Monday, October 16, 2023
The Information Technology Act, 2000 is a landmark legislation regarding cybersecurity in India. It was the country's first-ever cybersecurity law and provides a legal framework for addressing various cybercrimes and related issues.
On 28th April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new cybersecurity directions under section 70B of the Information Technology Act, 2000. CERT-In is a government-appointed agency responsible for performing cybersecurity-related functions. These directions aim to strengthen the country's cybersecurity practices and address emerging threats.
The Information Technology Rules, 2021, released by the Indian Ministry of Electronics and Information Technology, also play a role in cybersecurity regulation. These rules, which replace the original rules from 2011, introduce new obligations for intermediaries and digital media companies.
It's important to note that cybersecurity laws and regulations are continually evolving, so it's recommended to refer to official government sources for the most up-to-date information on cyber security legislation in India.
In India, the Information Technology Act of 2000 is currently the main legislation that addresses cyber security. This Act is a broad piece of legislation that addresses multiple areas of information technology and has been amended multiple times to keep it up to date with current technological advances. As for specific cyber security-related aspects, the Act addresses the use of technology for crime prevention and investigation, as well as the right to privacy and data protection. There are several other laws and policies related to cyber security in India, but the IT Act of 2000 is currently the foundational legislative framework.
Here are some of the key pieces of cybersecurity legislation and regulations in India:
Information Technology (IT) Act, 2000: The IT Act, 2000, is the primary legislation governing cybersecurity and electronic commerce in India. It covers various aspects of cybercrimes, such as unauthorized access to computer systems, data theft, and the distribution of malicious software.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: These rules were framed under the IT Act to regulate the collection, handling, and protection of sensitive personal data and information by entities operating in India.
National Cyber Security Policy, 2013: This policy outlines the government's approach to cybersecurity and aims to protect information and information infrastructure in the country. It provides a framework for responding to cyber threats and incidents.
Data Protection Bill (Draft): India has been working on a comprehensive data protection law that will regulate how personal data is collected, processed, and stored. While the draft bill was introduced in 2019, it has not been enacted into law as of my last update.
Indian Computer Emergency Response Team (CERT-In): CERT-In is the national agency responsible for responding to and mitigating cybersecurity incidents. It operates under the Ministry of Electronics and Information Technology (MeitY).
Reserve Bank of India (RBI) Guidelines: The RBI has issued cybersecurity guidelines for banks and financial institutions to protect customer data and financial systems.
Sector-Specific Regulations: Various industries and sectors in India, such as banking, healthcare, and telecom, have specific regulations and guidelines related to cybersecurity.
Cybercrime Investigation and Forensics: Indian law enforcement agencies investigate cybercrimes under the IT Act and may collaborate with international agencies for cross-border cybercrime investigations.
Indian Computer Emergency Response Team (CERT-In) Directions, 2021: These directions, issued by CERT-In on May 25, 2021, contain a broad range of new obligations for entities that own, operate, or control any computer resource that directly or indirectly affects the Critical Information Infrastructure (CII) of India. These obligations include notifying security breaches within six hours, keeping detailed logs of network activity for at least 180 days, conducting regular security audits and assessments, and complying with the standards and guidelines issued by CERT-In.