Cybersecurity Laws in India: Need for a Comprehensive Legislation
In the age of smartphones, online banking, AI tools, and digital public services, cyberspace has become the new frontier of opportunity—and vulnerability. India, with one of the world’s largest online populations, is pushing forward on every digital front: fintech, health tech, e governance, and more. But amid this rapid expansion lies a critical gap—India still does not have a comprehensive cybersecurity law.
Our legal framework to deal with cyber threats is scattered and outdated. The Information Technology Act of 2000, which forms the backbone of India’s cyber law, was enacted when the internet was still a novelty. At that time, cybercrime meant hacking into email accounts or sending viruses. Today, we’re dealing with ransomware attacks on hospitals, data breaches affecting millions, online financial frauds, and coordinated cyber warfare targeting critical infrastructure.
It is clear that the IT Act, even with amendments, is no longer equipped to handle the scale and complexity of modern cyber risks.
Recent incidents make this painfully obvious. The ransomware attack on AIIMS Delhi in 2022 paralyzed one of the country’s top medical institutions for days. Personal data of citizens— Aadhaar numbers, financial records, even COVID-related information—has repeatedly found its way into the hands of hackers. Yet, investigations often stall due to lack of proper reporting protocols, unclear jurisdiction, and outdated laws.
While India has made some progress with the Digital Personal Data Protection Act, 2023, that law largely focuses on data usage and consent. It doesn’t adequately cover cybersecurity threats like phishing, ransomware, cyber terrorism, or deepfake manipulation. In effect, we are managing today’s threats with yesterday’s tools.
There’s also the fragmented nature of cybersecurity governance. The Reserve Bank of India sets standards for banks. Telecom firms follow TRAI’s guidelines. Health data is loosely regulated by various state and central authorities. What we lack is a central, cohesive cybersecurity framework that applies uniformly across sectors and stakeholders.
This legal vacuum affects ordinary citizens too. Cybercrime complaints are rising sharply. From UPI frauds to identity theft, individuals often find themselves victims of crimes with no clear remedy. Police are not always equipped to investigate. Courts, meanwhile, face challenges in interpreting digital evidence under outdated laws.
Equally important is the constitutional dimension of cybersecurity. After the Supreme Court’s Puttaswamy judgment (2017), the right to privacy is now a fundamental right. Protecting personal data isn’t just a technical matter—it’s a legal obligation. Weak cybersecurity directly undermines this right. When personal data is exposed due to poor digital safeguards, it isn’t just a breach—it’s a violation of Article 21.
The time has come to bring in a dedicated cybersecurity law. One that defines new-age cybercrimes clearly, establishes response and reporting mechanisms, sets minimum security standards, protects critical infrastructure, and empowers both users and enforcement agencies. It must also include provisions for international cooperation, since many cyberattacks originate outside national borders.
Judiciary, too, must play its part—by developing specialised benches or training modules for cybercrime cases, by ensuring proper interpretation of electronic evidence, and by balancing national security with individual rights.
India’s digital growth is a success story. But without digital safety, that story could turn tragic. The country cannot afford to wait for another major crisis to act. A comprehensive cybersecurity law is no longer optional—it is essential.
In the digital age, protecting rights means protecting data. The law must lead the way.
