Cyber Security Regulations

Cyber Security Regulations and Regulatory Bodies of India

In this article I give you an overview of other important cyber security regulations and regulatory bodies in India.

With the rapid expansion of digital technology in India, the need for robust cyber security measures across various sectors has become increasingly important. The Information Technology Act (ITA), 2000/2008, is the primary legislation governing cyber security, data protection and cyber crime. It provides statutory recognition and protection to electronic transactions and communications; aims to protect electronic data, information and records and to prevent unauthorised or unlawful use of computer systems; and makes activities such as hacking, data theft, denial of service attacks, phishing, malware attacks, identity fraud and electronic theft punishable offences. For more information on this, visit my earlier article on the same.

Apart from the ITA, many other acts and regulatory bodies have been established for cyber security, in the form of cyber security guidelines and rules across various sectors and industries. They aim to protect sensitive personal data, ensure the integrity of digital transactions, prevent cybercrimes, punish cybercriminals and protect national security interests. Here is an overview of other important cyber security regulations and regulatory bodies in India.

Other important cyber security regulations in India :-

  • Information Technology Rules (ITR), 2011/2021 :- Both the ITA and the ITR are important in regulating how Indian entities and organizations handle sensitive data, including data protection, data retention and the collection of personal data and other sensitive information. The ITR 2021 amendments aim to allow common users of digital platforms to seek redress for their grievances and accountability when their rights are violated, and to impose additional due diligence on organizations regarding cyber security.
  • Bharatiya Nyaya Sanhita (BNS), 2023 :- This is a new law that replaced the Indian Penal Code, 1860 (IPC). It contains many provisions related to cybercrimes, which the police use in cybercrime cases along with the ITA.
  • National Cyber Security Policy, 2013 :- The aim behind the National Cyber Security Policy is to formulate and develop more proactive policies to improve the protection of India’s cyber ecosystem. The key objectives of this policy are to create a secure cyberspace for individuals, organizations and the government; to monitor and protect cyber infrastructure and information; to reduce vulnerabilities and strengthen defenses against cyber attacks; and to create frameworks, capabilities and vulnerability management strategies to mitigate, rapidly prevent or respond to cyber incidents and cyber threats.
  • Reserve Bank of India (RBI) Act, 2018 :- It aims to create cyber security frameworks and standards for banks and payment processing institutions. It mandates each bank to create cyber crisis management plans and information security policies. Apart from the RBI Act, 2018, other important rules brought out by RBI for cybersecurity include the RBI Cyber Security Framework (2016), which mandates all banks to have a comprehensive cyber security policy; the RBI Guidelines on Digital Payment Security Controls (2021), which focus on enhancing security for digital payment transactions; and the Data Localisation Requirements (2018), which mandate that all payment data related to transactions made within India be stored locally to ensure greater control and security over payment information.
  • Digital Personal Data Protection Act (DPDPA), 2023 :- This is a comprehensive privacy and data protection law that applies to the processing of digital personal data in India, whether such data is collected online or collected offline and then digitised. The Act will come into force after the draft rules (DPDP Rules) are published and passed by Parliament. I have written about this at length before; to read it, visit the article I wrote earlier.

Major cyber security regulatory bodies in India :-

Apart from the national courts and tribunals, some major regulatory bodies have been created to enforce cyber laws and regulations. The major ones are as follows:

  • Computer Emergency Response Team (CERT-In) :- It is the national nodal agency for collecting, analyzing, forecasting and disseminating non-critical cyber security incidents. It also recommends best practices, guidelines and precautions for cyber incident management so that organizations can respond effectively.
  • National Critical Information Infrastructure Protection Center (NCIIPC) :- It monitors and reports on national level threats to critical information infrastructure like power, financial sector, telecom etc. It has successfully implemented several guidelines for policy guidance, knowledge sharing and cybersecurity awareness for organizations to take precautionary measures in key sectors.
  • Cyber Regulations Appellate Tribunal (CRAT) :- It is the main cyber governance body which has the power to find facts, receive cyber evidence and examine and punish witnesses. It can issue summons, issue regular commissions to examine witnesses, documents and persons under oath, and review the final decisions of the court to resolve incidents and cases.
  • Ministry of Electronics and Information Technology (MeitY) :- It is responsible for formulating national policies related to information technology, including cyber security policies and strategies. It monitors the implementation of cyber security measures and initiatives to ensure compliance with national policies.
  • National Cyber Coordination Centre (NCCC) :- It provides real-time situational awareness of cyber threats by monitoring and analysing cyber activities across the country. It coordinates responses to cyber security incidents, ensures timely and effective action, analyses cyber threats and disseminates intelligence to relevant stakeholders for proactive threat mitigation.
  • Apart from the above major national level regulatory bodies, the sectoral regulators listed below have introduced many separate cyber security guidelines:
    • Reserve Bank of India (RBI) :- It has prescribed comprehensive cyber security standards and guidelines for banks, non-banking financial companies, payment system operators and payment aggregators.
    • Securities and Exchange Board of India (SEBI) :- It has issued circulars and guidelines on cyber security for stock market participants. Another objective of this is to protect the data of market intermediaries, investors and issuers of securities, customer data and transactions from cyber criminals.
    • Insurance Regulatory and Development Authority of India (IRDAI) :- It has issued guidelines on cyber security for all insurers and insurance intermediaries. It aims to encourage insurance companies to establish and maintain a robust cyber risk assessment plan, improve methods to mitigate internal and external cyber threats, and prevent ransomware attacks and other forms of cyber fraud.
    • Department of Telecom (DoT) :- It has issued several guidelines for telecom licensees on cyber security and on reporting cyber security incidents under the licensing framework. DoT is an executive arm of the Ministry of Communications of India and has imposed multi-tiered data consent rules that protect personal data processing.
    • Telecom Regulatory Authority of India (TRAI) :- It regulates cyber security practices in the telecom sector and ensures the security of telecom networks and services. It develops and enforces standards and guidelines to secure telecom infrastructure, thereby protecting customer data, and it monitors compliance with cyber security regulations and takes corrective actions as required.

Lastly, India’s cybersecurity regulations are constantly evolving to address the unique challenges faced by various industries and organizations. These regulations aim to protect sensitive data, ensure secure digital transactions, and protect critical infrastructure from emerging cyber threats. As the digital ecosystem matures, regulatory agencies need to adapt and strengthen these frameworks to maintain the resilience of India’s cybersecurity posture in the face of new and sophisticated cyber threats.
