Government has strengthened the legal framework pertaining to network security and data protection
1. At a Glance
- Multi-pronged tightening of India's cyber and data-protection legal architecture: DPDP Act 2023, DPDP Rules 2025, CERT-In Directions 2022, NSD on Trusted Telecom Sources (2021), and Essential Requirements for CCTVs under MeitY [S1][S2][S5].
- Spans MeitY, DoT, MHA, CERT-In; converts ad-hoc cyber norms into statutory, enforceable obligations on intermediaries, data fiduciaries and hardware suppliers [S1][S3].
- UPSC relevance: GS-II (governance, statutory bodies), GS-III (internal security, cyber security, IT) — examiners frequently mix dates of DPDP/CERT-In directions/IT Act sections.
2. Why in the News
- 25 March 2026: PIB (MeitY) release consolidating 12 years of cyber-legal reforms; announces mandatory Essential Requirements for CCTV systems in the Indian market and bars government departments from procuring non-compliant CCTV equipment [S1].
- 13 November 2025: MeitY notified the DPDP Rules, 2025, operationalising the DPDP Act, 2023 in three phases (Nov 2025 → Nov 2026 → May 2027) [S2].
3. Background & Evolution
- 2000: Information Technology Act enacted; Sec 70B creates CERT-In [S3].
- 2008: IT Act amended post-26/11 — Sec 43A, 72A; Sec 69 interception powers.
- 2011: SPDI Rules under Sec 43A (first data-protection rules) [S5].
- 2017: Puttaswamy judgment — right to privacy a fundamental right (Art 21); triggered statutory data-protection drive.
- 2021: National Security Directive on Telecommunication Sector mandating Trusted Sources / Trusted Products for telecom equipment [S1].
- 28 April 2022: CERT-In Cyber Security Directions under IT Act Sec 70B(6) [S3].
- 11 August 2023: DPDP Act, 2023 (Act 22 of 2023) receives Presidential assent [S5].
- 13 November 2025: DPDP Rules, 2025 notified [S2].
- March 2026: Mandatory CCTV Essential Requirements notified [S1].
4. Core Static Facts
- Parent Ministry: Ministry of Electronics & Information Technology (MeitY) [S1].
- Nodal cyber agency: CERT-In (Indian Computer Emergency Response Team), under MeitY, statutory basis: Sec 70B, IT Act 2000 [S3][S6].
- Critical Information Infrastructure protection: NCIIPC under Sec 70A, IT Act (under NTRO).
- DPDP Act, 2023: Act No. 22 of 2023; assented 11 Aug 2023; creates Data Protection Board of India (DPBI) [S5].
- DPDP Rules, 2025: Notified 13 Nov 2025; Phase-1 immediate; Phase-2 (consent managers) Nov 2026; Phase-3 (substantive obligations) 13 May 2027 [S2].
- CERT-In Directions 28.04.2022: mandate reporting of cyber incidents within 6 hours; ICT clock sync to NIC/NPL; log retention 180 days; KYC for VPN/VPS/Cloud/Virtual asset providers [S3][S7].
- NSD on Trusted Sources (2021): Telecom operators must source equipment only from designated trusted vendors [S1].
- Audits: Over 9,700 CERT-In audits conducted in 2024-25 [S4].
5. Multi-Dimensional Analysis
Legal / Constitutional - Operationalises Art 21 privacy right per Puttaswamy (2017) via DPDP Act, 2023 [S5]. - CERT-In powers derive from Sec 70B(6), IT Act; non-compliance attracts up to 1 yr imprisonment / ₹1 lakh fine [S3]. - DPDP Act prescribes penalties up to ₹250 crore per instance for data fiduciaries [S5].
Strategic / Geopolitical - Trusted Sources directive effectively excludes equipment from adversarial-origin vendors (e.g., Huawei/ZTE) from Indian 5G networks [S1]. - CCTV Essential Requirements address hardware backdoor / supply-chain espionage risk [S1].
Administrative - Government-procurement lever: GeM / departmental purchases of CCTV restricted to compliant products [S1]. - Phased DPDP rollout (18 months for substantive compliance) gives industry transition window [S2].
Scientific / Technological - Mandates STQC-certified testing of CCTV under Essential Requirements; aligns with IT (Security) Order, 2017 for electronics [S1]. - CERT-In FAQs clarify obligations for VPN, cloud, virtual-asset intermediaries [S7].
Ethical / Governance - Tension between data-principal rights (consent, erasure) and state exemptions under Sec 17, DPDP Act. - Consent Manager institution introduces fiduciary intermediary (Phase 2, Nov 2026) [S2].
6. Recent Developments (last 12-18 months)
- 2024-25: 9,700+ CERT-In audits of critical sector entities [S4].
- 13 Nov 2025: DPDP Rules 2025 notified; DPBI to be constituted [S2].
- 25 Mar 2026: PIB statement on consolidated legal framework; mandatory CCTV Essential Requirements; procurement restriction on non-compliant CCTVs [S1].
7. Prelims Hooks
- DPDP Act, 2023 received Presidential assent on 11 August 2023 as Act 22 of 2023 [S5].
- DPDP Rules, 2025 notified on 13 November 2025 by MeitY [S2].
- Data Protection Board of India (DPBI) is the adjudicatory body under DPDP Act [S5].
- CERT-In established under Section 70B of IT Act, 2000 [S3].
- CERT-In Cyber Security Directions issued on 28 April 2022 [S3].
- Mandatory reporting window of cyber incidents to CERT-In: 6 hours [S3].
- Log retention period under CERT-In Directions: 180 days within India [S3].
- National Security Directive on Telecommunication Sector (Trusted Sources) — operationalised in 2021 [S1].
- Maximum penalty under DPDP Act: ₹250 crore per instance [S5].
- NCIIPC (not CERT-In) protects Critical Information Infrastructure under Sec 70A [S6].
- Essential Requirements for CCTV systems notified in March 2026; tested via STQC [S1].
- Phase-3 substantive DPDP obligations effective 13 May 2027 [S2].
- CERT-In extended MSME compliance deadline to 25 September 2022 [S3].
- Over 9,700 cyber-security audits by CERT-In in 2024-25 [S4].
8. Mains Relevance
- GS-III: "Basics of cyber security; role of media and social networking sites in internal security challenges."
- GS-II: "Government policies and interventions; statutory bodies."
- Question stems: 1. "The DPDP Act, 2023 marks a paradigm shift from the SPDI Rules regime but leaves wide state exemptions. Critically examine." 2. "Discuss how the CERT-In Directions, 2022 and the National Security Directive on Trusted Sources together constitute India's cyber-security perimeter." 3. "Hardware supply-chain risk is the new frontier of national security. Comment with reference to India's mandatory CCTV Essential Requirements."
9. Related Topics to Study Next
- Puttaswamy v. UoI (2017) — constitutional anchor for DPDP Act.
- NCIIPC & Critical Information Infrastructure — Sec 70A complement.
- National Cyber Security Policy, 2013 — predecessor framework.
- Indian Telegraph Act & Telecommunications Act, 2023 — interception powers + trusted sources.
- Bharat NCX / Cyber Surakshit Bharat — capacity-building schemes.
- Budapest Convention on Cybercrime — India's non-signatory stance.
- GDPR (EU) vs DPDP — comparative privacy regimes.
- I4C (Indian Cyber Crime Coordination Centre) — MHA's cybercrime arm.
10. Common Errors / Trap Areas
- CERT-In vs NCIIPC: CERT-In = general cyber incidents (MeitY); NCIIPC = Critical Information Infrastructure (NTRO/PMO) [S6].
- DPDP Act is 2023, but Rules were notified in 2025 — not the same year.
- CERT-In Directions are issued under Sec 70B(6), not Sec 69 (which is interception) [S3].
- DPBI ≠ "Data Protection Authority" (the 2019 Bill's body) — DPDP Act 2023 created DPBI instead [S5].
- Trusted Sources directive is from DoT (2021), not MeitY.
- CCTV Essential Requirements are under MeitY's IT (Security) framework — not BIS standards alone [S1].
11. Sources
- [S1] Government has strengthened the legal framework pertaining to network security and data protection — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2245073 — (tier 1)
- [S2] DPDP Rules, 2025 Notified — https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/nov/doc20251117695301.pdf — (tier 1)
- [S3] CERT-In issues directions relating to information security practices… (28.04.2022) — https://www.pib.gov.in/PressReleasePage.aspx?PRID=1820904 — (tier 1)
- [S4] Government Strengthens Cybersecurity Across Critical Sectors; Over 9,700 CERT-In Audits Conducted in 2024–25 — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2148943 — (tier 1)
- [S5] The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) — https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf — (tier 1)
- [S6] CERT-In: India's Frontline Defender against Cyber Threats — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2217537 — (tier 1)
- [S7] CERT-In releases FAQs on Cyber Security Directions of 28.04.2022 — https://www.pib.gov.in/PressReleasePage.aspx?PRID=1826388 — (tier 1)