PRIME LEGAL: CYBERSECURITY LAWS: HOW DOES THE LEGAL FRAMEWORK IN INDIA PROTECT AGAINST CYBERATTACKS

July 18, 2026by Primelegal Team

ABSTRACT

India has undergone rapid digital transformation that has redefined its economy and life, introducing digital transactions, governance and communication beyond the tangible realm. At the same time, this big leap into the digital world has left the nation vulnerable to the advanced cyber threats. 

The principal Act dictating this situation for more than two decades has been the Information Technology (IT) Act, 2000. The statute was meant to create a safe haven for e-commerce while punishing basic cybercrimes, however this is slowly being called into question from today’s threats of ransomware, deepfakes, and state sponsored cyber espionage. 

This article addresses the nature of protection mechanisms currently in place, legal and statutory questions and the need of the hour for further legal and structural evolution of India to tackle such issues.

INTRODUCTION

The modern times are all about seamless digital connectivity which is the backbone of India’s socio-economic infrastructure. The virtual world is deeply linked now with national security, from the Unified Payments Interface (UPI) doing billions of transactions to the digitalisation of important governance systems. But, in the age of Internet interaction, criminal activity has changed as well.

This in-depth evaluation shows that cyber defense in India is a concerted effort to keep up with the rapid advancement of technology. The Constitution provides for a fundamental right to privacy in Article 21, but there is a need for stronger, flexible and effective laws to extend this right to the digital world. There is a blend of old laws from the early 2000s, the revised Penal Code and the newly enacted data protection laws to counteract the re-emerging problem of cyberattacks in the Indian legal arena.

Significant progress has been made in the cyber infrastructure deployment; India still remains a favourite target of global threat actors. From phishing attacks and ransomware to sophisticated distributed denial-of-service attacks on critical information infrastructure such as power grids and healthcare systems, cybercrime operations are organized around even more advanced techniques, perpetrated regularly. But the task of fighting back against these threats in the legal system is complex.

Despite having several cyber incident reporting requirements, the majority of companies and individuals opt out because of the risks involved in harming the reputation, affecting customer loyalty or lack of trust in the digital grievance redressal system. 

This leads to millions of cyber-attacks to go un-notified which gives cybercriminals greater incentives to continue the crime. In addition, cybercriminals often enlist a multitude of tools such as encryption, proxies, and even teleporting into another country’s purview to further complicate local investigations and prosecutions. Advanced criminals use vpns from which the regular cyber cells are not able to detect and due to technological constraints, these vpns remain unidentified. 

The legal consequences of a cyber-attack, whether it involves digital forensics or the continuing litigation, can cost Small Businesses and medium Enterprise’s (SMEs) dearly, and often they have to deal with it in silence. Creating a legal framework that moves from response to prevention is a critical first step to systemic resilience and holds digital notice and rapid justice for victims.

THE STATUTORY POSITION OF INDIA

The Indian legal landscape against cyber-attack represents an evolving tapestry made from specialised technology legislation, widespread criminal legislation and data privacy laws. The Information Technology (IT) Act, 2000 is the cornerstone of this Model at the center of which are the Sections 43(prescribing compensation for damage to computer systems and unauthorized downloading of data); 66(dishonest or fraudulent acts involving computer system including cheating by personation and identity theft); 66F (listening to Cyber Terrorism and penalties for acts threatening India’s unity, integrity, security, or sovereignty); and 70(empowering government to declare computer resources that secure “Critical Information Infrastructure” as protected systems). 

The Digital Personal Data Protection (DPDP) Act, 2023 is another important paradigm shift that sets out regulations that organizations must adhere to when dealing with citizens’ data, and puts in place tough financial punishments for not adhering to its directives to ensure the security of citizens’ data, legally requiring institutions to improve their cybersecurity posture. 

Further, the Bharatiya Nyaya Sanhita (BNS) (which succeeded the outdated Indian Penal Code (IPC)) has new sections that address ‘social crimes’ committed in the digital world, including online fraud, forgery of electronic records, and electronic harassment. 

Lastly, the national nodal agency under Section 70B of the IT Act, CERT-In (Indian Computer Emergency Response Team) is responsible for proactive response to a cyber incident, advisory, and compulsory time-bound reporting of cyber incidents by organisations.

PATHWAY TO LEGISLATIVE AND TECHNOLOGICAL REFORMS

Building a digital future for India is a dynamic, proactive, and comprehensive legal pathos to solve the shortcomings in the existing legal framework. First is the demand for a round-the-clock Comprehensive Statutory Update, wherein the legislature needs to speed up the process of introducing a new Digital India Act, which is modern, fresh and specific instead of the outdated and outdated IT Act of 2000, modern threats, such as threats related to AI-powered cyber-attacks, algorithmic biases, and the vulnerabilities of IoT devices, should be clearly defined and properly addressed in this new legislation. 

Further, bilateral mutual legal assistance treaties (MLATs) with competent global partners and engagement in international cyber-governance mechanisms is important; as aforementioned, cyberattacks routinely operate on borders, India should have deeper and more agile MLATs and engagement in international cyber-governance mechanisms to facilitate sharing of digital evidence and servicing the request for extradition.

Along with this is the need for Judicial and Law Enforcement Sensitization, underscoring the need to provide advanced technical training to police and forensic analysts and scaling up special Cyber courts across the country to ward off the risk of bottlenecks in Digital litigations. To develop a habit of cybersecurity awareness among the general public, therefore, it will be necessary to engage legal institutions, technology providers, and educational institutions together to drive Public Cyber Hygiene Initiatives.

CONCLUSION

Finally, however, the legal framework established under the IT Act helped to set out the foundations of the digital era in India, but cannot now be seen as completely adequate against the highly sophisticated cyber threat of today. The enactment of the DPDP Act is a major positive development in setting a pathway toward institutional accountability, but the law must continuously change to keep up with the times. Continuous legislation, active law enforcement capacity building and a cultural change in the levels of cyber hygiene is essential to protecting the nation from catastrophic cyberattacks.

 

 

“PRIME LEGAL is a National Award-winning law firm with over two decades of experience across diverse legal sectors. We are dedicated to setting the standard for legal excellence in civil, criminal, and family law.”

WRITTEN BY: SHEEN.