New Delhi: In a major push to fortify the country's digital infrastructure, the Ministry of Electronics and IT has notified comprehensive cybersecurity rules under the new Digital India Act. The regulations mandate strict compliance for sectors designated as Critical Information Infrastructure (CII).
Non-compliance can attract penalties up to ₹25 crore or imprisonment for key executives.
Key provisions
The new rules, which take effect immediately, introduce several stringent measures:
- 6-hour breach reporting: Any cyber incident must be reported to CERT-In within 6 hours.
- Data localisation: All sensitive personal data must be stored on servers located in India.
- Mandatory audits: Annual security audits by empanelled agencies.
- Chief Information Security Officer (CISO): Appointment of a dedicated CISO for all regulated entities.
Sectors in focus
The rules initially cover 14 sectors, including banking, telecom, power, transportation, health, and insurance. Each entity must designate a point of contact and establish a Security Operations Centre (SOC).
Industry reaction
While industry bodies have welcomed the move, some express concerns about compliance burden. "The 6-hour window is extremely tight for complex attacks. We need automated tools and clear guidelines," said the CISO of a large private bank.
Data localisation impact
Tech companies and cloud providers may need to invest in local infrastructure. Major players like AWS, Google, and Microsoft have already announced expanded India data centre regions.
International comparison
India's rules are among the strictest globally, similar to the EU's NIS2 directive but with tighter reporting timelines. The US has sector-specific regulations, while Singapore adopts a risk-based approach.
Next steps for organisations
Companies have 90 days to fully comply. The government will set up a compliance portal and conduct awareness workshops. Experts advise immediate gap assessment and legal review.