Regulatory Landscape

Risk rating: HIGH

India's cybersecurity regulatory architecture is a constellation of sector-specific regulators issuing directives within narrow purviews, creating compliance documentation that satisfies audit trails while systemic vulnerabilities persist. The consequences are not theoretical: framework after framework has existed while breaches have occurred.

IT Act 2000 Enforcement Crisis

Risk rating: CRITICAL

Cyber crime conviction rate: 3% (vs 40% overall cognizable crime rate)
Pending IT Act cases: 89K+ (cases in judicial backlog)
Police stations that never registered a case: 89% (of 18,000+ stations nationwide)
Digital forensics experts: 487 (for 18,000+ police stations)

IT Act Sections: Cases Filed vs Convictions

Section 43 (damage to computer systems): 1247 cases filed, ~37 convictions
Section 66 (computer-related offenses): 892 cases filed, ~26 convictions
Section 67 (publishing obscene content): 2156 cases filed, ~64 convictions
Section 69A (blocking access; underused): 45 cases filed, ~1 conviction

Investigation Never Begins

89% of police stations have never registered a cyber crime case. Most complaints are merely logged and then queue indefinitely.

Digital Evidence Rejected

40% of digital evidence is rejected by courts due to chain-of-custody failures under the Bharatiya Sakshya Adhiniyam.

18-Month Forensics Backlog

Average evidence processing time for non-priority cases. Priority cases face separate delays.

Sectoral Regulatory Framework

RBI (Reserve Bank of India | Banking & Finance) - TIER 1 - CRITICAL
Cybersecurity Framework 2016 (updated 2021); maturity score 68/100

SEBI (Securities and Exchange Board of India | Capital Markets) - TIER 2 - SIGNIFICANT
Cybersecurity Circular 2017/2021; maturity score 72/100

TRAI (Telecom Regulatory Authority of India | Telecom) - TIER 2 - SIGNIFICANT
Cybersecurity Directions 2022; maturity score 58/100

IRDAI (Insurance Regulatory and Development Authority | Insurance) - TIER 2 - SIGNIFICANT
Cybersecurity Guidelines 2019-2020; maturity score 42/100

GSTN (Goods and Services Tax Network | Taxation) - TIER 2 - SIGNIFICANT
CII designation + IT Act provisions; maturity score 55/100

DPDP Act 2023: Promises vs Reality

Risk rating: CRITICAL

Data Protection Board: NOT FORMED (30+ months since enactment)
Consent Framework: 45/100 ("voluntary consent" undermines framework)
Government Exemption: 10/100 (Sections 16-17: broad surveillance authorization)
Individual Rights Operationalization: 15/100 (mechanisms for exercising rights DO NOT exist)

DPDP Act 2023 vs International Frameworks

| Aspect | India (DPDP Act) | EU (GDPR) | US (Sectoral) |
|---|---|---|---|
| Consent Standard | Free, informed, unconditional, specific | Freely given, specific, informed, unambiguous | Notice and choice (opt-out) |
| Government Exemption | Sections 16-17: broad exemption | Law enforcement access subject to safeguards | Fourth Amendment applies |
| Individual Rights | Rights exist, mechanisms DO NOT exist | Enforceable rights with DPA support | Sectoral rights (HIPAA, etc.) |
| Data Localization | Cross-border transfers: INOPERATIVE | Adequacy decisions, SCCs | No federal requirement |
| Breach Notification | No individual notification required | 72 hours to supervisory authority | Sectoral (HIPAA: 60 days) |
| Enforcement Body | Board NOT CONSTITUTED after 30+ months | Data Protection Authorities operational | Sectoral FTC + state AGs |
| Class Actions | Not provided | Representative actions permitted | Limited private right of action |
| Penalty (Max) | INR 250 crore (~0.04% of $100B revenue) | 4% global turnover or EUR 20M | Varies by sector; rarely material |

[Chart: Global Data Protection Index Comparison (chart data not reproduced in this text)]

Compliance Ecosystem Failures

ISO 27001 Paradox (TIER 1 - CRITICAL)
5,000+ ISO 27001 certified organizations in India, one of the highest counts globally
Reality: Certifies documentation existence, NOT control effectiveness
Case: 2024 airline breach: 2.5M records leaked; organization was ISO 27001 certified at time of breach

6-Hour Reporting Farce (TIER 1 - CRITICAL)
<20% estimated actual compliance with the CERT-In 6-hour reporting requirement
Reality: Organizations report when publicly known or after their own timeline assessment
Case: Incidents detected Friday evening are reported Monday, if at all

Bug Bounty Criminalization (TIER 2 - SIGNIFICANT)
2019-2021: period when security researchers faced IT Act Section 66 threats
Reality: Chilling effect drove vulnerability research underground or to anonymous foreign channels
Case: Indian organizations threatened legal action instead of fixing reported vulnerabilities

Privacy Policy Theater (TIER 2 - SIGNIFICANT)
~100% of Indian apps/websites have posted privacy policies
Reality: Documents designed to defeat comprehension; purpose is legal cover, not informed consent
Case: DPDP consent framework exists in direct contradiction to an incomprehensible policy ecosystem

Data Localization Compliance (TIER 2 - SIGNIFICANT)
Real: payment data actually stored in India per RBI 2018 directive
Reality: AWS Mumbai means data in India, BUT under US CLOUD Act jurisdiction
Case: 2023 Reuters: US intelligence accessed Indian company data on US cloud platforms

Healthcare Data Security: Legislative Vacuum

Risk rating: CRITICAL

DISHA Status: NON-EXISTENT (drafted 2017-2018, parliamentary limbo ever since)
PM-JAY Coverage: 500M+ (beneficiary data processed through PM-JAY ecosystem)
PM-JAY Security Maturity: 55/100 (partial anchor only; scope limited to specific scheme)

Vulnerability Profile
- Medical records: chronic conditions, mental health, genetic data, reproductive choices
- State-sponsored interest: biometric and health intelligence
- Integration between insurer systems and hospital networks creates cross-regulatory attack surfaces
- Health-tech startups processing wearable data operate under the general IT Act only

India's health data is some of the most sensitive personal information in existence. Medical records reveal chronic conditions, mental health histories, genetic predispositions, and reproductive choices. This data is valuable to identity thieves, insurance fraudsters, foreign intelligence services, and criminal organizations. Yet no law specifically governs its protection.

Structural Patchwork Gaps

Regulatory Arbitrage Across Sectors (TIER 1)

A fintech operating as bank + payments processor + telecom must navigate 3 different frameworks

Supervisory Capacity Inequality (TIER 1)

RBI cybersecurity supervision is substantially stronger than that of TRAI, IRDAI, or most other sectoral regulators

Compliance Theater Distribution (TIER 1)

ISO 27001 satisfies documentation requirements for multiple regulators simultaneously

Incident Response Fragmentation (TIER 2)

A single incident must be reported to multiple regulators under different timelines and formats

No Unified Incident Reporting Architecture (TIER 2)

No single authority receives a complete picture of the cross-sectoral implications of an incident

CII Definition Gaps (TIER 2)

Finance CII is clearly defined, telecom is contested, healthcare is effectively non-existent, and energy/transport are ambiguous

Cross-Border Data Transfer: Legal Void

Outbound Transfers (India → Foreign)

Constrained by inoperative cross-border transfer framework. No countries notified under Section 16A. Indian companies cannot legally transfer data abroad except under ad hoc approvals.

Inbound Transfers (Foreign → India)

EU GDPR adequacy requirement not satisfied. International business relationships require SCCs for EU-India data flows despite India's domestic framework being nominally in place.

Policy Vacuum Assessment

Baseline Cybersecurity Framework: NOT ACHIEVED
Data Protection Board Operationalization: NOT ACHIEVED (30+ months)
CII Sector Designation (complete): PARTIAL/FRAGMENTED
Unified Incident Reporting Portal: NOT ACHIEVED
National Cybersecurity Law: NOT ACHIEVED (2013 Policy only)
Bug Bounty Safe Harbor: NOT ACHIEVED

Political Economy: Surveillance Over Security

India's political establishment wants surveillance capability more than security. A security-focused framework would limit government access through lawful access provisions, transparency requirements, and data protection standards. The DPDP Act's sweeping government exemption is the defining feature: government agencies explicitly removed from the Act's scope.

Industry Lobbying Filter

Every meaningful security requirement faces consistent opposition. The CERT-In 6-hour reporting faced documented industry association opposition. Security benefits (avoided breaches, prevented intrusions) are diffuse and probabilistic. Compliance costs are immediate and affect quarterly earnings.

Structural Verdict

India's cybersecurity regulatory posture is not merely inadequate. It is actively counterproductive: it channels resources into compliance activities that produce no security improvement while crowding out the security investment that would. The regulatory landscape India needs is not the regulatory landscape India has. The gap is not one that additional regulations will close. It is a gap that structural reform, of institutions, incentives, and political priorities, might address, if India ever decides that security is worth the political cost of achieving it.

The Evidence

Banks breach despite RBI framework. Market data leaks despite SEBI. Telecom networks fail despite TRAI. GSTN is compromised. Healthcare data circulates without protection. In each case, the framework existed. The framework was insufficient.

The Root Cause

India has regulated in fragments, mistaking the existence of sectoral rules for the achievement of systemic security. No regulator has visibility across sectors. No single authority can mandate the baseline controls that a unified framework would impose.

The Fix Required

Political will to establish a coherent national framework, institutional capacity to operationalize it, and supervisory expertise to enforce it. All three are currently absent. Threat actors operate across sectors and exploit the seams between regulatory regimes.

Segment 15 | Regulatory Landscape | CryptoMize Proprietary Research | March 2026