Cybersecurity regulation in India (2026)
India has no single dedicated comprehensive cybersecurity law. Obligations rest on a patchwork: the IT Act 2000 (which created CERT-In and the NCIIPC and underpins critical-infrastructure protection), CERT-In's binding 2022 incident-reporting directions applying horizontally to all entities, sector-specific regimes from RBI, SEBI and IRDAI, and breach-notification duties under the newly notified DPDP framework. The proposed National Cyber Security Strategy has not been finalized, so the regime is best characterized as sectoral/patchwork rather than a unified comprehensive law.
Key points
The Information Technology Act, 2000 is the core statute. Section 70B establishes CERT-In as the national nodal incident-response agency, while sections 70/70A empower the NCIIPC to protect Critical Information Infrastructure. There is no separate omnibus cybersecurity act.
CERT-In's directions of 28 April 2022 (under s.70B(6) IT Act) require all service providers, intermediaries, data centres, bodies corporate and government bodies to report listed cyber incidents within 6 hours of becoming aware, and to retain ICT logs for 180 days.
The NCIIPC (under NTRO) is the nodal agency for Critical Information Infrastructure across banking, telecom, power, government and other sectors, and can call for information and issue directions to protect designated CII.
RBI's Cyber Security Framework for banks (2016) mandates incident response and audits, with significant incidents reported via the CIMS portal (initial report within 6 hours, root-cause analysis within 21 days). SEBI's CSCRF (Circular dated 20 Aug 2024) imposes a graded cyber-resilience framework on regulated entities.
The Digital Personal Data Protection Act, 2023 was operationalised when MeitY notified the DPDP Rules, 2025 on 13–14 November 2025. Breach provisions phase in ~18 months later (full compliance by mid-2027), requiring notice to affected individuals without delay and to the Data Protection Board.
India relies on overlapping IT Act provisions, CERT-In directions and sectoral regulators rather than a single NIS2-style cybersecurity statute; a National Cyber Security Strategy has been drafted but remains unfinalized.
Timeline - major decisions & events
MeitY operationalised the DPDP Act with 23 rules covering breach reporting, mandatory 'reasonable security safeguards', and the Data Protection Board, on a phased timeline (most obligations effective May 13, 2027). It sets India's first detailed statutory data-security baseline for all data fiduciaries. (Source: Press Information Bureau, Government of India)
SEBI consolidated all prior cyber circulars into a single graded framework for Regulated Entities (exchanges, brokers, AIFs, mutual funds), mandating SOCs, incident response, audits and resilience testing aligned to ISO 27000 and NIST. It standardised cyber obligations across India's securities market. (Source: SEBI)
India's first dedicated data-protection statute received Presidential assent, requiring data fiduciaries to maintain reasonable security safeguards and notify the Data Protection Board and affected individuals of personal-data breaches, with penalties up to ₹250 crore. It replaces the IT Act's narrow Section 43A regime. (Source: MeitY)
A LockBit ransomware attack crippled the premier government hospital for nearly two weeks, encrypting over 100 servers and exposing up to ~40 million patient records. It became the defining case for protecting healthcare and other critical information infrastructure in India. (Source: NLIU CSIPR)
CERT-In mandated reporting of specified cyber incidents within 6 hours of detection, 180-day local log retention, time synchronisation to NIC/NPL clocks, and 5-year KYC retention by VPN, cloud and crypto providers. These directions created India's strictest incident-reporting regime. (Source: CERT-In)
The Reserve Bank required scheduled commercial banks to adopt board-approved cybersecurity policies, build Security Operations Centres, maintain Cyber Crisis Management Plans, and report incidents to RBI. It established sector-specific cyber obligations for India's banking system. (Source: Reserve Bank of India)
MeitY published India's first comprehensive cybersecurity policy, setting 14 objectives including protecting critical infrastructure, creating a national nodal agency, and building a skilled cyber workforce. It framed the strategic direction for subsequent regulation. (Source: MeitY)
Rules under Section 43A defined 'sensitive personal data' and required body corporates to implement reasonable security practices (e.g., ISO 27001-type controls), making security safeguards legally enforceable for the first time. These governed corporate data security until the DPDP Act. (Source: WIPO Lex)
The amendment gave CERT-In statutory status as the national incident-response agency (Section 70B), added cyber-terrorism (Section 66F), Section 70 critical-infrastructure protection, and Section 43A data-security liability. It built the core cybersecurity architecture of Indian law. (Source: India Code, Government of India)
Last verified 5/25/2026 · Orientation, not legal advice - verify against the primary sources linked above.