
Cybersecurity Regulations In India 2025: A Comprehensive Guide

As India fast-tracks its way towards a $1 trillion digital economy, the digital transformation seen in this journey has not been without its challenges. For Indian businesses, cybersecurity remains a primary concern, especially considering the increasing volume of cyberattacks. According to Prahar, India experienced the third-highest number of cyberattacks in the world in 2023, with a whopping 79 million attacks targeted at the region by bad actors ranging from profit-seeking cybercriminals to state-sponsored groups. An ever-expanding attack surface, combined with a series of high-profile security incidents, saw India in a precarious place at the beginning of 2024.

By the end of it, the Indian government had put into place a range of new compliance regulations to supplement the landmark Digital Personal Data Protection (DPDP) Act that was passed the year before. These efforts saw India achieve Tier 1 status in the Global Cybersecurity Index 2024. With a score of 98.49 out of 100, India joined the top tier ranks of ‘role-modelling countries’ that demonstrate a strong commitment to creating robust cybersecurity practices. This blog goes through all the important dates that shaped India’s cybersecurity laws and led to this massive achievement.

August 20, 2024 - Introduction of CSCRF

Who It Applies To: SEBI’s Regulated Entities (REs)

While the financial services sector has always been an attractive target for cyberattackers, things have gotten especially worrisome in the last few years. According to a report from the RBI, India’s financial sector faced more than 13 lakh cyberattacks between January to October 2023, and 2024 saw the biggest cyberattack so far on an Indian exchange, with hackers stealing more than $230 million worth of investor holdings from cryptocurrency platform WazirX.

The increasingly alarming scenario led to SEBI releasing the Cyber Security & Cyber Resilience Framework (CSCRF) for all its regulated entities (REs). This exhaustive framework was established after advice from industry leaders (Market Infrastructure Institutions, CERT-In, Industry Standard Forum, National Critical Information Infrastructure Protection Centre) and adherence to industry-leading guidelines (ISO 27001, CIS Controls Version 8, NIST SP 800-53, BIS Financial Stability Institute Guidelines and CPMI-IOSCO Guidelines).

This framework features mandates for all the important aspects that make up a comprehensive cybersecurity posture:

  • Governance: A risk management framework to assess, mitigate and monitor risks, then define processes to address them. Employee security training comes under this.
  • Supply Chain Fortification: Requirement of a Software Bill of Materials (SBOM) from all your vendors to account for any third-party or open-source components.
  • Secure Access: Incorporation of the principle of least privilege and zero trust across your entire ecosystem, including MFA with strong authentication factors.
  • API Security: Processes include, but are not limited to, rate limiting, clarified API discovery, and secure-by-design API development that adheres to OWASP guidelines.
  • Data Protection: Securing data-at-rest through a mix of full disk encryption and file-based encryption, and data-in-transit through the asymmetric encryption provided by TLS.
  • Continuous Monitoring and Incident Response: A 24x7x365 SOC that monitors, prevents, detects, investigates, and responds to cyber threats. This includes collecting logs, setting baselines for normal behavior and monitoring for any deviations, isolating affected systems in the case of a breach, and undertaking remediation steps.

What’s interesting about CSCRF is that REs have different requirements according to which category they fall under: MIIs, qualified REs, mid-size REs, small-size REs, and self-certification REs. For example, if you are an MII or a qualified RE, you must measure your SOC’s functional efficacy every 6 months, while the rest have to do it yearly.
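The "setting baselines for normal behavior and monitoring for any deviations" mandate above, as an added example that is not part of the original post or of SEBI's framework: it builds a per-user baseline from a training window of authentication log lines, then flags logins from a new source network, logins outside the user's usual hours, a daily login count above the baseline ceiling, and bursts of failed logins. The log format, the field names, the threshold choices (mean daily logins plus the larger of three standard deviations or two logins; five failures from one source as a burst) and every sample line are assumptions constructed for the illustration, not CSCRF values.

```python
"""Baseline-and-deviation check over constructed authentication log lines."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format (assumption): "<ISO timestamp> user=<name> src=<ipv4> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) result=(?P<result>ok|fail)$"
)

# Constructed baseline window: five working days of normal behaviour for two users.
BASELINE_LOGS = [
    f"2025-01-{day:02d}T{hour:02d}:05:00 user=alice src=10.0.1.{5 + day} result=ok"
    for day in range(6, 11) for hour in (9, 15)
] + [
    f"2025-01-{day:02d}T11:30:00 user=bob src=10.0.2.20 result=ok"
    for day in range(6, 11)
]

# Constructed observation day: alice has one off-hours login from an unseen network
# and more logins than usual; bob sees a burst of failures from one source.
OBSERVED_LOGS = [
    "2025-01-13T03:12:00 user=alice src=203.0.113.9 result=ok",
    "2025-01-13T09:02:00 user=alice src=10.0.1.12 result=ok",
    "2025-01-13T10:40:00 user=alice src=10.0.1.12 result=ok",
    "2025-01-13T13:15:00 user=alice src=10.0.1.12 result=ok",
    "2025-01-13T15:01:00 user=alice src=10.0.1.12 result=ok",
    "2025-01-13T11:31:00 user=bob src=10.0.2.20 result=ok",
] + [
    f"2025-01-13T22:{m:02d}:00 user=bob src=198.51.100.4 result=fail" for m in range(6)
]

FAILURE_BURST = 5  # assumed threshold: failures from one source that count as a burst


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def network(ip):
    """Coarsen an IPv4 address to its /24 so a DHCP lease change is not a 'new' source."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baseline(events):
    """Per user: daily-login ceiling, known source networks, and the span of login hours."""
    per_user = defaultdict(lambda: {"daily": defaultdict(int), "nets": set(), "hours": []})
    for e in events:
        if e["result"] != "ok":
            continue  # only successful logins define 'normal'
        profile = per_user[e["user"]]
        profile["daily"][e["ts"].date()] += 1
        profile["nets"].add(network(e["src"]))
        profile["hours"].append(e["ts"].hour)
    baseline = {}
    for user, profile in per_user.items():
        counts = list(profile["daily"].values())
        mean, spread = statistics.mean(counts), statistics.pstdev(counts)
        baseline[user] = {
            # A floor of +2 keeps a perfectly regular user from alerting on one extra login.
            "max_daily": mean + max(3 * spread, 2),
            "nets": profile["nets"],
            "hour_min": min(profile["hours"]),
            "hour_max": max(profile["hours"]),
        }
    return baseline


def detect_deviations(baseline, events):
    """Return (user, reason) findings for one day's events compared with the baseline."""
    findings, ok_counts, fail_counts = [], defaultdict(int), defaultdict(int)
    for e in events:
        user = e["user"]
        if e["result"] == "fail":
            fail_counts[(user, e["src"])] += 1
            continue
        ok_counts[user] += 1
        b = baseline.get(user)
        if b is None:
            if (user, "no baseline for user") not in findings:
                findings.append((user, "no baseline for user"))
            continue
        net = network(e["src"])
        if net not in b["nets"]:
            findings.append((user, f"login from new network {net}"))
        if not b["hour_min"] <= e["ts"].hour <= b["hour_max"]:
            findings.append((user, f"login at unusual hour {e['ts'].hour:02d}"))
    for user, n in ok_counts.items():
        b = baseline.get(user)
        if b and n > b["max_daily"]:
            findings.append((user, f"{n} logins exceed baseline ceiling {b['max_daily']:.1f}"))
    for (user, src), n in fail_counts.items():
        if n >= FAILURE_BURST:
            findings.append((user, f"{n} failed logins from {src}"))
    return findings


if __name__ == "__main__":
    for user, reason in detect_deviations(build_baseline(parse(BASELINE_LOGS)), parse(OBSERVED_LOGS)):
        print(f"{user}: {reason}")
```

In a real SOC the baseline window would be rebuilt on a rolling schedule and the thresholds tuned per role, but the shape is the same: a profile of what "normal" looks like per identity, and findings that name the deviation so the analyst can decide whether to isolate the affected account or host.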

November 21, 2024 - Gazette Publishes The Telecommunications (Telecom Cyber Security) Rules, 2024

Who It Applies To: Telecom Entities, defined as ‘any person providing telecom services or establishing, operating, maintaining or expanding the telecom network’

India now has the second largest mobile network in the world and is undergoing a data explosion due to factors like 5G, IoT devices, streaming services, and more data-intensive apps. However, cybersecurity for the sector came to the fore earlier this year, when CloudSEK unveiled a massive breach that exposed the sensitive information of over 750 million Indians, including names, mobile numbers, addresses, and Aadhaar details.

This led to the introduction of The Telecommunications (Telecom Cyber Security) Rules, 2024, which is an extension of The Telecommunications Act, 2023. Here are some of the important components of these rules:

  • A Robust Cybersecurity Policy: This includes a mix of security safeguards, risk management approaches, actions, training, best practices & complementary technology to enhance your security. Furthermore, periodic audits have to be undertaken to maintain and evolve your security posture.
  • The CTSO Position: The Indian government requires a liaison in the form of a Chief Telecom Security Officer (CTSO).
  • 24x7x365 SOC: The CTSO has to establish and oversee a SOC that uses 24×7 monitoring to identify, mitigate, and respond to threats.
  • Strict Incident Reporting Timelines: Within 6 hours of an incident, a report has to go to the government describing the nature of the incident and the systems affected. An additional report has to go within 24 hours, featuring details like duration, number of users affected, geographical area, and remediation measures taken or proposed.

So what does 2025 bring for your organization if any of these rules apply? 

Well, critical infrastructure security laws like the CSCRF and the Telecom Cyber Security Rules have strict deadlines for adherence that you will have to keep track of when formulating your strategies. Moreover, the new year will most likely see the full implementation of an essential law that was issued back in 2023.

August 11, 2023 - Issuance of the Digital Personal Data Protection (DPDP) Act

Who It Applies To: All Public & Private Organizations That Handle Indian Personal Data, including businesses operating in India and those outside the country that use this data to market & sell to Indian customers.

This landmark regulation blends recognition of the rights of individuals (data principals) while laying out guidelines for processing by data fiduciaries. While it was passed over a year ago, provisions still can’t be enforced in the absence of detailed rules. Some provisions that still require clarity include:

  • Significant Data Fiduciary: The data fiduciary classification is demarcated into standard fiduciaries and significant ones, likely big companies that process vast amounts of personal data. While the parameters of classification haven’t been finalised yet, significant data fiduciaries have additional responsibilities, including appointing a Data Protection Officer (DPO) and conducting a Data Protection Impact Assessment.
  • AI Supply Chains: While not explicitly mentioned in the original issuance, experts believe the rules will most likely impact entities handling personal data in AI supply chains. As AI technologies rely on massive amounts of data to train their algorithms, entities within that chain may be classified as fiduciaries.
  • Fiduciary Scope: While the DPDP Act will apply to the processing of Indian personal data outside of India, it may not apply to Indian outsourcing companies that process data in India but collect it abroad.

On January 3, 2025, sixteen months after enactment, the union government introduced the Draft Digital Personal Data Protection Rules (DPDP Rules) for public consultation. The Ministry of Electronics and Information Technology (MeitY) later extended the feedback deadline for the draft rules.

MeitY initially set the consultation period to end on February 18, 2025, but it now extends until March 5, 2025. This extension follows multiple requests from various sectors seeking additional time to review the draft in detail and provide comprehensive feedback.

In 2025, partner with a cybersecurity provider that delivers best-in-class solutions and meets every regulatory requirement. At iValue, we offer a robust cybersecurity suite that seamlessly complies with all India 2024 data protection and cybersecurity regulations. Click here to discuss your 2025 cybersecurity posture.

