Philippines, as well as satellite systems providers or operators (SSPOs), to the extent that their operations involve data transmission.

Entities principally engaged in basic telephone services — such as international carriers, interexchange carriers, local exchange operators, and mobile radio service providers — are also covered for the data transmission services they provide and the linkage of their networks to other DTIPs. In addition, access providers, including passive infrastructure owners, lessors, and operators (PIOLO), must likewise comply with the requirements under the law and its IRR.

Entry and Certification

As a condition for market entry, DTIPs must register with the National Telecommunications Commission (NTC) and maintain a valid certificate of registration or certificate of authority, which may be national or subnational in scope. Upon registration, they are required to adopt and comply with national and global best practices and standards on cybersecurity and are subject to cybersecurity performance audit by the DICT Cybersecurity Bureau. Specifically, within two (2) years from registration, DTIPs shall secure either (a) a cybersecurity certification from a third-party organization based on the prevailing ISO standards on information security management or (b) a certificate of compliance from the DICT Cybersecurity Bureau.

To support compliance, the DICT, in collaboration with the NTC, Cybercrime Investigation and Coordinating Center (CICC), National Privacy Commission (NPC), and other relevant agencies, is mandated to provide guidance and training on cybersecurity standards and requirements, which DTIPs may request as needed.

Finally, as part of the general terms and conditions of their authority to operate, DTIPs must comply with existing laws and regulations pertaining to the privacy of communications, including the Data Privacy Act of 2012 (DPA) and its implementing rules and other NPC issuances.

Operational Security Standards

DTIPs must adopt cybersecurity measures commensurate with their risk profile and risk exposure based on the segment of the data transmission network where they operate. Thus, the level of controls must be proportionate to the DTIP’s complexity, considering factors such as size (market share) and scope (nationwide, regional, or localized) of operation.

The minimum cybersecurity requirements for DTIPs shall be aligned with the principles of confidentiality, integrity, availability, non-repudiation, authenticity, privacy, and safety (CIANA-PS) under the National Cybersecurity Plan 2023–2028 and its future iterations. These requirements, based on a DTIP’s risk profile and where appropriate, include the:

  1. Establishment and operationalization of a Computer Emergency Response Team (CERT);
  2. Adoption of a Secure Software Development Life Cycle, a Security-and-Privacy-by-Design Framework, and Zero-Trust Architecture;
  3. Adoption of internationally recognized Cybersecurity Standards and Frameworks prescribed by the DICT, such as but not limited to Philippine National Standards (PNS)/International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 Information Security Management System (ISMS); ISO/IEC 27701 (PIMS); National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0; and Center for Internet Security (CIS) Controls v8 and their succeeding iterations;
  4. Development and implementation of Risk Management to include Business Continuity and Disaster Recovery Plans, Data Classification, and Supply Chain Security;
  5. Submission of the Risk Assessment and Vulnerability Assessment and Penetration Testing (VAPT) Reports to DICT; and
  6. Submission of material cybersecurity incidents to the DICT National Computer Emergency Response Team (NCERT).

For companies, practical compliance with these requirements means beginning with a gap assessment against ISO/IEC 27001, NIST CSF 2.0, or CIS Controls v8, and documenting which safeguards are already in place and which still need to be built. From there, organizations should establish a compliance work plan: designate or outsource a CERT function, embed secure coding and privacy-by-design practices, conduct VAPT on a regular cadence (at least annually is a common baseline, although neither the law nor the Draft IRR fixes a frequency) and file the results with the DICT, and prepare incident reporting templates aligned with NCERT procedures. Compliance documentation should be maintained so that it can be produced to the regulators on demand. Aligning internal policies and audit documentation early will not only meet the DICT's certification requirement but also reduce business disruption once audits and reporting obligations take effect.

For community-based or micro-enterprise DTIPs, the DICT will determine the appropriate baseline requirements and provide the necessary training and support, recognizing that full compliance with the minimum set above may be too burdensome. The agencies are expected to apply proportionality in requiring risk management and mitigation measures.

These technical safeguards are reinforced by provisions on infrastructure access. Refusal to share infrastructure with another DTIP is permitted only on objective, proportionate, and transparent grounds, which include risks to network integrity or cybersecurity, as confirmed by the DICT.

Finally, in handling service delivery and complaints, DTIPs must ensure that all personal data collected is processed in accordance with the DPA and its implementing rules. Accordingly, subscriber information should be collected only for declared and legitimate purposes such as billing, service delivery, or complaint handling; processed fairly and lawfully; kept accurate and up to date; and retained only for as long as necessary for these purposes.

Risk and Incident Management

A “material cybersecurity incident” is defined as a single event or a series of unwanted or unexpected events whose nature and scope are determined to have or likely to have a significant impact on a DTIP’s network, such as causing the stoppage, disruption, or degradation of a DTIP’s operations or compromising the integrity, confidentiality, or availability of the data transmitted within its network.

As mentioned, DTIPs must report such incidents to the NCERT as part of their minimum cybersecurity requirements. In addition to this reporting duty, DTIPs are placed under continuing audit oversight: they shall be subject to periodic cybersecurity audits conducted by the DICT or DICT-accredited third-party entities, for the purpose of verifying compliance with the minimum cybersecurity requirements.

Before each audit, the DICT will notify the DTIP of the normative references or frameworks to be applied, which may include PNS/ISO/IEC 27001 ISMS, ISO/IEC 27701 (PIMS), NIST CSF, CIS Controls v8, Control Objectives for Information and Related Technology (COBIT), or such other standards as may be prescribed. After completion, the DICT shall inform the DTIP of the results in a timely manner and indicate the cybersecurity measures that must be implemented to improve its cybersecurity posture.

Reporting and Transparency

DTIPs are required to disclose their cybersecurity compliance as part of the annual report submitted every 30 April to the NTC and the Philippine Competition Commission (PCC). This report includes technical and financial information on investments made, network roll-out reach, and a network map, together with a fair and accurate statement regarding their market prices and services. By expressly requiring cybersecurity compliance as part of these disclosures, the law gives regulators visibility into each DTIP's security posture.

In parallel, the NTC, together with the DICT, shall publish a registry of all DTIPs on their respective websites, updated at least annually or as necessary. This DTIP Registry shall include, among other information, each DTIP’s cybersecurity certification status, the standard adopted, the certifying body, and the validity of such certification. While enabling public access, the DICT and NTC are also required to ensure that personal data and confidential business information are protected in accordance with applicable privacy laws.

Enforcement and Penalties

The law treats cybersecurity certification as a mandatory condition for continued operation. Thus, a DTIP that fails to secure a cybersecurity certification shall be issued a suspension order over its operations until it is able to secure the required certification. Failure to comply within six (6) months from the issuance of such order shall, after due process, be cause for the NTC to revoke all certificates, licenses, authorizations, rights, and awards issued in relation to the DTIP's participation in the data transmission industry, remove it from the registry of DTIPs, and prohibit it from rendering data transmission services.

Conclusion

The Konektadong Pinoy Act represents a significant shift in the Philippine regulatory landscape by embedding cybersecurity, information security, and privacy requirements into the very structure of the data transmission sector.

The final IRR will determine how these requirements are operationalized, but the direction is clear: while security and privacy obligations have long been mandated under the DPA and related issuances, the Konektadong Pinoy Act elevates them into explicit statutory conditions for market entry and continued participation in the data transmission industry. For companies, this means that readiness on cybersecurity controls, documentation, and compliance reporting must be integrated into enterprise governance from the outset. At the same time, the publication of certification status in a public registry underscores the transparency requirement, enabling both regulators and customers to verify compliance.

In practical terms, businesses seeking to participate in the Philippine data transmission market should now prioritize certification planning, incident management protocols, and privacy-aligned reporting as part of their compliance baseline.

This article was also published under OneTrust DataGuidance (Opinion) as "Philippines: Konektadong Pinoy Act – embedding cybersecurity, privacy, and audit duties in data transmission regulation".
