Introduction
The governance of cybersecurity for critical information infrastructure (CII) sits at the uncomfortable intersection of national security imperatives, regulatory fragmentation, operational feasibility, and fundamental rights. India’s approach to this domain has evolved through a combination of statutory designation under the Information Technology Act, 2000, directions issued by the Indian Computer Emergency Response Team (CERT-In), and a proliferating body of sector-specific circulars from financial, telecommunications, and insurance regulators. The result is a layered but partially incoherent framework that has struggled to keep pace with the sophistication of the threats it seeks to address.
The CERT-In Directions of April 2022 brought this framework into sharp international focus. The requirement that organisations report cybersecurity incidents to CERT-In within six hours of detection, accompanied by an obligation to retain system logs for 180 days and to maintain records of VPN users, drew criticism from major technology companies, civil liberties organisations, and foreign governments. Several VPN service providers chose to exit the Indian market rather than comply with data retention mandates they regarded as incompatible with their privacy commitments to users. The controversy exposed the tension between India’s ambitions as a cybersecurity-conscious state and the international standards around which the global digital economy is organised.
This article examines the statutory framework governing CII, the specific obligations created by CERT-In Directions, the sector-specific overlay from financial regulators and others, the emerging conflicts with the DPDP Act 2023, and the lessons available from the EU’s NIS2 Directive in designing a more coherent and proportionate cybersecurity regime.
Legal Framework
Section 70 of the IT Act, 2000 authorises the Central Government to designate any computer resource as a Protected System, access to which without authorisation is punishable with imprisonment. The concept of Critical Information Infrastructure is defined in Section 70(1) as computer resources, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health, or safety.
The National Critical Information Infrastructure Protection Centre (NCIIPC), established under Section 70A, is the nodal agency for protecting CII. NCIIPC operates under the National Technical Research Organisation and classifies CII across sectors including power and energy, banking and finance, telecommunications, transportation, e-governance, and strategic and public enterprises. The classification of a system as CII triggers heightened protection obligations, though the specific obligations applicable to CII owners have historically been articulated in guidelines rather than in legally binding directions.
CERT-In, established under Section 70B, serves as the national nodal agency for incident response and cybersecurity coordination. Its functions include collection and analysis of information on cyber incidents, forecasting cybersecurity threats, issuing alerts and advisories, and taking emergency measures to handle incidents. The Director General of CERT-In may issue directions to any service provider, intermediary, data centre, body corporate, or person under Section 70B(6), and non-compliance with these directions is punishable under Section 70B(7).
The Directions on Information Security Practices, Procedures, Prevention, Response and Reporting, issued by CERT-In on 28 April 2022 and effective from 27 June 2022, represent the most comprehensive exercise of this direction-making authority to date. The key obligations they imposed were threefold. First, any cybersecurity incident must be reported to CERT-In within six hours of detection, applying to a broadly defined set of incident categories including targeted scanning, compromised systems, ransomware attacks, data breaches, and attacks on CII. Second, organisations must maintain logs of ICT systems for a period of 180 days within Indian jurisdiction. Third, VPN service providers, cloud service providers, virtual private server providers, and virtual asset service providers must maintain accurate records of subscribers for a period of five years, including names, contact details, IP addresses, subscription periods, and purposes.
Judicial Developments
The CERT-In Directions have not yet been subject to a definitive constitutional or statutory challenge before Indian courts, though petitions questioning their scope have been discussed in academic and civil society circles. The absence of judicial review reflects in part the reluctance of affected entities to litigate directly against the government, particularly foreign technology companies who depend on operating licences and regulatory relationships.
The framework for challenging CERT-In Directions would likely proceed under Article 19(1)(g) (freedom to carry on any trade or profession) and Article 21 (right to privacy as articulated in Puttaswamy). The mandatory log retention and subscriber data requirements are, at their core, surveillance mandates that create comprehensive records of user activity on communication networks. Their compatibility with the Puttaswamy framework’s proportionality requirement, which demands that any restriction on privacy be necessary, proportionate, and subject to procedural safeguards, is at least debatable.
In the context of financial sector cybersecurity, the Supreme Court’s decision in Canara Bank v. CanBank Financial Services (2010) and subsequent judgments have affirmed that financial institutions owe a duty of care to customers in protecting their data and transaction integrity. Banking and securities regulators have relied on this duty of care framework to ground sectoral cybersecurity mandates that impose obligations beyond those in the IT Act.
Contemporary Issues and Analysis
The six-hour incident reporting requirement is, from a technical standpoint, extraordinarily demanding. In the immediate aftermath of a significant cybersecurity incident, organisations are typically engaged in containment and initial triage. Forensic analysis to understand the nature, scope, and origin of an attack is a process that typically takes days or weeks, not hours. The requirement to report within six hours necessarily means that early reports will be speculative, incomplete, and potentially misleading. This is not merely an operational inconvenience; inaccurate early reports can themselves cause market disruption, reputational harm, and misallocation of incident response resources.
By comparison, the EU’s NIS Directive (now superseded by NIS2, which became applicable in October 2024) required notification of significant incidents within 72 hours, with an initial notification followed by an intermediate report and a final comprehensive report. This tiered reporting model acknowledges the forensic reality of incident investigation. The NIS2 Directive also imposes a proportionality requirement, applying enhanced obligations only to entities classified as essential or important based on their sector and size, rather than applying blanket obligations to all service providers regardless of scale.
The VPN provider controversy illustrates the compliance design problem created by the Directions. Several international VPN providers, including ExpressVPN, NordVPN, Surfshark, and IPVanish, announced their exit from the Indian market in 2022 rather than comply with the subscriber retention requirements. These providers operate on a no-logs business model that is their primary privacy proposition to users. Retaining subscriber data for five years fundamentally contradicts this model and would expose their users to data requests from Indian law enforcement. The exit of these providers has left Indian users who depend on VPNs for privacy and security (journalists, researchers, corporate users) with reduced options.
The conflict between the CERT-In Directions and the DPDP Act 2023 creates a structural inconsistency that will require resolution. The Directions mandate the collection and retention of user data in ways that may not align with the DPDP Act’s requirements of purpose limitation, data minimisation, and storage limitation. A VPN provider retaining comprehensive subscriber data for five years, at the government’s behest, is collecting data in quantities and for durations that a DPDP-compliant privacy notice would struggle to justify to data principals. The government has not yet addressed how these two frameworks interact.
Sector-specific cybersecurity frameworks from financial regulators add another layer of complexity. The Reserve Bank of India’s Cybersecurity Framework for Banks (2016, updated in subsequent circulars) and the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023) impose detailed requirements on board-level IT governance, vulnerability management, security operations, and incident response. SEBI has issued cybersecurity and cyber resilience frameworks for stock brokers, depositories, mutual funds, and market infrastructure institutions. IRDAI has issued guidelines on information and cyber security for insurers. TRAI has addressed cybersecurity in the context of telecommunications service providers.
This multiplicity of regulators creates compliance complexity for entities that are regulated by more than one authority, such as a payment bank that is subject to both RBI and potentially CERT-In, and may have a fintech subsidiary subject to SEBI. The lack of coordination among regulators on cybersecurity standards means that organisations must maintain parallel compliance programmes that may have inconsistent or conflicting requirements.
Comparative and International Perspective
The EU NIS2 Directive, which replaced the original NIS Directive effective October 2024, provides a thoughtful model for comparison. NIS2 applies to entities in 18 sectors, divided into “essential” and “important” categories based on their criticality and scale. Essential entities, including operators in energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, and public administration, face stricter supervision and higher penalties. Important entities face lighter supervisory obligations but remain subject to the same substantive security requirements.
The substantive security obligations under NIS2 include risk analysis and information security policies, incident handling, business continuity and crisis management, supply chain security, secure acquisition and development of network and information systems, cyber hygiene policies and training, access control policies, and the use of cryptography. These obligations are outcome-based rather than prescriptive, allowing organisations flexibility in implementation while holding them accountable for security outcomes.
The United States approach is more fragmented, with sector-specific frameworks from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Energy Regulatory Commission, the Securities and Exchange Commission, and the Department of Health and Human Services, among others. The SEC’s cybersecurity incident disclosure rules (adopted 2023) require public companies to disclose material cybersecurity incidents within four business days of determining materiality, a standard that acknowledges the forensic reality of incident investigation while still ensuring timely market disclosure.
China’s Cybersecurity Law (2017) and the more recent Critical Information Infrastructure Security Protection Regulations (2021) provide a comparison from another large economy with strong state involvement in internet governance. Chinese regulations require CII operators to store important data within China, undergo security reviews for certain data exports, and allow government inspections. India’s CERT-In Directions’ localisation requirements share some characteristics with this model, though the extent of state oversight is considerably less pervasive.
Practical and Policy Implications
For organisations operating critical information infrastructure in India, compliance with the current framework requires significant investments in security operations, log management infrastructure, and regulatory reporting capabilities. Larger organisations typically have dedicated security operations centres (SOCs) capable of detecting, triaging, and reporting incidents, though the six-hour reporting window remains operationally challenging even for well-resourced entities. Smaller organisations, including many that qualify as CII operators in healthcare, logistics, and utilities, often lack the infrastructure to meet these obligations.
The supply chain dimension of CII security deserves greater regulatory attention. Many CII operators rely on third-party technology vendors for core operational systems, and the security of those vendors determines in significant part the security of the CII operator itself. Current regulations focus primarily on the CII operator and do not systematically address vendor security requirements. The SolarWinds attack in the US (2020) and the broader problem of software supply chain compromise illustrate why this gap matters.
The absence of an updated National Cyber Security Policy is a significant governance gap. The 2013 policy is obsolescent; the threat landscape has fundamentally changed with the proliferation of ransomware-as-a-service, state-sponsored attacks targeting CII, and the expansion of attack surfaces through cloud adoption and remote work. A National Cyber Security Strategy, drafts of which have been reported to be under preparation since at least 2020, would provide strategic coherence that currently is absent.
Suggestions and Reforms
The six-hour incident reporting requirement should be revised to a tiered model: an initial notification within 24 hours confirming that an incident has occurred, an intermediate report within 72 hours with available technical details, and a comprehensive report within 30 days. This aligns with international best practice and the forensic reality of incident investigation while still providing CERT-In with timely notification.
The VPN subscriber retention requirement should be narrowed. Rather than requiring all VPN providers to retain comprehensive user data for five years, the requirement should be limited to providers that cannot demonstrate to CERT-In’s satisfaction that they operate a genuine no-logs architecture, with targeted disclosure obligations triggered by specific law enforcement requests rather than blanket preemptive retention.
The government should establish an inter-regulatory coordination mechanism for cybersecurity, under which CERT-In, NCIIPC, RBI, SEBI, IRDAI, TRAI, and sector ministries develop harmonised baseline cybersecurity standards. Entities regulated by multiple authorities should not be required to maintain parallel compliance programmes with inconsistent requirements.
The National Cyber Security Strategy should be published promptly, with clear sector-specific objectives, defined roles for each regulatory body, investment benchmarks, and a mechanism for annual review and update.
Conclusion
India’s cybersecurity regulatory framework for critical information infrastructure is ambitious in its ambitions but incoherent in its execution. The CERT-In Directions impose demanding obligations that are technically challenging, have driven privacy-conscious operators from the Indian market, and conflict with the emerging DPDP framework. Sector-specific regulators operate in parallel without coordination, creating compliance complexity and potential gaps. The absence of an updated national strategy leaves the framework without strategic guidance.
Effective CII protection requires a framework that is proportionate in its demands, coordinated across regulatory authorities, technologically informed, and internationally engaged. India has the statutory tools and the institutional capacity to build such a framework. What is needed is the political will to revise the current approach in light of both international experience and the operational realities of cybersecurity practice.