Introduction
India's cybersecurity regulatory landscape is one of the most complex in the Asia-Pacific region. Unlike jurisdictions with a single, unified cybersecurity law, Indian businesses must navigate a patchwork of legislation, sector-specific regulations, and government directions that collectively define their cybersecurity obligations. For organisations operating across multiple sectors or serving diverse customer bases, the compliance burden is compounded by overlapping - and sometimes conflicting - requirements from different regulators. This guide provides a comprehensive overview of every major cybersecurity regulation that Indian businesses must follow in 2025, helping compliance teams build a unified strategy that addresses all applicable frameworks.
The Information Technology Act, 2000
The Information Technology (IT) Act, 2000, as amended in 2008, is the foundational legislation for cybersecurity in India. It provides the legal framework for electronic governance, defines cybercrimes and their penalties, and (through Section 70B, added by the 2008 amendment) establishes CERT-In as the national agency for incident response. Section 43A requires body corporates that possess, deal with, or handle any sensitive personal data or information to implement and maintain reasonable security practices and procedures; a failure to do so that causes wrongful loss or wrongful gain to any person makes the body corporate liable to pay compensation to the person affected. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, issued under Section 43A, recognise IS/ISO/IEC 27001 as a standard that satisfies the reasonable security practices requirement, provided the implementation is certified or audited at least once a year by an independent auditor approved by the Central Government. Sections 66 through 66F define computer-related offences including hacking, dishonestly receiving a stolen computer resource, identity theft, cheating by personation, violation of privacy, and cyber terrorism, with penalties ranging from fines to imprisonment (Section 66A, which criminalised offensive online messages, was struck down by the Supreme Court in 2015); publishing or transmitting obscene material is covered separately by Section 67. Section 69 empowers the government to direct the interception, monitoring, and decryption of information in the interests of the sovereignty, integrity, defence, or security of India, public order, or the investigation of offences.
- Section 43A mandates reasonable security practices for sensitive personal data
- Sections 66 to 66F define computer-related offences and their penalties, including imprisonment (obscene material is covered by Section 67)
- Section 69 authorises government interception and monitoring of digital communications
- Section 70B establishes CERT-In as the national agency for incident response
- Section 72A penalises disclosure of personal information in breach of lawful contract
- IT Rules 2011 recognise ISO 27001 as a reasonable security practices standard
CERT-In Directions (April 2022)
Building on Section 70B of the IT Act, CERT-In issued its cybersecurity directions (No. 20(3)/2022-CERT-In) on 28 April 2022. They are the most prescriptive cybersecurity rules yet issued in India and apply to service providers, intermediaries, data centres, body corporates, and government organisations, which in practice covers most organisations operating digital infrastructure. The directions require reporting of the listed categories of cyber incident to CERT-In within 6 hours of noticing them or being notified of them, retention of ICT system logs for a rolling period of 180 days within Indian jurisdiction, synchronisation of system clocks to the NTP servers of NIC or NPL (or to servers traceable to them), and KYC and record-keeping obligations for data centre, VPS, cloud and VPN service providers and for virtual asset service providers. Organisations must also designate a Point of Contact (PoC) for CERT-In communications, maintain incident response capabilities, and provide information and assistance when CERT-In requests it. Failure to comply is punishable under Section 70B(7) of the IT Act with imprisonment of up to one year, a fine of up to one lakh rupees, or both. For many organisations, the directions have been the catalyst for investing in proper Security Information and Event Management (SIEM) platforms, formalising incident response procedures, and establishing dedicated cybersecurity operations teams.
The Digital Personal Data Protection Act, 2023
While primarily a data protection law, the DPDPA has significant cybersecurity implications. Section 8(5) requires every Data Fiduciary to protect personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. Failure to take such safeguards attracts the highest penalty under the Act, up to Rs 250 crore. Section 8(6) requires the Data Fiduciary, in the event of a personal data breach, to notify the Data Protection Board of India (DPBI) and each affected Data Principal in the form and manner prescribed by the rules, creating a notification obligation parallel to CERT-In's incident reporting. An organisation that suffers a breach involving personal data must therefore report to CERT-In (within 6 hours of noticing it) and to the DPBI and the affected individuals (without undue delay), each with different reporting formats, content requirements, and audiences. The Act itself does not define 'reasonable security safeguards'; the draft Digital Personal Data Protection Rules published for consultation in January 2025 propose minimum measures (encryption, access control, logging and monitoring, log retention, and backups) and a detailed breach report to the Board within 72 hours of becoming aware of the breach. Until the rules are final, organisations should adopt a recognised standard such as ISO 27001 and implement encryption, access controls, and continuous monitoring.
RBI Cybersecurity Framework
The Reserve Bank of India has issued multiple circulars and frameworks governing cybersecurity for banks, non-banking financial companies (NBFCs), payment system operators, and other regulated financial entities. The RBI's Cyber Security Framework in Banks (June 2016) requires banks to put in place a Board-approved cyber security policy distinct from the broader IT policy, set up a Security Operations Centre (SOC), prepare a Cyber Crisis Management Plan, and report cyber incidents to RBI within 2 to 6 hours of detection. The Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (April 2011, implementing the Gopalakrishna Committee recommendations) provide detailed controls for electronic banking security. For NBFCs, the Master Direction on Information Technology Framework for the NBFC Sector (2017) prescribed IT governance, information security, and cybersecurity requirements; it has since been superseded by the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (November 2023, effective 1 April 2024), which applies to banks and NBFCs alike. The RBI also mandates data localisation for payment systems (circular of 6 April 2018): the entire data relating to payment systems operated by regulated entities must be stored only in India, with a copy of the foreign leg of cross-border transactions permitted abroad.
- Banks must establish a dedicated Cyber Security Policy approved by the Board
- A SOC with 24/7 monitoring capability is mandatory for banks
- Cyber incidents must be reported to the RBI's Cyber Security and Information Technology Examination (CSITE) cell within 2 to 6 hours of detection
- Payment system data must be stored only in India, with an exception for a copy of the foreign leg of cross-border transactions
- NBFCs must comply with the RBI's IT Governance Master Direction (2023), which replaced the 2017 NBFC IT Framework
- Regular vulnerability assessments and penetration testing are mandatory
SEBI Cybersecurity and Cyber Resilience Framework
The Securities and Exchange Board of India (SEBI) issued the Cybersecurity and Cyber Resilience Framework (CSCRF) in August 2024. It consolidates earlier circulars and applies to all SEBI-regulated entities, from Market Infrastructure Institutions (MIIs, that is stock exchanges, depositories and clearing corporations) to asset management companies, stock brokers, depository participants and other intermediaries, with obligations graded by entity category. The framework requires these entities to establish a cybersecurity governance structure, conduct regular risk assessments, implement technical controls, and maintain incident response and recovery capabilities. Regulated entities must designate a Chief Information Security Officer (CISO) at a senior level, carry out vulnerability assessment and penetration testing (VAPT) at the frequency set for their category, and report cybersecurity incidents to SEBI (and to CERT-In) within six hours of detection. The framework also requires periodic cybersecurity audits by CERT-In empanelled auditors and submission of compliance reports to SEBI. For stock brokers and depository participants, SEBI's guidelines additionally cover two-factor authentication for client access, encryption of client data, and secure software development practices.
IRDAI Cybersecurity Guidelines
The Insurance Regulatory and Development Authority of India (IRDAI) issued its Information and Cyber Security Guidelines in April 2023, replacing the 2017 guidelines and applying to insurers, intermediaries, insurance repositories and other IRDAI-regulated entities. The guidelines require insurers to establish a Board-approved information security policy, designate a CISO, implement access controls and encryption, and maintain audit trails. IRDAI mandates regular vulnerability assessments, penetration testing, and cybersecurity audits. Cyber incidents must be reported to IRDAI within the timelines set out in the guidelines, and insurers must maintain a Cyber Crisis Management Plan. The guidelines also address cloud security, mobile application security, and third-party risk management. For insurance intermediaries and brokers, a reduced but still rigorous set of requirements applies, so that the entire insurance value chain maintains adequate cybersecurity hygiene.
Telecom Security Regulations
The Department of Telecommunications (DoT) and the Telecom Regulatory Authority of India (TRAI) impose cybersecurity obligations on telecom service providers through licence conditions and regulatory directions. Licence conditions require operators to secure their networks, protect subscriber data, procure equipment from trusted sources under the National Security Directive on the Telecommunication Sector, and maintain lawful interception capability. Historically the Indian Telegraph Act, 1885 and its rules governed the security of communication networks; the Telecommunications Act, 2023 replaces that framework in stages, and the Telecommunications (Telecom Cyber Security) Rules, 2024 notified under it require telecom entities to adopt a telecom cyber security policy, appoint a Chief Telecommunication Security Officer, and report security incidents to the Central Government within six hours of becoming aware of them. Telecom operators must also comply with the CERT-In directions, so a cyber incident affecting telecom infrastructure triggers reporting to both DoT and CERT-In.
- Licence conditions mandate network security measures and subscriber data protection
- Lawful interception capabilities must be maintained per DoT requirements
- TRAI mandates privacy protections for subscriber information
- The Telecommunications Act 2023 and the Telecom Cyber Security Rules 2024 add six-hour incident reporting and other network security obligations
- Telecom operators face dual reporting obligations to DoT and CERT-In
Building a Unified Compliance Strategy
Given the multiplicity of cybersecurity regulations, Indian businesses need a unified compliance strategy that addresses all applicable frameworks without creating redundant or conflicting controls. The most effective approach is to adopt a comprehensive security framework such as ISO 27001 or the NIST CSF as the baseline and map sector-specific requirements onto it, so that a single well-implemented control (for example, centralised log collection with a defined retention period) is evidenced once and satisfies several regulators at the same time, while sector-specific additions are layered on top as needed. Where regulators set different thresholds for the same control, such as log retention periods or incident reporting windows, design to the most stringent one. Organisations should maintain a regulatory mapping matrix that tracks which controls satisfy which regulations, enabling efficient audit preparation and gap analysis.
- Adopt ISO 27001 or NIST CSF as the baseline security framework
- Map all applicable sector-specific regulations onto the baseline framework
- Maintain a regulatory mapping matrix for efficient compliance tracking
- Establish unified incident reporting workflows that satisfy CERT-In, DPDPA, and sectoral requirements
- Centralise log management and retention to meet the most stringent requirement across all regulations
- Conduct unified security audits that address multiple regulatory requirements simultaneously
How Kraver.ai Unifies Cybersecurity Compliance
Kraver.ai's platform provides a unified compliance dashboard that maps your security controls against all applicable Indian cybersecurity regulations - CERT-In, DPDPA, RBI, SEBI, IRDAI, and the IT Act - in a single view. Our AI engine automatically identifies which regulations apply to your organisation based on your industry, size, and data processing activities, and generates a tailored compliance roadmap. When regulatory requirements overlap, Kraver.ai consolidates them into unified controls, eliminating duplication and reducing compliance costs. Automated incident reporting workflows generate the right reports for the right regulators in the right format, ensuring you meet every reporting deadline without maintaining separate processes for each regulator. With Kraver.ai, managing India's complex cybersecurity regulatory landscape becomes a streamlined, intelligent operation rather than a fragmented compliance burden.