Author: Khushi Bansal, Chaudhary Charan Singh University, Meerut.
Abstract
Cyber security in India is governed by a complex legal framework intended to protect information. It has become a critical aspect of protecting sensitive data, systems, and networks from malicious activities. This article explores the concept of cyber security, its types, and the various threats associated with it, along with the key problems and challenges in India's cyber security and legal infrastructure.
Keywords: Cyber security, Cybercrime, Information Technology (IT) Act, 2000, Digital Personal Data Protection Act (DPDPA), 2023, National Security Policy.
Introduction
In India, cyber security is a matter of great concern as cyber threats and attacks keep growing. The digital revolution is very rapid, driven by the swift growth of the internet and increasing dependence on technology across multiple fields. Cyber offences are becoming more complex, with new cases of cyber attacks such as hacking and data leaks posing serious threats to people, businesses, communities, and national security. Nationally and globally, a well-developed legal framework of cyber security laws is needed to protect data, privacy, and the overall digital ecosystem.
In India, there is a lack of public awareness related to data privacy and digital protection. According to the PwC India survey, only 16% of consumers are aware of the Digital Personal Data Protection (DPDP) Act, 2023. Many people are not aware of their rights regarding personal data. Approximately 56% of consumers are not aware of their rights and 69% are unaware of their right to withdraw consent. Cyber security measures and the legal framework protect cyber activities, prevent cyber crimes, and provide for punishment.
International Cyber Security Laws and Conventions
Budapest Convention, 2001: The Budapest Convention is a treaty focused on combating cyber crimes and is formally known as the Convention on Cybercrime. It was opened for signature in November 2001 and entered into force on July 1, 2004. It is the first international treaty focused on cyber crime. The convention, titled the "Convention on Cybercrime," was established by the Council of Europe and is the only binding international treaty on cyber crime.
Key objectives: Harmonization of laws, Improved investigative techniques, Increased international cooperation, and Promote cybercrime prevention and capacity
The General Data Protection Regulation (GDPR): GDPR is a European Union law. It was approved by the European Parliament in April 2016 and has been enforced since May 25, 2018. GDPR replaced the European Union Data Protection Directive, 1995.
Key objectives: Harmonizing Data Protection Laws Across the European Union, Protecting Fundamental Rights and Freedoms, Data Protection as a Fundamental Right, and Facilitating the free flow of Personal Data.
The European Union Cybersecurity Act, 2019: The European Union Cybersecurity Act was adopted in 2019. It introduces a European Union-wide cyber security certification framework for ICT products, services and processes.
Key objectives: Strengthening European Union Agency for Cybersecurity (ENISA), Establishing a European Cybersecurity Certification framework, Building Trust and Confidence, and Harmonizing cyber security certifications.
National Institute of Standards and Technology (NIST) : The NIST Cyber security framework (CSF) is a risk based framework that helps organizations improve their cyber security posture. It is a voluntary framework that can be used by organizations of all sizes and in all sectors.
The five main functions of the Cyber Security Framework (CSF): finding risks, protecting, spotting issues, responding effectively, and recovering from cyber threats.
UK Cyber Security Breaches Directive (CSBD): The UK Cybersecurity Breaches Directive is a government set of rules introduced in May 2021 to strengthen the UK response to cyber security breaches. The CSBD requires those holding personal data in the UK to notify the Information Commissioner's Office (ICO) of any notifiable cyber security breaches within 72 hours of becoming aware of them.
Gramm-Leach-Bliley Act, 1999: The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a United States federal law regarding how financial institutions handle consumers' nonpublic personal information. The GLBA is enforced by the Federal Trade Commission (FTC) and government agencies. Financial institutions that violate the GLBA may be subject to civil penalties, including fines and injunctions.
GLBA provisions: The Financial Privacy Rule, The Safeguards Rule, and The Pretexting Provisions.
Cyber Laws in India
Information Technology Act, 2000 (IT Act):
The Information Technology Act, 2000 deals with cyber security and digital transactions. It provides a legal framework for e-commerce, cyber-crimes, and data privacy and protection in India. The IT Act is comprehensive legislation that governs various aspects of digital technology, electronic communication, and cyber security in India. Under the Information Technology (Amendment) Act, 2008, cyber stalking was recognized as a cybercrime under the provisions of Section 66-A.
Cyber Security Provisions Under Information Technology Act, 2000: The provisions of the Information Technology (IT) Act, 2000 contain multiple measures to safeguard digital environments and prevent unlawful access to and misuse of critical information.
Section 43: Deals with unauthorized access, computer damage, data theft, disruption of computer systems, networks, and data. It provides a legal framework for cyber-crimes and allows individuals and organizations affected by these actions to claim compensation. This section provides legal remedies and penalties for offences related to unauthorised access to computer systems, computer contamination, disruption of computer systems and unauthorised extraction of data.
Section 66: This section focuses on various types of cyber crimes, such as hacking, identity theft, cyber fraud, and dishonesty. It covers acts that would be punishable under Section 43 of the Act if committed dishonestly and fraudulently. It empowers law enforcement agencies to investigate and prosecute individuals involved in these offences.
Punishment: Violations of Section 66 can lead to up to three years' imprisonment, a fine of up to five lakh rupees, or both.
Section 66-F: This section provides punishment for cyber terrorism. It sets out offences and penalties associated with acts, carried out through computer systems, that are intended to threaten India's sovereignty, security, and unity. Section 66F provides a strong legal framework to address and punish acts of cyber terrorism.
Punishment : The punishment for cyber terrorism under section 66F can extend to imprisonment for life.
Section 67 : Punishment for publishing or transmitting obscene material in electronic form [add Information Technology (Amendment) Act, 2008.]
Punishment (First Conviction) : Imprisonment of up to three years and a fine of up to five lakh rupees.
Punishment (Second or Subsequent conviction) : Imprisonment of up to three years and a fine of up to ten lakh rupees.
Section 69: This section vests the government with the authority to intercept, monitor, and decrypt information in the interest of national security. It enables the government to take necessary measures to prevent cyber threats and ensure the safety and sovereignty of the country.
Section 70: Section 70 provides for the protection of "critical information infrastructure." It mandates the identification and protection of vital information systems to ensure the continuity of essential services and protect national interests. This section safeguards critical national assets in the digital era by preventing unauthorized access and control.
National Critical Information Infrastructure Protection Centre (NCIIPC): The NCIIPC is an organization of the Government of India, based in New Delhi. It was established under Section 70A of the Information Technology Act, 2000 (amended 2008), and gazetted on January 16, 2014. The NCIIPC is a branch of the National Technical Research Organization (NTRO). Its main objective is to protect critical information infrastructure, which includes vital computer resources that, if compromised, could significantly impact national security.
Indian Computer Emergency Response Team (CERT-In or ICERT): The Indian Computer Emergency Response Team (CERT-In) was established under Section 70B of the Information Technology Amendment Act, 2008. CERT-In is a national agency that handles cyber security threats like hacking and phishing. It has been active since January 2004. It strengthens the security-related defence of the national internet domain. CERT-In comes under the Ministry of Electronics and Information Technology (MeitY).
The main functions of Indian Computer Emergency Response Team (CERT-In) :
Forecast and alerts of Cyber security incidents.
Emergency measures for handling cyber security incidents.
Collection, analysis and dissemination of information on cyber incidents.
Coordination of Cyber incident response activities.
Digital Personal Data Protection Act (DPDPA), 2023 :
The Digital Personal Data Protection Act, 2023 focuses on protecting digital personal data, both within India and across borders. The DPDPA provides for the processing of personal data solely for legitimate purposes upon the consent of the individual. The Act has some regulatory loopholes in data privacy and security. It does not provide for the protection of non-personal and critical infrastructure data. In India, we do not have an effective legal framework for cross-border data transfer mechanisms and cyber security.
Key provisions of Digital Personal Data Protection Act, 2023 :
This legislation applies to both online and offline data processing, extending its scope to digital data obtained within India.
Data fiduciaries are currently bound by clear responsibilities to ensure data accuracy and protection of data.
The formation of the Data Protection Board of India is a notable element, as it will play an important role in enforcing compliance and imposing punishment.
Individuals' rights to information.
Promoting responsible data processing.
Establishing a dispute resolution mechanism.
Facilitating compliance.
Data protection board.
Data Protection Board: The Data Protection Board of India (DPBI) is a statutory body established under Section 18 of the Digital Personal Data Protection Act, 2023. The Data Protection Board of India will handle complaints and has the power to investigate data breaches, conduct inquiries, and impose penalties for violations of the data protection law. It can direct data fiduciaries to take necessary steps to address data breaches and mitigate their impact. All proceedings of the board will be conducted online. The DPBI is intended to be an independent body, free from undue influence.
Comparison with General Data Protection Regulation (GDPR) :
The Digital Personal Data Protection Act, 2023 (DPDPA) and the European Union's General Data Protection Regulation (GDPR) share the same concept but differ in some key provisions.
The Digital Personal Data Protection Act, 2023 (DPDPA) applies only to digital personal data, while General Data Protection Regulation (GDPR) covers all forms of personal data.
Data Principal Rights:
DPDPA - Rights to access, correction, erasure, and grievance redress.
GDPR - Rights to be informed, access, rectification, restriction of processing, and data portability.
Cross Border Data Transfer:
DPDPA - Permitted unless to jurisdictions restricted by the Indian government.
GDPR - Permitted based on adequacy decision.
National Cyber Security Policy (NCSP), 2013:
The National Cyber Security Policy, 2013 is a strengthened legal framework established by the Indian government. Its main objective is to create a secure cyber ecosystem and foster trust in digital transactions. The policy acknowledged the importance of a comprehensive, collaborative, and collective approach to cyber security at both national and international levels. The policy aims to control information such as personal information, financial and banking information, and national secrets. The Department of Electronics and Information Technology (DeitY) has formed a policy framework focused on cyber security. According to the Ministry of Communications and Information Technology (India), cyberspace is a global network consisting of interactions between people, software, and services, supported by globally distributed information and communication technology. The policy outlines strategies for promoting cyber security awareness, encouraging public-private partnerships, and developing cyber security capabilities. A main aim of the National Cyber Security Policy, 2013 is the formation of a structure for implementing security best practices, risk management, and cyber defense mechanisms across multiple fields.
National Cyber Coordination Centre (NCCC):
The National Cyber Coordination Centre was established by the Ministry of Home Affairs (MHA) in New Delhi. It is India's operational cyber security and e-surveillance agency, established to monitor and manage cyber threats and ensure national security. The NCCC's objective is to prevent cyber threats by monitoring internet traffic and facilitating information sharing among relevant entities.
Problems and challenges:
In India, cyber security faces many problems and challenges: complex cyber-attacks, the prevalence of human error, lack of awareness, lack of visibility, and a global shortage of skilled professionals. Cyber threats and data privacy risks have increased manifold, particularly in sectors such as banking, healthcare, public administration, and education. Formulating cyber security laws is a difficult task in any country, given the complex and dynamic nature of the digital era. This article highlights the major cyber security problems and challenges. Among the various challenges to the formulation and implementation of the cyber legal framework, the most challenging is the rapid pace of technological advancement. Cyber security laws also suffer from a lack of harmonization with global standards and a lack of effectiveness. The awareness of data security and privacy rights is low. According to a survey by PwC, 60% of companies follow problematic data practices. In the case of health care, the authors have argued for the prevention of mental health care data by linking it with Aadhaar. In India, we do not have a robust legal infrastructure for international data transfer rules and regulations. The cyber security regulatory landscape is indeed complex, with various overlapping laws, regulations, and guidelines. Overlapping laws create many challenges for business and society.
We highlight some main problems and challenges:
Lack of awareness and training.
Rapidly evolving technology.
The overlapping regulations lead to jurisdictional conflicts.
Evolving threats landscape.
Increase in use of artificial intelligence.
Conclusion
India's cyber security legal framework has been expanding and developing rapidly over the past decade. Cyber security and the legal framework governing cyberspace are linked in protecting the digital environment. The National Cyber Security Policy (NCSP), 2013 has made comprehensive efforts to address cyber security issues in India. Public awareness of data privacy issues is low compared with other countries. India must strengthen its security systems sufficiently to withstand such attacks, and perhaps even develop an ability to counterattack. The Digital Personal Data Protection Act (DPDPA), 2023 reflects India's strong commitment to enhancing data privacy and data security in a rapidly digitalizing era. The Data Protection Board of India (DPBI) regulates cyber-attacks and imposes penalties. The Information Technology (IT) Act, 2000 provides a strengthened legal framework for cyber security in India, enabling e-commerce and digital transactions and addressing cyber-crime. However, the evolving nature of cyber threats necessitates continuous strengthening of these laws and their enforcement. Data privacy laws need to be customised to the Indian context, though we found a large number of similarities with the General Data Protection Regulation (GDPR). A harmonized legal framework, with clear guidelines and coordinated enforcement mechanisms, can enhance the effectiveness of cyber security regulations and improve the overall cyber security ecosystem in the country. India can draw insights from global regulatory approaches and adopt improvements based on international legal frameworks.
References
Indira Srivastava & Shekhar Srivastava, A Comprehensive Analysis Related to Social Problems & Crime 71 (2011).
Information Technology Act, No. 21 of 2000, §§ 43, 66, 66-F, 67, 69, 70, Acts of Parliament, 2000 (India).
Digital Personal Data Protection Act, No. 22 of 2023, § 18, Acts of Parliament, 2023 (India).
Manvi Gupta & Ayushman Gupta, Cyber Security Legal Framework in India – Overlaps, Problems and Challenges 12, 11 (2025) (unpublished manuscript).
Devansh Dixit, Important Provisions of the IT Act 2000: Safeguarding Digital Spaces, blog.finology.in (July 4, 2025, 8:25 PM), https://blog.finology.in/Legal-news/it-act-2000.
Devansh Dixit, Analysis of the Digital Personal Data Protection Act, 2023, blog.finology.in (July 5, 2025, 3:25 PM), https://blog.finology.in/Legal-news/digital-personal-data-protection-act













