IT Act 2000 + IT Rules · Foundational · Updated 2026

The complete guide to the Information Technology Act 2000

India's foundational cyber law — the sections that actually fire, the rules that sit beneath it, the 2008 amendments that built modern cybercrime jurisprudence, and how it now interacts with DPDP and the CERT-In Direction.

At a glance: §43A compensation · §70B CERT-In · §79 safe harbor · 2008 major amendment

01 What the IT Act is

The Information Technology Act 2000 (Act 21 of 2000, in force from 17 October 2000) is India's foundational cyber law. It was enacted to give legal recognition to electronic records and digital signatures, to enable e-commerce and e-governance, to define computer-related offenses, and to set obligations on intermediaries that handle electronic data.

In structure, the Act has 13 chapters and 90+ sections, and is the parent statute under which every major Indian rule on data security, intermediary conduct, content moderation and incident reporting is framed. The most important rule sets sitting under it are:

  • Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 (the "SPDI Rules") — framed under §43A.
  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the "IT Rules 2021") — framed under §79 and §87.
  • CERT-In Direction dated 28 April 2022 — framed under §70B(6).
  • Blocking Rules 2009 — framed under §69A.
  • Interception, Monitoring and Decryption Rules 2009 — framed under §69.
Bottom line: the IT Act itself is short on operational detail. Most of what a CTO complies with day-to-day lives in the rules, directions and clarifications issued under it. Read the Act for the framework, read the rules for the obligations.

02 The 2008 amendment

The Information Technology (Amendment) Act 2008 (in force from 27 October 2009) is the single most consequential change to Indian cyber law. It transformed a thin e-commerce statute into a working cybercrime and data-protection regime. Key insertions:

  • §43A — compensation for a body corporate's failure to protect "sensitive personal data or information" via "reasonable security practices".
  • §66 series — expanded computer-related offenses: identity theft (66C), cheating by personation (66D), violation of privacy (66E), cyber terrorism (66F).
  • §66A — the controversial offensive-messages provision, struck down in entirety by the Supreme Court in Shreya Singhal v Union of India (2015) for vagueness and over-breadth.
  • §67 series — publishing/transmitting obscene, sexually explicit or child sexual abuse material.
  • §69, §69A, §69B — interception/monitoring/decryption, content blocking, and traffic monitoring powers.
  • §70A — National Critical Information Infrastructure Protection Centre (NCIIPC).
  • §70B — Indian Computer Emergency Response Team (CERT-In) and its statutory powers.
  • §79 rewritten — the modern intermediary safe-harbor in its current form.
  • §84A — Central Government's power to prescribe modes/methods of encryption.

03 Key sections every CTO must know

Section | What it covers
§43 | Civil liability for unauthorised access, copying or extracting data, denial of service, introducing a virus or contaminant, and similar acts. Compensation is payable to the person affected with no statutory cap; claims up to 5 crore go to the adjudicating officer under §46, larger claims to the civil court.
§43A | Compensation for a body corporate's negligent failure to maintain reasonable security practices over SPDI. No cap on damages.
§65 | Tampering with computer source documents. Up to 3 years imprisonment, or fine up to 2 lakh, or both.
§66 | Any act listed in §43 done dishonestly or fraudulently, as a criminal offense. Up to 3 years imprisonment, or fine up to 5 lakh, or both.
§66B | Dishonestly receiving a stolen computer resource or communication device.
§66C | Identity theft: fraudulent or dishonest use of another person's electronic signature, password or other unique identification feature.
§66D | Cheating by personation using a computer resource. The workhorse section for online fraud cases.
§66E | Violation of privacy: capturing, publishing or transmitting an image of a person's private area without consent.
§66F | Cyber terrorism. Up to imprisonment for life.
§67 / 67A / 67B | Obscene material, sexually explicit material, and child sexual abuse material respectively.
§69 | Interception, monitoring and decryption of information generated, transmitted, received or stored in any computer resource.
§69A | Blocking public access to information. The statutory basis for content takedown orders.
§69B | Monitoring and collecting traffic data for cyber security.
§70 | Protected systems, declared by the appropriate (Central or State) Government. Unauthorised access carries up to 10 years imprisonment and fine.
§70A | National Critical Information Infrastructure Protection Centre (NCIIPC).
§70B | Indian Computer Emergency Response Team (CERT-In), the statutory national agency for incident response.
§79 | Intermediary safe harbor: exemption from liability for third-party content, subject to due diligence and to takedown on actual knowledge.
§84A | Central Government power to prescribe modes and methods of encryption.

04 §43A and the Reasonable Security Practices Rules 2011

§43A imposes civil compensation on a body corporate that possesses, deals with or handles sensitive personal data or information in a computer resource and is negligent in implementing and maintaining reasonable security practices, causing wrongful loss or wrongful gain to any person. The SPDI Rules 2011 operationalise the section by defining:

  • Sensitive personal data or information (SPDI) — passwords; financial information (bank account, credit/debit card, payment details); physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; any detail relating to the above received for processing.
  • Reasonable security practices — either a documented security programme commensurate with the information assets being protected, or compliance with a recognised standard. ISO/IEC 27001 is the standard expressly named; codes of best practice approved and notified by the Central Government are also accepted.
  • Consent, privacy policy, grievance officer — SPDI collection requires written consent, a published privacy policy, and a designated grievance officer who must respond within one month.
Interaction with DPDP: §44(3) of the Digital Personal Data Protection Act 2023 omits §43A from the IT Act, with effect from the date that provision is brought into force. Until then, §43A remains the route for compensation claims over SPDI, and claims that accrued before the omission survive it. Note what is lost once it goes: SPDI is by definition personal data, so nothing of §43A is left over for "non-personal" information, and DPDP itself contains no private right to compensation. Its remedy is a monetary penalty imposed by the Data Protection Board under §33; a data principal seeking damages is left to the general law of tort or contract. See our DPDP Act guide for the new regime.

05 §69 interception, §69A blocking, §69B monitoring

These three sections carry the Government's lawful interception, blocking and traffic-monitoring powers. §69 is available to the Central Government or a State Government; §69A and §69B are Central Government powers only. They are also the most-litigated provisions of the Act.

  • §69 — allows interception, monitoring or decryption of any information generated, transmitted, received or stored in any computer resource, subject to the Interception, Monitoring and Decryption Rules 2009. The grounds are the sovereignty and integrity of India, defence, security of the State, friendly relations with foreign States, public order, preventing incitement to a cognisable offence, and investigation of any offence. Subscribers, intermediaries and persons in charge of a computer resource must extend technical assistance when called upon; refusal is punishable under §69(4) with up to 7 years imprisonment and fine.
  • §69A — allows blocking of public access to any information on the same grounds. The Blocking Rules 2009 prescribe the procedure, including a designated officer and a review committee. Upheld by the Supreme Court in Shreya Singhal (2015) on the strength of those procedural safeguards. Non-compliance by an intermediary is punishable under §69A(3) with up to 7 years imprisonment and fine.
  • §69B — allows the Central Government to authorise an agency to monitor and collect traffic data for cyber security purposes; intermediaries must provide the technical assistance the agency requires, and failure carries up to 3 years imprisonment and fine under §69B(4).

Operationally, this means an intermediary in India must have a documented process to receive, authenticate and action orders under these sections, including the nodal officers it is required to designate under the 2009 Interception Rules and Blocking Rules. An SSMI additionally needs the 24x7 Nodal Contact Person required by the IT Rules 2021.

06 §70B and the April 2022 Direction

§70B establishes CERT-In as the national agency for cyber security incident response. Under §70B(6), CERT-In can issue directions binding on service providers, intermediaries, data centres and body corporates. The most consequential exercise of this power is the Direction No. 20(3)/2022-CERT-In dated 28 April 2022, in force from 27 June 2022, which mandates:

  • Mandatory reporting of 20 categories of incidents to CERT-In within 6 hours of noticing.
  • NTP synchronisation to NIC or NPL servers.
  • 180-day log retention within India.
  • KYC and 5-year transaction log retention for VPN providers, VPS providers, cloud service providers, data centres, and crypto-exchanges.

For the full operational checklist — the 20 incident categories, the reporting template, what happens if you miss the 6-hour window — see our CERT-In Direction guide.

07 §79 safe harbor

§79 exempts an "intermediary" (defined in §2(1)(w) to include ISPs, telecoms, search engines, online marketplaces, web-hosting providers, online payment sites and cyber cafes, among others) from liability for third-party information it hosts or makes available, provided that (§79(2)):

  • its function is limited to providing access to a communication system, or it does not initiate the transmission, select its receiver, or select or modify the information; and
  • it observes due diligence as prescribed by the Central Government (today, the IT Rules 2021) and any other guidelines issued under the section.

The exemption is then lost under §79(3) where the intermediary conspired, abetted or induced the unlawful act, or where, on receiving actual knowledge or on being notified by the appropriate Government or its agency, it fails to expeditiously remove or disable access to the material (without vitiating the evidence).
Shreya Singhal narrowing: the Supreme Court in 2015 read down "actual knowledge" in §79(3)(b) to mean a court order or a notification by the appropriate Government or its agency. A private complaint, by itself, does not trigger the takedown clock. This is the most-cited cyber-law judgment in India.

08 IT Rules 2011 (Reasonable Security Practices and SPDI)

The SPDI Rules 2011 are the operational layer under §43A. They cover:

  • Privacy policy — must be published on the website, must cover the type of information collected, purpose of use, disclosure practices, reasonable security practices and grievance redressal.
  • Consent — written consent (including electronic) before collecting SPDI; opt-out option; right to withdraw consent.
  • Purpose limitation — SPDI to be collected only for a lawful purpose connected with a function or activity of the body corporate, and only where it is considered necessary.
  • Disclosure — SPDI shall not be disclosed to a third party without prior permission, except where the disclosure is mandated by law.
  • Transfer — SPDI may be transferred outside India only to an entity that maintains the same level of data protection.
  • Reasonable security practices — ISO/IEC 27001 or another notified code of best practice; if challenged, the body corporate must be able to demonstrate documented and audited compliance.
  • Grievance officer — designated, contact details published, response within one month.

Once the DPDP regime is fully in force and §43A is omitted, the SPDI Rules lose their parent section and the DPDP Act and Rules become the operative framework for personal data. The SPDI Rules remain relevant for legacy litigation under §43A and as the documented baseline most Indian security programmes were built against; for new causes of action, work from DPDP.

09 IT Rules 2021 (Intermediary Guidelines and Digital Media Ethics Code)

The IT Rules 2021 (notified 25 February 2021) define due diligence under §79 and impose graded obligations on three categories of entity:

  • Social Media Intermediary (SMI) — any intermediary which primarily or solely enables online interaction between two or more users.
  • Significant Social Media Intermediary (SSMI) — an SMI with registered users in India above a notified threshold (currently 50 lakh).
  • Digital news publishers and OTT platforms — subject to Part III of the Rules and the Code of Ethics, supervised by the Ministry of Information and Broadcasting.

Core obligations across all intermediaries:

  • Published rules, privacy policy, user agreement — informing users of categories of content not to be hosted.
  • Grievance Officer — Indian resident, acknowledges within 24 hours, resolves within 15 days; complaints about non-consensual intimate imagery to be acted on within 24 hours.
  • Takedown timelines — 36 hours on court/government order; 24 hours for nudity/intimate imagery; expeditious removal otherwise.
  • Information to investigators — within 72 hours of receiving a lawful order.
  • Preservation — records of removed content for 180 days for investigation purposes; registration data for 180 days after cancellation/withdrawal.

Additional obligations on SSMIs:

  • Chief Compliance Officer (CCO) — Indian resident, personally liable.
  • Nodal Contact Person — Indian resident, available 24x7 for coordination with law enforcement.
  • Resident Grievance Officer — Indian resident, distinct role from the standard Grievance Officer.
  • Monthly compliance report — complaints received, action taken, content proactively removed.
  • Traceability — SSMIs providing messaging services must enable identification of the first originator of information when ordered by a competent court or under §69. Currently sub-judice in multiple High Courts.

10 The 2022 and 2023 amendments to IT Rules 2021

  • October 2022 amendment — introduced Grievance Appellate Committees (GACs) as an appellate forum against intermediary grievance decisions. Three GACs operational since 2023.
  • April 2023 amendment — introduced online gaming intermediary obligations, including a self-regulatory body (SRB) framework to certify "permissible online real-money games". No SRB was ever notified, and the framework has since been overtaken by the Promotion and Regulation of Online Gaming Act 2025, which prohibits online money games outright.
  • April 2023 fact-check unit clause — gave the Ministry of Electronics & IT power to notify a fact-check unit for Central Government business; struck down by the Bombay High Court in 2024 (Kunal Kamra v Union of India) on freedom-of-speech grounds.

11 Section 84A and encryption

§84A empowers the Central Government to prescribe modes or methods of encryption "for the secure use of the electronic medium and for promotion of e-governance and e-commerce". A draft National Encryption Policy was floated in September 2015 and withdrawn within two days after public backlash; no national encryption policy has been notified since.

Operationally, this means private-sector encryption is governed by sectoral norms (RBI's cyber security framework and Digital Payment Security Controls direction set the cipher and TLS baselines for BFSI; SEBI's CSCRF for capital-markets entities; the telecom licence conditions for telcos), and there is no horizontal mandate against end-to-end encryption. The traceability requirement in the IT Rules 2021 is the closest thing to an indirect encryption constraint, since identifying a first originator on an end-to-end encrypted service is hard to do without weakening the encryption.

12 Offenses and penalties

Section | Offense | Maximum penalty
§65 | Tampering with computer source documents | 3 years and/or fine up to 2 lakh
§66 | Computer-related offenses (acts under §43 done dishonestly or fraudulently) | 3 years and/or fine up to 5 lakh
§66B | Dishonestly receiving stolen computer resource or communication device | 3 years and/or fine up to 1 lakh
§66C | Identity theft | 3 years and fine up to 1 lakh
§66D | Cheating by personation using a computer resource | 3 years and fine up to 1 lakh
§66E | Violation of privacy | 3 years and/or fine up to 2 lakh
§66F | Cyber terrorism | Imprisonment for life
§67 | Publishing or transmitting obscene material in electronic form | 3 years and fine up to 5 lakh (first conviction); 5 years and fine up to 10 lakh (subsequent)
§67A | Sexually explicit material | 5 years and fine up to 10 lakh (first); 7 years and fine up to 10 lakh (subsequent)
§67B | Child sexual abuse material | 5 years and fine up to 10 lakh (first); 7 years and fine up to 10 lakh (subsequent)
§70(3) | Unauthorised access to a protected system | 10 years and fine
§72 | Breach of confidentiality and privacy by a person who obtained access under the Act | 2 years and/or fine up to 1 lakh
§72A | Disclosure of personal information in breach of a lawful contract | 3 years and/or fine up to 5 lakh
Note on §66A: the section was struck down in Shreya Singhal (2015) and no prosecution under it can stand. Because FIRs kept being registered anyway, the Supreme Court in PUCL v Union of India (2022) directed all States and police to register no further cases under §66A and to drop pending ones. If you see a fresh §66A FIR, it can be quashed on the strength of those orders alone.

13 The IT Act × DPDP × CERT-In × sectoral overlap

Practitioner cheat-sheet for which law fires when:

Scenario | Primary law | Also applies
Personal data breach affecting Indian data principals | DPDP Act 2023 | CERT-In Direction (6-hour reporting); sectoral regulator
Cyber security incident (intrusion, ransomware, etc.) | CERT-In Direction (§70B) | IT Act §43/§66; DPDP if personal data implicated
Intermediary content takedown | IT Act §79 + IT Rules 2021 | §69A blocking; court orders
Lawful interception request | IT Act §69 + Interception Rules 2009 | Telegraph Act for telecom; nodal officers under the 2009 Rules and IT Rules 2021
Online fraud / identity theft | IT Act §66C/§66D + BNS | RBI Master Direction on Customer Liability for BFSI
BFSI cyber incident | RBI Master Direction (2-6 hour reporting) | CERT-In (6 hours); IT Act; DPDP if personal data implicated
SPDI breach (legacy claim before §43A is omitted) | IT Act §43A + SPDI Rules 2011 | CERT-In Direction

For the broader compliance map — including SEBI CSCRF, NCIIPC obligations and DPDP — see our India compliance hub.

14 What's actually changing in 2026

The IT Act 2000 is showing its age. Three trajectories worth tracking:

  • Digital India Act (DIA). The Ministry of Electronics & IT has, since 2023, signalled intent to replace the IT Act with the Digital India Act. A consultation paper has circulated; full draft is expected in 2026. The DIA is likely to redefine "intermediary" by function (e-commerce, AI, search, gaming, social media each separately regulated), introduce algorithmic accountability, and modernise offenses.
  • DPDP Rules notification. The DPDP Act 2023 is in force but operational rules are being phased in. Once rules are fully notified, §43A is omitted from the IT Act and the SPDI Rules 2011 lose most of their relevance for personal data.
  • Continued litigation on IT Rules 2021. Traceability (in Madras and Delhi High Courts), online gaming SRB framework, and the residue of fact-check unit jurisprudence will continue to shape what is and is not enforceable.
If you remember nothing else: the IT Act is the parent statute, but the rules and directions under it are where day-to-day obligations live. Read the SPDI Rules for §43A duties, the IT Rules 2021 for intermediary obligations, the CERT-In Direction for incident reporting, and the Blocking Rules for content takedown procedure. The Act tells you the framework; the rules tell you what to ship.
Map your IT Act obligations

From scattered sections to a single compliance map

A 30-minute consultation. We map your business model to the IT Act, IT Rules 2011 and 2021, the CERT-In Direction, and the upcoming DPDP regime — so you know which obligations you actually carry and which you don't.