India’s cybersecurity ecosystem is grappling with significant structural weaknesses including an outdated national policy from 2013, absence of a legally accountable cyber regulator, and ineffective breach reporting consequences, according to multiple experts assessing the current landscape.
- India’s national cybersecurity policy has not been updated since 2013.
- CERT-In lacks legal accountability and enforcement powers.
- Companies face no penalties for failing to report or mishandling breaches.
What happened
Experts analyzing India’s cybersecurity framework highlight deep systemic faults, notably the outdated national cybersecurity policy last revised in 2013. The central agency, CERT-In, is widely criticized for its lack of teeth—it does not compel entities to fix reported vulnerabilities nor penalize non-compliance. This has led to a situation where security breach reports are collected but largely go unacted upon, sometimes with false claims of remediation.
Security researchers and industry insiders unanimously point out the absence of legal accountability mechanisms for CERT-In. The agency functions more as a passive data repository rather than an active regulator empowered by law. Such deficiencies contribute to widespread skepticism about CERT-In’s effectiveness and ongoing cybersecurity risks that remain unmitigated.
Why it matters
India’s growing digital economy and expanding online footprint make robust cybersecurity governance critical. Without a functional regulatory body empowered by statute, vulnerabilities remain hidden or unaddressed, exposing businesses, government services, and users to significant risk. The ineffectual response system undermines trust in national cybersecurity efforts and leaves key infrastructures vulnerable to exploitation.
The current setup discourages organizations from reporting incidents or cooperating fully with authorities, as there are no repercussions for non-disclosure and no assurance of confidentiality or follow-up. This climate limits the ability to coordinate timely and effective responses to emerging threats, potentially impacting national security, economic stability, and citizen privacy.
What to watch next
Experts suggest the urgent passage of a comprehensive cybersecurity law that mandates accountability and transparency for CERT-In. Models discussed include making CERT-In answerable either to Parliament or converting its functions to a public-interest institution similar to the US CERT Coordination Center, which operates outside direct government control but provides critical incident coordination.
Stakeholders will closely monitor government initiatives and legislative proposals aimed at overhauling India’s cyber regulatory framework. Effective reform should establish clear consequences for non-compliance, protocols for vulnerability disclosure, and a transparent mechanism that balances confidentiality with public awareness. The evolving approach to making CERT-In a truly service-oriented regulator will be pivotal.