
Cyber Laws and Regulations — Security Framework

Version 1, updated 7 Mar 2026

Security Framework

India's cyber legal framework is primarily anchored by the Information Technology Act, 2000 (IT Act), which provides the legal basis for electronic transactions and digital signatures and addresses cybercrimes.

The IT Act, significantly amended in 2008, defines various cyber offences such as hacking (Sections 43, 66), publishing obscene material (Section 67), and breach of confidentiality (Section 72). It also grants powers for interception (Section 69) and designates Critical Information Infrastructure (Section 70) for enhanced protection.

A crucial aspect is Section 79, which outlines the 'safe harbour' provisions for intermediaries, balancing their liability with due diligence requirements. Complementing the IT Act, the Digital Personal Data Protection Act, 2023 (DPDP Act), is a landmark legislation focused entirely on safeguarding digital personal data.

It establishes a rights-based framework for data principals (individuals) and obligations for data fiduciaries (entities processing data), emphasizing consent, purpose limitation, and accountability. The DPDP Act also establishes the Data Protection Board of India for enforcement.

Regulatory bodies like CERT-In (Indian Computer Emergency Response Team) and NCIIPC (National Critical Information Infrastructure Protection Centre) play operational roles in incident response and critical infrastructure protection, respectively.

Landmark judgments like Shreya Singhal v. Union of India (2015) on free speech and Justice K.S. Puttaswamy v. Union of India (2017) on the Right to Privacy have profoundly shaped the interpretation and evolution of these laws, ensuring a balance between state security, technological advancement, and individual liberties.

The framework is continuously evolving to address new challenges posed by emerging technologies and transnational cyber threats, often engaging in international cooperation through various forums.

Important Differences

vs Digital Personal Data Protection Act, 2023

| Aspect | This Topic (IT Act, 2000) | Digital Personal Data Protection Act, 2023 |
|---|---|---|
| Primary Focus | Information Technology Act, 2000 (IT Act) | Digital Personal Data Protection Act, 2023 (DPDP Act) |
| Scope | Cybercrimes, e-commerce, digital signatures, e-governance, intermediary liability. | Protection of digital personal data, rights of data principals, obligations of data fiduciaries. |
| Key Concepts | Cyber offences, digital signatures, electronic records, intermediaries, protected systems. | Data Principal, Data Fiduciary, consent, purpose limitation, Data Protection Board of India. |
| Regulatory Body | CERT-In, NCIIPC, Cyber Appellate Tribunal (now TDSAT). | Data Protection Board of India (DPBI). |
| Constitutional Basis | State's power to legislate on trade, commerce, national security. | Right to Privacy (Article 21) as declared in Puttaswamy judgment. |
| Penalties | Imprisonment and/or fines for cybercrimes (e.g., Section 66, 67). | Monetary penalties for non-compliance with data protection obligations (e.g., data breach, consent violations). |

The IT Act, 2000, serves as India's foundational law for the digital realm, primarily addressing cybercrimes, e-commerce, and the legal validity of electronic transactions. Its focus is broad, encompassing various aspects of information technology. In contrast, the DPDP Act, 2023, is a specialized legislation with a singular, comprehensive focus on protecting digital personal data. It establishes a rights-based framework for individuals and imposes stringent obligations on entities handling their data, a critical area that the IT Act only touched upon peripherally. The DPDP Act represents a modern, privacy-centric approach, distinct from the IT Act's broader regulatory and punitive scope.

vs National Critical Information Infrastructure Protection Centre (NCIIPC)

| Aspect | This Topic (CERT-In) | National Critical Information Infrastructure Protection Centre (NCIIPC) |
|---|---|---|
| Full Form | Indian Computer Emergency Response Team (CERT-In) | National Critical Information Infrastructure Protection Centre (NCIIPC) |
| Mandate | Incident response, threat intelligence, advisories, vulnerability handling. | Protection of Critical Information Infrastructure (CII) from cyber threats. |
| Legal Basis | Section 70B of the IT Act, 2000. | Section 70A of the IT Act, 2000. |
| Scope of Operations | Broad, covers all types of cyber incidents affecting any computer resource in India. | Specific, focuses exclusively on identified Critical Information Infrastructure sectors. |
| Key Activities | Issuing alerts, coordinating incident response, conducting cyber drills, capacity building. | Identifying CII, developing protection strategies, auditing CII security, coordinating with sector-specific agencies. |
| Nature of Role | Reactive (incident response) and proactive (advisories, vulnerability notes). | Primarily proactive (protection, resilience building) for specific critical assets. |

CERT-In and NCIIPC are both vital agencies under the IT Act, but with distinct mandates. CERT-In acts as India's national incident response team, dealing with a broad spectrum of cyber incidents across all computer resources, providing alerts and coordinating responses. Its role is more generalized and reactive/proactive in the broader cyber landscape. NCIIPC, on the other hand, has a highly specialized and focused mandate: to protect Critical Information Infrastructure (CII) – those vital digital assets whose disruption would have a severe impact on national security or the economy. NCIIPC's role is primarily proactive, focusing on identifying, protecting, and ensuring the resilience of these specific critical systems. Together, they form complementary layers of India's cybersecurity defence.