The Indian government today unveiled a comprehensive set of cybersecurity rules mandating strict protocols for all major digital service providers, including social media platforms, e‑commerce websites, and cloud services. The new regulations, effective from October 1, aim to bolster the country's data protection framework and reduce cyber threats.

What the new rules mandate

The Ministry of Electronics & Information Technology (MeitY) issued the Digital Platform Security Guidelines 2024, which apply to any platform with over 5 million users or ₹100 crore turnover. Key requirements include:

  • Mandatory breach reporting: Any data breach affecting Indian users must be reported to CERT-In within 6 hours, and affected users must be notified within 72 hours.
  • Data localisation: All sensitive personal data must be stored on servers located in India, with a copy maintained abroad only for disaster recovery.
  • Security audits: Annual independent security audits by empanelled agencies, with reports submitted to the government.
  • Chief Information Security Officer (CISO): Platforms must appoint a CISO residing in India, responsible for compliance.
  • User verification: Voluntary but "verifiable" options for users to link accounts with Aadhaar or other government IDs (opt‑in).

“These rules are not about surveillance; they are about creating a safe and trusted digital ecosystem for every Indian.” – MeitY Secretary

Timeline and penalties

Platforms have until September 30 to comply. Non‑compliance can attract penalties up to ₹10 crore or 2% of global turnover, whichever is higher. Repeat offences may lead to blocking of services in India.

Industry reaction

Tech industry bodies expressed mixed views. The Internet and Mobile Association of India (IAMAI) welcomed the clarity but raised concerns about the 6‑hour breach reporting window. "It's extremely tight for complex forensic investigations," said a spokesperson. Some startups fear compliance costs could be burdensome. However, major players like Meta and Google indicated they are already largely compliant with similar standards globally.

Comparison with global standards

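Requirement         | India (new)               | GDPR (EU)
--------------------|---------------------------|----------------------------
Breach notification | 6 hours to CERT-In        | 72 hours to authority
Data localisation   | Yes (sensitive data)      | No, but restricted transfer
Penalty max         | ₹10 crore or 2% turnover  | €20m or 4% turnover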

Protecting citizens or increasing oversight?

Privacy advocates have raised concerns about the opt‑in verification, fearing it could become de facto mandatory. The government clarified that no service can be denied to users who refuse verification, but they may get limited features. "We have built in safeguards to prevent misuse," the Minister assured Parliament.

Impact on businesses

For large platforms, compliance will require significant investment in security operations centres and local talent. Cloud providers like AWS, Azure, and Google Cloud are expanding local server capacity to meet data localisation. The new rules are expected to create thousands of cybersecurity jobs in India.

What's next?

The rules will be followed by detailed guidelines on encryption and AI governance later this year. Companies are advised to start gap assessments immediately. The government also plans to set up a "sandbox" for startups to test security innovations.

For the average internet user, the changes mean faster breach notifications and potentially better data protection. As digital India grows, these regulations mark a significant step toward a resilient cyberspace.