For expert legal guidance on navigating these complex regulations, you can rely on ASV Legal. If your business faces a cyber incident, consulting a criminal lawyer is critical for ensuring procedural compliance and protecting your legal position. Many businesses in the Delhi NCR region seek the support of a criminal law firm in Delhi to manage the legal consequences of cyber incidents and regulatory investigations.
This guide provides a comprehensive overview of India's cybercrime legal framework and the critical compliance obligations for businesses.
The Core Legal Framework for Cybercrime in India
The Information Technology (IT) Act, 2000
The primary legislation addressing cybercrime and e-commerce in India is the IT Act. It provides legal recognition for electronic transactions and prescribes penalties for various cyber offenses. Key sections affecting businesses include:
- Section 43: Penalizes unauthorized access to computer systems, networks, and data.
- Section 66: Covers hacking and related computer offenses committed dishonestly or fraudulently, carrying imprisonment of up to three years, a fine of up to ₹5 lakh, or both.
- Sections 66C and 66D: Penalize identity theft and cheating by personation using a computer resource, each carrying imprisonment of up to three years and a fine of up to ₹1 lakh.
- Section 67: Criminalizes publishing or transmitting obscene material in electronic form, with imprisonment of up to three years and a fine of up to ₹5 lakh on a first conviction, rising to five years and ₹10 lakh on a subsequent conviction.
- Sections 72 and 72A: Section 72 penalizes breach of confidentiality and privacy by anyone who obtained access to records under powers conferred by the Act; Section 72A covers service providers, intermediaries and their staff who disclose personal information obtained under a lawful contract without the consent of the person concerned, with intent to cause, or knowing they are likely to cause, wrongful loss or gain.
The IT Act is supported by the general criminal law, historically the Indian Penal Code (IPC), which contains overlapping provisions for offenses like cheating (Section 420), forgery for the purpose of cheating (Section 468), and criminal intimidation (Section 506) when perpetrated in digital spaces. Since 1 July 2024 the IPC has been replaced by the Bharatiya Nyaya Sanhita, 2023, which carries forward the corresponding offenses under new section numbers. There is an active debate and legal complexity regarding whether digital property falls under the definition of "movable property" in the general criminal law, leading to an "uneasy co-existence" of provisions.
The Digital Personal Data Protection (DPDP) Act, 2023
This legislation strengthens India's data protection framework by giving data principals rights over their personal data, requiring consent (or a recognized legitimate use) for processing, and placing significant obligations on data fiduciaries. The Data Protection Board can impose penalties of up to ₹250 crore per instance, the highest tier being for failure to take reasonable security safeguards to prevent a personal data breach. Fiduciaries must also notify the Board and affected data principals of a breach.
The Companies Act, 2013
This act holds directors and officers accountable for a company's compliance and risk governance, which in practice includes its cybersecurity posture. Section 447 punishes fraud, including fraud that harms company assets, while the directors' duties under Section 166 and the directors' responsibility statement on internal controls under Section 134 bring board oversight of risk, including cyber risk, within the directors' personal accountability. A demonstrable failure to implement adequate cybersecurity measures can therefore expose directors, not just the company.
The Critical Compliance Obligations for Every Business
Mandatory Cyber Incident Reporting (The 6-Hour Rule)
Under the CERT-In Directions of 28 April 2022 (issued under Section 70B of the IT Act), organizations are required to report a wide range of cyber incidents, including data breaches, ransomware attacks, and unauthorized access, within six hours of noticing them or being notified of them. This is not optional: non-compliance with a CERT-In direction is punishable under Section 70B(7) with imprisonment of up to one year, a fine of up to ₹1 lakh, or both, in addition to the regulatory scrutiny that follows. The six-hour clock starts when the organization becomes aware of the incident, not when the investigation concludes, so the initial report will usually be provisional and supplemented later.
Mandatory Cybersecurity Audits and Documentation
CERT-In's recent audit policy guidelines call for annual third-party cybersecurity audits, performed by CERT-In-empanelled auditors and aligned with recognized standards such as ISO/IEC 27001, across public and private sector organizations. These audits are not merely compliance checkboxes; they must drive operational accountability and provide board-level visibility into security risks.
Furthermore, organizations must maintain a detailed inventory of their digital assets. This has expanded beyond software to include a comprehensive "Bill of Materials" (BOM) covering software (SBOM), cryptographic components (CBOM), hardware (HBOM), and even AI models (AIBOM).
Data Log Retention and Infrastructure
Under the same 2022 Directions, businesses are required to retain their ICT system logs for a rolling period of 180 days within Indian jurisdiction and to produce them to CERT-In on request or when reporting an incident. Logs should be stored securely and protected against tampering so that they can support an investigation. Organizations must also synchronize their ICT system clocks with the NTP servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to them, so that timestamps across systems can be correlated.
Special Regulations for MSMEs and Specific Sectors
CERT-In has also issued "15 Elemental Cyber Defense Controls" specifically for Micro, Small and Medium Enterprises (MSMEs). This framework sets out baseline security measures, including asset management, access control, and regular vulnerability audits, to help smaller firms safeguard their digital infrastructure.
Sector-specific regulators like RBI, SEBI, and IRDAI have also introduced their own cybersecurity measures. For instance, SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) requires regulated entities to maintain software and hardware bills of materials (SBOMs/HBOMs) for critical systems and to adhere to strict vulnerability assessment and penetration testing (VAPT) timelines.
Key Challenges in Enforcing Cybercrime Laws
Despite a robust legal framework, enforcing cybercrime laws in India faces significant hurdles:
- Rapidly Evolving Technology: The pace of technological change makes it challenging for legislation to keep up with threats like AI-driven fraud and deepfakes.
- Cross-Border Jurisdiction: Cybercrime often transcends national borders, creating enforcement complexities due to differing international laws and regulations.
- Resource and Expertise Gaps: Many law enforcement agencies lack the advanced training and technical resources for digital forensics and cyber investigations.
- Balancing Privacy and Security: Cyber investigations often necessitate digital tracking and surveillance, raising concerns about data privacy and civil liberties.
- Legislative Gaps: There are still ambiguities distinguishing civil from criminal wrongs and a lack of amendments addressing new technologies like AI, IoT, and blockchain.
Steps to Protect Your Business and Ensure Compliance
To mitigate legal and financial risks, businesses should take proactive steps:
- Conduct Regular Cybersecurity Audits: Engage CERT-In empanelled auditors to identify vulnerabilities and ensure compliance with ISO standards.
- Update Vendor Contracts: Ensure all IT vendors agree to data protection standards and include liability clauses for breaches.
- Encrypt Sensitive Data and Implement Access Controls: Use strong encryption for data at rest and in transit, and restrict employee access based on a "need-to-know" basis.
- Maintain Incident Response and Business Continuity Plans: Have a clear, tested plan for responding to a cyber incident, including a protocol for meeting the 6-hour reporting requirement to CERT-In and the breach notifications to the Data Protection Board and affected data principals required under the DPDP Act (the draft DPDP Rules propose a detailed report within 72 hours, once the Rules take effect).
- Obtain Cyber Insurance: Cyber insurance helps cover the costs associated with data breaches, legal claims, and recovery efforts.
Conclusion
Cybercrime is a business-critical legal issue. The legal and regulatory obligations are not just about preventing attacks but about ensuring operational resilience and corporate accountability within the criminal justice framework. As the criminal law landscape surrounding cybersecurity evolves, non-compliance is not an option. By adopting a proactive stance on cybersecurity and ensuring a clear understanding of the legal obligations, businesses can protect their assets, reputation, and future in the digital age.