Cybersecurity - India

The Information Technology Act, 2000 is the core statute. Section 70B establishes CERT-In as the national nodal incident-response agency, while sections 70/70A empower the NCIIPC to protect Critical Information Infrastructure. There is no separate omnibus cybersecurity act.

CERT-In's directions of 28 April 2022 (under s.70B(6) IT Act) require all service providers, intermediaries, data centres, bodies corporate and government bodies to report listed cyber incidents within 6 hours of becoming aware, and to retain ICT logs for 180 days.

The NCIIPC (under NTRO) is the nodal agency for Critical Information Infrastructure across banking, telecom, power, government and other sectors, and can call for information and issue directions to protect designated CII.

RBI's Cyber Security Framework for banks (2016) mandates incident response and audits, with significant incidents reported via the CIMS portal (initial report within 6 hours, root-cause analysis within 21 days). SEBI's CSCRF (Circular dated 20 Aug 2024) imposes a graded cyber-resilience framework on regulated entities.

The Digital Personal Data Protection Act, 2023 was operationalised when MeitY notified the DPDP Rules, 2025 on 13–14 November 2025. Breach provisions phase in ~18 months later (full compliance by mid-2027), requiring notice to affected individuals without delay and to the Data Protection Board.

India relies on overlapping IT Act provisions, CERT-In directions and sectoral regulators rather than a single NIS2-style cybersecurity statute; a National Cyber Security Strategy has been drafted but remains unfinalized.