Data protection

1. Local data protection laws and scope

India’s personal data protection regime is presently regulated under the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which aim to safeguard the processing of personal information (collectively, “Current Data Protection Framework”).

Under the Current Data Protection Framework, ‘personal information’ has been defined very broadly to mean any information that relates to a natural person and which, either directly or indirectly, in combination with other information, is capable of identifying such person (such as name, phone number, email address and family details) (“Personal Information”). ‘Sensitive personal data or information’ includes certain categories of Personal Information such as passwords; financial information such as bank account, credit card, debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric data (“SPDI”).

The SPDI Rules currently extend protection primarily to SPDI and specifically mandate written consent from the provider of the SPDI for its collection and use, along with other specific obligations regarding the purpose of use of the SPDI, transfer of SPDI and disclosure of SPDI, as well as a requirement to maintain reasonable security practices and procedures. The SPDI Rules apply to ‘body corporates’, which means any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities, thereby extending applicability to a large set of entities. Separately, in relation to all Personal Information (including SPDI), the IT Act prescribes safeguards by levying penalties for any access to and disclosure of a person’s Personal Information without due consent.

The right to privacy has been held to be a fundamental right under Article 21 of the Indian Constitution by a nine-judge bench of the Supreme Court of India in the case of Justice Puttaswamy and Ors. v. Union of India (“Puttaswamy Case”), as an essential component of the ‘Right to Life and Personal Liberty’, thereby reinforcing the need for secure and responsible handling of Personal Information. The Puttaswamy Case recognised the concept of informational privacy, allowing an individual to have control over the dissemination of material which is personal to him. Unauthorised use of such information may, therefore, lead to infringement of this fundamental right. Note that fundamental rights can also be enforced against private entities.

Apart from the foregoing, there are also certain sector-specific legislations under which data-related obligations are imposed on regulated entities by sectoral regulators having supervisory powers over such entities. These include requirements specified by (i) the Reserve Bank of India (“RBI”) for the banking and finance sector, (ii) the Insurance Regulatory and Development Authority of India (“IRDAI”) for the insurance sector, and (iii) the Securities and Exchange Board of India (“SEBI”) for the securities market and market intermediaries, which are the key financial sector regulators in India.

2. Data protection authority

Under the Current Data Protection Framework, there is no dedicated data protection regulator or authority responsible exclusively for overseeing compliance with data protection obligations. Enforcement of contraventions under the IT Act is primarily through adjudication by Adjudicating Officers appointed by the Central Government under the IT Act, with appeals lying before the appropriate appellate forum. Individuals may approach the Adjudicating Officer for certain contraventions causing loss or damage under the IT Act. In addition, the Ministry of Electronics and Information Technology (“MeitY”), as the nodal ministry administering the IT Act and the SPDI Rules, issues policy directions, guidelines, and clarifications from time to time. Therefore, unlike jurisdictions with a dedicated data protection authority, the Current Data Protection Framework relies on statutory adjudication mechanisms and governmental oversight rather than a specialized privacy regulator. 

3. Anticipated changes to local laws

The Digital Personal Data Protection Act, 2023 (“DPDPA”) is upcoming legislation that will serve as India’s primary data protection statute. It received presidential assent and was notified on August 11, 2023. The DPDPA establishes a comprehensive framework for the processing of digital personal data, i.e., any data about an individual who is identifiable by or in relation to such data (“Personal Data”), in India, and is set to replace the Current Data Protection Framework. While the DPDPA was enacted in 2023, its provisions are intended to be brought into force in a phased manner. In November 2025, the Central Government published the finalised Digital Personal Data Protection Rules, 2025 (following a stakeholder consultation process) (“DPDPR”), together with the phased implementation timelines. While the provisions relating to the establishment of the Data Protection Board of India (“DPBI”) have been notified to be effective from November 13, 2025, the remaining provisions will come into effect subsequently, with the entirety of the DPDPA being in effect by May 13, 2027.

The DPDPA will be applicable to the processing of digital Personal Data within India of individuals to whom the Personal Data relates (“Data Principal(s)”), where such data is collected digitally or is collected offline / by non-digital means and subsequently digitised. It also applies extra-territorially to the processing of digital Personal Data outside India if the processing is in connection with the offering of goods or services to Data Principals in India.

A key distinction between the DPDPA and the Current Data Protection Framework is its scope. Unlike the current regime, which more stringently regulates the handling of SPDI, the DPDPA applies uniformly to all categories of digital Personal Data. This expanded coverage significantly broadens compliance obligations and brings within its ambit a wide range of data sets dealt with routinely by businesses that were previously subject to limited regulation. It brings all categories of SPDI as well as Personal Information (as defined under the SPDI Rules) within its purview.

The DPDPA marks a fundamental shift in India’s approach to data protection by introducing a consent-based processing framework, enhanced rights for individuals, clearly defined obligations for data fiduciaries, i.e., anyone who alone or in conjunction with other persons determines the purpose and means of processing of Personal Data (“Data Fiduciaries”), and a robust enforcement mechanism backed by substantial penalties. Its implementation will materially change how entities collect, process, store, and share Personal Data, requiring greater transparency, accountability, and governance across the entire data lifecycle. 

Under the upcoming DPDPA, the DPBI is intended to be established as an independent data protection authority, operating as a digital office. This will be the first time that India, as a jurisdiction, will have a dedicated authority solely for enforcement of Personal Data rights of Data Principals. The DPBI will be a quasi-judicial body with powers to inquire into data breaches and non-compliance, issue directions, and impose monetary penalties.

Separately, the Central Government has also indicated its intention to introduce a comprehensive Digital India Act to replace the IT Act, although timelines for this remain uncertain as of 2026.

4. Sanctions & non-compliance

Under the Current Data Protection Framework, enforcement is carried out through a combination of compensation mechanisms and criminal penalties. In relation to SPDI, Section 43A of the IT Act provides that where a body corporate is negligent in implementing and maintaining reasonable security practices and procedures in relation to SPDI, and such negligence causes wrongful loss or wrongful gain to any person, the body corporate is liable to pay compensation to the affected person. Section 43A does not prescribe a statutory upper limit on the amount of compensation that may be awarded.

In addition, Section 72A of the IT Act prescribes criminal penalties for disclosure of Personal Information in breach of a lawful contract. A person found guilty under this provision may be punished with imprisonment for a term of up to three years, or a fine of up to INR 5,00,000 (approximately USD 5,300), or both.

Claims for compensation under the IT Act may be adjudicated by an Adjudicating Officer appointed by the Central Government, subject to the jurisdictional limits prescribed under the IT Act. Claims exceeding such jurisdictional limits may be brought before the competent civil court.

On the other hand, the position under the DPDPA differs significantly from the Current Data Protection Framework. While the Current Data Protection Framework primarily provides for compensation claims and certain criminal penalties, the DPDPA establishes a dedicated regulatory enforcement mechanism through the DPBI, which is empowered to investigate non-compliance and impose substantial monetary penalties. The DPDPA does not prescribe imprisonment for violations; instead, it relies on financial penalties, which may extend up to INR 250 crore (approximately USD 26.5 million) for specified contraventions. Appeals from DPBI decisions lie to the Telecom Disputes Settlement and Appellate Tribunal.

5. Registration / notification / authorisation

Under the Current Data Protection Framework, there is no requirement for a body corporate or entity to register with, notify, or obtain prior authorisation from any regulatory authority before collecting, processing, storing, or transferring Personal Information or SPDI. Compliance with the IT Act and the SPDI Rules is ensured through adherence to the prescribed requirements, such as providing a privacy policy, obtaining consent where required, and implementing reasonable security practices and procedures.

The position is broadly similar under the DPDPA. The DPDPA does not require Data Fiduciaries, or even data processors, i.e., any person who processes Personal Data on behalf of a Data Fiduciary (“Data Processor”), to register with, notify, or obtain authorisation from any authority or the DPBI before commencing Personal Data processing activities. Instead, entities are required to comply with the obligations prescribed under the DPDPA and the rules framed thereunder.

A key distinction under the DPDPA is that the Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries (“SDFs”) having regard to factors such as the volume and sensitivity of Personal Data processed, the risk to the rights of Data Principals, and the potential impact on India’s sovereignty, integrity and security. SDFs will be subject to enhanced obligations, including appointing a Data Protection Officer (“DPO”) and an independent data auditor, and undertaking periodic Data Protection Impact Assessments. However, designation as an SDF does not constitute a registration or licensing requirement.

6. Main obligations and processing requirements

Current Data Protection Framework

The key obligations under the IT Act and the SPDI Rules include:

  • Consent: Prior consent of the Data Principal is required for the collection and processing of SPDI.
  • Privacy policy: Data Principals must be provided a privacy policy containing a privacy statement and informing them of the fact of collection, the purpose of collection, the intended recipients of the information, and the name and address of the entity collecting and retaining the information.
  • Access and correction: Data Principals must be given the opportunity to review and correct inaccurate or deficient information.
  • Disclosure restrictions: SPDI may not be disclosed to third parties without the prior permission of the Data Principal, unless such disclosure has been agreed to contractually or is required by law.

  • Cross-border transfers: SPDI may be transferred to another entity in India or abroad only if the recipient ensures the same level of data protection as is adhered to by the transferor under the SPDI Rules, and the transfer is necessary for the performance of a lawful contract or the Data Principal has consented to the transfer.

The DPDPA introduces a broader and more comprehensive framework that applies to all digital Personal Data rather than only SPDI. Key obligations include:

  • Lawful basis for processing: Personal Data may only be processed for a lawful purpose on the basis of valid consent or certain specified legitimate uses recognised under the DPDPA. Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the Personal Data necessary for the specified purpose.
  • Notice: Before or at the time of collecting Personal Data, the Data Fiduciary must provide the Data Principal with a notice containing a description of the Personal Data being collected, the purpose of processing, the manner in which the Data Principal may exercise their rights, and the manner in which complaints may be made to the DPBI.
  • Purpose limitation and data minimisation: Data Fiduciaries must only collect Personal Data that is necessary for the specified purpose for which consent has been obtained or for a recognised legitimate use. Upon the purpose being fulfilled or the Data Principal withdrawing consent, the Data Fiduciary must erase the Personal Data (unless retention is required by law).
  • Accuracy: Data Fiduciaries must make reasonable efforts to ensure the completeness, accuracy and consistency of Personal Data, particularly where such data is likely to be used to make decisions affecting the Data Principal or is likely to be disclosed to another Data Fiduciary.
  • Children’s data: The DPDPA contains specific provisions for the processing of Personal Data of children (individuals below 18 years of age). Before processing a child’s Personal Data, the Data Fiduciary must obtain verifiable consent of the child’s parent or lawful guardian. Data Fiduciaries are prohibited from undertaking tracking or behavioural monitoring of children, or targeted advertising directed at children. 
  • Security safeguards: Data Fiduciaries must implement reasonable security safeguards to protect Personal Data in their possession or under their control, including to prevent Personal Data breaches. What may constitute ‘reasonable security safeguards’ is briefly elaborated in the DPDPR and includes appropriate data security measures such as encryption, obfuscation, masking, or tokenisation/virtual tokens for Personal Data; appropriate access controls to restrict and manage access to systems and Personal Data; logging, monitoring and review mechanisms to enable detection, investigation and remediation of unauthorised access; and business continuity and recovery measures, including data backups, to ensure continued processing where the confidentiality, integrity or availability of Personal Data is compromised.
  • Enhanced obligations for SDFs: SDFs are subject to additional compliance requirements, including the appointment of a DPO and an independent data auditor, and the conduct of periodic assessments and audits.

7. Data subject rights

The Current Data Protection Framework provides limited rights to Data Principals in relation to their Personal Information, primarily through contractual and consent-based protections. Key rights include:

  • Right to review and correction: Data Principals may review their SPDI and request correction of inaccurate, incomplete or deficient information.
  • Right to withdraw consent: Processing of SPDI is consent-based, and Data Principals may withdraw consent, after which the body corporate must cease processing unless retention is required by law or contract.
  • Right to restriction of disclosure: SPDI may not be disclosed to third parties without prior consent of the Data Principal, except where required by law or contractual necessity.
  • Right to be informed (via notice): Data Principals must be informed of the purpose of collection, intended recipients, and disclosure practices through a privacy policy.
  • Grievance redressal mechanism: Body corporates are required to designate a grievance officer to address discrepancies and grievances relating to the processing of SPDI within thirty (30) days of the grievance being raised.

The SPDI regime does not provide an express statutory framework of enforceable data subject rights, and protections are largely derived from consent requirements and contractual safeguards.

The DPDPA grants Data Principals the following rights:

  • Right to information: Data Principals have the right to obtain a summary of the Personal Data being processed by a Data Fiduciary and the processing activities undertaken with respect to that data, including the identities of all other Data Fiduciaries and Data Processors with whom the Personal Data has been shared, together with a description of the Personal Data shared.
  • Right to correction and erasure: Data Principals have the right to request the correction of inaccurate or misleading Personal Data, the completion of incomplete Personal Data, the updating of Personal Data, and the erasure of Personal Data that is no longer necessary for the purpose for which it was collected.
  • Right of grievance redressal: Data Principals have the right to have readily available means of grievance redressal provided by the Data Fiduciary. Data Fiduciaries are required to redress grievances within ninety (90) days from receipt. If the Data Principal is not satisfied with the response, they may file a complaint with the DPBI.
  • Right to nominate: Data Principals have the right to nominate another individual who may exercise the Data Principal’s rights in the event of their death or incapacity.
  • Right to withdraw consent: Where processing is based on consent, the Data Principal has the right to withdraw consent at any time. The ease of withdrawing consent must be comparable to the ease with which it was given. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

The DPDPA does not include a right to data portability or a right to object to processing based on legitimate interests (as the DPDPA does not recognise ‘legitimate interests’ as a lawful basis in the manner of the EU/UK GDPR). Data Principals also have duties under the DPDPA, including a duty not to file false or frivolous complaints and to comply with applicable laws when exercising their rights.

8. Processing by third parties

Under the SPDI Rules, outsourcing or processing by third parties is permitted, but subject to certain safeguards. Where an entity processes SPDI, it must ensure that any third party with whom such information is shared maintains the same level of data protection as required under the SPDI Rules. Transfer of SPDI to third parties (whether within India or outside India) is permitted only where the recipient ensures the same level of data protection and the transfer is necessary for performance of a lawful contract or made with the consent of the Data Principal.

The SPDI Rules do not prescribe detailed statutory requirements for data processing agreements; instead, obligations are primarily driven by consent, contractual arrangements, and the requirement to maintain ‘reasonable security practices and procedures’ by both the body corporate collecting and processing SPDI and any other recipient of SPDI.

The DPDPA introduces the concept of a “Data Processor” (equivalent to a “processor” under the EU/UK GDPR). Data Fiduciaries remain responsible for ensuring compliance with the DPDPA even where processing is carried out by Data Processors.

While the DPDPA does not prescribe mandatory contractual terms for Data Fiduciary–Data Processor agreements in the same detail as the EU/UK GDPR, Data Fiduciaries must ensure that Data Processors process Personal Data only in accordance with the Data Fiduciary’s instructions and implement reasonable security safeguards. Data Fiduciaries will have to ensure compliance by Data Processors with the DPDPA through contractual arrangements that define the scope, purpose, duration, nature of processing, types of Personal Data processed, and security obligations.

9. Transfers out of country

As mentioned above, under the SPDI Rules, cross-border transfer of SPDI is permitted subject to specific conditions. SPDI may be transferred to another body corporate or person, whether located in India or outside India, only if the recipient ensures the same level of data protection as provided under the SPDI Rules. In addition, such transfer is permitted only where it is necessary for the performance of a lawful contract between the transferor and the Data Principal or where the Data Principal has consented to the transfer.

The SPDI Rules do not impose any requirement for government approval or localisation, but rely primarily on consent, contractual safeguards, and the ‘same level of protection’ standard in the receiving jurisdiction.

Under the DPDPA the Central Government has the power to restrict or prohibit transfers to specific countries or territories by notification. Countries or territories to which transfer is not permitted will be specified in a ‘negative list’. As of mid-2026, the Central Government has not yet published the list of permitted or restricted jurisdictions. 

Further, the Central Government may impose restrictions on transfers to specified jurisdictions, categories of recipients, or classes of Personal Data on grounds such as national security, sovereignty, or public interest.

In addition, the Central Government may prescribe additional conditions for SDFs, including specific restrictions or requirements in relation to cross-border transfers. Accordingly, SDFs may be subject to a more stringent transfer regime compared to other Data Fiduciaries.

10. Data Protection Officer

The Current Data Protection Framework does not require the appointment of a DPO or any equivalent privacy officer by entities processing Personal Information. However, body corporates that collect, receive, possess, store, deal with or handle SPDI are required to designate a ‘grievance officer’ and publish the grievance officer’s name and contact details in their privacy policy. The grievance officer is responsible for addressing grievances and discrepancies raised by Data Principals in relation to the processing of their information and is required to resolve such grievances within one month of receipt.

Under the DPDPA, SDFs are required to appoint a DPO. The DPO must be based in India and will serve as the point of contact for the Data Principal and the DPBI. The DPO will be responsible for representing the SDF before the DPBI and overseeing compliance with the DPDPA on behalf of the SDF.

Data Fiduciaries that are not designated as SDFs are not required to appoint a DPO under the DPDPA. However, all Data Fiduciaries must publish the business contact information of a person who can answer questions on behalf of the Data Fiduciary regarding the processing of Personal Data. Accordingly, while all Data Fiduciaries must designate a point of contact for grievance handling, only SDFs are required to appoint a formal DPO with statutory compliance and regulatory liaison responsibilities.

11. Security

Under the Current Data Protection Framework, any body corporate that possesses, deals or handles any SPDI must implement reasonable security practices and procedures. Compliance with IS/ISO/IEC 27001 on ‘Information Technology – Security Techniques – Information Security Management System – Requirements’ is deemed to constitute reasonable security practice. 

The DPDPA requires Data Fiduciaries to implement (and, in turn, to require Data Processors to implement) ‘reasonable security safeguards’ to protect Personal Data in their possession or under their control and to prevent Personal Data breaches. The DPDPR prescribes baseline security measures, including:

  • appropriate data security measures such as encryption, masking, obfuscation or tokenisation of Personal Data;
  • access control measures and mechanisms to monitor and review unauthorised access;
  • logging and monitoring systems to detect, investigate and remediate security incidents;
  • business continuity, disaster recovery and backup measures to ensure availability of Personal Data and continuity of processing;
  • retention of logs and relevant records for a prescribed period to facilitate investigation and remediation of Personal Data breaches;
  • appropriate contractual measures requiring Data Processors to implement reasonable security safeguards; and
  • technical and organisational measures to ensure the effective implementation of security controls.

Additionally, SDFs are required to undertake periodic Data Protection Impact Assessments and audits by an independent data auditor.

Separately, sector-specific regulators also impose security obligations, for example: the RBI mandates cybersecurity frameworks for banks, non-banking financial companies, payment system operators, and other RBI-regulated entities; the IRDAI requires cybersecurity policies for insurers and insurance intermediaries; and SEBI has issued cybersecurity frameworks for stock exchanges, depositories and SEBI-regulated intermediaries.

12. Breach notification

The IT Act and the SPDI Rules do not contain a general statutory obligation to notify affected individuals or any data protection regulator in the event of a data breach involving SPDI.

The DPDPA introduces a mandatory Personal Data breach notification regime under which, in the event of a Personal Data breach, the Data Fiduciary must notify the DPBI and each affected Data Principal. The DPDPR requires a Data Fiduciary to notify the DPBI in two stages: (i) an initial intimation without delay upon becoming aware of a Personal Data breach, and (ii) a detailed report within seventy-two (72) hours of becoming aware of the breach (unless a longer period is permitted by the DPBI). Affected Data Principals must also be notified without delay in the manner prescribed under the DPDPR. The notification must contain prescribed information regarding the breach, including its nature, extent and likely consequences, together with measures taken or proposed to mitigate its effects, recommendations enabling affected Data Principals to protect their interests, and such other information as has been prescribed.

Separately, certain cybersecurity incidents are subject to mandatory reporting requirements under the IT Act, which have been set out in the ‘Cybersecurity’ section below.

13. Direct marketing

There is no single comprehensive direct marketing law in India. Direct marketing is regulated through a combination of data protection, telecommunications and consumer protection laws.

Under the Current Data Protection Framework, where Personal Information or SPDI is used for marketing purposes, the body corporate must comply with applicable consent, notice and purpose limitation requirements. In particular, SPDI may only be collected and used for the purpose for which consent has been obtained, and disclosure to third parties for marketing purposes generally requires the consent of the Data Principal.

In addition, marketing communications sent through telecom networks are regulated by the Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCPR”) issued by the Telecom Regulatory Authority of India (“TRAI”), the DPDPA (insofar as Personal Data is used for marketing), and the IT Act.

Under the TCCCPR, commercial communications (i.e. marketing messages) sent via telephone, SMS or other electronic communication channels are regulated through a ‘Do Not Disturb’ (“DND”) registry. Individuals may register their telephone numbers on the DND registry to opt out of unsolicited commercial communications. Businesses must scrub their calling/messaging lists against the DND registry before sending commercial communications. Violations can result in disconnection of the telecom resources and financial penalties imposed by TRAI.

The DPDPA does not contain a standalone direct marketing regime either; however, where Personal Data is processed for the purpose of direct marketing, the Data Fiduciary must have a valid lawful basis (consent or a legitimate use) and must comply with the notice and purpose limitation requirements of the DPDPA. Data Principals have the right to withdraw consent at any time, which would require the Data Fiduciary to cease marketing communications.

The DPDPA will operate alongside sector-specific regulations such as the TCCCPR, and compliance with the DPDPA will not remove the need to comply with applicable telecom and consumer protection requirements governing marketing communications.

14. Cookies and adtech

India does not have specific standalone legislation regulating cookies and adtech.

Under the IT Act and the SPDI Rules, cookies and similar technologies are regulated only to the extent that they collect, store or process SPDI. Organisations collecting information through cookies or similar technologies are generally expected to disclose their information collection and usage practices through their privacy policies and comply with applicable consent, notice and security requirements under the Current Data Protection Framework. Accordingly, the use of cookies and adtech is primarily regulated indirectly through general data protection principles rather than through technology-specific rules.

The DPDPA also does not contain specific provisions governing cookies or adtech. Where cookies or similar technologies collect digital Personal Data, such collection constitutes processing and must comply with all applicable requirements, including obtaining consent (unless a legitimate use exemption applies) and providing notice. 

In practice, many Indian websites and applications have adopted cookie consent mechanisms similar to those used in the EU/UK, particularly where they have a global user base. It is important to note that India currently does not distinguish between ‘strictly necessary’ and ‘non-essential’ cookies in legislation, nor does it mandate cookie banners as such. Cookie consent practices in India are largely driven by data privacy regulations, global compliance standards, and business practice rather than a dedicated cookie law.

15. Risk scale

Moderate. India is now moving to a comprehensive statutory framework for the protection of digital Personal Data under the DPDPA and DPDPR. The framework imposes substantive obligations on Data Fiduciaries, establishes enforceable rights for Data Principals, provides for regulatory oversight by the DPBI, and contemplates significant monetary penalties for non-compliance.

From a data protection perspective, Personal Data transferred to or processed in India is generally capable of being protected through contractual, organisational and technical safeguards, supported by an increasingly stringent legal framework.

However, the regulatory regime remains relatively new, and its practical enforcement is yet to be seen. Overall, India presents a moderate compliance risk, reflecting a developing but increasingly robust data protection framework with growing regulatory expectations and enforcement capabilities.

Cybersecurity

1. Local cybersecurity laws and scope

The key cybersecurity laws and regulations that apply in India include the following:

IT Act: The IT Act is India’s primary legislation governing electronic commerce, cybersecurity, and cybercrime. It provides the legal framework for electronic governance, recognises electronic records and digital signatures, and establishes offences relating to unauthorised access, hacking, identity theft, data theft, and other cybercrimes. It also empowers the Central Government to issue directions for cybersecurity incident response and protection of critical information infrastructure.

CERT-In Framework:

  • Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”): These rules establish the framework for the Indian Computer Emergency Response Team (CERT-In) and prescribe its functions relating to incident response, coordination and cybersecurity advisory. 
  • Directions issued by CERT-In relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet dated April 28, 2022 (“CERT-In Directions”): These directions, issued under section 70B(6) of the IT Act, impose mandatory cybersecurity incident reporting obligations on specified entities, requiring prescribed cybersecurity incidents to be reported to CERT-In within six (6) hours of the entity becoming aware of them. The directions also impose additional requirements relating to log retention, clock synchronisation of ICT systems and maintenance of subscriber information by service providers.

DPDPA: The DPDPA imposes obligations on Data Fiduciaries to implement reasonable security safeguards to protect Personal Data and prevent Personal Data breaches. These requirements contribute to India’s broader data security framework, although the DPDPA is primarily a data protection statute rather than a general cybersecurity law. See the Data Protection section above for full details.

Sector-specific regulations: In addition to the general legal framework, sectoral regulators impose detailed cybersecurity and information security requirements. The RBI has issued comprehensive cybersecurity frameworks for banks, non-banking financial companies, and payment system operators. The SEBI has issued cybersecurity frameworks for regulated entities including stock exchanges, clearing corporations, depositories, stockbrokers, and mutual funds. The IRDAI requires cybersecurity policies and incident reporting for insurers and insurance intermediaries. The TRAI and the Department of Telecommunications (“DoT”) impose security obligations on telecom service providers.

2. Anticipated changes to local laws

The Indian Government has indicated its intention to introduce a comprehensive Digital India Act to replace the IT Act. The Digital India Act is expected to update India’s cybersecurity, cybercrime, and intermediary governance framework to address emerging technologies such as artificial intelligence, blockchain, and evolving digital platform ecosystems. However, as of 2026, no draft legislation has been formally introduced in Parliament, and the content and timing of such reform remain uncertain.

In parallel, sector-specific regulators such as the RBI, SEBI and IRDAI continue to actively update cybersecurity and cyber resilience frameworks applicable to regulated entities. As a result, organisations operating in India must continuously monitor regulatory developments across both general and sector-specific regimes.

3. Application 

IT Act: The IT Act applies broadly to all persons who use computer resources, computer systems, computer networks, data, and information in electronic form. The IT Act has extraterritorial application to offences or contraventions involving computer systems, networks or devices located in India, regardless of the nationality or location of the offender.

CERT-In Framework: The cybersecurity incident response framework established under the IT Act, operationalised through the CERT-In Directions, applies to a wide range of entities, including service providers, intermediaries, data centres, body corporates and government organisations, including entities based outside India. Virtual Private Server (VPS) providers, cloud service providers, and virtual private network (VPN) service providers are also specifically brought within scope and must comply with the prescribed requirements.

DPDPA: Please see the Data Protection section above for applicability.

Sector-specific regulations: The RBI’s cybersecurity frameworks apply to scheduled commercial banks, non-banking financial companies, payment system operators, and other RBI-regulated entities. SEBI’s frameworks apply to market infrastructure institutions, stockbrokers, depository participants, mutual funds, and other SEBI-registered entities. The IRDAI’s requirements apply to insurance companies and other insurance intermediaries.

Collectively, these regimes operate in parallel to create a multi-layered cybersecurity compliance framework based on statutory law, incident response obligations and sector-specific regulatory requirements.

4. Authority

CERT-In is the designated national agency for cyber incident response and coordination and is empowered under Section 70B(6) of the IT Act to issue directions relating to cybersecurity practices, incident reporting, and information security.

The MeitY is the central administrative ministry responsible for the implementation of the IT Act and for framing national-level policies relating to cybersecurity, data governance, digital infrastructure and emerging technologies. MeitY also oversees the National Cyber Coordination Centre (“NCCC”) and the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) which provide cyber threat monitoring, coordination and malware mitigation support functions.

Sector-specific authorities with cybersecurity oversight include: the RBI (for banks and financial institutions); SEBI (for capital markets entities); IRDAI (for insurers); the TRAI and DoT (for telecom service providers); and the National Critical Information Infrastructure Protection Centre (“NCIIPC”), which operates under the National Technical Research Organisation and is responsible for the protection of Critical Information Infrastructure (“CII”) as designated under section 70 of the IT Act.

5. Key obligations 

CERT-In Directions: The key obligations under the CERT-In Directions include: 

  • mandatory reporting of specified cybersecurity incidents* to CERT-In within six (6) hours of becoming aware of such incidents; 
  • maintenance of logs of all ICT systems for a rolling period of one hundred and eighty (180) days, which must be maintained within India; 
  • synchronisation of ICT system clocks to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL); 
  • maintenance by VPN service providers, cloud service providers, and VPS providers of specified customer and subscriber records for a period of five (5) years or longer; 
  • maintenance by virtual asset service providers, virtual asset exchange providers, and custodian wallet providers of KYC and transaction records for a period of five (5) years.

*The types of cybersecurity incidents that must be reported to CERT-In include: targeted scanning or probing of critical networks/systems; compromise of critical systems/information; unauthorised access of IT systems/data; defacement of websites or intrusion into websites; malicious code attacks; attacks on servers; identity theft, spoofing and phishing attacks; denial of service (DoS) and distributed denial of service (DDoS) attacks; attacks on critical infrastructure, SCADA and operational technology systems; data breaches and data leaks; attacks on Internet of Things (IoT) devices; and attacks or malicious activities affecting cloud computing systems, servers, networks and software/applications.

Critical Information Infrastructure: The IT Act empowers the Central Government to declare any computer resource which directly or indirectly affects the facility of CII as a ‘protected system’ (Section 70). Unauthorised access to, or interference with, a protected system is prohibited and constitutes a criminal offence under the IT Act, punishable with imprisonment of up to ten (10) years and a fine. The NCIIPC is responsible for the protection of CII and for issuing guidelines, advisories and coordination mechanisms for securing such infrastructure. The primary obligations under this framework apply to entities whose systems or networks are designated as CII (or declared as ‘protected systems’ under Section 70 of the IT Act). Such entities are required to implement and maintain security measures in accordance with NCIIPC-issued guidelines and advisories, adopt appropriate risk management and cybersecurity practices to ensure the confidentiality, integrity and availability of critical systems, and cooperate with NCIIPC and other designated government agencies in relation to vulnerability assessments, threat intelligence sharing and incident response activities.

6. Sanctions & non-compliance 

IT Act: The IT Act provides for a range of sanctions for cybersecurity-related offences. Key offences include: 

  • Section 65 (tampering with computer source documents): imprisonment up to three (3) years and/or fine up to INR 2 lakh (approximately USD 2,120);
  • Section 66 (computer-related offences): imprisonment up to three (3) years and/or fine up to INR 5 lakh (approximately USD 5,300) for unauthorised access and related acts derived from Section 43;
  • Section 66C (identity theft): imprisonment up to three (3) years and fine up to INR 1 lakh (approximately USD 1,060);
  • Section 66D (cheating by personation using computer resources): imprisonment up to three (3) years and fine up to INR 1 lakh (approximately USD 1,060);
  • Section 66E (violation of privacy): imprisonment up to three (3) years and/or fine up to INR 2 lakh (approximately USD 2,120);
  • Section 66F (cyber terrorism): imprisonment for life;
  • Section 67 (publication/transmission of obscene material): imprisonment up to three (3) years and fine up to INR 5 lakh (approximately USD 5,300) on first conviction, and higher penalties on subsequent conviction.

Civil Liability and Compensation: Under section 43 of the IT Act, any person who, without authorisation, downloads data from a computer resource, introduces computer contaminants into it, disrupts it or denies access to it, assists others in accessing it, charges the services availed by one person to the account of another, or destroys or diminishes the value of information in it, is liable to pay compensation of up to INR 5 crore (approximately USD 530,000) to the person so affected, as adjudicated by the Adjudicating Officer. Section 43A further imposes liability on a body corporate for failure to implement and maintain reasonable security practices and procedures, where this results in wrongful loss or wrongful gain. This provision does not prescribe an upper monetary cap on compensation.

CERT-In Directions: Non-compliance with the CERT-In Directions can attract penalties under the IT Act, under which any service provider, intermediary, data centre, body corporate or individual that does not provide the information requested or does not comply with directions issued under Section 70B(6) of the IT Act may be punished with imprisonment of up to one (1) year, or a fine of up to INR 1 crore (approximately USD 106,000), or both.

Sector-specific sanctions: Sector-specific regulators may impose additional penalties, including monetary penalties, licence revocation, and other regulatory actions. For example, the RBI has the power to impose monetary penalties on banks and financial institutions for non-compliance with its cybersecurity frameworks, and SEBI may take enforcement action (including directions, penalties, and suspension/cancellation of registration) against regulated entities for non-compliance with its cybersecurity circulars. The IRDAI may take enforcement action against insurers for cybersecurity and information security failures.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. Details pertaining to CERT-In and NCIIPC have been provided in responses above.

8. National cybersecurity incident management structure

India has a multi-layered national cybersecurity incident management structure. At the national level, the CERT-In is the primary agency responsible for cybersecurity incident response, coordination, and issuance of advisories under the IT Act.

For CII, the NCIIPC is responsible for coordinating the protection of designated critical systems, including working with sectoral agencies and stakeholders on threat mitigation and incident response. The NCCC, which operates under MeitY, provides national-level cyber situational awareness and threat intelligence through analysis of cyber traffic metadata.

Sector-specific incident management arrangements also exist. For example, the RBI requires regulated entities such as banks to establish Security Operations Centres (SOCs) and designate a Chief Information Security Officer (CISO). SEBI-regulated entities must report cybersecurity incidents to SEBI in addition to CERT-In. 

9. Other cybersecurity initiatives 

National Cyber Security Policy, 2013: India’s first National Cyber Security Policy was published in 2013, setting out a vision for a secure and resilient cyberspace. It outlined objectives including building a secure computing environment, enabling information sharing, strengthening the regulatory framework, and creating a workforce of trained cybersecurity professionals. 

Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre): Operated under CERT-In, this initiative provides tools for citizens and organisations to detect and remove malware and botnet infections from their systems.

Cyber Surakshit Bharat: Launched by MeitY in partnership with industry consortiums, this initiative aims to strengthen the cybersecurity ecosystem in India by raising awareness, building capacity, and enabling government organisations to take steps to prevent and manage cyber incidents. It focuses on training Chief Information Security Officers (CISOs) and IT personnel and strengthening cyber resilience through knowledge sharing and best practices.

National Cyber Security Exercises: CERT-In regularly conducts national-level cyber security exercises to assess the preparedness of organisations across critical sectors to respond to cybersecurity incidents. These exercises involve stakeholders from government, critical infrastructure sectors, and the private sector.

MeghRaj: The MeitY GI Cloud (MeghRaj) initiative aims to promote cloud adoption across government departments through shared infrastructure and standardised security controls, with the objective of improving the scalability, efficiency and cybersecurity posture of public digital infrastructure.

More recently, MeitY has proposed to make compliance with MeitY-issued advisories, clarifications, directions, standard operating procedures and guidelines mandatory for intermediaries, thereby making such compliance a condition for intermediaries to retain safe harbour protection under the IT Act. Additionally, a revised and updated National Cyber Security Strategy is under development as of 2026.