The National Cyber Security Policy, established by the Ministry of Electronics and Information Technology (MeitY) in 2013, aims to improve the cybersecurity framework in India, leading to specific actions and programmes to enhance the security posture of India’s cyberspace. The National Cyber Security Policy prescribes various objectives, which include the following:
The National Cyber Security Policy also recommends strategies for creating a secure cyber ecosystem and an assurance framework, encouraging open standards, strengthening the regulatory framework, creating mechanisms for the early warning of security threats, vulnerability management and response to security threats, creating cybersecurity awareness, etc.
The government is working towards updating its National Cybersecurity Strategy in order to improve its position in cyberspace. The updated National Cybersecurity Strategy is a long-awaited policy initiative of the government and is expected to bring in stronger security standards and priority allocation once it is notified.
The right to privacy (including the right to data security) of all citizens is protected as part of the right to life and personal liberty under Articles 19 and 21 of the Constitution of India, and as part of the freedoms guaranteed by Part III of the Constitution. This was also upheld by the Supreme Court of India (SCI) in 2017 in its landmark judgment of Justice K S Puttaswamy (Retd) and Another v Union of India and Others (2017) 10 SCC 1.
The Indian government enacted India’s first comprehensive legislation on data protection in August 2023 – ie, the Digital Personal Data Protection Act, 2023 (DPDPA), with the intent to provide a legislative framework for data protection and privacy. However, the DPDPA has not as yet been implemented and enforced. The Indian government also released the draft Digital Personal Data Protection Rules, 2025 (the “Draft DPDP Rules”) in January 2025, for stakeholder comments. The Draft DPDP Rules seek to operationalise the DPDPA and create a solid implementation framework for protection of digital personal data. The Draft DPDP Rules will be set in place after public consultation.
At present, the Information Technology Act, 2000 (ITA) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”) are the primary legislation for governing cybersecurity, data breach notification and incident response in India.
The ITA defines “cybersecurity” as “protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction”. The ITA empowers the central government to authorise any government agency to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource, to enhance cybersecurity, and to prevent data breaches.
Further, the SPDI Rules prescribe protection of personal information and sensitive personal data (SPD) and reasonable security practices and procedures to be implemented for collection and the processing of personal information or SPD. The SPDI Rules define personal information as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”. The SPDI Rules recognise the following as SPD:
However, once the DPDPA is enforced, it will repeal the SPDI Rules.
The government has established the Indian Computer Emergency Response Team (the “CERT-In”) for performing various functions related to cybersecurity in India, including responding to cybersecurity incidents and implementing measures to reduce the risk of cybersecurity incidents.
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “CERT-In Rules”) regulate the duties and operations of CERT-In with respect to cybersecurity incidents, such as incident response and reporting, prediction, prevention and analysis of cybersecurity incidents.
The CERT-In Rules mandate CERT-In to operate an Incident Response Help Desk on a 24-hour basis, including government and other public holidays. Earlier, service providers, intermediaries, data centres and body corporates handling SPD had to mandatorily report all cybersecurity incidents to CERT-In “as early as possible”. In April 2022, CERT-In issued a new directive which modified obligations under the CERT-In Rules, including requirements to report cybersecurity incidents within six hours, syncing system clocks to the time provided by government servers, maintaining security logs in India, and storing additional customer information. CERT-In has also set up sectoral Computer Emergency Response Teams to implement cybersecurity measures at a sectoral level. The details regarding the methods and formats for reporting cybersecurity incidents, vulnerability reporting and remediation, incident response procedures and dissemination of information on cybersecurity are published on CERT-In’s website and are updated from time to time.
The ITA prescribes that any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for by CERT-In or comply with CERT-In’s directions will be punished with imprisonment for a term which may extend to one year or a fine which may extend to INR100,000 or both.
The ITA also prescribes deterrence in terms of compensations, penalties and punishments for offences such as damage to computer systems, failure to protect data, computer-related offences, theft of computer resource or device, SPD leak, identity theft, cheating by impersonation, violation of privacy, cyberterrorism, online pornography (including child pornography), breach of confidentiality and privacy, and breach of contract.
For critical sectors, the government has set up the National Critical Information Infrastructure Protection Centre (NCIIPC) under the ITA, as the nodal agency, and has framed rules and guidelines to protect the nation’s critical information infrastructure (CII) from unauthorised access, modification, use, disclosure and disruption to ensure a safe, secure and resilient critical information infrastructure in the country.
Other relevant rules framed under the ITA for regulating cybersecurity are as follows:
Indian criminal laws contain cybersecurity-related provisions, specifically punishment for criminal offences including those committed in cyberspace. The Indian criminal laws have recently undergone regulatory changes in line with new-age technologies. In particular, the Indian Penal Code, 1860 was replaced by the Bharatiya Nyaya Sanhita, 2023 (BNS), the Code of Criminal Procedure, 1973 was replaced by the Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS) and the Indian Evidence Act, 1872 was replaced by the Bharatiya Sakshya Adhiniyam, 2023 (BSA), with effect from July 2024. Under the BNS, continued cyber-crimes and economic offences are referred to as “organised crime”. The BSA specifies that electronic records will be considered as primary records, which calls for a strong foundation to be laid to protect data online. The BNS criminalises the forging of false electronic documents and imposes a punishment of seven years’ imprisonment and a fine.
Additionally, the Companies (Management & Administration) Rules, 2014 formulated under the Companies Act 2013, require companies to implement security systems to ensure that electronic records are secured from unauthorised access.
The Cyber Law Division, operating under MeitY, assumes a pivotal role in implementing cybersecurity measures.
Under the ITA, the Indian government has established CERT-In as the national nodal agency for cybersecurity, to carry out the following functions:
The CERT-In Rules prescribe that CERT-In will be responsible for responding to cybersecurity incidents and will assist cyber-users in the country in implementing measures to reduce the risk of cybersecurity incidents. CERT-In also has powers to issue directions to service providers, intermediaries, data centres, body corporates, etc, for enhancing cybersecurity infrastructure in the country.
The NCIIPC is the nodal agency for the protection of CII, networks and systems in the country.
In addition to MeitY and NCIIPC, the government has established the National Security Council Secretariat (NSCS) as the central co-ordinating body for cybersecurity and internet governance. NSCS has developed a draft cybersecurity strategy to address the security of national cyberspace, with the main aim of improving the quality of cybersecurity audits so that organisations can better review their cybersecurity knowledge and architecture. Currently, there is no implementation date for this strategy.
The Ministry of Home Affairs (MHA) has set up the Cyber and Information Security Division (C&IS) to deal with matters relating to cybersecurity, cybercrime, the National Information Security Policy & Guidelines and its implementation. C&IS comprises a cybercrime wing, a cybersecurity wing, an information security wing and a monitoring unit.
Further, the MHA has established the Indian Cybercrime Co-ordination Centre (I4C), which is a nodal point in the fight against cybercrime, and provides a platform to deal with cybercrimes in a coordinated and comprehensive manner, while coordinating the implementation of mutual legal assistance treaties with other countries. The I4C has launched the Citizen Financial Cyber Fraud Reporting and Management System in several Indian states, to facilitate the immediate reporting of financial fraud and prevent fund siphoning by fraudsters.
The government has also set up the National Technical Research Organisation (NTRO) as a technical intelligence agency under the National Security Advisor in the Prime Minister’s office. NTRO’s primary role is to develop technology capabilities in aviation and remote sensing, data gathering and processing, cybersecurity, strategic hardware and strategic monitoring. The NCIIPC falls within NTRO’s ambit.
The ITA mandates the central government to appoint an adjudicating officer to conduct inquiries, and adjudicate matters (ie, contravention of any of the provisions of the ITA or any rule, regulation, direction or order made thereunder, including non-compliance with CERT-In’s direction), with claims for injury or damages valued up to INR50 million. Claims that exceed this amount must be filed before the competent civil court. Where more than one adjudicating officer is appointed, the ITA mandates the central government to specify the matters and places of jurisdiction of each adjudicating officer.
The inquiry and investigation procedure for the adjudicating officer is provided under the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003. Any decision of the adjudicating officer can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Under the DPDPA, the Central Government has the power to establish the Data Protection Board of India (DPB). The DPB is the primary regulatory body responsible for enforcing the DPDPA. Data principals are required to comply with applicable laws while exercising their rights under the Act. Breach of the duties by data principals may result in penalties of up to INR10,000. The maximum penalty for violation of the DPDPA’s provisions by a data fiduciary is INR2.5 billion, which applies to a failure to take reasonable security safeguards to prevent a personal data breach where the DPB regards the non-compliance as significant.
The DPDPA also prescribes specific penalties of INR2 billion for failure to notify the DPB and affected data principals of data breaches, and non-compliance with additional obligations while processing children’s data.
Under the DPDPA, the TDSAT established under the Telecom Regulatory Authority of India Act, 1997 adjudicates on appeals from the orders of the DPB, and the SCI is the final appellate authority for all purposes under the DPDPA.
The following non-governmental authorities assist the Indian government in cybersecurity measures:
Sector-Specific Regulators
Additionally, there are various sector-specific regulators engaged in supervising their relevant intermediaries on the progress of implementation and robustness of cybersecurity frameworks. They regularly conduct cybersecurity and system audits of the intermediaries, which are reported to the relevant regulators.
Banking sector
The Reserve Bank of India (RBI) governs both public and private sector banks. The RBI’s guidelines prescribe that the RBI may inspect any bank’s cyber-resilience at any time. The RBI has set up a Cyber Security and Information Technology Examination (CSITE) cell under the Department of Banking Supervision, to periodically assess the progress made by banks in the implementation of the cybersecurity framework, and other regulatory instructions and advisories, through on-site examinations and off-site submissions. The RBI has an internal ombudsman scheme for commercial banks with more than ten branches as a redressal forum, and has also issued guidelines on information security, electronic banking, technology risk management and cyber fraud. CERT-In and the RBI jointly carry out a cybersecurity awareness campaign on “Beware and be aware of financial frauds” through the Digital India Platform.
RBI also issued Guidelines on Regulation of Payment Aggregators and Payment Gateways, directing payment aggregators to put in place adequate information and data security infrastructure and systems for the prevention and detection of fraud, and has specifically recommended implementation of data security standards and best practices such as PCI-DSS, PA-DSS, the latest encryption standards and transport channel security. Payment aggregators must establish a mechanism for monitoring, handling and follow-up of cybersecurity incidents and breaches, and must mandatorily report incidents to RBI and CERT-In.
RBI regularly conducts audits and inquiries into banks’ security frameworks and imposes penalties on the banks for non-compliance with RBI’s cybersecurity framework. RBI has also formulated an integrated scheme, The Reserve Bank – Integrated Ombudsman Scheme, 2021 to simplify the grievance redressal process at RBI by enabling the customers of all regulated entities to register their complaints at one centralised reference point. Through this portal, RBI also spreads cyber-crime awareness including frauds using mobile apps/UPI/QR codes, etc.
Insurance sector
The Insurance Regulatory and Development Authority (IRDA) is the nodal agency for governance and regulation of the insurance sector in India. The IRDA conducts regular on-site and off-site inspections of insurers to ensure compliance with the legal and regulatory framework. The IRDA also has issued guidelines on Information and Cyber Security for Insurers (IRDA Cyber Security Policy), which requires vulnerability assessment and penetration testing annually and closing any identified gaps within a month. Some other relevant guidelines issued by IRDA are: IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017; IRDAI (Maintenance of Insurance Records) Regulations, 2015; and the IRDAI (Protection of Policyholders’ Interests) Regulations, 2017, which contain a number of provisions and regulations on data security. Additionally, IRDA has issued guidelines to insurers on structuring cyber-insurance for individuals and identifying gaps that need to be filled. As per the guidelines, cyber-insurance should provide cover against theft of funds and identity, unauthorised online transactions, email spoofing, etc.
Telecoms sector
Telecoms operators in India are governed by regulations laid down by the following regulatory bodies:
Further, the Unified Access Service Licence (UASL) extends information security to the telecom networks as well as to third-party operators. The regulator requires telecom operators to audit their network (internal/external) at least once a year.
TRAI has released its recommendations on cloud services in relation to creation of a regulatory framework for cloud services, and constituting an industry-led body of all cloud service providers (CSP).
In August 2024, the DoT released the Telecommunications (Telecom Cyber Security) Rules, 2024, which place obligations on telecommunications entities to take measures to ensure telecoms cybersecurity. These measures obligate the entity to adopt a telecoms cybersecurity policy, to identify and reduce the risks of security incidents, ensure timely responses to such incidents, take appropriate action for addressing security incidents, and mitigate their impact, etc.
The DoT also released the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024, which authorise the Union Government to declare any telecommunications network or part thereof as Critical Telecommunication Infrastructure, disruption of which will severely impact national security, economy, public health or safety.
The DoT regularly conducts cybersecurity workshops and cyber drills for better awareness.
Securities sector
The Securities and Exchange Board of India (SEBI) was established in 1988 and is the regulatory body for commodity and securities markets in India. SEBI oversees the interests of investors and market intermediaries, and ensures that the issuers of securities are protected, including safeguarding their customer data and transactions. In April 2022, SEBI appointed six committee members to advise on cybersecurity initiatives for the Indian economy and guide SEBI in maintaining and developing cybersecurity requirements in line with global industry standards.
In August 2024, SEBI issued a Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities.
The ITA empowers the government to identify critical information infrastructure and prescribe the information security practices and procedures for protected systems.
For critical sectors, the government has set up the NCIIPC under the ITA, as the nodal agency for the protection of the CII, networks and systems in India. Critical sectors include but are not limited to energy, finance, banking, telecommunications, transportation and defence.
The NCIIPC has framed the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 (the “NCIIPC Rules”) and issued Guidelines for the Protection of National Critical Information Infrastructure, 2015, (“NCIIPC Guidelines”) to protect India’s CII from unauthorised access, modification, use, disclosure and disruption to ensure a safe, secure and resilient information infrastructure for critical sectors in the country.
The NCIIPC Guidelines prescribe that each critical sector is responsible for the identification and categorisation of CIIs within its infrastructure on the basis of functionality, criticality scale, degree of complementarity, political, economic, social and strategic value, degree of dependence, sensitivity, etc.
In the financial sector, the government has declared the following along with their associated infrastructures to be “Protected Systems”:
The NCIIPC regularly advises on reducing vulnerabilities of the CII, and against cyberterrorism, cyberwarfare, and other threats. The NCIIPC Guidelines prescribe the development of audit and certification agencies for the protection of the CII. The NCIIPC also exchanges cyber incidents and other information relating to attacks and vulnerabilities with CERT-In and concerned cybersecurity organisations in India.
The CERT-In Rules require all cybersecurity incidents to be reported, including attacks on critical infrastructure and compromise of critical systems/information.
The NCIIPC Rules lay down the cybersecurity practices and procedures to be followed in respect of CII and protected systems. The NCIIPC Rules prescribe that all organisations having “Protected System” shall constitute an Information Security Steering Committee under the chairmanship of the Chief Executive Officer/Managing Director/Secretary of the organisation.
The organisations having “Protected System” are required to undertake the following responsibilities:
The CISO is required to maintain regular contact with the NCIIPC and is responsible for implementing the security measures suggested by NCIIPC using all available/appropriate ways of communication.
The CISO is mandated to share the following, whenever there is any change, or as required by the NCIIPC, and incorporate the inputs/feedbacks suggested by the NCIIPC:
The NCIIPC Rules require the CISO to establish a process, in consultation with the NCIIPC, for sharing logs of the “Protected System” with the NCIIPC to help detect anomalies and generate threat intelligence on a real-time basis. The CISO must also establish a process for sharing documented records of the CSOC (relating to unauthorised access and unusual or malicious activity) of the “Protected System” with the NCIIPC to facilitate the issue of guidelines, advisories, vulnerability notes, audit notes, etc, relating to the “Protected System”. The CISO is also required to establish a process for timely communication of cyber incidents on the “Protected System” to the NCIIPC.
Additionally, CERT-In is mandated to exchange relevant information relating to attacks, vulnerabilities and solutions in respect of critical sectors with NCIIPC.
Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of the ITA shall be punished with imprisonment which may extend to ten years and a fine.
As per the CERT-In directive of 2022, certain types of cybersecurity incidents are to be mandatorily reported by service providers, intermediaries, data centres, body corporate and government organisations to CERT-In, within six hours of noticing such incidents or being brought to notice about such incidents. These cybersecurity incidents include, inter alia:
The NCIIPC Guidelines also recommend that cybersecurity breach incidents must be reported to the NCIIPC.
The NCIIPC’s latest Standard Operating Procedure (SOP) on Incident Response shall be strictly followed in case of cybersecurity incidents impacting the national CII. Based on NCIIPC’s latest SOP on Incident Response (2017), in case of any security incident, the victim organisation should operate as follows.
The National Cyber Security Policy 2013 lays down the protection and resilience of CII, building a secure and resilient cyberspace, and creating mechanisms for security threat early warning, vulnerability management, and response to security threats as some of the primary responsibilities of the government.
The policy envisages that large-scale cyber incidents may overwhelm government, public and private sector resources and services by disrupting the functioning of critical information systems. Some examples of cyber threats to individuals, businesses and government are identity theft, phishing, social engineering, hacktivism, cyber terrorism, compound threats targeting mobile devices and smartphones, compromised digital certificates, advanced persistent threats, denial of service, botnets, supply chain attacks, data leakage, etc.
The policy prescribes that the government should work towards rapid identification, information exchange, investigation and co-ordinated response and remediation, which can effectively mitigate the damage caused by malicious cyberspace activity.
CERT-In is the main authority responsible for analysing trends and patterns in intruder activities, determining the scope, priority and threat of a cyber incident and developing preventive strategies against cybersecurity incidents. With the aim of identifying cybersecurity vulnerabilities and promoting resilience, CERT-In follows a “Responsible Vulnerability Disclosure and Coordination Policy”, wherein it collects and analyses vulnerability reports and co-ordinates mitigation with researchers/finders and vendors, leading to the public disclosure of newly identified cybersecurity vulnerabilities and threats.
Upon receiving any information regarding a cybersecurity vulnerability, CERT-In will examine and validate the vulnerability report and communicate to the discloser whether or not the report will be co-ordinated by CERT-In. Upon successful validation, CERT-In will initiate co-ordination with the relevant product vendor, discloser and other stakeholders (if required) for the remediation and closure of the issue. CERT-In will endeavour to get the issue resolved within 120 days from initial vendor contact date.
CERT-In publishes the vulnerability note/advisory on its website after the vulnerability is addressed or at an appropriate time determined by CERT-In in synchronisation with the stakeholder.
Additionally, the NSCS has released Cyber Security Audit – Baseline Requirements (CSA-BR) prescribing minimum, common and harmonised baseline requirements for cybersecurity audits, which are to be mandatorily followed by all CII. These guidelines are applicable to regulators and owners of CII and entail the following stages – management, protection, detection, response, recovery and lessons learnt.
India does not have a comprehensive financial sector operational resilience regulation under the current cybersecurity framework.
However, with the aim of improving the cybersecurity framework in India’s financial sector, in August 2024, the SEBI released the Cybersecurity and Cyber Resilience Framework (CSCRF), for SEBI Regulated Entities (the “Regulated Entities/RE”) which includes, inter alia, the following:
The CSCRF defines “cyber-resiliency” as “the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing, and rapidly recovering from cyber incidents”.
The CSCRF is standards-based and broadly aligns with the cyber-resiliency goals of CERT-In’s Cyber Crisis Management Plan for countering cyberattacks and cyber terrorism. These goals include: anticipating, withstanding, containing, recovering, and evolving in response to threats, in addition to the core cybersecurity objectives of identifying, detecting, protecting, responding, and recovering. The CSCRF provides a structured methodology to implement various solutions for cybersecurity and cyber resiliency, and supersedes earlier SEBI circulars and guidelines.
The RBI also released a Guidance Note on Operational Risk Management and Operational Resilience in April 2024 (“Guidance Note”) which applies to Regulated Entities (“REs”) including all commercial banks, primary (Urban) Co-operative Banks/State Co-operative Banks/Central Co-operative Banks, All-India Financial Institutions and All Non-Banking Financial Companies including Housing Finance Companies.
RBI’s Guidance Note intends to promote and further improve the effectiveness of Operational Risk Management of the REs, and enhance their Operational Resilience in view of the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which the REs operate.
There is no specific definition or provisions dealing with “ICT service providers” under the current cybersecurity law framework in India.
However, RBI’s Guidance Note mentions that third-party service providers, inter alia, include cloud service providers and IT/operations vendors. The Guidance Note prescribes that REs should perform a risk assessment and due diligence before entering into arrangements with such third-party service providers. Particularly, the RE should verify whether the third-party service provider has at least an equivalent level of operational resilience to safeguard the RE’s critical operations in normal circumstances, and in the event of a disruption.
Further, the Guidance Note recommends that a policy approved by the board of directors on the management of service providers is critical for managing risks associated with reliance on third parties irrespective of whether they are related or unrelated to the RE. Such third-party risk policies should include:
REs, in their agreements with the third-party service providers, should also include clauses making the service provider contractually liable for the performance and risk management practices of its sub-contractors.
As per the CSCRF, REs are required to identify and classify critical systems based on their sensitivity and criticality for business operations, services and data management. The board/partners/proprietor of the RE shall approve the list of critical systems. The CSCRF does not specify whether ICT services or cloud service providers will be considered as critical systems.
The key objective of the CSCRF is to address evolving cyber threats, to align with the industry standards, to encourage efficient audits, and to ensure compliance by SEBI REs. The CSCRF also sets out standard formats for reporting by REs.
The CSCRF lays down that REs are required to establish, communicate and enforce cybersecurity risk management roles, responsibilities and authorities to foster accountability and continuous improvement. A comprehensive cybersecurity and cyber-resilience policy shall be documented and implemented with the approval of the board/partners/proprietor.
CSCRF mandates Market Infrastructure Institutions (MIIs), Qualified REs and mid-size REs to prepare a cyber risk management framework for identification and analysis, evaluation, prioritisation, response and monitoring of cyber risks on a continuous basis. MIIs and Qualified REs must also prepare a Cyber Capability Index (CCI). MIIs shall conduct third-party assessment of their cyber-resilience using CCI on a half-yearly basis. Qualified REs shall perform self-assessment of their cyber-resilience using CCI on a yearly basis.
Risk assessment (including post-quantum risks) of the RE’s IT environment must also be carried out on a periodic basis. REs shall establish appropriate security mechanisms through a Security Operations Centre for continuous monitoring of security events and timely detection of anomalous activities.
REs shall be solely accountable for all aspects related to third-party services including (but not limited to) confidentiality, integrity, availability, non-repudiation, security of their data and logs, and ensuring compliance with laws, regulations, circulars, etc, issued by SEBI/Indian government. Accordingly, REs shall be responsible and accountable for any violations of the same.
Incident and Reporting Obligations
As per the CSCRF, the REs are required to establish a comprehensive Incident Response Management plan and corresponding SOPs, as well as formulate an up-to-date Cyber Crisis Management Plan. In the event of an incident, Root Cause Analysis (RCA) shall be conducted to identify the cause leading to the incident.
Under the CSCRF, cyber-attacks, cybersecurity incidents and breaches experienced by REs that fall under CERT-In’s 2022 directive must be notified to SEBI and CERT-In within six hours of noticing/detecting such incidents or being brought to notice about such incidents. This information also has to be submitted to the SEBI Incident Reporting Portal within 24 hours.
Stock brokers/depository participants shall also report the incident to stock exchanges/depositories as well as SEBI and CERT-In within six hours of noticing/detecting such incidents or being brought to notice about such incidents. Any/all other cybersecurity incidents shall be reported to SEBI, CERT-In, and NCIIPC (as applicable) within 24 hours.
During the life cycle of incident handling, some aspects must be captured, such as whether the RE has followed its organisation’s incident response plan, taken necessary (immediate) measures to contain the incident impact and to control, mitigate and remediate the incident, whether the RE has communicated about the incident to all relevant stakeholders, etc.
The RE shall undertake the necessary activities and submit the relevant reports within timelines prescribed in the CSCRF. Thereafter, SEBI shall examine the incident on the basis of reports submitted. Further, the RE shall classify the cybersecurity incident based on its severity and the same shall be reviewed and submitted to SEBI.
In case an RE does not report a cybersecurity incident to SEBI (despite being aware of the incident) in the prescribed manner, SEBI may take appropriate regulatory action depending on the nature of the incident.
Additionally, as per RBI's Guidance Note, REs should maintain an inventory of internal and third-party incident response and recovery resources to support their response and recovery capabilities. The scope of incident management should cover the full life cycle of an incident, typically including, but not limited to:
Incident response and recovery procedures should be periodically reviewed, tested and updated by the REs, which should also identify and address the root causes of incidents to prevent or minimise recurrence.
There are no specific operational resilience obligations or enforcement provisions for critical ICT service providers under the current cybersecurity regime.
The DPDPA permits the transfer of personal data for the purpose of processing to any country or territory outside of India, except to such territories which may be restricted by the government via notification. However, the DPDPA has not as yet been implemented and enforced.
As per the SPDI Rules which are currently in force, the transfer of sensitive personal data or information to a third-party company/individual outside of India is permitted if the recipient ensures the same level of data protection that is adhered to by the transferor. Further, the personal data may only be transferred based on the consent of the relevant company/individual or for the performance of a contract with the company/individual.
The CSCRF for REs prescribes that Vulnerability Assessment and Penetration Testing (VAPT) must be done to detect vulnerabilities in the IT environment for all critical systems, infrastructure components, and other IT systems as defined in the framework.
CSCRF specifies a comprehensive scope for VAPT. The scope of the IT environment covered by the VAPT should be made transparent to SEBI and should include all critical assets and infrastructure components, including (but not limited to) networking systems, security devices, servers, databases, applications, systems accessible through WAN or LAN as well as those with public IPs, websites, etc.
Testing Methodology
The VAPT should provide in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks. The testing methodology should be adapted from the following:
As regards the insurance sector, the IRDA also has a cybersecurity policy requiring vulnerability assessment and penetration testing annually and closing any identified high-risk gaps within a month. The RBI also mandates banks to have periodical vulnerability assessment and penetration testing exercises for all critical systems.
Further, the DPDPA requires significant fiduciaries to undertake measures including data protection impact assessment and periodic audits. The “Data Protection Impact Assessment” is defined as a process comprising description, purpose, assessment of harm, measures for managing the risk of harm and such other matters concerning the processing of personal data, as may be prescribed.
While India’s National Cyber Security Policy states “building a secure and resilient cyberspace” as one of its primary objectives, at present there is no specific legislation governing cyber-resilience in India under the current cybersecurity regime.
However, there are sector-specific frameworks for cyber-resilience, such as the CSCRF for SEBI’s REs, which is outlined in 3. Financial Sector Operational Resilience Regulation.
Please refer to 4.1 Cyber-Resilience Legislation.
Indian law currently contains no specific cybersecurity certification legislation.
With regard to CII organisations, the NCIIPC Guidelines prescribe security certifications by third-party agencies (government or private) to protect the assets of a CII and keep it operating smoothly and without error. The certifications must also address the enforcement or implementation of internationally recognised security standards for the protection of critical assets operating in the CII. Each CII must list the certifications it needs to implement for the protection of its assets and the areas involved.
In addition to certification of the CII facility, the CII must ensure that its personnel hold certifications relevant to their responsibilities and kept up to date with current standards. Accordingly, knowledge-upgrade programmes (new certifications, training, seminars, workshops, etc) should be planned for employees based on the CII's requirements. CII management should also monitor the implementation of the security certifications so that it does not interfere with the normal functioning of the CII.
Under the DPDPA, a data fiduciary is mandated to protect the personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach. The Draft DPDP Rules also prescribe that the data fiduciary shall protect personal data by taking reasonable security safeguards to prevent personal data breach, which shall include the following:
As per the DPDPA, personal data may be processed only for a lawful purpose, and either with the consent of the data principal or for certain legitimate uses (set out below). Where consent is the basis, a notice must be provided to the data principal before seeking it. The notice should describe the personal data to be collected and the purpose of processing, and explain how the data principal may withdraw consent, use the grievance redressal mechanism and make a complaint to the DPB.
The DPDPA prescribes that the consent obtained from the data principal must be free, specific, informed, unconditional and unambiguous with clear affirmative action, and shall signify an agreement to the processing of the subject’s personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Consent need not be sought for legitimate uses which include processing for:
The Draft DPDP Rules propose that in case of personal data breaches, the data fiduciary must report the personal data breach to the DPB within 72 hours of becoming aware of such breach. If such personal data breach is in connection with a cybersecurity incident, the same must be reported to CERT-In as well as the relevant sectoral regulator, within their respective prescribed timelines.
The SPDI Rules prescribe the protection of personal information and sensitive personal data and reasonable security practices and procedures to be implemented for collection and the processing of personal information or SPD. The SPDI Rules require all body corporates to implement reasonable security practices and standards, as well as to document their security programmes and policies.
Once the DPDPA is brought into force, it will repeal Section 43A of the IT Act, under which the SPDI Rules were framed, and the SPDI Rules will cease to apply.
AI is not specifically dealt with under the current cybersecurity regime in India.
MeitY constituted four committees to promote AI initiatives and to develop a policy framework around it. The committees have submitted their reports on platforms and data on AI; leveraging AI for identifying national missions in key sectors; mapping technological capabilities; key policy enablers required across sectors; and on cybersecurity, safety, legal and ethical issues.
Further, in September 2024, MeitY, CERT-In and SISA (a cybersecurity firm) jointly launched the Certified Security Professional for Artificial Intelligence (CSPAI) programme, described as the first ANAB-accredited AI security certification. The programme is intended to equip security professionals with the skills to integrate AI into business applications securely.
The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, (IMCR) impose patient confidentiality obligations on medical practitioners.
The Ministry of Health and Family Welfare introduced a draft legislation in 2017, known as the Digital Information Security in Healthcare Act (the “DISH Act”), to regulate the generation, collection, storage, transmission, access and use of all digital health data. The DISH Act also provides for the establishment of a National Digital Health Authority as the statutory body to enforce privacy and security measures for health data, and to regulate storage and exchange of health records.
The Ministry of Health and Family Welfare had approved a Health Data Management Policy (the “HDM Policy”) largely based on the DPDPA to govern data in the National Digital Health Ecosystem. The HDM Policy recognises entities such as data fiduciaries and data processors similar to the DPDPA, and establishes a consent-based data-sharing framework.
Under the DPDPA, health data can be processed by the data fiduciary as legitimate use, in case there is a medical emergency that involves a threat to life or an immediate threat to the health of a data principal or any other person or if there is a situation like an epidemic, an outbreak of a disease, or any other threat to public health.
The SPDI Rules also recognise and protect SPD which includes a person’s physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information.
7th Floor, Keshava, Bandra Kurla Complex, Bandra East, Mumbai 400 051, India | +91 22 6112 8484 | mailbox@anaassociates.com | www.anaassociates.com

The Indian Cybersecurity Landscape: Rapid Progress and Increased Vulnerabilities
India is at the forefront of a digital revolution, adapting to new technology and improving government services for its people. From pioneering instant payment systems such as UPI (Unified Payments Interface) ‒ which processes more than 16 billion transactions monthly ‒ to piloting central bank digital currencies, the country has cemented its leadership in digitalising financial ecosystems.
This rapid digitalisation, however, is a double-edged sword. As India accelerates its journey toward becoming a USD1 trillion digital economy by 2030, with digital services projected to contribute 20% of GDP by 2026, its expanding cyber frontier has become a magnet for malicious actors. Today, the nation accounts for 13.7% of global cyber-incidents.
The Indian government’s push to digitalise governance, healthcare, and critical infrastructure has undeniably improved accessibility and efficiency for millions. At the same time, it has also exposed systemic fragilities: a population still adapting to digital literacy, organisations lagging in cyberhygiene, and sectors such as healthcare and finance ‒ lifelines of the digital economy ‒ emerging as prime targets for ransomware and data extortion. Meanwhile, the rise of AI introduces new complexities, from ethically fraught dilemmas to sophisticated malware capable of evading traditional defences.
Against this backdrop, India’s cybersecurity landscape in 2025 is defined by a race between a relentless pace of innovation and an evolving sophistication of threats. While progressive legislation such as the Digital Personal Data Protection Act 2023 (DPDPA) and the updated National Cybersecurity Strategy aim to fortify defences, gaps persist.
Trends in cybersecurity incidents
The cybersecurity environment in India underwent notable changes in 2024, presenting a complex picture of challenges and improvements alike. According to the Data Security Council of India’s Cyber Threat Report 2025 (the “Report”), the country experienced significant malware activity while showing enhanced defensive capabilities. In 2024, India recorded 369.01 million malware detections across 8.44 million endpoints, averaging 702 detections per minute. This represents a reduction from 2023’s figures of 400 million detections across 8.5 million endpoints.
More significantly, the number of actual cybersecurity incidents decreased substantially, from approximately 10,500 in 2023 to 7,770 in 2024. Data suggests strengthened cybersecurity measures, as evidenced by an improved incident-to-detection ratio. In 2024, approximately one security incident occurred per 40,400 malware detections, compared to one per 38,000 detections in 2023.
However, the threat landscape has grown more sophisticated, as shown by the rise in behaviour-based malware detections from 12.5% in 2023 to 14.5% in 2024. This reflects attackers' increasing use of malware that evades signature-based detection by constantly changing its code or by hiding inside legitimate processes, so that it can be identified only by what it does rather than by what it looks like.
Geographically, the threat landscape expanded beyond traditional tech hubs. While states such as Telangana and Tamil Nadu remained primary targets, there was a marked increase in activity in tier-two cities such as Surat and Ahmedabad.
The healthcare sector emerged as the most targeted industry, accounting for 21.82% of all attacks ‒ up from 15% in 2023. This rise is likely driven by the high value of medical data and the essential nature of healthcare systems, which may prompt organisations to be more inclined to pay ransoms. The hospitality (19.6%) and banking sectors (17.4%) also saw significant targeting, highlighting the focus on industries handling large volumes of personal and financial data.
India saw a rise in cloud-based detections, accounting for 62% of all detections, which reflects the broader digital transformation across Indian businesses. As more organisations move their operations to the cloud, they are creating new opportunities for attackers to exploit misconfigured or inadequately protected cloud resources.
In terms of malware types, Trojans and file infectors remained the most prevalent, constituting 43.25% and 34.10% of detections respectively. Such malware often masquerades as legitimate software, tricking users into executing it and giving attackers backdoor access to systems.
Ransomware attacks continue to pose one of the most acute cybersecurity threats. While the typical approach of stealing and encrypting data remains a primary tactic, there is an increasing trend towards threat actors adopting data extortion tactics whereby data is stolen but not encrypted. This shift reflects a change in the nature of ransomware attacks, moving from traditional encryption-based extortion to more sophisticated data theft and extortion methods.
Ransomware also remains one of the most damaging forms of cybercrime, and its detections convert into incidents far more often than malware in general: the Report records one ransomware incident for every 595 ransomware detections, against one malware incident for every 40,400 malware detections.
The geopolitical landscape continued to shape the threat picture, with hacktivist groups and state-sponsored actors targeting critical infrastructure and public utility services. Ongoing conflicts in the Middle East and other regions drove increased cyber-activity against India, and activity spikes around key national events (eg, Independence Day and Republic Day) reflect efforts to undermine India's standing on the global stage.
One of the most revealing insights about India’s cybersecurity preparedness comes from the Cyber Security Maturity Survey (the “Survey”) conducted as part of the Report. The Survey, which involved organisations across India, offers a comprehensive look into critical areas such as cyber-resiliency, preparedness, and priorities. The Survey found that nearly 73% of organisations are unaware if they have ever been attacked and found that 57% lack cyberhygiene practices.
Impact of AI and other emerging technologies
In 2024, AI-driven threats became a significant challenge for Indian organisations owing to their scalability, ability to evade detection, and adaptability against conventional cybersecurity measures. The widespread availability of open-source AI tools and low-cost cloud computing enabled even less-skilled attackers to execute advanced cyber-attacks. Platforms accessible on the dark web simplified the creation of phishing campaigns and business email compromise (BEC) attacks, reducing the technical expertise required for such activities.
By way of example, generative AI has been weaponised to craft hyper-personalised phishing emails by scraping publicly available data from social media and corporate websites. There has been a surge in fraud cases where AI-simulated voices mimicked executives to authorise fraudulent transactions, demonstrating the alarming precision of these tools.
AI-enhanced malware, of which BlackMamba (a proof-of-concept published by security researchers in 2023) is the best-known example, represents a paradigm shift in cybersecurity threats. Unlike traditional malware, BlackMamba uses a generative AI model to synthesise its malicious code at run time, so that no fixed byte pattern exists for signature-based detection to match. This adaptability allows attacks to persist undetected and complicates mitigation for organisations.
Similarly, polymorphic ransomware employs reinforcement learning to alter its behaviour in real-time, targeting critical sectors such as healthcare and finance with increased efficiency. The healthcare sector, already strained by high-value data and operational criticality, witnessed a rise in automated attacks on exposed internet of things (IoT) devices in 2024.
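The two preceding passages on behaviour-based detections and on code-rewriting malware such as BlackMamba describe the same mechanism: a payload whose bytes differ from build to build defeats hash and byte-pattern signatures, but its actions on the endpoint do not change. The following Python script is an added illustration written for this page, not code from the Report, from HYAS or from any malware. The "payload" is inert text, the XOR-based variant builder is a deliberately simple stand-in for polymorphism, and the telemetry events, process names, paths and IP addresses are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable

# Constructed stand-in for malicious logic; the bytes are inert text.
PAYLOAD = b"read_browser_credentials;exfiltrate_to_c2;"


def build_variant(payload: bytes, key: int) -> bytes:
    """Produce one polymorphic build: a 1-byte key followed by the XOR-encoded payload.

    Every build with a different key has a different byte image and hash,
    although decoding yields identical logic. This is the property that lets
    mutating malware slip past hash or byte-pattern signatures.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return bytes([key]) + bytes(b ^ key for b in payload)


def decode_variant(variant: bytes) -> bytes:
    """Recover the payload; the same logic runs whichever key was used."""
    key = variant[0]
    return bytes(b ^ key for b in variant[1:])


def signature_match(sample: bytes, known_hashes: set[str]) -> bool:
    """Hash-based (signature) detection: exact match on SHA-256 of the file image."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record (constructed for the example)."""
    pid: int
    process: str
    action: str   # "file_read" or "net_connect"
    target: str   # file path or ip:port


BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def behaviour_match(trace: Iterable[Event]) -> set[int]:
    """Behaviour-based detection, independent of the payload's bytes.

    Rule: a non-browser process reads a browser credential store and later
    makes an outbound connection. Returns the offending PIDs. A stealer
    hiding under a legitimate-looking process name is still caught, because
    the rule keys on actions, not on the name or the file hash.
    """
    touched_creds: set[int] = set()
    flagged: set[int] = set()
    for ev in trace:
        if (ev.action == "file_read" and ev.target.endswith("Login Data")
                and ev.process.lower() not in BROWSERS):
            touched_creds.add(ev.pid)
        elif ev.action == "net_connect" and ev.pid in touched_creds:
            flagged.add(ev.pid)
    return flagged


def run_demo() -> dict:
    """Compare both detection approaches on constructed samples and telemetry."""
    known_build = build_variant(PAYLOAD, key=0x5A)   # the build the AV vendor has seen
    new_build = build_variant(PAYLOAD, key=0xC3)     # next build: same logic, new bytes
    known_hashes = {hashlib.sha256(known_build).hexdigest()}

    # Constructed telemetry: one malicious process, two benign ones.
    cred_store = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    trace = [
        Event(310, "chrome.exe", "file_read", cred_store),            # benign: browser reads own store
        Event(310, "chrome.exe", "net_connect", "198.51.100.9:443"),
        Event(4242, "svchost.exe", "file_read", cred_store),          # malicious: stealer reads store
        Event(777, "notepad.exe", "net_connect", "192.0.2.1:80"),     # benign: no credential access
        Event(4242, "svchost.exe", "net_connect", "203.0.113.7:443"), # malicious: beacon out
    ]
    return {
        "same_logic": decode_variant(known_build) == decode_variant(new_build) == PAYLOAD,
        "signature_catches_known": signature_match(known_build, known_hashes),
        "signature_catches_new": signature_match(new_build, known_hashes),
        "behaviour_flags": behaviour_match(trace),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the script shows the asymmetry the Report's figures point to: the hash signature matches the build it was derived from and misses the next build, while the behaviour rule flags PID 4242 regardless of which build produced the activity. Real detections use richer telemetry (process ancestry, injection into other processes, DNS, timing) and tuned rules, but the principle is the same.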
Emerging techniques such as data-centric ransomware signify a strategic shift in attacker priorities. Instead of encrypting data, adversaries now use AI to identify and exfiltrate high-value information, threatening public disclosure unless ransoms are paid. This approach ‒ seen in the 2024 attack on C-Edge Technologies, a technology service provider whose compromise disrupted payment services at around 300 small rural banks ‒ reduces the attacker's detection risk while maximising extortion leverage. Concurrently, supply chain compromises through third-party AI vendors and open-source libraries have expanded the attack surface, with malicious code injected via compromised updates or dependencies.
Indian government’s efforts
To counter these threats, the Indian government has prioritised regulatory and institutional reforms. The DPDPA's consent and security requirements apply equally to personal data used in AI training datasets, requiring lawful grounds (ordinarily explicit consent) for its collection, and the Act imposes penalties of up to INR250 crore (roughly USD30 million) on a data fiduciary that fails to take reasonable security safeguards. Complementing this, the Indian Computer Emergency Response Team (CERT-In)'s AI security advisory recommends measures to mitigate AI-related threats, including educating users, verifying domains, securing data and preventing misuse.
International collaboration has also been prioritised, with India’s membership in the Global Partnership on AI (GPAI) facilitating cross-border threat intelligence sharing and ethical AI standardisation.
India’s position on the global stage: pivotal role of CERT-in
India has claimed a spot in the Tier-1 category in the latest Global Cybersecurity Index (GCI) 2024, released by the International Telecommunication Union. With a score of 98.49, India is one of 47 countries to be adjudged as a leading nation that has demonstrated commitment to robust cybersecurity practices. Central to this success are the country’s progressive legislative frameworks and the operational efficacy of CERT-In.
Among such frameworks, India’s legal framework for cybersecurity has also evolved significantly and contributed to this success, anchored by the Information Technology Act 2000 (the “IT Act”) and its subsequent amendments. The introduction of the DPDPA further strengthened this framework. By establishing stringent guidelines for data controllers, enforcing organisational and technical safeguards and standards, and imposing penalties for non-compliance, the DPDPA addresses growing concerns around data security in the digitised economy. These legislative measures have been instrumental in aligning India’s cybersecurity governance with global standards, earning high marks in the GCI’s legal pillar.
India’s technical capabilities, particularly through CERT-In, have been pivotal to its Tier-1 status. Established in 2004, CERT-In operates as the national nodal agency for cybersecurity and is tasked with safeguarding India’s digital infrastructure, co-ordinating incident responses, and fostering a secure cyber ecosystem. Its mandate spans across threat analysis, vulnerability management, and collaboration with domestic and international stakeholders. CERT-In follows a structured approach to addressing reported incidents, which has significantly enhanced India’s capability to manage cybersecurity challenges, as follows.
Incident reporting
As per the CERT-In directions of April 2022 on cyber incident reporting, organisations are legally obliged to report the categories of cybersecurity incident listed in those directions within six hours of noticing them. Upon notification, CERT-In may request access to logs, system records and other forensic data to assess the breach's scope and impact. This process enables targeted mitigation while maintaining a collaborative, non-punitive approach. By prioritising risk mitigation over penalties, CERT-In encourages transparency and proactive reporting.
Proactive organisational engagement
Larger organisations with established cybersecurity practices and significant customer bases in India often proactively report incidents to CERT-In. This is driven by the recognition that timely reporting can help mitigate risks and prevent further damage. CERT-In’s responsive and supportive approach encourages organisations to engage with the agency.
Incident management support
CERT-In is known for its proactive and efficient handling of reported cybersecurity incidents. Upon receiving a notification, the agency typically acknowledges the incident promptly and provides a detailed response within 24 hours. In some cases, CERT-In officials contact the reporting entity directly to gather additional information or offer immediate guidance.
The agency's support is comprehensive, encompassing technical assistance, remedial measures and follow-up actions. By way of example, CERT-In provides technical expertise to help organisations contain and mitigate the impact of cyber-incidents, including identifying vulnerabilities, recommending patches and guiding recovery efforts to restore normal operations.
Additionally, CERT-In issues specific recommendations to address incidents and prevent their recurrence. This was demonstrated during the 2017 WannaCry ransomware attack, where the agency played a pivotal role in co-ordinating the response and issuing advisories to affected organisations.
Multi-stakeholder co-ordination
To tackle cybercrimes effectively, CERT-In often works closely with law enforcement agencies to investigate incidents and take down malicious phishing websites. Additionally, CERT-In collaborates with sector-specific regulators, particularly in critical infrastructure sectors such as banking, healthcare, and energy.
Beyond national borders, CERT-In actively engages in international co-operation. It has signed memoranda of understanding (MoUs) with agencies in countries such as Singapore, Japan, and the UK.
Conclusion
India’s cybersecurity landscape in 2025 presents a dual narrative of progress and vulnerability. Advancements such as a 26% reduction in cybersecurity incidents and India’s Tier-1 ranking in the GCI highlight strides in policy and technical capabilities. Legislative frameworks and the operational efficiency of CERT-In reflect institutional efforts to align with global standards. These measures have strengthened incident response, particularly in critical sectors such as finance and healthcare, where mandatory reporting protocols have been put in place.
However, emerging threats ‒ particularly AI-driven attacks ‒ continue to challenge this progress. The rise of adaptive malware (eg, BlackMamba), AI-generated phishing campaigns, and data-centric ransomware underscores the ability of adversaries to exploit technological advancements. Sectors such as healthcare (targeted in 21.8% of attacks) with limited cybersecurity infrastructure remain disproportionately vulnerable. Geopolitical tensions and state-sponsored attacks further strain cybersecurity defences, as seen in incidents targeting critical infrastructure during national events.
The path forwards hinges on systemic collaboration. While CERT-In’s incident management framework and international partnerships demonstrate proactive governance, gaps persist. Bridging these gaps requires scaling capacity-building initiatives, enforcing regulatory mandates such as the DPDPA, and integrating AI-driven threat detection into national strategies. India’s cybersecurity future will depend on balancing innovation with equitable resilience to ensure that its digital ambitions are not derailed by evolving risks.
18th Floor, SKAV 909, No 9/1, Residency Road, Richmond Circle, Bengaluru 560 025, Karnataka, India | +91 804 350 3600 | +91 804 350 3617 | pro-team@jsalaw.com | www.jsalaw.com