9 Features of Information and Cyber Security Policy in India


Last Updated on February 7, 2024 by Kanakkupillai

As cyberspace has become an increasingly vital resource, formulating an effective policy is crucial. Here are a few features that could assist India’s policymakers in improving cybersecurity:

  1. Public-Private Partnership

Private sector technology, creativity and management skills can play an invaluable role in helping projects complete on schedule and within budget. Furthermore, private partners may provide alternative financing arrangements that reduce upfront costs and risks to taxpayers.

Public-private partnerships can play a vital role in improving cybersecurity strategies within critical infrastructure. Cyberattacks targeting such organisations demonstrate their need to take stringent security precautions.

As part of this strategy, incentives should be created for small- and medium-sized businesses (SMBs) to prioritise cybersecurity. Unfortunately, these businesses often fall behind in implementing measures due to limited resources and technical capacity, leaving them exposed. Policies offering preferential loan terms when they meet minimum security standards could help SMBs increase the adoption of security technologies while strengthening resilience against attacks.

  2. Privacy

As India digitises its economy, the nation must ensure that citizens trust financial transaction systems. Ransomware cases have increased worldwide, and data breaches cost businesses an average of $2 million, according to IBM’s 2022 Security Breach Report; new and better regulations have therefore never been more essential.

The government must ensure that its cybersecurity policies protect the privacy of its citizens, particularly regarding banking and financial data and security information. Otherwise, trust may erode within business transactions, and users could cease relying on online services altogether.

At this juncture, governments need to draw clear lines between what should be accessible and what should not, while ensuring that new policies do not undermine existing safeguards, such as those against interception of phone calls without authorisation. A firm policy can demonstrate to customers and regulators that companies value reasonable norms while respecting privacy rights and legal or regulatory solutions.

  3. Resilience

Resilience refers to a system’s capacity to withstand and recover from disturbances or disruptions and also encompasses individuals’ abilities to cope with stressful experiences and develop positive adaptations in response.

Resilience in cyber security refers to an organisation’s ability to recover quickly from cyberattacks and minimise economic losses. Still, today’s complex and dynamic cyber threats require continuous improvements to remain resilient.

Some definitions of resilience focus on inner resilience — the ability to cope with traumatic events using personal resources. However, research has recognised that its determinants vary widely across individuals, families, communities and cultures; moreover, it appears likely that different forms of resilience exist according to what type of trauma or stressor a person endures (e.g. PTSD vs. cancer) — so a holistic approach to building strength involves understanding these variations thoroughly.

  4. Cybersecurity Education

As the world moves toward an increasingly digital economy, it is becoming more essential that individuals have access to a comprehensive cyber security policy to ward off cyber attacks and protect our data.

Cybersecurity is a global concern requiring cooperation from governments and private businesses alike. This involves working together against hackers that target any organisation with potentially devastating economic ramifications.

The National Cybersecurity Policy will serve as a framework to address these concerns and increase the number of cybersecurity professionals in India by encouraging universities to offer courses and businesses to hire a Chief Information Security Officer to manage their cybersecurity.

India’s transition towards a digital society requires a comprehensive cybersecurity policy to instil people’s trust in the information and communication technology systems that oversee financial transactions.

  5. Law Enforcement

As India moves towards data localisation and enters the global IT market, a clear and comprehensive policy on information and cyber security must be established. At present, India’s response to cybersecurity incidents is dictated by both its Information Technology Act and Indian Penal Code provisions; these must be amended accordingly to protect personal data, whether stored on physical premises or stored online.

As individuals become more empowered by information, it is increasingly vital to distinguish between information that can move freely between systems and information that must be safeguarded, whether personal information, banking and financial details or security details that, should they fall into the wrong hands, could compromise national security. Timely coordination between government agencies and the private sector is therefore needed so that these threats can be averted quickly.

  6. Cyber Regulations Appellate Tribunal (CRAT)

India has established the Cyber Regulations Appellate Tribunal as part of its national cybersecurity policy to help safeguard information and critical infrastructure within its borders. As an independent body, CRAT hears appeals against orders issued by the Controller of Certifying Authorities and Adjudicating Officers and provides directions regarding implementing the Information Technology Act.

India has also introduced data privacy regulations to safeguard consumer information. Telecom Regulatory Authority of India and the Department of Telecommunications have joined forces to impose stricter rules regarding how telecom providers utilise user data; under these new rules, users can withdraw consent from providers using their personal information.

The government is taking active steps to counter the rising threat of cyber attacks, which have become more sophisticated and costly in recent years. An IBM Security report published earlier this year states that data breaches cost approximately $2.2 million on average in 2022.

  7. National Critical Information Infrastructure Protection Center (NCIIPC)

In cyberwarfare, hostile states can cause significant disruptions to public and private networks, and India needs a dedicated defence agency. With hostilities typically taking form through denial-of-service attacks or weaponisation of cyber propaganda – as was seen during the Doklam conflict – having robust infrastructure security measures in place is critical for India.

NCIIPC is a government organisation established under Section 70A of the Information Technology Act 2000, as amended in 2008. Designated through gazette notification, it serves as a nodal body to protect critical information infrastructure (CII). Its goal is to safeguard CII by devising and executing national and international cooperation strategies.

The NCIIPC also coordinates, shares, monitors, collects, analyses and forecasts threats to critical infrastructure (CII) on a national level to inform policy, expertise sharing and situational awareness. While its goal is to strengthen agencies that operate CII systems, NCIIPC recognises that safeguarding critical infrastructure belongs to everyone and has developed relationships within key power sectors to achieve this.

  8. Revamped Distribution Sector Scheme

With the increasing digitisation of the economy and growing reliance on cyberspace, infrastructure must be created to prevent cyber-attacks and minimise damage. This involves recruiting a workforce and developing an administrative framework for damage control efforts.

The government has implemented the Revamped Distribution Sector Scheme (RDSS) to meet this objective. This program seeks to enhance operational efficiencies and financial sustainability among power distribution companies (DISCOMs), using technological solutions that secure their cyber infrastructure.

Ojha advocates that India take proactive steps to safeguard citizens and businesses against digital threats rather than reacting after they occur. He suggests creating a national cybersecurity policy that addresses bilateral and multilateral relations within this field of information security.

  9. Data Consent Rules

India’s government is placing increased importance on data protection. Recently updated TRAI guidelines for telecom service providers require them to abide by multilayered rules governing personal data processing. These regulations protect consumer rights while allowing individuals to withdraw consent for collection at any time.

SEBI has also issued guidelines that govern the securities and insurance sectors, calling on regulated entities to maintain cybersecurity standards by employing encryption or conducting regular network cyber audits.

Importance of Information and Cyber Security Policy in India

India requires an updated national cyber security policy. Any delays seriously impact the digital transition process, diplomatic initiatives and domestic privacy protection.

Digitisation and system motorisation have expanded the possibilities for cyber attacks. Ransomware attacks, transaction frauds, data leakage and intellectual property rights violations could put individuals and companies at risk.


As our world becomes more digitalised, information needs to be protected by robust security protocols. Protecting personal and sensitive financial data is equally important – an effective national cyber policy could provide a framework to achieve this.

India currently does not have a specific cybersecurity law but instead relies on the IT Act and various sector-specific regulations to set cybersecurity standards. While these laws include some provisions related to cyber security, they need to be more cohesive and easier to apply effectively.

Protecting personal data, sensitive information, and critical infrastructure should be at the core of every country’s cybersecurity policies. Legal and regulatory structures must be strengthened by adding a cyber-related section in the Information Technology Act and amending the Information Technology Rules 2021. A national nodal agency with clearly outlined roles and responsibilities should also be set up to coordinate cybersecurity efforts across the government.


As India embraces digitalisation, new risks and vulnerabilities emerge. While previous cyberattack responses focused on audits and improving network security measures, an influential national Security Policy would create a practical framework that could be consistently applied throughout India.

Numerous schemes have been initiated to increase public safety and reduce crime through monitoring data transmissions. Unfortunately, they have also raised serious privacy issues; examples include centralised surveillance systems, lawful interception of communication, keyword searches and monitoring systems.

The Constitution of India recognises a fundamental right to privacy as part of its basic freedoms. This recognition casts a long shadow over Indian law. It influences legislation, policy-making, judicial decisions, and the interpretation of rights embodied in laws covering consumer protection, health, IT licensing, etc. Therefore, India’s National Cyber Security Policy must consider constitutional concerns while enhancing privacy protections to foster trust for India’s economic development.


A national cybersecurity policy should be comprehensive and take multiple factors into account. This means providing a legal framework for research and commercialising indigenous security technologies based on cutting-edge research and solution-oriented studies with an eye to export markets.

Promote interdisciplinary collaboration and training programs; set up concept labs and workshops. Train experts in regulatory science from different fields on the assessment of QSEP to be helpful to industries, regulators, ecosystems, and post-marketing surveillance for innovation purposes, product development/marketing efforts, and post-marketing administration.

The Information Technology Act, associated laws, and provisions of the Indian Penal Code 1860 currently guide India’s response to cyber incidents. Additionally, several industry-specific regulations from bodies like RBI, IRDAI and SEBI require their regulated entities to maintain specific cybersecurity standards; the government can encourage these entities by offering incentives or fiscal schemes.


As technology rapidly develops, cyber security laws must keep up. Unfortunately, India’s rules haven’t been updated since 2008, and cyber attackers are becoming more sophisticated, potentially perpetrating fraud or other crimes more frequently.

To combat these risks, the government has implemented several tactics. These include developing the workforce to detect and respond to cyber-attacks, building infrastructure to secure information in cyberspace, and formulating policies compliant with global standards.

Additionally, the government must strengthen its ability to secure critical sectors by setting security guidelines for financial institutions such as stockbrokers, stock exchanges, AMCs (asset management companies), mutual funds and depository participants. Such rules would provide organisations with a framework to comply with the latest cyber security practices while helping mitigate cyber-attacks and providing a safe online experience for India’s citizens.

