Cybersecurity Regulations in India as of 2024

As India's digital landscape continues to expand rapidly, the need for robust cybersecurity measures across sectors has become increasingly important. Industries such as finance, healthcare, telecommunications and critical infrastructure have specific cybersecurity requirements governed by sector-specific regulations. The Information Technology (IT) Act, 2000 is the primary legislation dealing with cybersecurity, data protection and cybercrime. It grants statutory recognition and protection to electronic transactions and communications, aims to safeguard electronic data, information and records and to prevent unauthorised or unlawful use of computer systems, and identifies activities such as hacking, data theft, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft as punishable offences.

Apart from the IT Act, 2000, there are sectoral regulations in the form of guidelines, rules and similar instruments. These regulations aim to protect sensitive data, ensure the integrity of digital transactions, and safeguard national security interests. Here is an overview of the key sectoral cybersecurity regulations and laws in India as of 2024.

1. Banking, Financial and Insurance Sector

The banking and financial sector is one of the most heavily regulated in terms of cybersecurity due to the sensitivity of financial data and the potential economic impact of cyber attacks. The Reserve Bank of India (RBI), India's central banking authority, has issued several guidelines and frameworks to enhance the cybersecurity posture of banks, financial institutions, and payment service providers.

- RBI Cyber Security Framework for Banks (2016): This framework mandates all scheduled commercial banks to have a comprehensive cyber security policy approved by their boards. The policy must cover areas such as network security, access controls, incident response, data loss prevention, and regular cybersecurity audits. Banks are also required to report cybersecurity incidents to the RBI within a stipulated timeframe. The Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023) further establishes governance, risk and control (GRC) requirements for banks.

- RBI Guidelines on Digital Payments Security Controls (2021): These guidelines focus on enhancing security for digital payment transactions. They mandate multi-factor authentication, encryption of sensitive data, and regular vulnerability assessments to protect digital payment systems.

- Data Localization Requirements (2018): The RBI has mandated that all payment data related to transactions made within India be stored locally, to ensure greater control and security over payment information. This regulation applies to payment gateways, payment aggregators, and other digital payment service providers.

- IRDAI Guidelines on Information and Cyber Security (2023): All insurers, including FRBs, and insurance intermediaries covering brokers, corporate agents, web aggregators, TPAs, IMFs, insurance repositories, ISNPs, corporate surveyors, MISPs, CSCs and the Insurance Information Bureau of India (IIB) shall adhere to these Guidelines.


2. Healthcare Sector

With the growing digitization of healthcare services and the proliferation of electronic health records (EHRs), the healthcare sector faces unique cybersecurity challenges. The Ministry of Health and Family Welfare (MoHFW) and the National Health Authority (NHA) have developed guidelines to protect sensitive patient data and ensure the security of digital health services.

- Digital Information Security in Healthcare Act (DISHA): Though still in the draft stage, DISHA aims to provide a comprehensive framework for data protection in the healthcare sector. It proposes stringent guidelines for the collection, storage, and sharing of health data and prescribes penalties for data breaches.

- Telemedicine Practice Guidelines (2020): Issued by the MoHFW, these guidelines include provisions for ensuring data security and patient privacy in telemedicine services. Healthcare providers are required to use secure communication channels and encryption for transmitting patient information.

- Ayushman Bharat Digital Mission (ABDM) Guidelines: The ABDM provides a regulatory framework for digital health data management, interoperability, and security. It emphasizes the use of secure, standardized protocols for data exchange and mandates that all health data be stored securely.


3. Telecommunications Sector

The telecommunications sector is critical to national security and economic stability. The Department of Telecommunications (DoT) and the Telecom Regulatory Authority of India (TRAI) have issued several regulations and guidelines to safeguard telecom networks from cyber threats.

- National Cyber Security Policy (2013): Though this policy is overarching, it outlines specific provisions for securing telecom infrastructure. It mandates telecom service providers (TSPs) to adopt stringent security measures, including periodic audits, data localization, and the use of indigenous security equipment.

- Telecom Security Requirements (2021): The DoT has mandated TSPs to implement robust cybersecurity frameworks to protect against threats such as hacking, malware, and denial-of-service attacks. TSPs are also required to maintain logs of all transactions for a period of two years and provide them to the government on request.

- Mandatory Testing and Certification of Telecom Equipment (MTCTE) (2019): This regulation requires that all telecom equipment used in India undergo mandatory testing and certification for security compliance by designated agencies before deployment.

- Telecommunications (Telecom Cyber Security) Rules, 2024: These rules aim to bolster the cybersecurity of telecommunication networks and services, establishing comprehensive guidelines for data collection, security measures, and incident reporting.


4. Critical Infrastructure Protection

Critical information infrastructure (CII), such as power grids, defense systems, and transportation networks, is vital to national security. The National Critical Information Infrastructure Protection Centre (NCIIPC), under the National Technical Research Organisation (NTRO), is the nodal agency for the protection of CII in India.

- Information Technology Act, 2000 - Section 70: This section of the IT Act designates certain computer resources as protected systems, making unauthorized access a punishable offense. The NCIIPC identifies and protects CII and issues guidelines and advisories to ensure the security of these critical systems.

- National Cyber Security Policy (Draft 2021): The draft policy emphasizes a coordinated approach to securing CII. It mandates the adoption of best practices, regular vulnerability assessments, and collaboration with global cybersecurity agencies.

- Sector-Specific Guidelines: Different ministries, such as the Ministry of Power, Ministry of Civil Aviation, and Ministry of Railways, have issued sector-specific guidelines to protect their respective infrastructures from cyber threats. These guidelines focus on network security, incident response, and capacity building.


5. E-Governance and Digital Services

As the government increasingly moves towards digital governance, ensuring the security of digital services and platforms has become paramount. The Ministry of Electronics and Information Technology (MeitY) has developed several frameworks to secure government networks and digital services.

- Guidelines for Indian Government Websites (GIGW): These guidelines, issued by MeitY, provide a security framework for all government websites and applications. They mandate the use of secure coding practices, regular security audits, and the deployment of security patches.

- CERT-In Guidelines: The Indian Computer Emergency Response Team (CERT-In) has released guidelines on information security practices. These guidelines, issued under the powers conferred by clause (e) of sub-section (4) of section 70B of the Information Technology Act, 2000 (21 of 2000), apply to all Ministries, Departments, Secretariats, and Offices specified in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, along with their attached and subordinate offices. They also cover all government institutions, public sector enterprises, and other government agencies under their administrative purview.


6. Data Protection and Privacy Regulations

Digital Personal Data Protection Act, 2023: The primary purpose of the Act is to regulate the processing of digital personal data and to respect individuals' right to protect their data, while recognising the necessity of processing and using such data for lawful purposes.


7. The Securities and Exchange Board of India

SEBI has issued the Cybersecurity and Cyber Resilience Framework (CSCRF, 2024) for the various entities it regulates (Regulated Entities, or REs). The CSCRF is a standards-based framework and broadly covers the five cyber resiliency goals, viz. Anticipate, Withstand, Contain, Recover and Evolve, which are adopted from the CERT-In Cyber Crisis Management Plan (CCMP) for countering cyber attacks and cyber terrorism. Under this framework, REs are graded into five categories based on various parameters: Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs and Self-certification REs.

The National Cyber Security Reference Framework (NCRF) 2023 has been approved and will be placed in the public domain. It is a document that provides guidelines for organisations and regulators to help build strong cybersecurity systems. It was shared with companies and government departments for consultation in May 2023 but is not yet public; the NCRF is expected to be released after a final check to ensure that no confidential information is included. The NCRF supersedes the 2013 National Cyber Security Policy and was developed in response to the new threats and cyber organisations that have emerged since then.

The Digital India Act (DIA): Its skeleton will keep the legal framework and principles intact, and the core constituents of the DIA will be online safety, trust and accountability, an open internet, and the regulation of new-age technologies such as artificial intelligence and blockchain. Apart from the IT Act, 2000, this new framework will additionally comprise the Digital Personal Data Protection Act, the Digital India Act Rules, the National Data Governance Policy, and IPC amendments for cyber crimes. The DIA will include the Digital India Goals of 2026, namely a $1 trillion digital economy.

The Indian Penal Code, 1860 ("IPC") has been renamed and amended as the Bharatiya Nyaya Sanhita, 2023 ("BNS"), the Code of Criminal Procedure, 1973 ("CrPC") as the Bharatiya Nagarik Suraksha Sanhita, 2023 ("BNSS"), and the Indian Evidence Act ("IE") as the Bharatiya Sakshya Bill, 2023 ("BSB"). These traditional laws also contain many sections that affect India's cybersecurity legal framework.

Conclusion

India's sectoral cybersecurity regulations are continually evolving to address the unique challenges faced by different industries. These regulations aim to protect sensitive data, ensure secure digital transactions, and safeguard critical infrastructure from emerging cyber threats. As the digital ecosystem grows, regulatory bodies will need to adapt and strengthen these frameworks to maintain the resilience of India's cybersecurity posture in the face of new and sophisticated cyber risks.

Advocate (Dr.) Prashant Mali is an International Cybersecurity Lawyer, Thought Leader, and Speaker who can be reached at +919821763157 or [email protected]

Krishnamurthy G B

Project Manager

2 months

Adv (Dr.) Prashant Mali [MSc(Comp Sci), LLM, Ph.D.] @thekiranbedi Narendra Modi ISRO ISRO - Indian Space Research Organisation My FIR. #myfir 1. If the IT Act 2000 does not cross-reference other acts with scope, it will not be comprehensive. 2. If the DPDA does not cross-reference other acts with scope, it will not be comprehensive. 3. Some critical lapses (including terms, definitions, and their relevance) are not even referenced in the acts, making them non-comprehensive.

Amit K.

A Working Professional

2 months

Very knowledgeable and helpful

Advocate SUNIL MAROTI TAYADE

Cyber Advocate - at District and Session Court, MALKAPUR and JMFC & CJJD Court, MALKAPUR. BULDANA. M.S. INDIA-443101

2 months

They say we are ready for the future. But an important question arises: will it be possible for them to face the future while ignoring the Cybersecurity Regulations in India 2024?

Kavitha Karunakaran

Director | Cybersecurity Engineering | Comcast, India

2 months

Very informative!
