
India's digital transformation has been profound. Online payments, smart technologies, and digital services have all changed the way its citizens live and conduct business. There are many opportunities, but as many risks. Millions of citizens now use platforms that didn't exist a few years ago, and with this shift has come a slew of new cyber threats.
In fact, a recent study predicted that the annual cost of cyberattacks in the country would rise to a whopping ₹1 trillion by 2033 and reach ₹17 trillion by 2047, when the country celebrates its centenary of independence.
This is driving a shift in India. After years of ambiguity and piecemeal oversight, the country is building a formal cybersecurity and data protection regime, one that no global business can afford to ignore.
India's new laws are not speculative; they are binding. They affect how entities handle data, how they report incidents, and how multinationals interact with India's digital economy. For CISOs, legal teams, and compliance officers, understanding the terrain is a prerequisite for doing business.
The Legal Backbone
India's cybersecurity law begins with the Information Technology Act of 2000, the country's earliest legislation to govern online conduct. Section 43A holds companies accountable for the protection of sensitive personal information, and the corresponding SPDI Rules (2011) prescribe what those protections should look like: encryption, access controls, written policies, and breach notification.
But this framework has frayed over time. It lacks enforcement teeth, and its language leaves room for interpretation. The country's response was a total redesign.
Enter the Digital Personal Data Protection Act, 2023 (DPDPA). It is India's first comprehensive data protection law. Rights-oriented, accountability-focused, and enforceable. It places direct obligations on data fiduciaries to adopt "appropriate security measures," and clarifies what happens when they fail.
Organizations must notify the Data Protection Board of India (DPB) within 72 hours of a personal data breach. If the breach also qualifies as a cybersecurity incident, they must notify CERT-In (the national incident response agency) within six hours. The clock starts ticking when an incident is detected, not when it is disclosed.
Once the DPDPA's final rules are released, it is expected to repeal the older SPDI Rules. At that point, ambiguity will give way to compliance, and soft expectations will become legal requirements.
Agencies in Charge
India's cybersecurity and data protection oversight is multi-tiered and growing more structured.
- MeitY (Ministry of Electronics and Information Technology): Leads policy-making and publishes draft rules under the DPDPA.
- CERT-In: Oversees breach notifications, threat advisories, and national response coordination. Operates under MeitY.
- Data Protection Board of India (DPB): Created under DPDPA to administer personal data requirements, prosecute violations, and impose penalties.
- Sectoral Regulators: Include RBI (finance), SEBI (securities), IRDAI (insurance), and TRAI (telecom). Each maintains its own cybersecurity guidance and enforcement levers.
Enforcement is no longer a future concern. It's already in motion. Since 2022, CERT-In has required entities to report a broad range of cybersecurity incidents (ransomware, phishing, data leaks) within six hours of detection. These include both confirmed breaches and suspected compromises.
Failure to comply can lead to fines or even jail time under the IT Act. Under DPDPA, the financial risks are even higher: penalties of up to ₹250 crore (~$30 million) for non-compliance.
Signals from 2024–2025
India's cybersecurity regime is no longer just a patchwork of old laws. The last 18 months have seen deliberate movement:
- Draft DPDPA Rules (2024): Outlined specific requirements for breach response, consent, grievance redressal, and data processing contracts. Still under review, but already setting expectations.
- CERT-In Guidelines for AI Systems: While not formal law, these guidelines reflect early thinking on AI accountability, data bias, and algorithmic risk. They may evolve into formal guidance or be folded into MeitY's forthcoming AI Governance Framework.
- Professionalisation of Cybersecurity Skills: Industry associations, CERT-In, and MeitY have debuted certifications like CSPAI, which aims to secure AI deployments and critical infrastructure.
- Focus on Critical Infrastructure: Sectoral regulators are intensifying the scrutiny of banks, telecom, and healthcare companies. Risk assessment, resilience testing, and third-party audits are becoming de facto requirements, not nice-to-haves.
The trend is clear: less room for discretion, more structure, shorter response times, and more visible accountability.
Global Influence, Local Shape
India's regulatory design is not entirely original. It draws from the EU's GDPR, the NIST Cybersecurity Framework, and ISO 27001 but adapts them to India's economic and legal environment.
The DPDPA, for example, includes broad exemptions for "legitimate use" in contexts such as state service delivery, public health, and employment. Consent remains the default, but with more carve-outs than in the EU.
India also lacks a single national cybersecurity framework akin to NIST or ENISA's blueprint. Instead, incident reporting and security practices are shaped by CERT-In and supported by sectoral standards. For multinationals, this fragmentation requires cross-mapping between business units and regulatory domains.
Still, the direction of travel is convergence. India is closing the regulatory gap by interpreting global norms for local realities.
What Businesses Must Do
If your company collects, processes, or stores data from India's citizens (or operates services in India), you are in scope, and you have work to do.
- Understand Your Role: Are you a data fiduciary or processor under DPDPA? The obligations differ.
- Review Breach Protocols: Align the timelines in your escalation matrix with India's six-hour (CERT-In) and 72-hour (DPB) reporting windows.
- Update Contracts: Service providers and vendors must be contractually bound to implement safeguards and cooperate during incident response.
- Track Sector-Specific Rules: Especially in finance, telecom, and health. One set of rules doesn't cover everything.
- Invest in Local Capacity: Engage with legal counsel and compliance experts familiar with India's enforcement and regulatory agencies.
- Plan for AI Governance: India is building its AI compliance regime. Get ahead of the curve.
Compliance as a Capability
Cybersecurity compliance in India is no longer a distant concern or a back-office checkbox. It is now a defining part of doing business in one of the world's most data-rich, digitally ambitious economies.
The country's regulatory architecture is still being built, but the scaffolding is strong. Staying compliant is manageable for those who are prepared. For those who delay, the consequences will be real and will affect their financial and operational stability, as well as their brand.
In India, cybersecurity is not just a matter of defense but a test of readiness, and readiness is increasingly the law.
Compliance Is Not Security, But It's a Start
Mature beyond checkbox compliance. Fortra® helps organizations around the world follow regulatory compliance mandates and align with security frameworks to strengthen their security posture.