India’s ever-expanding digital infrastructure in the wake of the pandemic has escalated the demand for new, updated, and improved regulatory mandates for strengthening cybersecurity. Rampant cybersecurity incidents have been occurring weekly, alarming businesses, organizations, and individuals across India.
The IBM Security Data Breach Report of 2022 states that, for the fiscal year of 2022, the average data breach cost in India reached a record high of ₹17.5 crores (₹175 million), or around $2.2 million, which is an increase of 6.6% from 2021, and a staggering 25% from the average cost of ₹14 crores in 2020.
In 2021, many cybersecurity incidents revolved around unauthorized access and compromised personal data. For example, in the case of Air India, data files from more than 4.5 million customers were leaked in a cyber attack. In a separate incident, personal data of around 180 million users was stolen straight from the database of Domino’s India.
In response to the rapidly shifting digital transformation, archaic cybersecurity laws, and the lack of clear, comprehensive data privacy laws, the Indian government has begun to reevaluate how it regulates cybersecurity and cybercrime.
This comprehensive guide will follow India’s most pertinent cybersecurity regulations and legislation relevant to cybercrime. Additionally, this article will examine India’s current cybersecurity laws, how they’re enforced, how they safeguard businesses and organizations, and which developments and improvements are planned for the future.
The Critical Issues of India’s Cybersecurity Laws and Regulations
One of the main problems with India’s regulations in the cybersecurity landscape is that the government still prosecutes under unclarified or outdated statutes, which can hinder progress and the implementation of adequate cyber laws and regulations. Organizations have difficulty deriving the proper guidelines and advisories from ambiguous laws and fragmented legislative approaches in data privacy and cybersecurity.
To maintain widely accepted cybersecurity standards, India must pass more comprehensive and informative cybersecurity laws and clarified regulations and reforms to develop a better cybersecurity framework and data protection legislation.
Otherwise, the Indian government, its law enforcement agencies, and designated regulators remain bound to old laws, which may result in improperly addressed and unresolved cybersecurity issues.
In a special petition filed in 2021, the Supreme Court of India ruled that cyber attacks and data thefts are a crime under the Information Technology Act (IT Act) of 2000 and the Indian Penal Code (IPC). Since the IPC criminal statute is over 150 years old, the more modern and renewed IT Act of 2000 is the main regulation against cybercrime as of today.
However, more work and amendments are necessary to revise errors and provide further clarification in response to new, emerging threats of the modern-day.
Top Cybersecurity Regulations in India 2022
Here are the current legislations regarding cybersecurity used in India today:
1. The Information Technology Act, 2000
India's first-ever landmark cybersecurity law was the Information Technology Act of 2000.
The IT Act of 2000 was enacted by the Parliament of India and administered by the Indian Computer Emergency Response Team (CERT-In) to guide Indian cybersecurity legislation, institute data protection policies, and govern cybercrime. It also protects e-governance, e-banking, e-commerce, and the private sector, among many others.
While India does not have an exclusive, unitary cybersecurity law, it uses the IT Act and multiple other sector-specific regulations to promote cybersecurity standards. It also provides a legal framework for critical information infrastructure in India.
For example, in Section 43A of the IT Act, Indian businesses and organizations must have “reasonable security practices and procedures” to protect sensitive information from being compromised, damaged, exposed, or misused.
Under Section 72A of the IT Act, any intermediaries or persons that disclose personal data without the owner’s consent (with ill intention and causing damages) are punishable by imprisonment of up to three years, a fine of up to ₹500,000, or both.
2. Information Technology (Amendment) Act 2008
The Information Technology Amendment Act 2008 (IT Act 2008) was passed in October 2008 and came into effect the following year as a substantial addition to the IT Act of 2000. These amendments helped improve the original bill, which had failed to pave the way for further IT-related development. It was hailed as an innovative and long-awaited step towards an improved cybersecurity framework in India.
IT Act 2008 added updated and redefined terms for current use, expanding the definition of cybercrime and the validation of electronic signatures. It also strongly encourages companies to implement better data security practices and makes them liable for data breaches.
The IT Act of 2008 applies to any individual, company, or organization (intermediaries) that uses computer resources, computer networks, or other information technology in India. It also covers service providers of web hosting, internet, network, and telecom services, as well as foreign organizations that have a presence in India and businesses outside of the country that have operations in India.
Covering important information security practices for cybercrime and data protection with over nine chapters and 117 sections, the new Information Technology Amendment Act of 2008 includes the following responsibilities:
- Improving cybersecurity measures and forensics
- Requiring intermediaries and body corporates to report cybersecurity incidents to CERT-In
- Preventing unauthorized/unlawful use of a computer system
- Protecting private data and information from cyber terrorism, DDoS attacks, phishing, malware, and identity theft
- Legal recognition for cybersecurity of organizations
- Safeguarding e-payments and electronic transactions and monitoring and decryption of electronic records
- Establishing a legal framework for digital signatures
- Recognizing and regulating intermediaries
It’s important to note that the biggest problem with the IT Act 2008 is in Subsection 69, which authorizes the Indian government to expeditiously intercept, monitor, decrypt, block, and remove data and content at its discretion, which can pose serious privacy concerns.
Violation of the IT Act may incur penalties ranging from a $1,250 fine to three years’ imprisonment, while penalties for more serious offenses and cybercrimes may reach imprisonment of up to 10 years.
3. Information Technology Rules, 2011
Under the IT Act, another important segment of the cybersecurity legislation is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Privacy Rules).
The most significant amendments include provisions for the regulation of intermediaries, updated penalties and violation fees for cybercrime, cheating, slander, and nonconsensual publishing of private images, as well as censoring/restriction of certain speech.
Both the Information Technology Act (ITA) and the IT Rules are important for governing how Indian entities and organizations process sensitive information, protect and retain data, and collect personal data and other sensitive information.
Other Indian sectors, like banking, insurance, telecom, and healthcare, also include data privacy provisions as part of their separate statutes.
4. Indian SPDI Rules, 2011 for Reasonable Security Practices
The IS/ISO/IEC 27001 regulations are identified by the Indian SPDI Rules, 2011, as international standards. As such, Indian companies aren’t obligated — but are highly advised — to implement these standards, which can help meet the “reasonable security practices” under Indian jurisdiction.
The rules also give individuals the right to correct their information and impose restrictions on disclosure, data transfer, and security measures. They apply only to corporate entities, which are not responsible for the authenticity of sensitive personal data (SPD) such as sexual orientation, medical records and history, biometric information, and passwords.
5. National Cyber Security Policy, 2013
In 2013, the Department of Electronics and Information Technology (DeitY) released the National Cyber Security Policy 2013 as a security framework for public and private organizations to better protect themselves from cyber attacks.
The goal behind the National Cyber Security Policy is to create and develop more dynamic policies to improve the protection of India’s cyber ecosystem. The policy aims to create a workforce of over 500,000 expert IT professionals over the following five years through skill development and training.
The NCSP’s other goals include:
- Creating a resilient and safe cyberspace for individuals, organizations, and the government
- Monitoring and safeguarding cyber infrastructure and information, reducing vulnerabilities, and strengthening defenses against cyber attacks
- Creating frameworks, capabilities, and vulnerability management strategies for preventing, minimizing, and responding faster to cyber incidents and cyber threats
- Encouraging organizations to develop cybersecurity policies that align with strategic goals, business workflows, and general best practices
- Simultaneously creating institutional structures, people, processes, technology, and cooperation to minimize the damage caused by cybercrime
6. IT Rules, 2021
On February 25, 2021, the Ministry of Electronics and Information Technology introduced the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 as a replacement for IT Rules, 2011. A little over a year later, on June 6, 2022, the newly updated draft amendments were published by the Indian MeitY (Ministry of Electronics and IT) to improve the IT Act to keep up with the challenges of the ever-changing digital landscape.
The new amendments aim to allow ordinary users of digital platforms to seek compensation for their grievances and demand accountability when their rights are infringed upon, as well as institute additional due diligence on organizations.
IT Rules, 2021 also distinguishes between smaller and more significant social media intermediaries based on user numbers and places a much heavier burden on larger social media intermediaries concerning personal data protection.
Additionally, there are changes to the privacy and transparency requirements of intermediaries, such as:
- Requiring intermediaries to designate a grievance officer that can address and resolve user complaints about violations of IT Rules, 2021
7. National Cyber Security Strategy 2020
The National Cyber Security Strategy of 2020 was the long-awaited follow-up plan by the Indian government to further improve cybersecurity efforts. While the plan is still under development and pending review by the National Security Council Secretariat, the plan’s main goal is to serve as the official guidance for stakeholders, policymakers, and corporate leaders to prevent cyber incidents, cyber terrorism, and espionage in cyberspace.
The strategy aims to improve cybersecurity audit quality so organizations can conduct better reviews of their cybersecurity architecture and knowledge. The hope is that, once the policy is implemented, cyber auditors will improve their security standards, ultimately encouraging organizations to step up their security programs.
8. KYC (Know Your Customer)
KYC (Know Your Customer) processes are standards and practices used worldwide and mandated by the RBI (Reserve Bank of India). KYC is the tracking and monitoring of customer data security for improved safeguarding against fraud and payment credential theft. It requires banks, insurance companies, and any other digital payment companies that carry out financial transactions to verify and identify all of their customers.
For proper KYC compliance and to meet financial regulatory requirements, businesses need to include the following cybersecurity steps:
- Having a knowledge-based questionnaire test for verifying customer identities
- Implementing pre-screening KYC verification methods like email verification, phone verification, Device ID intelligence, and reputational data, among others
- Using AI-based technology and machine learning for verifying documents and government-issued IDs
- Using biometrics like fingerprinting and facial recognition to verify a user’s identity
- Maintaining a database of customers for verification purposes
Businesses with KYC policies assure customers they have the relevant compliance management and anti-fraud solutions to protect their digital identities and payment transaction data. With KYC compliance, Indian merchants can have peace of mind with safe and secure payment processing, complying with regulations from SEBI, as well as establishing trust with customers.
Banks, businesses, and corporations that fail to adhere to the KYC directions may face a monetary penalty of ₹2 lakh (₹200,000).
9. Reserve Bank of India Act 2018
The RBI Act of 2018 aims to:
- Create standards that equalize security frameworks of banks and payment operators according to how they adapt to new technologies and digitalization
- Mandate banks to create and present their cyber crisis management plans
- Mandate banks to implement corporate-approved (board-approved) information security policies which will successfully outline cybersecurity preparedness
- Require banks to implement mandatory breach notifications, in which UCBs (urban co-operative banks) must promptly detect and report cybersecurity incidents to RBI within 2-6 hours of discovery to better respond to the attacks
- Encourage banks to regularly schedule threat assessment audits
- Help banks implement their own email domains with anti-phishing and anti-malware technology, as well as enforce DMARC security controls
All Indian banks must follow these guidelines to standardize frameworks for payment processing cybersecurity and combat the ever-increasing business complications in a digital environment.
The RBI Act of 2018 imposes fines on banks and the financial sector in cases of non-compliance with their cybersecurity requirements. The penalties can be up to ₹10 lakh (₹1,000,000).
10. The Digital Personal Data Protection Act of 2023 (DPDP)
On August 11, 2023, the Indian Central Government passed its long-awaited Digital Personal Data Protection Act (DPDP). The act borrows its broad definition of personal data from the EU’s General Data Protection Regulation (GDPR) and aims to protect data principals and restrict the activities of data fiduciaries.
The DPDP obligates data fiduciaries to:
- Only appoint or involve third-party data processors who are obligated to follow DPDP procedures by a legal contract
- Ensure personal data is complete and accurate before using the data to make a decision that affects the data principal or before participating in the transfer of personal data
- Implement necessary organizational measures and technical protocols to ensure ongoing compliance
- Implement reasonable security safeguards and audits to protect personal data and prevent personal data breaches
- Notify all affected data principals and the Data Protection Board of any and all known data breaches
- Safely erase and destroy all personal data upon a data principal withdrawing their consent (unless retention of such data is required by law)
In addition, the DPDP established the Data Protection Board of India and outlined a new class of data fiduciaries. Significant data fiduciaries are organizations determined to pose increased risk based on a government assessment. Organizations determined to be significant data fiduciaries must comply with additional requirements.
Main Indian Cybersecurity Regulating Bodies
To enforce cybersecurity regulations, these are the main regulating bodies that ensure laws and standards are upheld by all Indian organizations.
1. Computer Emergency Response Team (CERT-In)
Made official in 2004, the Computer Emergency Response Team (CERT-In) is the national nodal agency for collecting, analyzing, forecasting, and disseminating non-critical cybersecurity incidents.
In addition to cybersecurity incident reporting and notification, the CERT-In cybersecurity directive issues guidelines for Indian organizations, offering the best information security practices for managing and preventing cybersecurity incidents.
Under the Information Technology Rules, 2013, all Indian data centers, service providers, and their intermediaries are required to report any cybersecurity incidents to CERT-In.
CERT-In acts as the primary task force that:
- Analyzes cyber threats, vulnerabilities, and warning information
- Responds to cybersecurity incidents and data breaches
- Coordinates suitable incident response to cyber attacks and conducts forensics for incident handling
- Identifies, defines, and takes suitable measures to mitigate cyber risks
- Recommends best practices, guidelines, and precautions to organizations for cyber incident management so that they can respond effectively
CERT-In roles and functions were later clarified in an additional amendment under Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules (IT Rules, 2013).
CERT-In Newest 6-Hour Data Breach Reporting Deadline
The newest regulations by CERT-In address cybersecurity reporting, mandating all Indian companies, service providers, intermediaries, data centers, and businesses to report identified cybersecurity incidents and data breaches within a 6-hour deadline.
However, many Indian organizations disapproved of the impossible requirement, stating that the short reporting window is insufficient to respond to cybersecurity incidents with a detailed report.
Despite the backlash, affected organizations that fail to report cybersecurity incidents to CERT-In under these regulations face up to one-year imprisonment, significant penalties, and non-compliance fines.
2. National Critical Information Infrastructure Protection Center (NCIIPC)
The National Critical Information Infrastructure Protection Center (NCIIPC) was established on January 16, 2014, by the Indian government, under Section 70A of the IT Act, 2000 (amended 2008).
Based in New Delhi, the NCIIPC was appointed as the national nodal agency in terms of Critical Information Infrastructure Protection. Additionally, the NCIIPC is regarded as a unit of the National Technical Research Organization (NTRO) and therefore comes under the Prime Minister's Office (PMO).
The Indian Parliament divides cybersecurity into two segments: “Non-Critical Infrastructure (NCI),” which CERT-In is responsible for, and “Critical Information Infrastructure (CII),” which NCIIPC is responsible for. CII is defined by the Indian Parliament as “facilities, systems or functions whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation.”
NCIIPC is required to monitor and report national-level threats to critical information infrastructure. The critical sectors include:
- Power and energy
- Banking, financial services, and insurance
- Telecommunication and information
- Strategic and public enterprises
NCIIPC successfully implemented several guidelines for policy guidance, knowledge sharing, and cybersecurity awareness so that organizations can take preemptive measures in these important sectors, especially in power and energy. The guidelines represent the first means for regulating such sectors and requiring “mandatory compliance by all responsible entities.”
Additionally, the Indian government approved the Revamped Distribution Sector Scheme in August 2021. The main goal of this regulation is to improve the operations of DISCOMs (distribution companies) by enhancing the cyber infrastructure with AI-based solutions. This will ultimately aid organizations and companies in meeting the framework's goals.
3. Cyber Regulations Appellate Tribunal (CRAT)
Under the IT Act, 2000, Section 62, the Central Government of India created the Cyber Regulations Appellate Tribunal (CRAT) as a chief governing body and authority for fact-finding, receiving cyber evidence, and examining witnesses.
While CRAT doesn’t have as much jurisdiction for cybersecurity notification as CERT-In, the tribunal also serves to respond to and act on related cybersecurity incidents and breaches.
According to the Civil Court and Code of Civil Procedure, 1908, CRAT has the power to:
- Receive evidence on affidavits
- Ensure that all electronic and cyber evidence and records are presented for court
- Enforce, summon, and issue regular commissions for examining witnesses, documents, and people under oath
- Review final decisions of the court to resolve incidents and cases
- Approve, dismiss, or declare the defaulter's applications as ex-parte
4. Securities and Exchange Board (SEBI) of India
Established in 1988, the SEBI (Securities and Exchange Board of India) is the regulatory body for securities and commodity markets in India under the Ministry of Finance. It acts as an executive government entity with statutory powers thanks to the SEBI Act of January 1992. SEBI ensures that the needs of market intermediaries, investors, and issuers of securities are met, including safeguarding their data, customer data, and transactions.
As of April 2022, SEBI has six committee members that are required to oversee guidance for cybersecurity initiatives for the Indian market and advise SEBI to develop and maintain cybersecurity requirements following global industry standards.
Additionally, SEBI also communicates with other agencies like CERT-In, NCSC (National Cyber Coordination Center), DoT (Department of Telecommunications), and The Ministry of Electronics and Information Technology (MeitY).
SEBI implemented guidelines that apply to organizations within its scope — stock brokers, stock exchanges, AMCs (asset management companies), mutual funds, and depository participants, among others.
Penalties for SEBI non-compliance, for example, violating disclosure regulations, are mandated with a fine of ₹20,000 per day until companies reach compliance.
5. Insurance Regulatory and Development Authority (IRDAI)
The insurance sector of India is regulated by IRDAI, which issues information security guidelines for insurers and addresses the importance of maintaining data integrity and confidentiality.
With the new Information and Cyber Security for Insurers Guidelines, the IRDAI requires insurers to:
- Appoint a CISO (chief information security officer)
- Put together an information security committee
- Create plans for managing cyber crises
- Create and implement cybersecurity assurance programs
- Implement proper methods for protecting data
- Maintain risk identification and risk mitigation processes
The insurance sector of India mainly focuses on areas of higher risk, including ransomware attacks, transaction frauds, data leaks, and risks of violating intellectual property rights. According to a report by Sophos, 68% of Indian organizations were affected by ransomware and resorted to paying ransom to recover their data.
On October 9, 2022, IRDAI introduced an improved cybersecurity framework focused on the insurers’ main security concerns. It aims to encourage insurance firms to establish and maintain a robust risk assessment plan, improve mitigation methods of internal and external threats, prevent ransomware attacks and other types of fraud, and implement a strong and robust business continuity.
Depending on the seriousness of the violation, insurers and businesses may be penalized upward of ₹1 lakh (₹100,000). If insurers fail to protect data, they may be fined up to ₹5 crores per affected person. The IRDAI Guidelines for Information and Cyber Security for Insurers apply to all insurers regulated by the IRDAI.
6. Telecom Regulatory Authority of India (TRAI) & Department of Telecommunications (DoT)
The Telecom Regulatory Authority of India, along with the DoT (Department of Telecommunications), has tightened regulations for user data privacy and how it’s used.
TRAI is a regulatory body, and DoT is a separate executive department of the Ministry of Communications in India. Although TRAI has been granted more regulatory powers, both work together to govern and regulate telephone operators and service providers.
On June 16, 2018, TRAI released recommendations for telecom providers on “Privacy, Security and Ownership of the Data in the Telecom Sector.” In the newest guidelines, TRAI addresses newer responsibilities governing consumer data because most digital transactions in India are done via cell phones.
TRAI addresses data protection with the following objectives:
- Define and understand the scope of “personal data, ownership, and control of data,” namely, the data of users of the telecom service providers
- Understand and identify the “rights and responsibilities of data controllers”
- Assess and identify the efficiency of how data is protected and which data protection measures are currently in place in the telecommunications sector
- Identify and address critical issues regarding data protection
- Collect and control user data of TISP (traffic information service providers) services
The DoT has collaborated with the Indian IT ministry to impose layered data consent rules that safeguard personal data processing. This gives users the freedom to decide whether or not they will consent to the usage of their personal data and the right to withdraw consent at any time.
The new rules state that organizations and companies will only have to collect the necessary user details and that the data may be retained only for as long as required. Additionally, Indian telecommunications service providers comply with common standards like ISO 27000, 3GPP and 3GPP2, and ISO/IEC 15408.