Veritect Legal Intelligence · Regulatory desk

India's digital stack, tracked weekly.

DPDP Rules 2025, CERT-In Directions, IT Rules amendments, RBI & SEBI cyber frameworks, the Telecommunications Act 2023, and AI governance — each anchored to the Tier 1 gazette, circular or order that actually moves. Written for counsel and founders who need to act, not skim.

Every gazette read · Every circular tracked · Every rule sourced
Full library

12 articles across 6 pillars.

Updated as new rules land
01
Weekly Tracker · 26 Apr 2026

Digital Law Tracker — Week 17, 2026 (20–26 Apr)

India's digital-law week (20–26 April 2026) is quiet — no new primary notifications. The dominant thread is operationalisation of carryover rules: MeitY's Technology and Policy Expert Committee (constituted 18 April) begins work alongside the new AI Governance and Economic Group; intermediaries continue onboarding the SAHYOG portal under Gujarat HC's 10 April deepfake PIL order; and the DPDP Rules 2025 Rule 4 twelve-month consent-manager clock advances toward its 13 November 2026 trigger.

Veritect Legal Intelligence·9 min read
02
Compliance Playbook · Cybersecurity · 21 Apr 2026

CERT-In 6-Hour Cyber Incident Reporting — Step-by-Step SOP

Service providers, intermediaries, data centres, body corporates and government organisations in India must report any of twenty listed cyber incident types to CERT-In within 6 hours of noticing, under the 28 April 2022 Directions issued under Section 70B(6) of the Information Technology Act, 2000. Non-compliance attracts imprisonment up to one year and/or a fine up to one lakh rupees under Section 70B(7).

Veritect Legal Intelligence·22 min read
03
Regulatory Explainer · Cybersecurity · 21 Apr 2026

CERT-In SBOM, AIBOM, CBOM, QBOM & HBOM Guidelines v2.0 — Explainer

CERT-In's Technical Guidelines on SBOM, QBOM, CBOM, AIBOM and HBOM (version 2.0, October 2024, reference CISG-2024-02) set India's canonical baseline for software, quantum, cryptographic, AI and hardware bills of materials. The Guidelines apply across the public sector, essential services, organisations providing services to government, and software exporters, and are expected to be contractually cascaded by the RBI, SEBI and IRDAI cyber frameworks. Minimum SBOM data fields mirror the NIST minimum elements (July 2021); AIBOMs additionally cover training-data provenance, model cards, and intended-use constraints.

Veritect Legal Intelligence·11 min read·CERT-In Technical Guidelines on SBOM, QBOM, CBOM, AIBOM and HBOM — version 2.0
04
Compliance Playbook · Data Protection · 21 Apr 2026

Cross-Border Data Transfer Under DPDP — Compliance SOP

Section 16 of the Digital Personal Data Protection Act, 2023 read with Rule 15 of the DPDP Rules, 2025 (G.S.R. 846(E), 13 November 2025) permits transfer of personal data of Indian data principals outside India unless the Central Government restricts transfer to a specific country or class of entities — a blacklist / negative-list model. Sectoral localisation (RBI payment data, SEBI CSCRF, IRDAI, UIDAI Aadhaar) continues to apply independently. Non-compliance with Section 8(5) safeguards on cross-border data attracts penalty up to ₹250 crore.

Veritect Legal Intelligence·16 min read
05
Compliance Playbook · Cybersecurity · 21 Apr 2026

RBI IT Governance Master Direction 2023 — Board Compliance Playbook

The RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices dated 7 November 2023 (effective 1 April 2024) requires every Regulated Entity — scheduled commercial banks (excluding RRBs), small finance banks, payment banks, select NBFCs, primary urban, state and central cooperative banks, and All India Financial Institutions — to constitute a board-level IT Strategy Committee, appoint a CIO and CISO, operate a documented IT risk framework, run periodic information security audits, and file an annual IT assurance certification. Non-compliance invites supervisory action and monetary penalty under Section 47A of the Banking Regulation Act, 1949.

Veritect Legal Intelligence·16 min read
06
Compliance Playbook · Fintech & Payments · 21 Apr 2026

SEBI CSCRF Compliance Playbook — 12-Step SOP for REs

SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), notified by circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024, requires every SEBI-regulated entity to self-classify into one of five maturity categories (MII, Qualified RE, Mid-size, Small-size, Self-certification), stand up a NIST CSF-aligned Govern/Identify/Protect/Detect/Respond/Recover control set, appoint a CISO, onboard a SOC or the NSE/BSE Market-SOC, meet 3-month VAPT closure and 1-week high-severity patch timelines, maintain a 2-hour RTO and 15-minute RPO, and submit an annual CERT-In-empanelled cyber audit. Implementation deadline was 30 June 2025 for existing cyber-framework REs; FY 2025-26 is the first full audit cycle.

Veritect Legal Intelligence·15 min read
07
Regulatory Explainer · AI Governance · 10 Feb 2026

IT Rules 2026 Synthetic Media Amendment — Labelling, Metadata, 3-Hour Takedown

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026 (G.S.R. 120(E), notified 10 February 2026, effective 20 February 2026) introduce a binding definition of 'synthetically generated information' (Rule 2(1)(wa)) and impose labelling, embedded-metadata, user-declaration and three-hour takedown obligations on intermediaries, significant social media intermediaries and AI-generative platforms. Non-compliance costs Section 79 safe harbour under the Information Technology Act, 2000.

Veritect Legal Intelligence·13 min read·IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026 — Synthetic Media
08
Regulatory Explainer · Data Protection · 13 Nov 2025

DPDP Rules 2025 — Phased Rollout and Data Fiduciary Duties

The Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E), notified 13 November 2025) operationalise India's DPDP Act, 2023 through three phases. Rules 1, 2 and 17-21 (definitions and Data Protection Board setup) are in force from 13 November 2025. Rule 4 (Consent Manager registration) commences 13 November 2026. Rules 3, 5-16, 22 and 23 (notice, consent, rights, SDF obligations, cross-border transfer, children's data) commence 13 May 2027.

Veritect Legal Intelligence·16 min read·Digital Personal Data Protection Rules, 2025
09
Regulatory Explainer · Platforms & Intermediaries · 23 Oct 2025

IT Rules 2025 Amendment: Rule 3(1)(d) Takedown Overhaul

The IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2025, notified by MeitY on 23 October 2025 and effective 15 November 2025, rewrite Rule 3(1)(d): only a Joint Secretary-level officer (or a Deputy Inspector General of Police for police authorities) can now direct intermediaries to remove unlawful content, by a reasoned intimation that specifies the statutory basis, the nature of the unlawful act and the exact URL, with monthly review at Secretary level.

Veritect Legal Intelligence·11 min read·IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2025 — Rule 3(1)(d)
10
Regulatory Explainer · AI Governance · 1 Mar 2024

MeitY AI Advisory, 1 March 2024 — What It Did and Still Signals

The Ministry of Electronics and Information Technology's AI Advisory dated 1 March 2024 directed all intermediaries and platforms to obtain explicit Government of India permission before deploying under-tested or unreliable AI, Generative AI or Large Language Models in India, label outputs and trace deepfakes. MeitY softened the permission requirement on 15 March 2024 but retained labelling, consent and traceability obligations tied to intermediary safe harbour under Section 79 of the Information Technology Act, 2000.

Veritect Legal Intelligence·12 min read·MeitY Advisory dated 1 March 2024
11
Regulatory Explainer · Telecom & Emerging Tech · 24 Dec 2023

Telecommunications Act, 2023 — Overview for Digital Practice

The Telecommunications Act, 2023 (Act 44 of 2023) received Presidential assent on 24 December 2023 and replaces the Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933 and the Telegraph Wires (Unlawful Possession) Act, 1950. Section 3 introduces an authorisation regime in place of the licence regime; Section 4 permits administrative assignment of spectrum; Sections 20, 22 and 24 vest the Union Government with interception, public-emergency and critical-telecommunication-infrastructure powers. The first tranche of sections commenced on 26 June 2024.

Veritect Legal Intelligence·14 min read·The Telecommunications Act, 2023 (Act 44 of 2023)
12
Regulatory Explainer · Data Protection · 11 Aug 2023

DPDP Act 2023 — Core Obligations for Data Fiduciaries

The Digital Personal Data Protection Act, 2023 (Act 22 of 2023, assented 11 August 2023) imposes seven core obligations on every Data Fiduciary handling personal data of data principals in India: lawful consent and notice (Sections 5-6), purpose limitation, accuracy, security safeguards, 72-hour breach notification, retention limits and grievance redressal (Section 8), and seven data-principal rights (Sections 11-14). Significant Data Fiduciaries bear additional DPIA, audit and DPO duties under Section 10. Maximum penalty: Rs. 250 crore per contravention.

Veritect Legal Intelligence·14 min read·Digital Personal Data Protection Act, 2023