Cybersecurity Laws in India: Where It Stands Today
India’s cybersecurity framework is largely shaped by the Information Technology (IT) Act, 2000, supplemented by sector-specific regulations and government directives.
- Information Technology (IT) Act, 2000 (Amended in 2008)
India’s legal framework for cybersecurity and cybercrimes is primarily built around the IT Act.
Essential provisions include:- Section 43 & 66 – Penalizes unauthorized access, hacking, and data theft.
- Section 66C & 66D – Deals with identity theft and cyber fraud.
- Section 67 – Regulates online obscenity and child pornography.
- Section 69 – Grants the government powers to intercept, monitor, and decrypt digital communication for national security.
- Section 70 – Declares critical information infrastructure (CII) protection mandatory.
- Section 72A – Punishes breach of confidentiality and privacy by service providers.
- Personal Data Protection Bill (PDPB) 2019 (Now Digital Personal Data Protection Act, 2023)
The Digital Personal Data Protection Act, 2023 (DPDP Act) aims to regulate how businesses and the government process personal data. - CERT-In Guidelines (2022)
The Indian Computer Emergency Response Team (CERT-In) provides cybersecurity directives, which include:- Requiring cyber incidents to be reported within six hours.
- Imposing data retention policies on VPN service providers.
- Strengthening organizations’ cybersecurity frameworks.
- Other Laws
- The Indian Penal Code (IPC), 1860, addresses cyber fraud, identity theft, and online defamation.
- The Telecom Regulatory Authority of India (TRAI) establishes guidelines to safeguard user data in telecom services.
Challenges in India's Cybersecurity Legal Framework
- Absence of a Holistic Cybersecurity Law
Despite the increasing complexity of cyber threats, India lacks a comprehensive cybersecurity law covering national security, corporate responsibility, and individual protection. The IT Act, even after its 2008 amendment, does not adequately address modern challenges like ransomware, deepfake technology, and AI-powered cyberattacks. - Challenges in Data Privacy and Protection
India’s DPDP Act attempts to regulate data privacy, yet concerns about government control, inadequate data localization, and weak citizen protections remain. Unlike the EU’s GDPR, it lacks stringent enforcement and an independent data watchdog. - Weak Cybersecurity Measures for Critical Infrastructure
The NCIIPC is tasked with securing critical infrastructure, but its authority is not broad enough. Many industries, such as healthcare and financial services, remain without strong cybersecurity mandates. - Weak Cybersecurity Compliance Among Private Companies
Apart from select sectors such as banking, private companies are not obligated to perform cybersecurity audits. Startups and MSMEs frequently sideline security measures due to cost concerns.
