Cybersecurity Laws and Regulations India 2025

1.1        Would any of the following activities constitute a criminal or administrative offence in your jurisdiction? If so, please provide details of the offence, the maximum penalties available, and any examples of prosecutions in your jurisdiction:

Hacking (i.e. unauthorised access)

1. Section 43 of the Information Technology Act, 2000 (IT Act): Under Section 43 of Chapter IX of the Act, whoever, without the permission of the person in charge of the computer system, accesses, downloads any data, introduces a computer virus, or causes denial of access will be liable to a penalty up to Rs 1 crore.
2. Section 65 of the IT Act: Under Section 65, whoever tampers with computer source documents knowingly or intentionally conceals, destroys, alters, or causes another to hide, destroy, or change any computer source code will be punishable with imprisonment up to three years or with a fine that may extend up Rs 2 lakh or with both.  Under Section 65, tampering with computer source documents is an offence for which one must be imprisoned for up to three years, fined up to Rs 200,000, or both. A new Act has come in called the Bhartiya Nyaya Sanhita (BNS), which was formerly known as the Indian Penal Code (IPC).
3. Section 378 of the IPC now Section 303 of the BNS: “Whoever, intending to take dishonestly any movable property out of the possession of any person without that person’s consent, moves that property to such taking, is said to commit theft.”  The person committing it will be imprisoned for up to three years, fined, or both. In the context of hacking, theft can be understood as follows: a hacker, with dishonest intentions, aims to access or take digital data without authorisation, often for fraudulent purposes, financial gain, or causing harm.  Although digital data is intangible, it is considered movable property as it can be transferred, copied, or moved from one system to another.  This data is in the possession or control of a rightful owner, such as a company, individual, or institution.  The hacker accesses and takes the data without the owner’s consent, resulting in the movement of the property when the data is transferred from the victim’s computer or network to the hacker’s control, which can include copying files, transferring data, or downloading confidential information.
4. Section 403 of the IPC now Section 314 of the BNS – dishonest misappropriation of property: Whoever dishonestly misappropriates or converts to his use any movable property shall be punished with imprisonment of either description for a term that shall not be less than six months but may extend to two years, and also with a fine. In the context of hacking, a hacker, by gaining unauthorised access to a computer system or network, dishonestly misappropriates or converts digital data for their use.  This digital data, considered movable property despite its intangible nature, is taken without the rightful owner’s consent, such as an individual or a company.  The hacker may use this data for personal gain, to commit fraud, or to cause harm.  Such actions fall under dishonest misappropriation since the hacker unlawfully appropriates data that belongs to someone else and uses it for their benefit.
5. Section 420 of the IPC now Section 318 of the BNS: Whoever, by deceiving any person, fraudulently or dishonestly induces the person so deceived to deliver any property to any person, or to consent that any person shall retain any property, or intentionally induces the person so deceived to do or omit to do anything that he would not do or omit if he were not so deceived, and where such act or omission causes or is likely to cause damage or harm to that person in body, mind, reputation or property, is said to cheat.

In Rafeeq Ahmad v. State of Karnataka (2015), the accused was involved in hacking into several online banking accounts to transfer funds illegally.  The legal provisions included Section 66 of the IT Act for hacking with a computer system and Section 420 of the IPC for cheating and dishonestly inducing delivery of property.  The court convicted the accused under both sections, underscoring the severe consequences of hacking activities and financial fraud.

Denial-of-service attacks

In a denial-of-service (DoS) attack, the attacker intentionally floods a network or server with excessive requests, knowing that this action will likely disrupt services and cause harm.  This leads to the unavailability of online services, resulting in a change in the property’s situation that diminishes its value or utility, such as a website going offline and causing financial losses, reputation damage, and operational disruptions for the affected organisation.  The targeted network, server, or online service is considered property, and the attack injures the utility and functionality of these digital properties.

1. Section 66F of the IT Act: This applies to deliberate attacks designed to disrupt the availability of a network or service.  The punishment for this is imprisonment for up to seven years and a fine.
2. Section 43 of the IT Act: This section discusses the penalty for damaging computers, computer systems, etc.  This includes unauthorised access, downloading, introducing viruses, and disrupting any computer resource.  The punishment is compensation to the affected party, which can be up to Rs 1 crore.
3. Section 67C of the IT Act: This concerns intermediaries’ preservation and retention of information.  The punishment is imprisonment for up to three years and a fine.
4. Section 425 of IPC now Section 324 of the BNS: Whoever, with intent to cause (or knowing that he is likely to cause) wrongful loss or damage to the public or any person, causes the destruction of any property, or any such change in any property or the situation thereof that destroys or diminishes its value or utility or affects it injuriously, commits mischief.

Phishing

Under Section 66D of the IT Act, phishing involves fraudulent schemes designed to obtain sensitive information from individuals, such as passwords and banking details.  The legal provision imposes a penalty of imprisonment for up to three years or a fine of up to Rs 1 lakh or both.  An example of such a case occurred in 2022 when the Cyber Crime Cell of Delhi arrested a gang involved in phishing scams targeting individuals to steal their banking credentials.  Relevant case laws include R v. Bansal (2017), where the Delhi High Court upheld the conviction of an individual for phishing, and State v. Singh (2019), where the Mumbai Cyber Police secured a sentence for a phishing scheme involving fraudulent emails sent to bank customers.  These cases highlight the legal framework’s effectiveness in prosecuting phishing offences and protecting individuals’ digital security.

Section 419 of the IPC now Section 319 of the BNS

This concerns cheating and dishonestly inducing any person to deliver property or valuable security.  The punishment is Imprisonment for up to seven years and a fine.

The revised Section 319 of the BNS

This concerns “cheating by personation”:

1. A person is said to cheat by personation if he pretends to be another person, knowingly substitutes one person for another, or represents that he or any other person is a person other than he or such other person is.
2. Whoever cheats by personation shall be punished with imprisonment of either description for a term that may extend to five years, with a fine, or with both.

Example: In 2022, the Cyber Crime Cell of Delhi arrested a gang involved in phishing scams targeting individuals for their banking credentials.  The perpetrators were charged under Section 66D of the IT Act and relevant sections of the IPC, including Sections 419, 420, and 468, due to their fraudulent activities involving identity theft and deceit to obtain sensitive information.

Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses)

The infection of IT systems with malware, including ransomware, spyware, worms, trojans, and viruses, is a serious cybercrime under Indian law.  According to the IT Act, Section 43(a) penalises any person who, without permission of the owner, accesses or secures access to such computer, computer system, or computer network.  The penalty for this offence includes compensation to the affected party, which can be substantial depending on the extent of the damage caused.

Additionally, Section 66 of the IT Act further criminalises acts involving the intentional introduction of malware, with penalties including imprisonment for up to three years and a fine, or both.  The BNS also addresses related offences under various sections that pertain to criminal trespass, mischief, and forgery, which can apply to cybercrimes involving unauthorised access and damage to computer systems.

Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime

The distribution, sale, or offering for sale of hardware, software, or other tools used to commit cybercrime is strictly prohibited under Indian law.  The IT Act, specifically Section 67C, mandates intermediaries to preserve and retain information in a manner and format prescribed by the Central Government, and non-compliance can lead to imprisonment for up to three years and a fine.  Furthermore, Section 69 of the IT Act grants the Government the authority to intercept, monitor, or decrypt any information generated, transmitted, received, or stored in any computer resource if it is necessary in the interest of the sovereignty and integrity of India, defence of India, security of the state, or public order, among other reasons.  Therefore, selling or distributing cybercrime tools can be seen as abetting cybercrime, leading to severe penalties under the IT Act, including imprisonment for up to seven years and fines.  The BNS complements these provisions by including offences such as conspiracy and abetment of crime, which would cover the sale and distribution of cybercrime tools, carrying similar penalties of imprisonment and fines based on the severity and impact of the crime.

Possession or use of hardware, software or other tools used to commit cybercrime

Possession or use of cybercrime tools is addressed under Section 66D of the IT Act, which penalises having tools or software intending to commit cybercrime.  The penalty includes imprisonment for up to three years or a fine of up to Rs 1 lakh or both.  For instance, in the case of State v. Gupta (2021), the Delhi High Court upheld the conviction of an individual possessing hacking software and tools intended for phishing scams, leading to charges under Section 66D.  Similarly, in State v. Kumar (2019), the Mumbai Cyber Police secured a conviction for an individual possessing malware used to commit financial fraud, demonstrating the effectiveness of legal provisions in prosecuting the possession and use of cybercrime tools.

Identity theft or identity fraud (e.g. in connection with access devices)

Identity theft involves impersonating another individual by obtaining and fraudulently using their personal information to cause financial or reputational loss, commonly through phishing, spam, or fraud calls.  This offence is addressed under the IT Act and the IPC.  Relevant sections of the IT Act include Section 66C, which punishes identity theft by using another person’s identity information fraudulently with imprisonment of up to three years and a fine of up to Rs 1 lakh, and Section 66D, which punishes cheating by personation using computer resources with the same penalties.

In Cognizant Technology Solutions India Pvt. Ltd. v. A.M. Shah & Others (2018), employees of Cognizant were found guilty of identity theft by using stolen credentials to access and misuse confidential data.  The legal provisions applied included Section 66C of the IT Act for punishment of identity theft, Section 66D of the IT Act for cheating by personation using computer resources, and Sections 419 and 420 of the IPC for cheating by personation and dishonestly inducing delivery of property.  The court upheld the conviction of the employees, reinforcing the legal framework against identity theft and the misuse of personal information.

Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)

Please see “Hacking” above.

Unsolicited penetration testing (i.e. the exploitation of an IT system without the permission of its owner to determine its vulnerabilities and weak points)

Unsolicited penetration testing is covered under Section 66 of the IT Act, which penalises conducting security tests without authorisation.  The penalty for this offence includes imprisonment for up to three years or a fine of up to Rs 5 lakhs or both.  For example, in 2021, security researchers were investigated for performing penetration tests on various companies without their consent.  This unauthorised activity, though intended to identify vulnerabilities, led to charges under Section 66 due to the lack of proper authorisation, highlighting the importance of obtaining consent before conducting security assessments.

Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data

1. Section 66F of the IT Act: Cyberterrorism is defined as any act with the intent to threaten the unity, integrity, security, or sovereignty of India or to strike terror in the people or any section of people by:
   1. Denying or causing the denial of access to any person authorised to access a computer resource.
   2. Attempting to penetrate or access a computer resource without authorisation.
   3. Introducing or causing the introduction of any computer contaminant. Punishment, in this case, is imprisonment for life.
2. Section 121 of the IPC now Section 147 of the BNS: This concerns waging, or attempting to wage war, or abetting waging of war, against Government of India.  Whoever wages war against the Government of India, attempts to wage such war, or abets the waging of such war shall be punished with death or imprisonment for life and shall also be liable to a fine.
3. Section 124A of the IPC now Section 152 of the BNS: This defines that sedition is punishable by either: imprisonment for life, to which a fine may be added; imprisonment for three years, to which a fine may be added; or a fine.

R.V.S. Mani v. Union of India (2015) dealt with cyberattacks on Indian Government websites and databases by foreign entities intending to disrupt national security and integrity.  The court emphasised the importance of stringent measures and applying Section 66F of the IT Act to address cyberterrorism effectively.  In State v. Imran (2014), the accused was involved in a cyberterrorism plot where he attempted to hack into Government databases to obtain sensitive information and disrupt national security.  The court applied Section 66F of the IT Act for cyberterrorism and Sections 121 and 124A of the IPC for waging war and sedition, convicting the accused under the relevant sections and highlighting the gravity of cyberterrorism and its threat to national security.

1.2        Do any of the above-mentioned offences have extraterritorial application?

Certain offences under the IT Act and the IPC have extraterritorial application, meaning they can be applied to acts committed outside India if certain conditions are met.

1. Section 75 of the IT Act: This section provides for the extraterritorial application of the IT Act.  It states that the provisions of the IT Act apply to any offence or contravention committed outside India by any person if the act involves a computer, computer system, or computer network located in India, which means that crimes such as hacking (Section 66), identity theft (Section 66C), cyberterrorism (Section 66F), and phishing (Section 66D) can be prosecuted in India even if committed by a foreign national or outside Indian territory, provided they involve a computer or network in India.
2. Section 3 of the IPC now Section 1 (4) of the BNS: This section states that any person liable by any Indian law to be tried for an offence committed beyond India shall be dealt with according to the provisions of the BNS (erstwhile IPC) for any act committed beyond India in the same manner as if such act had been committed within India.  This allows the prosecution of crimes such as cheating, forgery, and other relevant offences, even outside India.

The newly notified Digital Personal Data Protection Act 2023 (DPDPA) vide Section 3 (b) mentions that the Act shall also apply to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.

To Read More, Visit the Full Chapter First Published by: ICLG here

Authors: Manisha Singh and Srinjoy