India recognises cybersecurity as a core component of national security, economic stability and the effective functioning of its digital infrastructure. The recently enacted Digital Personal Data Protection Act, 2023 (DPDPA) and its associated Digital Personal Data Protection Rules, 2025 (the “DPDP Rules”) are a transformative step for India’s cybersecurity and data protection landscape. It establishes a comprehensive framework governing the collection, processing, and protection of personal data, emphasising accountability, informed user consent, and timely breach notification.

National Cybersecurity Strategy

The National Cyber Security Policy, 2013, established by the Ministry of Electronics and Information Technology (MeitY), represents India’s first comprehensive policy framework for securing cyberspace. The policy seeks to build a resilient and digital ecosystem by creating a secure environment for individuals, businesses and government institutions.

The National Cyber Security Policy prescribes various objectives, which include the following:

• to create a secure cyber ecosystem that fosters trust and confidence in IT systems and digital transactions across all sectors of the economy;
• to establish an assurance framework supporting security-by-design and compliance with global security standards and best practices through conformity assessment of products, processes, technologies and personnel;
• to strengthen the regulatory framework governing cybersecurity and cyber risk management;
• to establish national and sectoral level 24x7 mechanisms for obtaining strategic threats information to ICT infrastructure, and for enabling co-ordinated response, resolution and crisis management through predictive, preventive, protective, response and recovery actions;
• to enhance the protection and resilience of critical information infrastructure (CII) through the operation of a dedicated national protection centre and the adoption of security practices across the lifecycle of information systems;
• to improve visibility into the integrity and security of ICT products and services through testing and validation mechanisms;
• to safeguard information during processing, storage and transmission to protect citizen data, reduce economic losses from cybercrime and mitigate data theft;
• to enable effective prevention, investigation and prosecution of cybercrime through legislative and institutional strengthening;
• to train approximately 500,000 cybersecurity professionals through capacity building and skill development initiatives; and
• to enhance international co-operation by promoting shared understanding and collaborative mechanisms for securing cyberspace.

Building on the 2013 framework, the Data Security Council of India (DSCI) has conceptualised the National Cyber Security Strategy, 2020, which is under development and represents the most comprehensive attempt to establish an integrated and future-ready cybersecurity framework aligned with India’s rapidly expanding digital footprint.

A significant feature of the proposed 2020 strategy is its focus on the governance of emerging technologies. India aims to develop regulatory guidelines for Artificial Intelligence (AI) safety, quantum-resistant encryption, 5G and 6G network security, IoT certification frameworks, and secure cloud adoption standards. In parallel, it promotes domestic research and development in cryptography, semiconductors, hardware security modules and cyber-forensics, with the objective of strengthening long-term technological autonomy.

Legislative and Regulatory Framework

The national strategy is supported by a combination of existing legislation and proposed reforms. The Information Technology Act, 2000, (the “IT Act”) together with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, (the “IT Rules”) forms the primary legal foundation for cybersecurity governance. Further, the binding directions and guidelines issued by the national nodal agencies under the IT Act, the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC), addresses incident reporting, co-ordinated response, protection of critical systems and enforcement against unauthorised access or cyber offences across sectors.

Further, the DPDPA mandates the implementation of reasonable security safeguards, requires reporting of personal data breaches, and reinforces organisational accountability for data-related cybersecurity incidents.

Additionally, the proposed Digital India Act is intended to modernise India’s digital regulatory architecture and is expected to introduce enhanced provisions relating to platform governance, cybersecurity obligations and enforcement mechanisms, reflecting the increasing complexity of India’s digital ecosystem.

Scope of Cybersecurity Regulations Across Sectors

Enhanced cybersecurity regulations are imposed on regulated sectors such as banking, financial services, insurance, telecommunications, power and securities markets.

Banking and finance sector

The Reserve Bank of India (RBI) has progressively strengthened cybersecurity oversight within the financial sector. In September 2025, RBI issued the Master Directions on Regulation of Payment Aggregators, to consolidate and rationalise the existing payment aggregator regulatory framework and introduce enhanced compliance and operational requirements. The framework mandates licensing for payment aggregators, including cross-border payment aggregators, and emphasises strong cybersecurity controls.

The Directions also mandate payment aggregators to conduct full merchant KYC checks as per the RBI Know Your Customer Direction, 2016, subject to prescribed thresholds. The RBI has also emphasised heightened oversight of cybersecurity risks arising from third-party dependencies and digital fraud. Incident reporting obligations in the banking and financial sector align with national cyber incident reporting timelines to RBI and CERT-In.

Insurance sector

In the insurance sector, the Insurance Regulatory and Development Authority of India (IRDAI) has significantly strengthened cybersecurity expectations. The IRDAI Information and Cyber Security Guidelines, 2023, applicable to insurers and intermediaries, require continuous monitoring of ICT systems, retention of security and application logs for extended periods, time-synchronised ICT systems and rapid reporting of cyber incidents to both IRDAI and CERT-In. The guidelines emphasise governance structures, encryption, business continuity planning and vendor risk management, embedding cyber-resilience within broader enterprise risk management and IT governance frameworks.

Telecommunications sector

Telecommunications operators are regulated by the Department of Telecommunications (DoT). Licensed telecoms service providers are required to ensure network security, protect the confidentiality of communications and conduct ongoing monitoring, audits and compliance assessments. The Telecom Cybersecurity Rules, 2024, mandate infrastructure protection measures, intrusion and attack monitoring facilities and incident reporting to relevant authorities, reflecting the critical role of telecoms networks as foundational digital infrastructure.

Telecoms entities are also subject to CERT-In reporting obligations, in addition to sector-specific licence conditions and operational directions. In 2025, the amended Telecom Cybersecurity Rules introduced verification and reporting obligations for non-telecoms entities that are using telecoms identifiers to provide their services.

Power sector

The Central Electricity Authority (CEA) provides a comprehensive cybersecurity framework for all entities managing Operational Technology (OT) and IT infrastructure in the power sector under the Cyber Security in Power Sector Guidelines, 2021. The Power Computer Security Incident Response Team (CSIRT), set up in 2024, is the central agency responsible for reporting and responding to cyber security incidents, and co-ordinating with other agencies.

Additionally, the CEA introduced the draft Central Electricity Authority (Cyber Security in Power Sector) Regulations, in October 2025, which includes provisions regarding incident reporting obligations, annual security audits, additional cybersecurity requirements, etc.

Securities sector

The Securities and Exchange Board of India (SEBI) introduced a comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) in August 2024, applicable to all SEBI-regulated entities. This includes stock exchanges, clearing corporations, depositories, brokers, asset managers, credit rating agencies, mutual funds, investment advisers, KYC registration agencies and other market intermediaries.

The CSCRF sets out standards for anticipation, detection, response to, containment of and recovery from cyber incidents. It requires SEBI-regulated entities to develop and implement cybersecurity governance structures, establish Security Operations Centres (SOCs) or equivalent monitoring arrangements, conduct regular vulnerability assessments and audits, report cyber incidents within prescribed timelines, and manage third-party risk effectively.

Cybersecurity and cyber-risk management in India are governed through legislation, delegated rules, binding executive directions and sector-specific standards. This framework applies horizontally across sectors, with enhanced obligations for critical infrastructure and regulated entities.

IT Act (2000) and IT Rules (2021)

The IT Act forms the core statutory basis for cybersecurity regulation in India. Its subject matter includes cyber offences, unauthorised access, damage to computer resources, intermediary liability, interception powers and the protection of CII.

The IT Act applies to all persons and entities using computer systems or networks in India, including companies, intermediaries, service providers and government bodies. It has extraterritorial application where a computer system or network located in India is involved, regardless of the nationality or location of the offender.

The Act empowers the central government to issue binding directions and designate authorities responsible for incident response and infrastructure protection, providing the statutory basis for CERT-In and NCIIPC.

The IT Rules further establish a regulatory framework for social media intermediaries, requiring them to observe enhanced due diligence obligations. The Rules also regulate content published by online publishers of news and current affairs, as well as providers of curated audio-visual content, and prescribe obligations relating to content moderation and grievance handling. It also mandates all intermediaries to establish a grievance redressal mechanism for addressing complaints from users or affected persons.

DPDPA (2023) and DPDP Rules (2025)

While primarily the DPDPA and the DPDP Rules are a data protection regime, it imposes cyber-risk management and breach prevention obligations on organisations processing personal data. The Act is presently implemented in a phased manner as prescribed in the Rules with full effect by May 2027.

The Act applies to all data fiduciaries processing digital personal data within India as well as foreign entities offering goods or services to individuals in India. It mandates the implementation of reasonable security safeguards and requires notification of personal data breaches to regulators and affected individuals. Codes of practice, guidance and directions issued by the Data Protection Board of India (DPBI) play a binding role in enforcement and compliance.

CERT-In Rules and Directions

Under the IT Act, the CERT-In is authorised to issue binding rules and directions governing cybersecurity incident reporting and response. The scope includes mandatory reporting of specified cyber incidents, maintenance of system logs, time-bound reporting obligations, audit requirements and co-operation with government investigations. These obligations apply to service providers, intermediaries, data centres, cloud service providers, corporate entities and other covered organisations.

CERT-In Directions apply to entities operating in India and may extend to foreign entities where services are offered in India or Indian digital infrastructure is affected. CERT-In advisories, while often framed as guidance, operate as de facto binding standards when issued as formal directions under statutory authority.

NCIIPC Rules and Guidelines

The NCIIPC has framed the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 (the “NCIIPC Rules”) and issued Guidelines for the Protection of National Critical Information Infrastructure, 2015, (the “NCIIPC Guidelines”) to safeguard India’s CII from unauthorised access, modification, use, disclosure and disruption to ensure a safe, secure and resilient information infrastructure for critical sectors in the country.

This framework applies to entities notified as “Protected Systems” operating in sectors such as power, banking, telecommunications, transport and government services, where disruption could have a debilitating impact on national security or public order.

Sector-Specific Cybersecurity Regulations

Sectoral regulators, including the RBI, SEBI, IRDAI and the DoT, issue binding cybersecurity and resilience frameworks applicable to entities within their respective domains as referred to in 1.1 Cybersecurity Regulation Strategy.

These frameworks impose enhanced cyber-risk management, governance, audit, testing and reporting obligations on regulated entities. They are binding within their respective sectors and enforced through supervisory inspections, penalties and licensing conditions.

Proposed Digital India Act

The proposed Digital India Act is intended to modernise India’s digital regulatory framework and replace or supplement parts of the IT Act. It is expected to introduce clearer cybersecurity governance norms, strengthen enforcement powers, and formalise obligations relating to digital intermediaries, platforms and online services, including cyber-resilience and incident reporting requirements.

India’s cybersecurity framework operates through complementary and overlapping regimes. The IT Act and CERT-In Directions establish baseline cybersecurity and incident reporting obligations applicable across sectors. The NCIIPC framework imposes heightened requirements for critical infrastructure. The DPDPA overlays data protection and breach notification obligations where personal data is involved. Sectoral regulators impose additional requirements tailored to specific risk environments.

In practice, organisations may be subject to parallel compliance obligations arising from multiple frameworks, requiring co-ordinated incident response, reporting and risk management processes.

Cybersecurity regulation and enforcement in India is administered through a multi-agency framework, comprising central government authorities, sectoral regulators and law enforcement bodies.

The CERT-In established under the IT Act and operating under the MeitY, serves as the national nodal agency for cybersecurity incident response affecting non-critical information infrastructure. Its mandate includes:

• issuing advisories, guidelines and directions relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
• collecting, analysing and disseminating information on cyber threats;
• co-ordinating incident response;
• requiring mandatory reporting of specified cyber incidents within prescribed timelines;
• to call for information, conduct audits, seek logs and technical data;
• co-ordinate with domestic and international agencies; and
• such other functions relating to cybersecurity as may be prescribed.

The NCIIPC, designated under the IT Act, is responsible for protecting CII. It operates under the National Technical Research Organisation (NTRO) and focuses on sectors whose disruption could have a debilitating impact on national security, public health or economic stability, such as power, banking, telecommunications, transport and government services.

NCIIPC is authorised to issue sector-specific cybersecurity guidelines, conduct risk assessments, mandate protective measures, and co-ordinate with sectoral entities on preparedness and incident response.

The National Cyber Coordination Centre (NCCC) functions as a situational awareness and co-ordination body, which supports real-time monitoring of cyber threats and inter-agency information sharing. It plays a central role in threat intelligence aggregation and inter-agency co-ordination.

Law enforcement oversight is exercised through the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs (MHA), which supports investigation, co-ordination and capacity-building for cybercrime enforcement across states and union territories. Police authorities derive investigative and prosecutorial powers under the IT Act and the Bharatiya Nyaya Sanhita, 2023, enabling search, seizure, arrest and prosecution in cases involving cyber offences.

In addition to central authorities, sectoral regulators impose cybersecurity obligations and exercise supervisory and enforcement powers within their respective domains. These include the Reserve Bank of India (banking and payments), the Securities and Exchange Board of India (capital markets), the Insurance Regulatory and Development Authority of India (insurance), the Central Electricity Authority (CEA) and the Department of Telecommunications (telecoms services). Such regulators issue advisories, binding cybersecurity frameworks, conduct inspections and audits, mandate incident reporting, and may impose penalties or supervisory actions for non-compliance.

Cybersecurity enforcement also intersects with data protection oversight. Under the DPDPA, the DPBI has powers to inquire into personal data breaches, direct remedial measures and impose monetary penalties. Further, in case a cybersecurity incident results in personal data compromise, organisations may be subject to parallel scrutiny by CERT-In and the DPBI.

Overall, India’s cybersecurity governance relies on centralised technical co-ordination through CERT-In and NCIIPC, supported by law enforcement and sectoral regulators, with national and sectoral cyber incident response teams operating within this framework to ensure preparedness, detection, response and enforcement across the digital ecosystem.

India regulates cybersecurity for essential and critical entities primarily under the IT Act, supplemented by executive notifications, binding directions and sector-specific regulation.

Section 70 of the IT Act empowers the central government to designate any computer resource whose incapacitation would have a debilitating impact on national security, the economy, public health or public order as Critical Information Infrastructure (CII), and notify them as “Protected Systems” under the IT Act. The designation is based on the functional criticality and systemic importance of the system, rather than on the size, turnover or corporate structure of the entity operating it.

The NCIIPC is the competent authority responsible to oversee the protection of CII. Once a system or network is designated as critical, the operator is subject to enhanced cybersecurity obligations, including compliance with security guidelines, audits, risk assessments and co-ordinated incident response protocols.

In practice, critical infrastructure designation and sectoral oversight extend to entities operating in sectors considered essential to national functioning, including:

• power and energy;
• banking and financial services;
• telecommunications;
• transport (including aviation and rail);
• government and defence-related systems; and
• digital public infrastructure platforms.

The NCIIPC regularly advises on reducing vulnerabilities of the CII, and against cyberterrorism, cyberwarfare and other threats. The NCIIPC Guidelines prescribe the development of audit and certification agencies for the protection of the CII. The NCIIPC also exchanges cyber-incidents and other information relating to attacks and vulnerabilities with CERT-In and concerned cybersecurity organisations in India.

Additionally, the DPDPA introduces a risk-based designation mechanism for critical data fiduciaries. Under Section 10 of the DPDPA, the Central Government may designate any Data Fiduciary as a Significant Data Fiduciary (SDF) after considering the following factors:

• volume and sensitivity of personal data processed;
• risk to the rights of individuals;
• potential impact on national security or public order;
• use of emerging or advanced technologies; and
• systemic importance of the service.

SDFs are classified by the government based on actual risk, not merely size. Therefore, any entity could be designated an SDF based on the sensitivity of the data it handles. Designation is discretionary, anticipatory and flexible, allowing the regulator to pre-emptively impose heightened standards where risk is high.

The CERT-In Rules require all cybersecurity incidents to be reported, including attacks on critical infrastructure and compromise of critical systems/information.

The NCIIPC Rules lay down the cybersecurity practices and procedures to be followed in respect of CII and Protected Systems. The NCIIPC Rules prescribe that all organisations having a “Protected System” shall constitute an Information Security Steering Committee (ISSC) under the chairmanship of the Chief Information Security Officer (CISO) of the organisation. The ISSC must oversee all security audits and risk-acceptance decisions of the organisations and is required to undertake the following responsibilities:

• plan, establish, implement, operate, monitor, review, maintain and continually improve Information Security Management System (ISMS) of the Protected System as per latest NCIIPC Guidelines or an industry accepted standard duly approved by the NCIIPC;
• identify and classify critical segments into categories for targeted protection;
• conduct mandatory cybersecurity audits by CERT-In empanelled auditors;
• perform Vulnerability/Threat/Risk (V/T/R) Analysis whenever significant system upgrades occur, with results reported to the ISSC;
• report cyber incidents to CERT-In within six hours of discovery;
• maintain system logs for 180 days within India;
• implement network segmentation, role-based access controls and multi-factor authentication for privileged users;
• prioritise the use of validated and certified IT products, including indigenously manufactured products, where feasible for CII;
• ensure accountability for data protection even where third-party processors are engaged, supported by contractual security obligations and audit rights;
• establish and periodically test a Cyber Crisis Management Plan (CCMP) in co-ordination with NCIIPC; and
• validate Protected Systems at least once every two years to assess resilience against evolving threats.

The CISO is required to maintain regular contact with the NCIIPC and is responsible for implementing the security measures suggested by NCIIPC using all available/appropriate ways of communication. Further, under the IT Act, any person who secures access or attempts to secure access to a Protected System in contravention of the provisions shall be punished with imprisonment which may extend to ten years and a fine.

For entities designated as SDFs under the DPDPA, additional governance and accountability requirements apply under Rule 13 of the DPDP Rules, including:

• conducting periodic Data Protection Impact Assessments (DPIAs) addressing processing activities, risks, mitigation measures, algorithmic impacts and high-risk use cases;
• updating DPIAs following system redesigns, adoption of new technologies or material changes in data flows
• undergoing annual independent data protection audits;
• ensuring algorithmic transparency and safeguards where automated decision-making affects individual rights;
• implementing enhanced protections for sensitive categories of data, including biometric, health, financial and children’s data; and
• appointing a qualified Data Protection Officer (DPO) reporting directly to senior management.

Under the DPDPA, security safeguard failures or failure to notify data breaches to the DPBI may attract penalties of up to INR250 crore (1 crore equals 10 million) (USD27.2 million, approximately).

Entities operating in India may be subject to parallel and multi-agency incident reporting obligations, depending on the nature of the incident and the systems affected.

CERT-In serves as the national nodal agency for all cybersecurity incident reporting, while the NCIIPC is the designated authority for Protected Systems and CII. The DPBI, operationalised in 2025 under the DPDP Act, handles personal data breaches. Sector-specific regulators, such as the RBI, SEBI, IRDAI and CEA impose additional reporting obligations on entities in finance, securities, insurance and power.

Reporting timelines are defined according to the type of incident:

• general cybersecurity incidents, including unauthorised access, malware infection, or critical system compromise, must be reported to CERT-In within six hours;
• any incident affecting a Protected System or CII must be reported within six hours to both CERT-In and NCIIPC; and
• personal data breaches, including unauthorised processing or loss of access to personal data, must be reported to the DPBI within 72 hours.

Initial notifications must include the nature of the incident, date and time of detection, affected systems or data, and immediate mitigation measures. Detailed reports may additionally require:

• description of affected data categories;
• description of affected data subjects;
• proposed or implemented mitigation steps; and
• contact details of the CISO or DPO.

Notifications are submitted to CERT-In via the official incident reporting template by email or 24/7 helpdesk, to NCIIPC through channels established in the entity’s Cyber Crisis Management Plan, and to the DPBI through its online portal or mobile application.

CERT-In assigns a tracking number, analyses the incident, and provides guidance on containment and recovery. Entities are expected to provide updates as more information becomes available, and Protected Systems are generally required to prepare post-incident reports, including root-cause analysis, corrective measures, and, in some cases, third-party audits to verify remediation. System logs and related technical records must be maintained locally for 180 days to facilitate investigation, compliance and regulatory follow-up.

The National Cyber Security Policy, 2013, lays down the protection and resilience of CII, building a secure and resilient cyberspace, creating mechanisms for security threat early warning, vulnerability management, and response to security threats as some of the primary responsibilities of the government.

The policy prescribes that the government should work towards rapid identification, information exchange, investigation and co-ordinated response and remediation, which can effectively mitigate the damage caused by malicious cyberspace activity.

CERT-In is the main authority responsible for analysing trends and patterns in intruder activities, determining the scope, priority and threat of a cyber incident and developing preventive strategies against cybersecurity incidents. With the aim of identifying cybersecurity vulnerabilities and promoting resilience, CERT-In follows a “Responsible Vulnerability Disclosure and Co-ordination Policy”, in terms of which it collects, analyses and mitigates co-ordination with researchers/finders and vendors leading to the public disclosure of newly identified cybersecurity vulnerabilities and threats.

Upon receiving any information regarding a cybersecurity vulnerability, CERT-In will examine and validate the vulnerability report and communicate to the discloser whether or not the report will be co-ordinated by CERT-In. Upon successful validation, CERT-In will initiate co-ordination with the relevant product vendor, discloser and other stakeholders (if required) for the remediation and closure of the issue. CERT-In will endeavour to get the issue resolved within 120 days from initial vendor contact date.

Under the proposed National Cybersecurity Strategy, states are expected to establish dedicated State Cybersecurity Cells tasked with monitoring, co-ordinating and responding to cyber threats at the regional level. These cells work in close co-ordination with the National Cyber Co-ordination Centre (NCCC), CERT-In and the NCIIPC to ensure a unified response to cyber incidents.

India’s financial sector operational resilience framework is principally articulated through regulator-issued guidance and framework.

The RBI’s Guidance Note on Operational Risk Management and Operational Resilience (the “Guidance Note”) issued in April 2024, is a key development in this area, which applies to Regulated Entities (REs) including all commercial banks, primary (Urban) Co-Operative Banks/State Co-Operative Banks/Central Co-Operative Banks, All-India Financial Institutions and All Non-Banking Financial Companies including Housing Finance Companies.

RBI’s Guidance Note intends to promote and further improve the effectiveness of Operational Risk Management of the REs, and enhance their Operational Resilience in view of the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which the REs operate.

Further, with the aim of improving the cybersecurity framework in India’s financial sector, in August 2024, the SEBI released the Cybersecurity and Cyber Resilience Framework (CSCRF), for SEBI-regulated entities (the “Regulated Entities”) which includes, inter alia, the following:

• alternative investment funds (AIFs);
• bankers to an issue (BTI) and self-certified syndicate banks (SCSBs);
• clearing corporations;
• collective investment schemes (CIS);
• credit rating agencies (CRAs);
• custodians;
• debenture trustees (DTs);
• depositories and depository participants;
• investment advisers and research analysts;
• KYC registration agencies; and
• merchant bankers.

The CSCRF defines “cyber-resiliency” as “the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing, and rapidly recovering from cyber incidents”.

The CSCRF is standards-based and broadly aligns with the cyber-resiliency goals of CERT-In’s Cyber Crisis Management Plan for countering cyber-attacks and cyber terrorism. These goals include: anticipating, withstanding, containing, recovering and evolving in response to threats, in addition to the core cybersecurity objectives of identifying, detecting, protecting, responding and recovering. The CSCRF framework provides a structured methodology to implement various solutions for cybersecurity and cyber-resiliency. The CSCRF framework supersedes earlier SEBI circulars and guidelines.

There is no specific definition or provisions dealing with “ICT service providers” under the current cybersecurity law framework in India.

Under RBI’s Guidance Note, third-party service providers include, inter alia, cloud service providers and IT/operations vendors. The Guidance Note prescribes that REs should perform a risk assessment and due diligence before entering into arrangements with such third-party service providers. Particularly, the RE should verify whether the third-party service provider has at least an equivalent level of operational resilience to safeguard the RE’s critical operations in normal circumstances, and in the event of a disruption.

Further, the Guidance Note recommends that a policy approved by the board of directors on the management of service providers is critical for managing risks associated with reliance on third parties irrespective of whether they are related or unrelated to the RE. Such third-party risk policies should include:

• procedures for determining whether there is a need for entering into a third-party arrangement for a service and how to enter into such an arrangement;
• sound structuring of the third-party arrangement, including ownership and confidentiality of data, as well as termination rights;
• programmes for managing and monitoring the risks associated with the third-party arrangement, including the financial condition of the service provider;
• establishment of an effective control environment at the RE and the service provider that should include a register of third-party relationships (that identifies the criticality of different services) and metrics and reporting to facilitate oversight of the service provider; and
• execution of comprehensive contracts and/or service level agreements (which are enforceable) with a clear allocation of responsibilities between the third-party service provider and the RE, provided the ultimate responsibility vests with the RE.

REs, in their agreements with the third-party service providers, should also include clauses making the service provider contractually liable for the performance and risk management practices of its sub-contractors.

As per the CSCRF, Regulated Entities are required to identify and classify critical systems based on their sensitivity and criticality for business operations, services and data management. The board/partners/proprietor of the Regulated Entity shall approve the list of critical systems. The CSCRF does not specify whether ICT services or cloud service providers will be considered as critical systems.

The key objective of the CSCRF is to address evolving cyber threats, to align with the industry standards, to encourage efficient audits and to ensure compliance by SEBI Regulated Entities. The CSCRF also sets out standard formats for reporting by the Regulated Entities.

The CSCRF lays down that Regulated Entities are required to establish, communicate and enforce cybersecurity risk management roles, responsibilities and authorities to foster accountability and continuous improvement. A comprehensive cybersecurity and cyber-resilience policy shall be documented and implemented with the approval of the board/partners/proprietor.

CSCRF mandates Market Infrastructure Institutions (MIIs), Qualified Regulated Entities and mid-size Regulated Entities to prepare a cyber-risk management framework for identification and analysis, evaluation, prioritisation, response and monitoring of cyber risks on a continuous basis. MIIs and Qualified Regulated Entities must also prepare a Cyber Capability Index (CCI). MIIs shall conduct third-party assessment of their cyber-resilience using CCI on a half-yearly basis. Qualified Regulated Entities shall perform self-assessment of their cyber-resilience using CCI on a yearly basis.

Risk assessment (including post-quantum risks) of Regulated Entities’ IT environment also must be done on a periodic basis. Regulated Entities shall establish appropriate security mechanisms through a Security Operations Centre for continuous monitoring of security events and timely detection of anomalous activities.

Regulated Entities shall be solely accountable for all aspects related to third-party services including (but not limited to) confidentiality, integrity, availability, non-repudiation, security of their data and logs, and ensuring compliance with laws, regulations, circulars, etc, issued by SEBI/Indian government. Accordingly, Regulated Entities shall be responsible and accountable for any violations of the same.

Incident and Reporting Obligations

As per the CSCRF, the Regulated Entities are required to establish a comprehensive Incident Response Management Plan and corresponding SOPs, as well as formulate an up-to-date Cyber Crisis Management Plan. In the event of an incident, Root Cause Analysis (RCA) shall be conducted to identify the cause leading to the incident.

Under the CSCRF, cyber-attacks, cybersecurity incidents and breaches experienced by Regulated Entities falling under CERT-In’s 2022 directive, must be notified to SEBI and CERT-In within six hours of noticing/detecting such incidents or being brought to notice about such incidents. This information also has to be shared to the SEBI Incident Reporting Portal within 24 hours.

Stock brokers/depository participants shall also report the incident to stock exchanges/depositories as well as SEBI and CERT-In within six hours of noticing/detecting such incidents or being brought to notice about such incidents. Any/all other cybersecurity incidents shall be reported to SEBI, CERT-In, and NCIIPC (as applicable) within 24 hours.

During incident handling, some aspects must be captured, such as whether the Regulated Entity has followed its organisation’s incident response plan, taken necessary (immediate) measures to contain the incident impact and to control, mitigate and remediate the incident, whether the Regulated Entity has communicated about the incident to all relevant stakeholders, etc.

The Regulated Entity shall undertake the necessary activities and submit the relevant reports within timelines prescribed in the CSCRF. Thereafter, SEBI shall examine the incident on the basis of reports submitted. Further, the Regulated Entity shall classify the cybersecurity incident based on its severity and the same shall be reviewed and submitted to SEBI.

In case a Regulated Entity does not report a cybersecurity incident to SEBI (despite being aware of the incident) in the prescribed manner, SEBI may take appropriate regulatory action depending on the nature of the incident.

Additionally, as per RBI’s Guidance Note, REs should maintain an inventory of incident response and recovery, internal and third-party resources to support its response and recovery capabilities. The scope of incident management should capture the life cycle of an incident, typically including, but not limited to:

• the classification of an incident’s severity based on predefined criteria (eg, expected time to return to business as usual), enabling proper prioritisation and assignment of resources to respond to an incident; and
• the incident response and recovery procedures, including their connection to the RE’s business continuity, disaster recovery and other associated management plans and procedures.

Incident response and recovery procedures should be periodically reviewed, tested and updated by the REs. They should also identify and address the root causes of incidents to prevent or minimise serial recurrence.

There are no specific operation resilience enforcement obligations or provisions for critical ICT service providers under the current cybersecurity regime.

The DPDPA allows transfers of personal data outside India to countries or territories that are notified by the central government, subject to compliance with the Act’s data protection principles. The DPDPA establishes a “negative list” approach to cross-border transfers, meaning personal data can be transferred outside India unless the central government specifically restricts such transfers to certain countries or territories through official notification.

The DPDPA also requires banks to map their cross-border data flows, maintain audit trails, and conduct regular risk assessments, especially for SDFs. Secure data handling is essential not only for meeting legal requirements but also preserving business continuity and consumer trust.

While the Act does not itself impose operational resilience obligations, regulated entities must align data transfer decisions with resilience considerations, particularly in regulated sectors where continuity and access are critical.

Further, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”), which are currently in force, permit the transfer of sensitive personal data or information to a third-party/individual outside of India, if the recipient ensures the same level of data protection adhered to by the transferor.

The CSCRF for Regulated Entities prescribes that Vulnerability Assessment and Penetration Testing (VAPT) must be done to detect vulnerabilities in the IT environment for all critical systems, infrastructure components and other IT systems as defined in the framework.

CSCRF specifies a comprehensive scope for VAPT. The scope of the IT environment taken for the VAPT should be made transparent to SEBI and should include all critical assets and infrastructure components including (not limited to) networking systems, security devices, servers, databases, applications, systems accessible through WAN, LAN as well as with public IPs, websites, etc.

Testing Methodology

The VAPT should provide in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks. The testing methodology should be adapted from the following:

• SEBI CSCRF;
• NCIIPC;
• CERT-In Rules;
• The National Institute of Standards and Tech¬nology Special Publication 800-115;
• Latest ISO27001;
• PCI-DSS standards;
• Open Source Security Testing Methodology Manual; and
• OWASP Testing Guide.

As regards the insurance sector, the IRDAI also has a cybersecurity policy requiring vulnerability assessment and penetration testing annually and closing any identified high-risk gaps within a month. The RBI also mandates banks to have periodical vulnerability assessment and penetration testing exercises for all critical systems.

Further, the DPDPA requires SDFs to undertake measures including data protection impact assessment and periodic audits. The Data Protection Impact Assessment (DPIA) is defined as a process comprising description, purpose, assessment of harm, measures for managing the risk of harm and such other matters concerning the processing of personal data, as may be prescribed.

India currently does not have comprehensive specific legislation governing cyber-resilience. However, cyber-resilience obligations are dispersed across sector-specific laws, regulations and binding directions issued under the IT Act.

Under the NCIIPC Rules and Guidelines, operators of CII are required to implement security-by-design principles, including robust access controls, encryption, system hardening, continuous monitoring and secure software development practices for systems that support essential services.

Sectoral regulators, such as the RBI, SEBI and IRDAI, also issue guidance requiring banks, financial institutions and insurers to implement resilience measures for ICT products and services, including vendor risk management, business continuity, and incident response controls.

For instance, the Telecommunication Cyber Security (TCS) Rules, 2024 aim to strengthen cyber-resilience through collaborative mechanisms with entities using telecoms identifiers. It requires certain entities such as banks, e-commerce platforms and apps to verify user numbers against a government platform and share telecoms-identifier data with the government in specific circumstances.

Overall, India’s approach is largely risk and sector-based, comprised of legally binding rules, sectoral guidance and mandatory directions from nodal agencies, rather than a single codified cyber-resilience statute. Compliance is enforced through supervisory oversight, audits and mandatory reporting to authorities such as CERT-In, NCIIPC and sectoral regulators.

Please refer to 4.1 Cyber-Resilience Legislation.

The current legal framework in India does not provide for a dedicated statutory regime mandating cybersecurity certification for ICT products, services or processes on a horizontal basis.

However, India is a participant in the Common Criteria Recognition Arrangement (CCRA) and recognises Common Criteria (CC) certifications for IT products. The Indian Common Criteria Certification Scheme (IC3S) has been established by MeitY as part of the government’s cybersecurity assurance initiatives. The objective of the IC3S is to evaluate and certify IT security products and Protection Profiles (PPs) against the requirements of the Common Criteria standards, at assurance levels ranging from EAL 1 to EAL 4.

The IC3S provides national certification under an international mutual recognition arrangement with other CCRA member countries, ensuring that certifications issued under IC3S are acceptable across all CCRA member jurisdictions.

Additionally, the SPDI Rules prescribe ISO/IEC 27001 as one of the standards recommended to be implemented by organisations for compliance with reasonable security practices and procedures.

The DoT also mandates the security testing and certification for telecoms equipment sold, imported or used in India, such as IP Routers, Wi-Fi Customer Premises Equipment (CPEs), Optical Line Terminals (OLTs), etc, under the Communication Security Certification Scheme (ComSec).

With regards to CII organisations, the NCIIPC Guidelines prescribe security certifications by third-party agencies (government or private agencies) to protect the assets of a CII for smooth and error-free operation. The certifications must also deal with enforcing or implementing any international security standards available globally for the protection of critical assets working in the CII by respective organisations. Each CII must list the certifications needed to be implemented for the protection of their assets and the areas involved.

In addition to the certification of the CII facility, the CII must also ensure that the personnel hold certifications relevant to their responsibilities and up to date with the current standards. Accordingly, knowledge-upgrade programmes via new certifications, training, seminars, workshops, etc, should also be planned for employees based on the requirements of the CIIs. The implementation process of the security certifications should also be properly monitored by the CII management, so that it does not interfere with the normal functioning of the CII.

The DPDPA and the associated DPDP Rules represent a structural shift in India’s data governance landscape and introduce baseline cybersecurity obligations in the context of personal data processing. The Act requires data fiduciaries to implement reasonable security safeguards to prevent personal data breaches, taking into account the volume and sensitivity of personal data processed, the potential harm to data principals, and the nature of processing activities. These safeguards are intended to operate alongside, and not in substitution of, cybersecurity obligations under the IT Act, and sector-specific regulatory frameworks.

Further, data fiduciaries are required to take informed consent from their users and anyone whose data they collect, by giving a summary of what data they are collecting, and how they will use it. The DPDPA also gives users the right to erase or modify data they provide to data fiduciaries or to delete it. After a specific period of inactivity, data fiduciaries are under an obligation to delete the data they have on data principals. The Act and Rules also introduce the concept of a “Consent Manager”, enabling individuals to manage consent across multiple data fiduciaries through a single interface.

A personal data breach is defined broadly to include unauthorised processing, accidental disclosure, loss of access, or compromise of personal data, irrespective of whether actual harm has materialised. Data fiduciaries are required to notify the DPBI within 72 hours of becoming aware of the breach. Where the breach is likely to cause harm to data principals, affected individuals must also be informed in a clear and timely manner.

Notifications to the DPBI must include the nature and circumstances of the breach, the categories and approximate volume of personal data and data principals affected, the likely consequences of the breach, and the remedial measures taken or proposed.

At present, the SPDI Rules prescribe the protection of personal information and sensitive personal data, and reasonable security practices and procedures to be implemented for collection and the processing of personal information or sensitive personal data. The SPDI Rules require all body corporates to implement reasonable security practices and standards, as well as to document their security programmes and policies. However, once the DPDPA is implemented with full effect in May 2027, it will repeal the SPDI Rules.

These obligations operate in parallel with incident reporting requirements under the CERT-In Directions, resulting in multi-agency reporting for cyber incidents involving personal data. This mandates co-ordination between cybersecurity and data protection functions, including the preservation of logs, internal breach documentation, post-incident remediation, and evidence of compliance with security safeguards.

India does not have a comprehensive standalone AI legislation yet. However, the government has introduced AI-specific governance frameworks and guidelines that interact with the existing cybersecurity and data protection regime.

In November 2025, the MeitY released the India Artificial Intelligence Governance Guidelines (the “AI Governance Guidelines”), introducing a comprehensive framework to promote safe, inclusive and responsible AI adoption across sectors.

The AI Governance Guidelines emphasise security-by-design and secure-by-default principles across the AI lifecycle, requiring developers and deployers to integrate safeguards at the design, training, deployment and update stages. These include controls to ensure the integrity and confidentiality of training datasets, secure access to model development environments, protection against adversarial attacks, data poisoning, model inversion and unauthorised model extraction, and continuous monitoring of deployed systems. Where AI systems are used in government systems or critical sectors, these expectations are reinforced through mandatory audits, monitoring and resilience requirements under the NCIIPC framework.

The AI Governance Guidelines also highlight supply-chain and model component security as a material risk area. Organisations are expected to undertake due diligence on third-party datasets, pre-trained or foundational models, cloud infrastructure providers and outsourced AI development partners. This aligns with existing vendor and outsourcing risk management obligations under sectoral regulations, particularly in banking, telecoms and insurance, requiring contractual safeguards on information security, audit rights, incident reporting and restrictions on onward subcontracting. These expectations extend to software dependencies, model updates and embedded AI components that could affect system integrity or service continuity.

On 10 February 2026, the MeitY notified the much-needed amendments to the IT Rules to address the growing spread of digitally manipulated or AI-generated content (commonly referred to as deepfakes), that may distort reality, mislead citizens or cause reputational harm.

The amended IT Rules define Synthetically Generated Information as “audio, visual or audio-visual information which is artificially or algorithmically created, generated, modified or altered using a computer resource, in a manner that such information appears to be real, authentic or true and depicts or portrays any individual or event in a manner that is, or is likely to be perceived as indistinguishable from a natural person or real-world event”.

The amendments mandate intermediaries that provide a synthetic content creation platform to ensure that such content is prominently labelled and embedded with permanent metadata or other identifiers that allow it to be traced back to its origin. Intermediaries are also required to block synthetic content involving Child Sexual Abuse Material (CSAM), non-consensual intimate imagery, false documents, deceptive impersonation and similar unlawful material.

The timelines for compliance have been significantly tightened. Intermediaries must remove unlawful material (such as material or information that is obscene, defamatory, harmful to children, threatens national security and public order, etc), within three hours of receiving notice, as compared to the earlier 36 hour window. The grievance redressal timeline has also been reduced from 15 days to seven days. Failure to comply with these obligations may result in the loss of safe harbour protection.

The amended IT Rules also introduce an obligation on intermediaries to report offences under the Bharatiya Nagarik Suraksha Sanhita, 2023 and the Protection of Children from Sexual Offences Act, 2012 committed on its platform to the appropriate authorities to enable timely investigation and enforcement action.

Additionally, AI-related cybersecurity incidents must be reported to CERT-In within the prescribed six-hour timeline, where applicable. Where intermediaries form part of designated CII, parallel reporting to the NCIIPC is required.

Under the DPDPA and the DPDP Rules, hospitals, clinics, doctors, health-tech platforms, pharmaceutical companies, diagnostics labs, healthcare supply-chain organisations and all healthcare-related industry players are formally categorised as data fiduciaries, making them directly responsible for lawful and secure processing of digital personal data.

The Act mandates explicit, informed consent for collecting and using patients’ data and individuals can access, correct and erase their health data. The DPDP Rules provide limited exemptions for processing a child’s personal data where such processing is strictly necessary for the child’s health or medical treatment. Data fiduciaries are required to implement reasonable security safeguards to prevent personal data breaches and to notify the DPBI and affected individuals of reportable breaches within prescribed timelines.

The Ministry of Health and Family Welfare approved the Health Data Management Policy, 2020 (the “HDM Policy”) largely based on the DPDPA to govern data in the National Digital Health Ecosystem. The HDM Policy recognises entities such as data fiduciaries and data processors similar to the DPDPA, and establishes a consent-based data-sharing framework. Further, under the Policy, the Health Information Exchange and Consent Manager (HIE-CM) system has also been developed for enhanced security and privacy of electronic health data records. It operates on a decentralised network and ensures that the exchange and maintenance of personal health data across different healthcare providers is carried out using secure protocols and based on explicit patient consent.

There have also been attempts to regulate health data through specific laws. The Digital Information Security in Healthcare Act (the “DISH Act”), is one such attempt to protect health data of patients in India. Key provisions of the Act, include setting up of Health Information Exchange, and creation of regulatory and adjudicatory authorities at the national and state level.