I support the ‘Konektadong Pinoy’ Bill—but not its security blind spot

DECODED: TECH, TRUTH, AND THREATS

By Art Samaniego

I support the Konektadong Pinoy Bill. I believe in what it’s trying to do: expand access, open up the market, and bring in new players. But it can and should be stronger than it is right now.

One area that needs rethinking is the three-year grace period for cybersecurity certification. That’s a long time for a digital telecom to operate without proving it meets even the most basic security standards. In those three years, a provider could be handling sensitive personal data, processing financial transactions, or even relaying government communications.

Yet, there’s no requirement to show their systems are safe or up to par. It’s not hard to imagine how that could go wrong. We’ve seen how weak infrastructure becomes a target: ransomware attacks, foreign surveillance, even local networks being hijacked for larger global cyber threats.

What’s more, international standards like ISO 27001 exist for a reason: they’re not a luxury, they’re a baseline. Deferring certification for three years sends the wrong message. It says security can wait.

And legally, the problem goes deeper: the grace period is embedded into the law itself. It can’t just be tweaked or shortened in the implementing rules and regulations. That makes it a structural risk, not just a policy flaw.

There’s also the potential for exploitation by shell companies, groups that register, operate just long enough to extract data or money, then vanish before ever getting certified.

Add to that the fact that the law allows foreign-controlled DTIPs under current investment rules, and the risks multiply. Without immediate compliance checks, we’re essentially opening up the country’s digital backbone to parties we might not be able to vet or hold fully accountable.

Now, to be fair, I understand why the grace period is there. It’s meant to attract smaller players, to give them room to scale up and build capacity.

That’s important too. But if we’re serious about national security and if we genuinely want public trust in these new systems, then cybersecurity can’t be an afterthought.

The law should require at least phased compliance: basic protections from year one, more advanced controls as operations grow. Waiting three years to enforce the rules is just too long. We can do better.

(Art Samaniego is the founder and Editor-in-Tech of Tech-NewsPH.com, as well as co-founder of Scam Watch Pilipinas.)
