The Legal Framework Governing Cybersecurity in India
India's cybersecurity legal landscape is not governed by a single comprehensive statute. Instead, obligations arise from a layered framework of legislation, subordinate rules, and sector-specific regulations that have accumulated since the Information Technology Act, 2000 was enacted. For compliance teams, the challenge is mapping each layer to the enterprise's specific sector, data processing activities, and technology infrastructure. Gaps in any layer create legal exposure — and, in the current enforcement environment, regulators are increasingly willing to impose penalties.
The principal instruments are: the Information Technology Act, 2000 and its subordinate rules (particularly the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, commonly called the SPDI Rules); the CERT-In Directions of April 2022 on information security practices, procedures, and cyber incident reporting; the Digital Personal Data Protection Act, 2023; and sector-specific frameworks issued by the Reserve Bank of India, SEBI, and IRDAI for regulated entities in their respective sectors.
Delhi NCR-headquartered companies across sectors — from fintech in Gurgaon to IT services in Noida — face the full weight of this framework. Many are also subject to the cybersecurity requirements of international customers and platforms, creating a dual obligation to comply with both Indian law and contractual standards derived from GDPR, SOC 2, or ISO 27001.
IT Act Section 43A: Reasonable Security Practices
Section 43A of the Information Technology Act, 2000 (inserted by the 2008 amendment) imposes a duty of care on body corporates that possess, deal, or handle any sensitive personal data or information in a computer resource that they own, control, or operate. A body corporate that is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person is liable to pay damages by way of compensation to the affected person.
The SPDI Rules define sensitive personal data as: passwords, financial information (bank account, credit/debit card details), physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. The Rules further require that body corporates implement a comprehensive documented information security programme and that such programme be in accordance with a security standard — specifically ISO 27001 or any other standard specified by the Central Government.
Section 43A liability is civil in nature and does not require proof of intent or wilful negligence — a failure to implement reasonable practices that results in a data incident is sufficient to trigger liability. The quantum of damages is not capped in the statute, which means that compensation claims can be substantial.
CERT-In April 2022 Directions: The 6-Hour Reporting Obligation
The Directions on Information Security Practices, Procedures, Prevention, Response and Reporting of Cyber Incidents issued by the Indian Computer Emergency Response Team in April 2022 introduced the most operationally demanding cybersecurity obligation currently in force. The Directions require that any service provider, intermediary, data centre, body corporate, or government organisation that experiences a cyber incident must report the incident to CERT-In within six hours of noticing the incident or being brought to notice about the incident.
The twenty categories of reportable incidents include: targeted scanning and probing of critical networks; compromise of critical systems; unauthorised access to IT systems and data; defacement of websites or intrusion into a website; attacks on servers and network infrastructure; identity theft and spoofing; denial of service attacks; attacks on critical infrastructure; data breaches and data leaks; attacks on internet-of-things devices; and attacks or incidents affecting digital payment systems.
The six-hour window is extremely tight. Most organisations that experience a significant cyber incident spend the first six hours in initial triage — understanding what has happened, whether the attack is ongoing, and what systems are affected. Meeting the CERT-In reporting deadline while simultaneously managing an active incident requires that the incident response plan be prepared, tested, and understood before any incident occurs. Organisations that have not conducted at least one tabletop incident response exercise per year are, in practice, unable to meet this obligation reliably.
The Directions also require organisations to maintain logs of all ICT systems for a rolling period of 180 days and to produce them on demand for CERT-In. Non-compliance with CERT-In Directions is an offence under Section 70B(7) of the IT Act, punishable with imprisonment up to one year or a fine up to one lakh rupees, or both.
DPDP Act Security Obligations and Breach Notification
The Digital Personal Data Protection Act, 2023 establishes a statutory framework for the processing of digital personal data in India. Section 8(5) of the DPDP Act requires every Data Fiduciary to protect personal data in its possession or under its control by implementing appropriate technical and organisational measures to ensure compliance with the Act and to prevent personal data breach. The standard of appropriate measures will be further defined by the Data Protection Board and by rules made under the Act, but organisations should benchmark against established standards such as ISO 27001 and the NIST CSF in the interim.
Section 8(6) requires that in the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board and each affected Data Principal in the prescribed form and manner. The notification must be made without unreasonable delay. Rules prescribing the precise timelines and content of breach notifications are expected to be finalised; in the interim, the CERT-In 6-hour reporting obligation provides the operative timeline for incidents that fall within its scope. The DPDP Act also imposes significant financial penalties for breach notification failures — up to INR 200 crore for failure to notify the Board of a personal data breach.
Sector-Specific Frameworks: RBI and SEBI
Regulated entities in the financial sector face additional cybersecurity obligations layered on top of the general framework. The Reserve Bank of India's Cybersecurity Framework for Banks requires banks and payment system operators to maintain a Cyber Security Policy approved by the Board, establish a Security Operations Centre, implement a network intrusion detection system, submit cybersecurity incident reports to the RBI-CSITE within two to six hours depending on severity, and conduct annual cyber resilience assessments.
SEBI's Cybersecurity and Cyber Resilience Framework for Market Infrastructure Institutions and Regulated Entities requires stock exchanges, depositories, clearing corporations, registered investment advisers, and portfolio managers to implement a minimum baseline of cybersecurity controls. These include penetration testing at prescribed intervals, vulnerability assessments, cyber incident response plans, and annual cybersecurity audits by CERT-In empanelled auditors. Non-compliance is a basis for regulatory action, including suspension of registration.
Incident Response Legal Obligations and Evidence Preservation
When a cyber incident occurs, the enterprise simultaneously faces technical, operational, legal, and regulatory obligations. The legal obligations that arise in the immediate aftermath of an incident include: CERT-In reporting within six hours; DPDP Act notification to the Board and affected individuals; sector-regulator notifications (RBI, SEBI, IRDAI as applicable); notifications to contractual counterparties under data processing agreements and material adverse event provisions; and potential notifications to law enforcement.
Law Enforcement Reporting
Cyber offences in India are cognisable offences that may be investigated by the police and prosecuted in criminal courts. The primary offences relevant to corporate cyber incidents are set out in the Information Technology Act, 2000 — unauthorised access under Section 43/66, data theft under Section 43/66B, identity theft under Section 66C, and cheating by personation under Section 66D — and in the Bharatiya Nyaya Sanhita, 2023, which replaced the Indian Penal Code with effect from 1 July 2024. Cyber fraud, cheating, and criminal breach of trust involving electronic records are now prosecuted under the BNS. Reporting a cyber incident to the cybercrime police — whether through the National Cyber Crime Reporting Portal or directly to the nearest police station — is advisable where there has been a financial crime, ransomware attack, or data theft by an identified perpetrator.
Evidence Preservation
The admissibility of electronic evidence in Indian courts is governed by the Bharatiya Sakshya Adhiniyam, 2023, which carries forward the provisions of the Indian Evidence Act on electronic records, including the requirement for a certificate from a responsible official confirming the manner in which the record was produced, stored, and retrieved.
Organisations responding to a cyber incident must therefore preserve digital evidence in a forensically sound manner from the first moment of discovery. This means: capturing volatile memory before systems are powered down; creating forensic images of affected storage media rather than copying files; maintaining chain of custody records for all seized or preserved media; preserving network logs, authentication logs, and system logs in their original format; and ensuring that incident response activities are themselves logged so that the response timeline can be reconstructed.
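The chain-of-custody and integrity-verification steps described above can be made concrete with a small manifest routine. The following is an added illustration written for this page, not code from the article or from any regulator; the evidence identifier, host name, analyst names and the "disk image" contents are constructed for the demonstration. It hashes a forensic image at acquisition, records each hand-over as an append-only log entry, and later re-hashes the image so that any post-acquisition modification is detected before the evidence is relied on.

```python
"""Chain-of-custody manifest for a forensic image (added illustration, not from the article)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def create_custody_record(image_path, evidence_id, source, collector):
    """Record the acquisition hash and the first custody event for one item of evidence."""
    return {
        "evidence_id": evidence_id,        # constructed label, e.g. "EV-2024-001"
        "source": source,                  # what was imaged and from where
        "size_bytes": os.path.getsize(image_path),
        "sha256_at_acquisition": sha256_file(image_path),
        "custody_log": [
            {"at": _utc_now(), "event": "acquired", "from": source, "to": collector}
        ],
    }


def record_transfer(record, from_person, to_person, purpose):
    """Append a hand-over event; earlier entries are never edited, only new ones added."""
    record["custody_log"].append(
        {"at": _utc_now(), "event": "transferred", "from": from_person,
         "to": to_person, "purpose": purpose}
    )
    return record


def verify_integrity(record, image_path):
    """Re-hash the image and compare with the acquisition hash; a mismatch means it was altered."""
    return sha256_file(image_path) == record["sha256_at_acquisition"]


def demo():
    """Constructed scenario: acquire a fake image, transfer it, verify, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "host01.dd")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample disk image contents")
        rec = create_custody_record(image, "EV-2024-001",
                                    "workstation host01, /dev/sda", "A. Analyst")
        record_transfer(rec, "A. Analyst", "B. Examiner", "malware analysis")
        intact = verify_integrity(rec, image)
        with open(image, "ab") as fh:      # simulate a modification after acquisition
            fh.write(b"x")
        tampered_detected = not verify_integrity(rec, image)
        manifest = json.dumps(rec, indent=2)
        return intact, tampered_detected, len(rec["custody_log"]), manifest


if __name__ == "__main__":
    intact, tampered_detected, events, manifest = demo()
    print(manifest)
    print("intact before modification:", intact, "| modification detected:", tampered_detected)
```

In practice the manifest is written out alongside the image (and its hash recorded in the incident timeline) so that the certificate required for admissibility can state exactly how the record was produced, stored and retrieved, and the same re-hash check is run each time the image changes hands or is restored from archive.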
Cybersecurity Compliance Checklist
- Appoint a designated cybersecurity incident reporting contact and register with CERT-In as required for your organisation category.
- Deploy and maintain system and network logs for a minimum rolling period of 180 days in an immutable log management system.
- Prepare, document, test, and annually rehearse a cyber incident response plan that includes the CERT-In 6-hour reporting step as a first-hour action.
- Conduct a personal data mapping exercise to identify what personal data is held, where it is processed, and what security measures are applied, in preparation for DPDP Act compliance.
- Implement ISO 27001-aligned information security controls and maintain documented evidence of implementation for regulatory purposes.
- For regulated entities: comply with applicable RBI or SEBI cybersecurity frameworks and appoint a CISO at the requisite seniority level.
- Review all outsourcing and vendor contracts to ensure cybersecurity obligations flow down to processors and sub-processors.
- Obtain cyber insurance and review the policy annually to ensure cover matches the organisation's current risk profile and revenue base.
- Establish an evidence preservation protocol so that forensic data is collected correctly from the first moment of incident discovery.
- Engage external legal counsel on retainer for cyber incident response; legal advice obtained in anticipation of litigation may attract legal professional privilege, protecting internal communications from disclosure.