Cybersecurity Regulations in India as of 2024
As India's digital landscape continues to expand rapidly, the need for robust cybersecurity measures across various sectors has become increasingly important. Different industries, including finance, healthcare, telecommunications, and critical infrastructure, have specific cybersecurity requirements governed by sector-specific regulations.
The Information Technology (IT) Act, 2000, is the primary legislation dealing with cybersecurity, data protection, and cybercrime. It grants statutory recognition and protection to electronic transactions and communications, aims to safeguard electronic data, and identifies punishable cyber offenses such as hacking, data theft, denial-of-service attacks, phishing, malware attacks, and identity fraud.
1. Banking, Financial, and Insurance Sector
- RBI Cyber Security Framework for Banks (2016): Mandates a comprehensive cybersecurity policy for banks, covering areas like incident response, access controls, and regular audits.
- RBI Guidelines on Digital Payments Security Controls (2021): Focuses on multi-factor authentication, encryption, and vulnerability assessments for digital payment systems.
- Data Localization Requirements (2018): Requires payment data to be stored locally within India for greater security.
- IRDAI Guidelines on Information and Cyber Security (2023): Applies to insurers and related entities, covering cybersecurity best practices.
2. Healthcare Sector
- Digital Information Security in Healthcare Act (DISHA): Aims to provide a framework for healthcare data protection, including penalties for breaches.
- Telemedicine Practice Guidelines (2020): Mandates secure communication channels and encryption for patient information in telemedicine services.
- Ayushman Bharat Digital Mission (ABDM) Guidelines: Provides regulatory frameworks for digital health data management and security.
3. Telecommunications Sector
- National Cyber Security Policy (2013): Secures telecom infrastructure with measures like audits and indigenous security equipment.
- Telecom Security Requirements (2021): Requires TSPs to adopt robust cybersecurity measures and maintain transaction logs for two years.
- Mandatory Testing and Certification of Telecom Equipment (2019): Ensures all telecom equipment undergoes security compliance testing.
- Telecommunications (Telecom Cyber Security) Rules (2024): Establishes guidelines for data collection, security, and incident reporting.
4. Critical Infrastructure Protection
Critical information infrastructure, such as power grids and defense systems, is protected under various laws and frameworks like Section 70 of the IT Act, 2000, and sector-specific guidelines.
5. E-Governance and Digital Services
- Guidelines for Indian Government Websites (GIGW): Provides a security framework for government websites and applications.
- CERT-In Guidelines: Enforces best practices for information security within government institutions.
6. Data Protection and Privacy Regulations
The Digital Personal Data Protection Act, 2023, regulates digital personal data processing, ensuring respect for individual data protection rights.
7. The Securities and Exchange Board of India
SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) (2024) outlines strategies for anticipating and countering cyber threats.
SEBI introduced the CSCRF for SEBI Regulated Entities (REs) through Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, dated August 20, 2024. The framework specifies the activities regulated entities must carry out for compliance and how frequently each is required.
Conclusion
India's sectoral cybersecurity regulations aim to protect sensitive data, ensure secure transactions, and safeguard critical infrastructure against cyber threats. With evolving challenges, regulatory bodies must continuously adapt to maintain a robust cybersecurity posture.
Advocate (Dr.) Prashant Mali is an International Cybersecurity Lawyer, Thought Leader, and Speaker. Contact him at +91 9821763157 or prashant.mali@cyberlawconsulting.com.