BharatNotes
What is India's Cybersecurity Framework?
India's cybersecurity framework is a multi-layered institutional and legal architecture designed to protect the nation's digital infrastructure, critical information systems, and citizen data. The framework operates under the Information Technology Act, 2000 (amended 2008) and is anchored by two key bodies: CERT-In (Indian Computer Emergency Response Team) as the national nodal agency for cybersecurity incident response, and NCIIPC (National Critical Information Infrastructure Protection Centre) for protecting critical information infrastructure (CII).
CERT-In, established in 2004 under Section 70B of the IT Act, operates under MeitY and is responsible for collecting, analysing, and disseminating information on cyber incidents, issuing advisories, and coordinating responses. NCIIPC, established on 16 January 2014 under Section 70A of the IT Act, functions under the National Technical Research Organisation (NTRO) and protects CII sectors including power, banking, telecom, transport, health, and strategic enterprises.
The government released the National Cybersecurity Reference Framework (NCRF) and the Cybersecurity Policy 2025 to address evolving threats from ransomware, state-sponsored attacks, and supply chain vulnerabilities.
Key Institutional Architecture
India's cybersecurity governance involves multiple agencies with distinct mandates. CERT-In handles incident response for non-critical systems and issues binding directions on reporting and compliance. NCIIPC focuses exclusively on protecting critical infrastructure sectors. The National Cyber Coordination Centre (NCCC) under CERT-In performs real-time threat monitoring of internet traffic metadata. The Defence Cyber Agency (DCyA), established in 2018 under the Integrated Defence Staff, handles military cyber operations. The Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs coordinates cybercrime investigation and reporting through the National Cybercrime Reporting Portal (cybercrime.gov.in).
At the policy level, the National Security Council Secretariat (NSCS) provides overarching coordination, while the Data Protection Board of India (constituted under DPDPA 2023) adjudicates data breach complaints.
Key Features
| # | Feature | Details |
|---|---|---|
| 1 | CERT-In | National nodal agency (MeitY); incident response, advisories, 6-hour reporting mandate |
| 2 | NCIIPC | CII protection (under NTRO); sectors: power, banking, telecom, transport, health |
| 3 | Legal Basis | IT Act, 2000 (Sections 70A, 70B); DPDPA 2023 for data protection |
| 4 | CERT-In Directions 2022 | 6-hour incident reporting; VPN/crypto log retention; synchronized clocks |
| 5 | NCRF | National Cybersecurity Reference Framework — strategic guidance for all sectors |
| 6 | Cyber Swachhta Kendra | Botnet cleaning and malware analysis centre (under CERT-In) |
| 7 | Skilling Target | 500,000 cybersecurity professionals in 5 years (Cybersecurity Policy 2025) |
Current Status / Latest Data
- CERT-In Audit Rules (2025): Enforcement of mandatory cybersecurity audits for organisations under CERT-In oversight began July 2025, tightening compliance.
- Cybersecurity Policy 2025: Aims to train 500,000 cybersecurity professionals in 5 years; integrates cybersecurity into school and university curricula.
- India Space Cyber Security Framework 2026: Jointly released by CERT-In and SIA-India to protect India's space assets including satellites, ground stations, and supply chains from cyber threats.
- DPDPA 2023 Rules: The Digital Personal Data Protection Act's 2025 draft rules set standards for data protection, breach notification, and consent management.
- Incident Reporting: Companies must report cyber incidents to CERT-In within 6 hours (as per April 2022 directions); the 2025 policy further tightens response timelines.
- Threat Landscape: India faced over 15 lakh cybersecurity incidents in 2024 (CERT-In data), with critical infrastructure increasingly targeted.
UPSC Exam Corner
Prelims: Key Facts
- CERT-In: Established 2004, under Section 70B of IT Act, under MeitY
- NCIIPC: Established 16 January 2014, under Section 70A of IT Act, under NTRO
- CII sectors: Power, Banking, Telecom, Transport, Health, Strategic/Public Enterprises
- Incident reporting deadline: 6 hours (CERT-In Directions, April 2022)
- Cyber Swachhta Kendra: Botnet cleaning centre under CERT-In
- DPDPA 2023: India's data protection law; replaces earlier IT Act rules
- NCRF: National Cybersecurity Reference Framework for strategic guidance
- Defence Cyber Agency (DCyA): Military cyber operations (est. 2018)
- I4C: Indian Cyber Crime Coordination Centre under MHA
- Cybercrime Reporting Portal: cybercrime.gov.in
- NCCC: National Cyber Coordination Centre for real-time threat monitoring
- India faced over 15 lakh cybersecurity incidents in 2024
Mains: Probable Themes
- "Critically examine India's institutional framework for cybersecurity — is it adequate for emerging threats?"
- "Discuss the challenges in protecting Critical Information Infrastructure in India." — NCIIPC mandate, sector-specific gaps
- "Evaluate the CERT-In 2022 Directions on incident reporting — impact on startups, privacy, and compliance."
- "India needs a dedicated cybersecurity law, not scattered provisions under the IT Act. Discuss."
- "Analyse the intersection of data protection (DPDPA 2023) and national cybersecurity — complementary or conflicting?"
- "Discuss the significance of space cybersecurity in the context of India's expanding space assets." — CERT-In/SIA-India framework 2026
Sources: NCIIPC Official | Chambers — Cybersecurity India 2026 | Carnegie — India Cybersecurity 2025 | UpGuard — India Cybersecurity Regulations 2026
