
Monday, October 16, 2023

Current Cyber Security Legislation in India


The Information Technology Act, 2000 is a landmark legislation regarding cybersecurity in India. It was the country's first-ever cybersecurity law and provides a legal framework for addressing various cybercrimes and related issues.

On 28th April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new cybersecurity directions under section 70B of the Information Technology Act, 2000. CERT-In is a government-appointed agency responsible for performing cybersecurity-related functions. These directions aim to strengthen the country's cybersecurity practices and address emerging threats.

The Information Technology Rules, 2021, released by the Indian Ministry of Electronics and Information Technology, also play a role in cybersecurity regulation. These rules, which replace the original rules from 2011, introduce new obligations for intermediaries and digital media companies.

It's important to note that cybersecurity laws and regulations are continually evolving, so it's recommended to refer to official government sources for the most up-to-date information on cyber security legislation in India.

In India, the Information Technology Act of 2000 is currently the main legislation that addresses cyber security. It is a broad piece of legislation covering multiple areas of information technology, and it has been amended several times to keep pace with technological advances. On cyber security specifically, the Act addresses the use of technology for crime prevention and investigation, as well as the right to privacy and data protection. There are several other laws and policies related to cyber security in India, but the IT Act of 2000 is currently the foundational legislative framework.

Here are some of the key pieces of cybersecurity legislation and regulations in India:

  1. Information Technology (IT) Act, 2000: The IT Act, 2000, is the primary legislation governing cybersecurity and electronic commerce in India. It covers various aspects of cybercrimes, such as unauthorized access to computer systems, data theft, and the distribution of malicious software.


  2. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: These rules were framed under the IT Act to regulate the collection, handling, and protection of sensitive personal data and information by entities operating in India.


  3. National Cyber Security Policy, 2013: This policy outlines the government's approach to cybersecurity and aims to protect information and information infrastructure in the country. It provides a framework for responding to cyber threats and incidents.


  4. Data Protection Bill (Draft): India has been working on a comprehensive data protection law that will regulate how personal data is collected, processed, and stored. While the draft bill was introduced in 2019, it has not been enacted into law as of my last update.


  5. Indian Computer Emergency Response Team (CERT-In): CERT-In is the national agency responsible for responding to and mitigating cybersecurity incidents. It operates under the Ministry of Electronics and Information Technology (MeitY).


  6. Reserve Bank of India (RBI) Guidelines: The RBI has issued cybersecurity guidelines for banks and financial institutions to protect customer data and financial systems.

  7. Sector-Specific Regulations: Various industries and sectors in India, such as banking, healthcare, and telecom, have specific regulations and guidelines related to cybersecurity.


  8. Cybercrime Investigation and Forensics: Indian law enforcement agencies investigate cybercrimes under the IT Act and may collaborate with international agencies for cross-border cybercrime investigations.

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, were notified by the government on February 25, 2021. These rules impose new obligations and responsibilities on intermediaries, such as social media platforms, messaging apps, and e-commerce sites, to ensure compliance with the law, protect user data and privacy, and prevent the spread of unlawful or harmful content. The rules also provide for a grievance redressal mechanism and a code of ethics for digital media.

The Personal Data Protection Bill, 2019, is a draft bill that aims to establish a comprehensive framework for the protection of personal data of individuals in India. The bill proposes to create a Data Protection Authority to oversee and enforce the data protection regime. The bill also defines various categories of data, such as personal data, sensitive personal data, and critical personal data, and prescribes different levels of consent, notice, and safeguards for their processing.

The Indian Computer Emergency Response Team (CERT-In) Directions, 2021, were issued by CERT-In on May 25, 2021. These directions contain a broad range of new obligations for entities that own, operate, or control any computer resource that directly or indirectly affects the Critical Information Infrastructure (CII) of India. These obligations include notifying security breaches within six hours, keeping detailed logs of network activity for at least 180 days, conducting regular security audits and assessments, and complying with the standards and guidelines issued by CERT-In.

I hope this information is helpful! 

