SEGMENT 15 — REGULATORY LANDSCAPE

REGULATORY LANDSCAPE GAP ANALYSIS

India's cybersecurity regulatory framework is a structural failure — not of ambition, but of execution, enforcement, and political will.

Threat Level: CRITICAL (Immediate action required)
3% Conviction Rate
30+ Months Without Board
0 CLOUD Act Protection
89% Police Never Use IT Act
VIZ-1

REGULATORY OPERATIONAL STATUS

Gap between theoretical operability and actual enforcement — DPDP Board at 0% (NOT CONSTITUTED)

Operational Status Score (0-100%)
DPDP Board: NOT OPERATIONAL
Healthcare Data: NOT OPERATIONAL
IT Act Penalty: 3%
CII Definitions: 15%
Cross-border Transfers: 5%
Purpose Limitation: 10%
CERT-In 6hr Reporting: 20%
Consent Framework: 25%
VIZ-2

ENFORCEMENT TIMELINE: INDIA vs PEERS

India's 5-7 year gap between legislation and meaningful enforcement vs. GDPR rapid implementation

Chart: Enforcement Readiness — India vs. EU (GDPR)
Chart: Sectoral Cybersecurity Regulatory Maturity
VIZ-4

COMPLIANCE THEATER INDEX

5,000+ ISO 27001 certifications produce documentation, not security

85% Compliance Investment Index
8% Security Outcome Index
The Divergence: 5,000+ ISO 27001 Certifications = Zero Actual Security Assurance
CLUSTER 1

IT ACT 2000 — A LAW MODELLED FOR A DIFFERENT INTERNET

Core Enforcement Crisis
Cybercrime Conviction Rate: 3% (vs ~40% for general crimes)
<500 Trained Digital Forensic Experts
18,000+ Police Stations
18-24 Month Evidence Backlog
Attribution Problem
Nation-state actors use rotating infrastructure
Zero-day exploits leave no trace
Proxies in third countries
Pegasus: No prosecution possible
Key IT Act Provisions
S.43/43A: 3% Conviction
  Penalty provisions rarely enforced
S.66F: Weaponized
  Cyber terrorism misuse against dissent
S.69A: Thousands/year
  Blocking without judicial oversight
S.79: Unaccountable
  Safe harbor for algorithmic moderation
S.75: 18-24 months
  Foreign attribution impossible (MLAT delays)
VIZ-6

THE 30-MONTH GAP

DPDP Act: From Passage to Enforcement — Where the Time Goes

Chart: DPDP Act: 30-Month Delay to Board Constitution
VIZ-5

GOVERNMENT EXEMPTION SCOPE

India closer to Russia/China than GDPR standards

Government Accountability Score (0-100)
India (DPDP S.16-17): 5
Russia/China: 8
Brazil (LGPD): 55
EU (GDPR): 85
USA (Sectoral): 65
CLUSTER 2

DPDP ACT 2023 — LEGISLATION IN NAME ONLY

Critical Provisions
Section 45: Board not constituted 30+ months
Section 7: "Voluntary" consent negated by rules
Section 16-17: Government exemption (no oversight)
Section 11: Right to access — no enforcement
Section 12: Right to erasure — illusory
Section 8: Cross-border transfers inoperative
Rights Enforcement Status
Right to Access (S.11): No enforcement mechanism
Right to Correction (S.12): No penalty for non-compliance
Right to Erasure (S.12): No Board to receive complaints
Right to Grievance (S.13): No statutory backing
Right to Nominate (S.14): Only functional right
VIZ-7

INCIDENTS vs REGULATORY RESPONSES

Major incidents continue regardless of regulatory activity

Major Incidents vs. Regulatory Activity
VIZ-8

ATTRIBUTION FAILURE FUNNEL

Where cybercrime cases disappear — 3% conviction rate

Chart: Cyber Crime Enforcement Funnel — ~3% Conviction Rate
CLUSTER 3

SECTORAL REGULATORY FRAGMENTATION

RBI (Banking): Most Mature
  Compliance theater — UCO Bank breached under direct supervision
SEBI (Securities): Core Only
  Depository participants unsupervised — 2024 leak
IRDAI (Insurance): Lowest Maturity
  Healthcare-adjacent data in lowest maturity sector
TRAI (Telecom): 6-Hour Distortion
  Reporting requirement creates operational distortions
GSTN (Tax): Extended Ecosystem
  Breached through GSP callback agent network
DISHA (Healthcare): NON-EXISTENT
  Bill in parliamentary limbo since 2017-2018
CLUSTER 4

COMPLIANCE ECOSYSTEM DYSFUNCTIONS

6hrs CERT-In Reporting: Impossible for sophisticated intrusions
5,000+ ISO 27001 Certs: Zero actual security assurance
40% Auditors <3yr Exp: Audit quality degradation
0 Bug Bounty Safe Harbor: Security research criminalized
CLUSTER 5

POLICY VACUUM — STRUCTURAL CAUSES

Surveillance Over Security

Government wants surveillance capability more than security. No executive will support standards that apply equally to its own apparatus.

Industry Lobbying

Compliance cost argument is powerful because benefits (avoided breaches) are diffuse while costs are immediate and balance-sheet-visible.

Attribution Problem

Solving attribution is a technical problem, not legal. No amendment makes it possible to identify sophisticated foreign intruders with legal certainty.

Reform Attempts Abandoned
NCBB: Proposed 2018, 2020, 2022
NCSS 2020: Draft abandoned
IT Act Amendments: Not since 2008
DISHA: Parliamentary limbo since 2017
MATRIX

GAP PRIORITY MATRIX

ID   | Gap                                      | Severity | Complexity | Feasibility
G2.1 | DPDP Board non-constitution              | CRITICAL | Medium     | Low
G2.3 | Government exemption (S.16-17)           | CRITICAL | High       | Near-zero
G3.7 | Healthcare data legislative vacuum       | CRITICAL | Medium     | Medium
G1.8 | 3% conviction rate / enforcement vacuum  | CRITICAL | Very High  | Low
G4.5 | Bug bounty criminalization               | HIGH     | Low        | Medium
G1.9 | No ransomware/supply chain provisions    | HIGH     | Medium     | Medium
G1.7 | Section 69A blocking without oversight   | HIGH     | Medium     | Low
G4.2 | ISO 27001 certification theater          | HIGH     | High       | Low

Strategic Synthesis

The Central Finding: India's regulatory landscape is not merely inadequate — it is actively counterproductive. The compliance ecosystem consumes resources that could fund actual security improvement. The appearance of legal deterrence deters neither foreign threat actors nor domestic cybercriminals.

Why This Persists
  • Surveillance capability over data security
  • Government access over citizen protection
  • Compliance documentation over security outcomes
  • Industry accommodation over meaningful requirements
What Cannot Be Fixed by Regulation Alone
  • The attribution problem — technically sophisticated threat actors from foreign jurisdictions
  • But: the enforcement vacuum, the absence of mandatory breach disclosure, and the lack of CII security standards CAN be addressed
None of these fixes is politically feasible in 2026.