Last updated: April 29, 2026
A Hyderabad fintech CTO discovered an employee was running a parallel side-business using customer data. He confronted the employee, terminated employment, and considered the matter closed. Six months later, the company faced a Section 72A IT Act prosecution because they hadn’t reported the breach to CERT-In and hadn’t notified the affected customers. The technical incident was real; the legal failure was worse. This module covers Indian cybersecurity law for practitioners.
The legal stack
Cybersecurity in India is governed by overlapping statutes:
- Information Technology Act 2000 (amended 2008) — primary statute for cyber offences and electronic records
- Indian Penal Code (IPC) — traditional criminal offences extended to digital context
- Bharatiya Nyaya Sanhita (BNS) 2023 — replaces IPC; some IT-relevant provisions
- Digital Personal Data Protection Act 2023 — privacy / data protection
- SPDI Rules 2011 (under §43A) — sensitive personal data, transitional
- CERT-In Direction 28 April 2022 — incident reporting obligations
- Sectoral regulators — RBI, SEBI, IRDAI, NPCI cyber guidelines