Authored By: Diksha Kashyap
Asian Law College, Sector 125, Noida
Abstract
India’s laws on cybersecurity have grown and changed over time. This article argues that while India now has strong laws on paper, the real problem is how poorly they are enforced in the country. It starts with the Information Technology Act of 2000 (IT Act), which is India’s first principal law for the digital world. In 2008, it was updated to add new rules about data protection and about new kinds of online crimes. Since then, India has built many more layers of rules. These include the new Digital Personal Data Protection Act, 2023 (DPDPA), strict rules for banks and financial markets from the RBI and SEBI, and quick-response guidelines from CERT-In (the national cyber emergency team). Courts have also played an important role in cybersecurity through the famous Puttaswamy and Shreya Singhal cases. Together, these laws and judgments form a fairly advanced system.
But the biggest weakness lies in the enforcement mechanisms of these laws. Police and judges often lack technical skills, government agencies do not coordinate well, the punishments for some online crimes are too light, and many people are not even aware of their rights or how to report cybercrimes. The article concludes that India’s challenge is not about making more laws, but about making sure the existing ones actually work. It suggests improving training for police and judges, using tools like AI and digital forensics, empowering the new Data Protection Board and building partnerships between government and private companies. It also calls for regular updates to the laws and public campaigns to raise awareness. Only by fixing this enforcement gap can India build trust and make its digital future safe and secure.
Introduction
Today India is at an important turning point in its digital journey. With over 900 million internet users and numerous government programs like Digital India, UPI, Digilocker and Aadhaar services, the country is rapidly becoming part of the global digital economy. But with this growth comes risk: as more people and businesses go online, from shopping to payments, the opportunities for cybercriminals to profit grow too. From hackers backed by foreign governments, to ransomware attacks on hospitals and banks, to everyday frauds against common citizens, the threats of cybercrime and cyberfraud are growing rapidly.
This raises the fundamental question: “Are India’s legal and institutional frameworks robust and agile enough to keep pace with these threats and to deter them effectively?”
This article tracks the changing landscape of cybersecurity laws in India by tracing their evolution from a foundational statute to a burgeoning and complex ecosystem. It finds that while the legislative intent and framework have matured significantly, the critical deficit lies in the realm of enforcement, which includes the mechanisms, expertise and resources required to translate written law into tangible security and justice for the public.
The Information Technology Act, 2000 (IT Act)
For the past two decades, the Information Technology Act, 2000 (IT Act) has been the cornerstone of India’s cyber law regime. It was enacted primarily to provide legal recognition to electronic transactions such as digital signatures, online payments and contracts, but it also became the first statute to acknowledge and address cyber offences. Some of the key provisions are discussed below:
– Section 43: This civil provision imposes liability on a person who, without permission, accesses a computer system, downloads data, introduces contaminants, or causes damage. It allows for compensation to the affected party.
– Section 43A: A crucial addition in the 2008 amendment, it mandates that a body corporate handling sensitive personal data implement “reasonable security practices and procedures,” failing which it is liable to pay compensation for any wrongful loss or gain.
– Section 66: The criminal counterpart to Section 43, it prescribes punishment (imprisonment up to three years or a fine) for acts defined under Section 43 if done dishonestly or fraudulently.
– Sections 66B to 66F: These sections, added by the 2008 amendment, specifically criminalize identity theft (66C), cheating by personation (66D), violation of privacy (66E) and cyber terrorism (66F).
– Section 67: Addresses publishing or transmitting obscene material in electronic form.
– Section 69: Grants the government power to issue directions for interception, monitoring or decryption of any information through any computer resource.
The Information Technology (Amendment) Act, 2008
As cybercrime rates and cyber threats grew with the emergence of information technology in India, the Act needed to be updated to reflect modern technological trends. New cybersecurity-related crimes were being reported in large numbers, and the Act in its original form was soon found to be inadequate. The 2008 amendment was a direct response to emerging threats and the need for a more robust framework. It includes:
– Focus on data protection through insertion of Section 43A, which laid the groundwork for data privacy principles.
– Explicit criminalization of cyber terrorism, identity theft, cyber fraud, digital theft, online defamation and child pornography.
– Establishment of agencies like the Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for cybersecurity incidents.
While the IT Act provided the essential lexicon for cyber law, its limitations became apparent. Among them: some definitions were vague and open to interpretation, the prescribed punishments were seen as lenient for serious crimes like massive data breaches, and law enforcement officers and the judiciary lacked the technical knowledge to handle cybercrime cases effectively.
The Digital Personal Data Protection Act, 2023 (DPDPA)
The legal landscape is no longer dominated solely by the IT Act; a multi-layered regulatory ecosystem has also emerged. The DPDPA, a landmark legislation, is India’s first full-fledged data protection law. It moves beyond the compensatory mechanism of Sec. 43A of the IT Act, 2008 to establish a comprehensive data protection regime.
It is built on principles of lawful processing, purpose limitation, data minimization, and storage limitation. It imposes stringent obligations on Data Fiduciaries (entities processing data), including mandatory breach notifications to both the Data Protection Board (DPB) and data principals (individuals) in the event of a breach. The efficacy of the DPDPA hinges entirely on the newly constituted Data Protection Board of India. The DPB’s ability to act as a robust, independent, technically sound, and swift adjudicatory body will be the true test of this law. Its powers to investigate, impose significant penalties (up to ₹250 crore per breach) and direct remedial measures must be backed by adequate resources and expertise.
Sector-Specific Regulations
Recognizing that a one-size-fits-all approach is ineffective, various sectoral regulators have formulated their own cybersecurity directives. These regulations create a layered defense but also risk creating a complex web of compliance requirements for organizations operating across sectors.
– RBI (Reserve Bank of India): The RBI has been a pioneer with its master directions on cybersecurity for banks, mandating the creation of a cybersecurity policy, appointment of a CISO (Chief Information Security Officer) and strict incident reporting timelines.
– SEBI (Securities and Exchange Board of India): SEBI’s cybersecurity framework for stock exchanges, brokers, and depositors mandates governance, audit trails and business continuity plans.
– IRDAI (Insurance Regulatory and Development Authority of India): It has issued guidelines on information and cybersecurity for insurers.
The Role of CERT-In Directions
Under Section 70B of the IT Act, CERT-In has issued directions that have a direct bearing on enforcement. The 2022 directions mandate:
– Reporting of cybersecurity incidents within 6 hours of noticing them.
– Maintenance of ICT system logs for 180 days.
– Synchronization of all ICT systems with Network Time Protocol (NTP).
– KYC norms for VPN providers.
These directions enhance visibility for national security agencies but place a significant compliance burden on entities. The enforcement of these mandates, including penalties for non-compliance, is a critical, yet developing, area.
The Judicial Interpretation
– Shreya Singhal vs. Union of India (2017) AIR 2015 SC 1523 (per Justice R.F. Nariman): The Supreme Court, in a landmark verdict, struck down Section 66A of the IT Act for being “vague and overbroad,” a tool that violated the freedom of speech. This case underscored the need for precision in cyber laws to prevent their misuse against citizens.
– Justice K.S. Puttaswamy (Retd.) vs. Union of India (2017) 10 SCC 1 (per Justice A.K. Sikri): The nine-judge bench’s unanimous ruling that the Right to Privacy is a fundamental right under Article 21 of the Constitution is the bedrock of all modern data protection jurisprudence in India, including the DPDPA. It forced a re-evaluation of the state’s data collection and surveillance practices.
– Ravi Srinivasan vs. State (2012) (per Chief Judicial Magistrate G. Vijayakumari): A case where the interpretation of Section 66A (prior to its striking down) was contested, highlighting the early challenges of applying broad cyber law provisions to specific instances like a tweet.
The judiciary has played a vital role in interpreting the IT Act, often expanding its scope and emphasizing the right to privacy. These cases demonstrate the courts’ evolving understanding of technology and its intersection with fundamental rights, which constantly shapes the enforcement environment of these laws.
The Enforcement Deficit
- Lack of expertise in law enforcement
The first point of contact for a cybercrime victim is the local police station. However, most police officers lack the technical training to handle digital evidence, which is volatile and requires specialized forensic tools for extraction and preservation. While Cyber Crime Police Stations exist in major cities, they are overburdened and under-resourced. The complex, cross-jurisdictional nature of cybercrimes (where the victim, businessmen and servers may be in different states or countries) further complicates investigation and coordination.
- Incognizance
Similar to the police, the judiciary often lacks technical specialization. Cases involving complex cryptographic principles, network architectures, foreign digital bugs or dark web transactions can be challenging to adjudicate without expert assistance. This leads to prolonged trials and low conviction rates, undermining the deterrent effect of the laws.
- Coordination Among Agencies
Multiple agencies are involved in cybersecurity, such as CERT-In (Indian Computer Emergency Response Team), MeitY (Ministry of Information and Technology), MHA (Ministry of Home Affairs), state police forces and sectoral regulators, but a seamless and real-time coordination mechanism is often missing. Information sharing between private entities whose rights were breached and government agencies can also be hesitant due to fears of reputational damage and regulatory action.
- Inadequate Penalties
While the DPDPA introduces substantial financial penalties, the penalties under the IT Act’s core cybercrime sections (e.g., Sec. 66 of the IT Act, 2008) remain relatively low. For a large corporation, a fine of a few lakhs is a mere cost of business, not a deterrent. The law needs to evolve to ensure that penalties are not just proportionate but also truly dissuasive.
- Public Awareness and Reporting
A vast majority of cybercrimes, especially individual frauds and data breaches, go unreported because citizens are either unaware of the reporting mechanisms (like the National Cyber Crime Reporting Portal) or lack faith in the system’s ability to deliver justice. This creates a dark figure of crime, allowing perpetrators to operate with impunity.
The Path Forward
- Investing in Human Capital
– Specialized training: mandate continuous cybersecurity training programs for police officers, public prosecutors and judicial officers at all levels. This includes creating a dedicated cadre of “cyber magistrates” and “cyber prosecutors.”
– Centralized investigation units should be strengthened, and the National Cyber Crime Coordination Unit (NCCC) has to provide real-time support and coordination to state forces for complex and pan-India investigations.
- Leveraging Technology for Enforcement
– Artificial intelligence and automation should be deployed to monitor the cybercrime reporting portal, identify patterns and link related cases automatically. This can help prioritize investigations and identify serial offenders.
– Accredited digital forensics laboratories should be established in every state to ensure the integrity of evidence, which is crucial for securing convictions.
- Empowering the Data Protection Board
The Data Protection Board must be constituted with members possessing expertise in technology, law and data governance. It needs to be an agile body that can conduct swift investigations, hold transparent hearings and pass orders that set strong precedents. Its success will be a bellwether for India’s entire data enforcement regime.
- Public Private Partnership (PPP)
Fostering a collaborative environment where private companies can share threat intelligence with government agencies without fear of immediate liability is crucial. Initiatives like the Cyber Swachhta Kendra are a step in this direction, but more structured forums for collaboration are needed.
- Continuous Legislative Review
Cyber threats are dynamic and vast in nature, so the legal framework cannot be static. To tackle this, a permanent body along the lines of a law commission, staffed with technical experts, should be tasked with continuously reviewing the adequacy of cyber laws and recommending amendments to keep them relevant.
- Mass Awareness Campaigns
Empowering the citizen is the first line of defence. Nationwide campaigns on cyber hygiene, recognizing phishing attempts and reporting crimes are essential to reduce the success rate of common cyber frauds.
Conclusion
India’s journey from the IT Act of 2000 through the IT (Amendment) Act of 2008 to the DPDPA of 2023 shows a deeper understanding of the complexities of the digital world. The laws have certainly become more refined, but a law is only as strong as its enforcement. The issue now is not a lack of laws but the ability to enforce them. Weaknesses in police resources, judicial knowledge, and cooperation among agencies create real vulnerabilities in our national cyber defense. Closing this gap in enforcement needs a focused investment in people, processes and technology. It requires a cultural change within our institutions to prioritize cyber awareness and proactive responses.
As India aims to be a global digital leader, the strength of its digital economy will depend significantly on the trust of its users, both citizens and businesses. This trust is built and maintained by showing that the digital world is not a lawless area but a place where rights are safeguarded, crimes are punished and justice is served. Therefore, improving enforcement is not just a legal or technical need; it is crucial for ensuring India’s digital future.