vulnerabilities in India’s digital infrastructure. Despite being one of the world’s fastest-growing digital economies, India still struggles with fragmented and outdated laws to address these modern threats.

Currently, the Information Technology Act, 2000 (IT Act) is the backbone of India’s cyber law. When enacted, it was primarily meant to give legal recognition to electronic records and digital signatures. However, over time, it was amended to include provisions for cybercrimes, unauthorized access, and hacking. Sections 43 and 66 of the IT Act, for example, deal with data theft and hacking, while Section 67 deals with publishing obscene material online. But as technology evolved, this law began to show its age. The IT Act does not address issues like data privacy, cross-border data flow, or the growing role of artificial intelligence in cyberattacks.

Recognizing this gap, the government introduced the Digital Personal Data Protection Act (DPDPA), 2023. This law marks India’s first comprehensive attempt to regulate how personal data is collected, stored, and processed. It grants individuals the right to know how their data is being used, the right to correct or delete it, and the right to withdraw consent. It also imposes obligations on companies to ensure data security and mandates that breaches be reported promptly. On paper, it brings India closer to global standards like the European Union’s General Data Protection Regulation (GDPR).

However, the implementation of the new data protection law raises several concerns. For instance, the government retains the power to exempt any of its agencies from compliance on grounds of national security or public order. This means that while private companies are strictly regulated, state surveillance may continue without adequate checks. Moreover, the law’s enforcement depends heavily on a central authority—the Data Protection Board—whose independence is still under question.

Cybersecurity, meanwhile, is governed by a patchwork of policies and guidelines rather than a unified law. The National Cyber Security Policy, 2013, though well-intentioned, is outdated in the face of modern threats like deepfakes, crypto scams, and ransomware. India’s Computer Emergency Response Team (CERT-In) acts as the national nodal agency for incident response, but its resources and powers are limited. There is also no clear coordination mechanism between government agencies, private companies, and international actors during major cyber crises.

In essence, India’s cybersecurity and data protection landscape is a work in progress— ambitious but uneven. The country has taken crucial steps to move beyond the outdated IT Act, but much depends on how effectively the new laws are implemented. India needs a holistic digital security law that not only protects data but also ensures accountability, transparency, and international cooperation in combating cyber threats.

Ultimately, cybersecurity is not merely a technical issue—it is about trust. As India dreams of becoming a global digital powerhouse, it must build a legal system that assures its citizens that their data, identity, and privacy are safe. Without such assurance, the promise of “Digital India” risks being overshadowed by fear and vulnerability in the cyber age.