Legal · 25 min read · 15 December 2025

Understanding Cyber Law in India: The IT Act 2000 & Beyond

A comprehensive guide to India's evolving cyber law landscape — covering IT Act 2000, DPDP Act 2023, CERT-In Directions, BNS 2023, and actionable compliance steps for businesses, startups, and professionals.

Vimlesh Dwivedi
Entrepreneur · Author · Advocate

## Introduction: Why Cyber Law Matters More Than Ever


India is the world's largest democracy and one of the fastest-growing digital economies. With over 900 million internet users by 2025, the country processes trillions of rupees in digital transactions every single day. Startups are born in garages in Pune, scale to millions of customers in months, and soon operate across borders — all relying entirely on digital infrastructure.


Yet most Indian entrepreneurs, founders, and business owners are dangerously under-informed about the legal framework governing their digital operations. Cyber law in India is not a niche subject reserved for lawyers and compliance officers — it is the foundation upon which every digital business must be built.


This comprehensive guide breaks down India's entire cyber law ecosystem: from the foundational Information Technology Act 2000 to the landmark Digital Personal Data Protection Act 2023, from CERT-In Directions to the new Bharatiya Nyaya Sanhita 2023. Whether you are a solo founder, a scaling startup, or an established enterprise, this article will tell you exactly what the law requires of you — and what the consequences are if you ignore it.


## Part 1: The Information Technology Act, 2000 — The Foundation


### Historical Context


The Information Technology Act, 2000 (IT Act) was India's first comprehensive legislation dealing with electronic commerce, digital communication, and cybercrime. Enacted on June 9, 2000, it was modeled on the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce. The Act was India's legislative response to the explosive growth of the internet in the late 1990s.


Before the IT Act existed, electronic records had no legal validity in India. A contract signed digitally could not be enforced in court. A hacker who broke into a computer system faced no specific criminal penalty. The IT Act changed all of that.


### Core Provisions of the IT Act 2000


Electronic Records and Digital Signatures (Chapters II & III)


The IT Act gives legal recognition to electronic records — any information generated, sent, received, or stored in electronic form. This means emails, PDFs, WhatsApp messages, website terms and conditions, and digital contracts are all legally valid documents.


Digital signatures under the IT Act are cryptographic signatures issued by Certifying Authorities licensed by the Controller of Certifying Authorities (CCA). They are legally equivalent to handwritten signatures for most purposes under Indian law.


Electronic Governance (Chapter III)


The Act enables government departments to accept electronic records for filing, creation, retention, and issuance of licenses and permits. This was the legal foundation for India's digital governance initiatives — from income tax e-filing to GST returns to Aadhaar-based KYC.


Certifying Authorities (Chapter VI)


The Act establishes a hierarchical system of Certifying Authorities under the Root Certifying Authority. Organizations that want to issue Digital Signature Certificates (DSCs) must be licensed under this framework. Currently, major CAs operating in India include (n)Code Solutions, eMudhra, NSDL, and others.


Cyber Offences (Chapter XI) — Sections 65-78


This is the chapter most relevant to cybercrime investigations. Key offences include:


  • Section 65 — Tampering with Computer Source Code: Intentionally concealing, destroying, altering, or causing another to alter computer source code when required to be maintained by law. Punishment: Up to 3 years imprisonment and/or fine up to ₹2 lakh.

  • Section 66 — Computer Related Offences (Hacking): Dishonestly or fraudulently doing any act referred to in Section 43 (unauthorized access, data theft, system disruption). Punishment: Up to 3 years imprisonment and/or fine up to ₹5 lakh.

  • Section 66A — Sending Offensive Messages (Struck down by Supreme Court in Shreya Singhal v. UoI, 2015 — unconstitutional): This section has been declared void. Any FIR under 66A is illegal.

  • Section 66B — Receiving Stolen Computer Resource: Knowingly receiving or retaining any stolen computer resource or communication device. Punishment: Up to 3 years and/or ₹1 lakh fine.

  • Section 66C — Identity Theft: Fraudulently or dishonestly using the electronic signature, password, or any other unique identification feature of any other person. Punishment: Up to 3 years and ₹1 lakh fine.

  • Section 66D — Cheating by Personation Using Computer Resource: Punishment: Up to 3 years and ₹1 lakh fine.

  • Section 66E — Violation of Privacy: Intentionally capturing, publishing, or transmitting the image of a private area of any person without their consent. Punishment: Up to 3 years and ₹2 lakh fine.

  • Section 66F — Cyber Terrorism: Acts committed with intent to threaten the unity, integrity, security, or sovereignty of India, or to strike terror in people, by denying access to computer resources, introducing malicious code into critical infrastructure, or stealing confidential information. Punishment: Life imprisonment.

  • Sections 67, 67A and 67B — Obscene Material: Publishing, transmitting, or causing to be published obscene material in electronic form. Child sexual abuse material carries the harshest penalty: Section 67B — up to 7 years.

  • Section 72 — Breach of Confidentiality: Any person who has secured access to electronic records, books, registers, or documents under the powers conferred by the Act and discloses them without consent faces punishment: Up to 2 years and/or ₹1 lakh fine.

### The IT (Amendment) Act, 2008


The original IT Act was significantly amended in 2008 to address emerging threats and close legislative gaps. Key additions included:


  • Section 66A (later struck down) and Sections 66B-66F — new cybercrime offences
  • Section 43A — Compensation for failure to protect sensitive personal data by body corporates
  • Section 69 — Power to issue directions for interception, monitoring, or decryption of any information through any computer resource
  • Section 69A — Power to block public access to any information through any computer resource
  • Section 69B — Power to authorize the monitoring and collection of traffic data or information through any computer resource for cyber security

### The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021


These Rules (popularly called the IT Rules 2021) were issued under Sections 87(2)(zg) and 79(2) of the IT Act and significantly impacted social media platforms, digital news portals, and OTT platforms.


For Significant Social Media Intermediaries (SSMIs) — platforms with 5 million+ registered users in India (WhatsApp, Facebook, Twitter/X, YouTube, Instagram):


  • Appoint a Chief Compliance Officer (Indian resident)
  • Appoint a Nodal Contact Person (available 24/7 for law enforcement coordination)
  • Appoint a Grievance Officer (Indian resident, public-facing)
  • Publish monthly compliance reports
  • Enable traceability of the originator of messages on end-to-end encrypted platforms (a hugely controversial provision)


For all intermediaries:


  • Publish a Privacy Policy and Terms of Service in English and all 22 scheduled languages
  • Acknowledge user complaints within 24 hours; resolve within 15 days
  • Remove content flagged as illegal, obscene, or hateful within 24-36 hours (with specific timelines for different content types)

## Part 2: The Digital Personal Data Protection Act, 2023 — India's GDPR Moment


### Background and Legislative Journey


India's journey toward a comprehensive data protection law was long and turbulent. The Justice B.N. Srikrishna Committee submitted its draft Personal Data Protection Bill in 2018. After years of deliberation, multiple redrafts, and a Joint Parliamentary Committee report in 2021, the entire bill was withdrawn in August 2022. The Digital Personal Data Protection (DPDP) Act was finally enacted in August 2023 — a leaner, more pragmatic law compared to its predecessor.


### Key Concepts


Data Principal: Any individual whose personal data is being processed. In other words, you and me — every Indian citizen or person located in India.


Data Fiduciary: Any person or entity who alone or in conjunction with others determines the purpose and means of processing personal data. If your company collects customer names, phone numbers, email addresses, or purchase history — you are a Data Fiduciary.


Significant Data Fiduciary (SDF): Data Fiduciaries notified by the Central Government based on the volume and sensitivity of data processed, risk to data principals, national security concerns, etc. SDFs face additional obligations including appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and periodic audits.


Data Processor: An entity that processes personal data on behalf of a Data Fiduciary (e.g., your cloud hosting provider, your CRM vendor, your SMS gateway).


Consent Manager: A new entity registered with the Data Protection Board — an intermediary through which a Data Principal can give, manage, review, and withdraw consent.


### Lawful Bases for Processing


Unlike GDPR's six lawful bases, the DPDP Act primarily relies on two:


  • Consent: The Data Principal must give free, specific, informed, unconditional, and unambiguous consent. Consent must be given by a clear affirmative action and can be withdrawn at any time.

  • Legitimate Uses: Certain processing is permitted without consent:
    - Processing for performing a State function under law
    - Compliance with any judgment or order
    - Medical emergency
    - Employment-related processing
    - Breakdown of public order


### Rights of Data Principals


The DPDP Act grants individuals the following rights:


  • Right to Access Information: Know what personal data is being processed, the purposes of processing, and the identities of all Data Fiduciaries with whom the data has been shared.

  • Right to Correction and Erasure: Request correction of inaccurate or misleading data, and erasure of data no longer necessary for the purpose for which it was collected.

  • Right of Grievance Redressal: Make a complaint to the Data Fiduciary and, if unsatisfied, escalate to the Data Protection Board.

  • Right to Nominate: Nominate another individual to exercise these rights in the event of death or incapacity.

### Children's Data


The DPDP Act has strict provisions for the data of children (below 18 years) and persons with disabilities:


  • Verifiable parental consent required before processing
  • No behavioral monitoring or tracking of children
  • No targeted advertising directed at children
  • Data Fiduciaries must implement age-verification mechanisms


### Penalties Under DPDP Act


The penalty structure is tiered:


  • Breach of child data provisions or security safeguards: Up to ₹200 crore per instance
  • Failure to notify a personal data breach: Up to ₹200 crore
  • Failure to fulfill obligations as Data Fiduciary: Up to ₹150 crore
  • Breach of additional obligations of Significant Data Fiduciaries: Up to ₹150 crore
  • General non-compliance: Up to ₹50 crore


The maximum cumulative penalty for multiple violations of the same provision: ₹500 crore.


### Data Protection Board of India


The DPDP Act establishes a Data Protection Board of India — a quasi-judicial body with the power to:

  • Investigate personal data breaches
  • Impose penalties on Data Fiduciaries
  • Accept complaints from Data Principals
  • Issue directions for compliance


Board decisions can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and thereafter to the High Court.


## Part 3: CERT-In Directions, 2022 — Mandatory Cybersecurity Reporting


### What Are the CERT-In Directions?


The Indian Computer Emergency Response Team (CERT-In) issued landmark Directions under Section 70B(6) of the IT Act on April 28, 2022, effective June 28, 2022 (for major entities) and September 25, 2022 (for MSMEs, VPS providers, and VPN services).


These Directions are legally binding on all service providers, intermediaries, data centers, body corporates, and government organizations.


### Key Mandatory Requirements


6-Hour Incident Reporting Obligation


This is the most significant — and controversial — requirement. All covered entities must report the following types of cybersecurity incidents to CERT-In within 6 hours of noticing them:


  • Targeted scanning/probing of critical networks and systems
  • Compromise of critical systems and applications
  • Unauthorized access to IT systems and data
  • Defacement of websites or intrusion into a website and unauthorized changes
  • Attacks on servers and network infrastructure
  • Identity theft, spoofing, phishing attacks
  • Denial of Service (DoS) and Distributed DoS attacks
  • Attacks on critical infrastructure, SCADA systems, operational technology systems
  • Attacks on Internet of Things (IoT) devices and associated systems
  • Data breaches and data leaks
  • Attacks on digital payment systems
  • Malicious code attacks such as the spreading of viruses, worms, trojans, bots, spyware, or ransomware
  • Rogue mobile apps
  • Fake mobile apps
  • Unauthorized access to social media accounts
  • Incidents affecting digital payment systems


180-Day Log Retention


All ICT system logs must be maintained within Indian jurisdiction for 180 days. This applies to servers, network devices, firewalls, applications, and any system that generates logs. Organizations that use foreign cloud providers must ensure logs are retained in India or ensure they are accessible to CERT-In on demand.


NTP Synchronization


All ICT infrastructure components must be synchronized to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL). Accurate timestamps are essential for the forensic investigation of cybersecurity incidents.


KYC for VPN and Cloud Providers


VPN service providers, cloud service providers, and data center operators must:

  • Maintain accurate subscriber information for 5 years — name, email, phone, IP address, postal address, KYC documents, usage patterns
  • Record the names of the entities hiring their services where servers are provisioned to them
  • Maintain transaction records of customers


This provision caused several international VPN providers to withdraw their Indian servers.


### Consequences of Non-Compliance


Failure to comply with CERT-In Directions constitutes an offence under the IT Act. Penalties include:


  • Imprisonment up to 1 year and/or fine up to ₹1 lakh (for failure to furnish information when directed)
  • Additional penalties under Section 69 for obstruction of lawful orders

## Part 4: The Bharatiya Nyaya Sanhita, 2023 — Criminal Law Meets Cyberspace


### Overview


The Bharatiya Nyaya Sanhita (BNS) 2023 replaced the Indian Penal Code 1860 on July 1, 2024. While the IT Act contains specific cyber offences, the BNS also contains provisions that intersect significantly with cyberspace.


### Key Cyber-Relevant Provisions of BNS 2023


Section 318 — Cheating: Online fraud, phishing scams, e-commerce fraud, and investment scams all fall under this section. Online cheating is treated identically to offline cheating for criminal liability purposes. Punishment: Up to 7 years and fine for cheating with dishonest inducement to deliver property.


Section 316 — Criminal Breach of Trust: When a service provider, employee, or trustee misuses data entrusted to them. Data breaches by insiders and the unauthorized sale of customer data by employees all fall here. Punishment: Up to 7 years and fine.


Section 308 — Extortion: Ransomware attacks, where criminals encrypt data and demand payment, constitute extortion under the BNS. Punishment: Up to 10 years and fine.


Section 319 — Cheating by Personation: Creating fake social media profiles, or impersonating celebrities or businesses to defraud customers. Punishment: Up to 5 years and fine.


Section 85 — Husband's Cruelty: Sending abusive messages and harassment through electronic means in domestic violence contexts.


Section 79 — Sexual Harassment: Sending sexual messages or images, or making sexually suggestive comments electronically.


Section 196 — Sedition (replaced provisions): Creating or spreading content that promotes enmity between groups — relevant to social media content moderation.


### The Bharatiya Nagarik Suraksha Sanhita (BNSS) 2023


The BNSS 2023 replaced the Code of Criminal Procedure. From a cyber law perspective, it introduces:


  • Section 94: Summons to produce documents — now explicitly covers electronic records
  • Section 178: Venue of inquiry or trial — for cybercrime, the trial can be held where the offence was committed, where the victim is located, or where the offender is arrested
  • Section 530: Electronic trial — provision for using video conferencing in trials, relevant for cybercrime cases with witnesses in multiple locations

## Part 5: Sector-Specific Cyber Regulations


### RBI Cybersecurity Framework (Banks and NBFCs)


The Reserve Bank of India has issued comprehensive cybersecurity frameworks for regulated entities:


  • RBI Circular on Cyber Security Framework in Banks (2016): Mandates an inventory of IT assets, vulnerability assessment, patch management, network security, and a Board-approved cybersecurity policy.
  • Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices (2021): Comprehensive governance framework for all RBI-regulated entities.
  • RBI Guidelines on Digital Payment Security Controls (2021): For payment aggregators and payment gateways — mandatory secure software development, regular security testing, customer authentication.


### SEBI Cybersecurity Framework


SEBI has issued a Cybersecurity and Cyber Resilience Framework for market infrastructure institutions (stock exchanges, depositories, clearing corporations). Key requirements include:


  • Mandatory ISO 27001 certification
  • Annual cybersecurity audits
  • Business Continuity Plans with regular testing
  • Incident reporting to SEBI within specified timelines


### IRDAI Cybersecurity Guidelines


The Insurance Regulatory and Development Authority of India has issued information and cybersecurity guidelines requiring insurers to:


  • Implement a comprehensive Information Security Management System (ISMS)
  • Conduct regular vulnerability assessments and penetration testing
  • Establish a 24/7 Security Operations Center (SOC)
  • Report cyber incidents to IRDAI within 6 hours (same as CERT-In)


### TRAI Regulations


The Telecom Regulatory Authority of India's regulations on commercial communication (the TCCCPR) govern SMS, robocalls, and WhatsApp Business API usage. Violations can result in blacklisting of sender IDs and template IDs, with cascading commercial consequences.


## Part 6: Practical Compliance Framework for Indian Businesses


### Step 1: Legal Foundation


Privacy Policy: Every website, app, and digital service that collects personal data must have a Privacy Policy. Under IT Act Rule 5, this is mandatory for body corporates handling sensitive personal data or information (SPDI). Your Privacy Policy must disclose:


  • What data you collect and why
  • How long you retain it
  • With whom you share it
  • How users can access, correct, or delete it
  • Your security practices
  • Contact details for grievances


Terms of Service: Governs the contractual relationship between you and your users. It must be accessible and agreed to before use of the service.


Cookie Policy: If your website uses cookies for analytics, advertising, or tracking, you must disclose this and obtain consent.


Data Processing Agreements (DPAs): Under the DPDP Act, Data Fiduciaries must have written contracts with their Data Processors specifying the terms of data processing.


### Step 2: Technical Safeguards


Encryption: All sensitive data — passwords, payment card data, health information, Aadhaar numbers — must be encrypted at rest and in transit. Use AES-256 for data at rest and TLS 1.2+ for data in transit.


Access Control: Implement role-based access control (RBAC). Employees should only access the data necessary for their job function — the principle of least privilege.


Vulnerability Assessment and Penetration Testing (VAPT): Conduct VAPT at least annually, and after every major system change. VAPT by a CERT-In empaneled auditor is increasingly required by regulators.


Incident Response Plan: Document what you will do when a breach occurs — who to notify, how to contain the breach, how to communicate with affected users, and how to report to CERT-In within 6 hours.


Multi-Factor Authentication (MFA): Mandatory for administrative access to all systems; strongly recommended for all user accounts.


Patch Management: Maintain an inventory of all software and firmware. Apply security patches within defined SLAs (critical patches: within 24-72 hours).


### Step 3: Organizational Measures


Designate a Data Protection Officer (DPO): While mandatory only for Significant Data Fiduciaries under the DPDP Act, this is best practice for all mid-to-large companies.


Employee Training: Regular cybersecurity awareness training covering phishing, social engineering, password hygiene, and data handling procedures.


Vendor Due Diligence: Assess the cybersecurity posture of all third-party vendors who process your customer data. Contractual safeguards are not enough — conduct technical audits.


Business Continuity Plan (BCP): Document how your business will continue operating during a cyber incident. Test your BCP at least annually.


### Step 4: Incident Response


When a breach occurs, time is of the essence:


  1. Contain: Isolate affected systems immediately to prevent spread
  2. Assess: Determine the scope and nature of the breach — what data was compromised and how many people were affected
  3. Notify CERT-In: Within 6 hours — even if the investigation is incomplete, send a preliminary notification
  4. Notify affected individuals: Under the DPDP Act — as soon as practicable
  5. Preserve evidence: Do not delete logs or alter systems before forensic investigation
  6. Post-incident review: Conduct a root cause analysis and implement improvements


## Part 7: Emerging Legal Challenges


### Artificial Intelligence and Accountability


India does not yet have a specific AI regulatory framework, but existing laws apply:


  • Algorithmic discrimination may violate the right to equality under the Constitution
  • AI-generated deepfakes violate Section 66E (privacy) and Section 67 (obscenity) of the IT Act
  • Automated decision-making that affects individuals' rights may be challenged under the DPDP Act's right to grievance redressal
  • The Ministry of Electronics and IT (MeitY) has issued an Advisory on AI, asking intermediaries to get government permission before deploying AI models that can "undermine India's electoral process, sovereignty, or public order"


### Blockchain and Crypto


While cryptocurrencies are not banned in India (though the government has imposed a 30% tax plus 1% TDS on crypto income), blockchain technology itself sits in a regulatory gray zone:


  • Smart contracts — are they legally binding? The IT Act recognizes electronic contracts, but smart contracts have unique enforcement challenges
  • NFTs — the DPDP Act and anti-money laundering regulations apply
  • DeFi platforms — may be subject to SEBI regulations if they issue securities-like tokens


### Cross-Border Data Flows


The DPDP Act empowers the Central Government to restrict or permit the transfer of personal data to specific countries or territories. Until the list of "trusted countries" is notified, cross-border transfers remain complex by default. Businesses must:


  • Include contractual provisions protecting Indian data in agreements with foreign processors
  • Ensure foreign processors comply with CERT-In log retention requirements
  • Be prepared to produce data to Indian authorities on lawful demand


### The Emerging AI-Cyber Threat Landscape


Cybercriminals are increasingly using AI for:


  • Vishing (Voice Phishing): AI voice cloning to impersonate family members and demand money
  • Spear Phishing: AI-generated, highly personalized phishing emails with perfect grammar and accurate personal details
  • Automated Vulnerability Discovery: AI tools scanning millions of endpoints to find and exploit vulnerabilities faster than human defenders can patch them


Indian businesses must factor AI-enhanced threats into their security architecture and incident response plans.


## Part 8: The Road Ahead — India's Cyber Law Evolution


### Digital India Act (Proposed)


MeitY has been working on a Digital India Act (DIA) to replace the aging IT Act 2000. The DIA is expected to:


  • Establish a new regulatory framework for artificial intelligence
  • Create a separate regulatory regime for online intermediaries, with tiered obligations
  • Address emerging technologies like blockchain, the metaverse, and IoT
  • Strengthen consumer rights in digital markets
  • Create a comprehensive cybersecurity legal framework


### National Cybersecurity Policy (Updated Framework)


India's original National Cybersecurity Policy was issued in 2013. A new framework is in development, expected to:


  • Define critical information infrastructure more comprehensively
  • Mandate cybersecurity standards for specific sectors
  • Create a national cybersecurity certification scheme


### International Engagement


India is increasingly active in global cyber governance forums — the UN Group of Governmental Experts (GGE), the Open-Ended Working Group (OEWG), the Budapest Convention (India is an observer, not a signatory), and bilateral cybersecurity agreements with multiple countries.


## Conclusion: Compliance as Competitive Advantage


Cyber law compliance in India is not a bureaucratic burden — it is a fundamental business requirement and, increasingly, a competitive differentiator. Customers trust businesses that protect their data. Investors conduct cybersecurity due diligence. Government contracts require compliance certifications. Enterprise clients require vendor cybersecurity assessments before onboarding.


The cost of non-compliance is not just regulatory penalties — it is reputational damage, customer loss, operational disruption, and potential criminal liability for directors and officers under both the IT Act and the DPDP Act.


As a Bar Council of India registered Advocate with over 15 years of experience at the intersection of technology and law, I have helped dozens of startups, enterprises, and government organizations navigate India's complex cyber law landscape. The businesses that treat compliance as a strategic investment — not a checkbox exercise — are the ones that build lasting trust and sustainable growth.


Start with the basics: a proper Privacy Policy, a documented Incident Response Plan, employee training, and a VAPT audit. Then layer on the more sophisticated requirements as your business scales.


For a comprehensive cyber law compliance review or legal consultation, reach out at [Mr.VimleshDwivedi@gmail.com](mailto:Mr.VimleshDwivedi@gmail.com). I am happy to help your business navigate the legal landscape of India's digital economy.
