India’s Cybersecurity Policy: What’s New in 2025

India’s digital ecosystem has grown at an unprecedented pace over the past decade, with over 900 million internet users and a thriving startup economy. But this rapid digitization has also made the country a prime target for cyber adversaries. In 2024 alone, India witnessed more than 1.2 million cyberattacks, ranging from ransomware strikes on hospitals to data breaches at financial institutions. In response, the government has rolled out a series of new cybersecurity policies in 2025 that promise to reshape the landscape for businesses, innovators, and citizens alike. Understanding these changes is crucial for anyone invested in India’s technology future.

The Evolving Threat Landscape

Before diving into the policy updates, it helps to grasp why such sweeping measures were necessary. India’s digital infrastructure now includes Aadhaar, Unified Payments Interface (UPI), DigiLocker, and thousands of government services online. Each connected node represents a potential entry point for attackers. According to the Data Security Council of India, the country faced a 47% increase in cyber incidents between 2023 and 2024, with sectors like banking, healthcare, and e-commerce being the hardest hit. Additionally, the rise of AI-powered malware and deepfake scams has pushed regulators to rethink traditional security frameworks.

Key Policy Updates in 2025

The government’s response in 2025 is not a single piece of legislation but a multi-pronged strategy encompassing data protection, infrastructure hardening, and innovation-friendly compliance.

1. Full Implementation of the Digital Personal Data Protection Act

After months of deliberation, the DPDP Act, passed in 2023, is now fully operational with all rules and penalties in effect. Key provisions include:

  • Data fiduciaries must obtain explicit consent for processing personal data.
  • Data localisation for sensitive data (health, financial, biometric) — no cross-border storage without government approval.
  • Mandatory breach reporting within 72 hours to the Data Protection Board.
  • Heavy fines of up to ₹250 crore for non-compliance.

This has forced companies to overhaul their data handling practices. For startups, the compliance cost is significant, but the trust dividend is even larger.

2. National Cyber Security Strategy 2025

A refreshed version of the earlier strategy now includes five pillars: security of critical information infrastructure, enhanced threat intelligence sharing, capacity building, cyber hygiene for citizens, and international cooperation. The strategy also introduces a Cyber Security Operation Centre (CSOC) for each of the 20 critical sectors, including power, telecom, and transportation. These centres will operate 24×7 and feed data into a centralized threat analytics platform.

3. AI and Deepfake Regulation

Given the explosion of generative AI, the government has released specific guidelines for AI systems used in public-facing applications. All AI models deployed in India must undergo a security and fairness audit before launch. Deepfake detection tools will be mandated for social media platforms operating in India, with non-compliance leading to suspension of safe harbour protections.

4. Mandatory Vulnerability Disclosure and Bug Bounty Program

To encourage ethical hacking, all government agencies and critical sector companies must now maintain a public vulnerability disclosure policy. The Indian Computer Emergency Response Team (CERT-In) will run a centralized bug bounty platform with bounties ranging from ₹50,000 to ₹2 crore per finding. This move aims to tap into the country’s vast developer talent pool.

5. Cybersecurity for MSMEs and Startups

Recognizing that small and medium enterprises are the most vulnerable, the new policy offers subsidized cybersecurity audits and free access to a cloud-based security toolkit. Additionally, startups working on indigenous cybersecurity solutions can apply for fast-tracked funding through the Ministry of Electronics and Information Technology’s innovation grants.

Impact on Technology and Innovation

These policies bring both challenges and opportunities for India’s tech ecosystem.

Compliance Costs vs. Trust

On the downside, strict data localisation and audit requirements increase operational costs. A study by NASSCOM estimated that compliance with the DPDP Act alone could add 8–12% to the IT budgets of mid-sized companies. However, this investment often pays off in the form of customer trust. In a 2024 survey, 78% of Indian consumers said they would stop using a service after a data breach. Strong privacy practices are becoming a competitive differentiator.

Boost to Cybersecurity Startups

India’s cybersecurity market is expected to grow from $7 billion in 2024 to $15 billion by 2027, and the new policies are accelerating that growth. Companies offering compliance automation, AI threat detection, and encryption-as-a-service are attracting significant venture capital. For example, the bug bounty mandate has led to a surge in platforms like HackerOne and Bugcrowd expanding their India operations.

Innovation in AI Safety

The AI audit requirement has spawned a new niche: AI security testing. Startups like QNu Labs and Fornax are developing quantum-safe cryptographic tools, while others focus on adversarial machine learning detection. India’s deep tech talent is reorienting towards building solutions that are not only functional but also secure by design.

Critical Infrastructure Modernization

The establishment of sector-specific CSOCs is driving investments in OT (operational technology) security. Power grids, water supply systems, and transportation networks are being upgraded with real-time monitoring. This creates opportunities for companies specializing in industrial IoT security and anomaly detection systems.

Challenges Ahead

Despite the progressive nature of the 2025 policy suite, implementation hurdles remain.

  • Skill Shortage: India needs an additional 1.5 million cybersecurity professionals by 2026, according to a report by the Software Freedom Law Centre. The government has launched sk

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top