TL;DR for founders
From 15 November 2025, only a very senior government or police officer can tell your platform to remove user content. Joint Secretary (or equivalent) for civil authorities; Deputy Inspector General of Police (DIG) for police. The officer must send a reasoned intimation citing the specific statute, the specific unlawful act and the specific URL. Monthly review at Secretary level is mandatory. First step: update your takedown SOP to (a) validate the sender's rank, (b) log the statutory provision invoked, (c) refuse vague or URL-less intimations.
What Rule 3(1)(d) now requires
The Ministry of Electronics and Information Technology ('MeitY') notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2025 ('Amendment Rules 2025') on 23 October 2025, with effect from 15 November 2025. The Amendment Rules 2025 rewrite the operative paragraph of Rule 3(1)(d) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ('IT Rules 2021'), which contains the due-diligence obligation on intermediaries to act on unlawful information.
The PIB explanatory release dated 23 October 2025 (Release ID 2181719) identifies four operative changes:
- Senior-level authorisation. An intimation to an intermediary for removal of unlawful information can now only be issued by "a senior officer not below the rank of Joint Secretary, or equivalent, or, where such rank is not appointed, a Director or an officer equivalent in rank — and, where so authorised, acting through a single corresponding officer in its authorised agency, where such agency is so appointed." For police authorities, the issuing officer must be "not below the rank of Deputy Inspector General of Police (DIG), specially authorised."
- Reasoned intimation with specific details. The intimation must "clearly specify the legal basis and statutory provision, the nature of the unlawful act, and the specific URL/identifier or other electronic location of the information, data or communication link … to be removed." The word "notification" that appeared in the prior Rule 3(1)(d) has been replaced with "reasoned intimation" — an express alignment with the "actual knowledge" standard in Section 79(3)(b) of the Information Technology Act, 2000 ('IT Act').
- Periodic review mechanism. All intimations issued under the amended Rule 3(1)(d) are subject to a "monthly review by an officer not below the rank of Secretary of the Appropriate Government."
- Balance of rights and responsibilities. The amendment expressly acknowledges the need to "strike a balance between the constitutional rights of citizens and the legitimate regulatory powers of the State", a formulation that echoes the proportionality test applied in Shreya Singhal v. Union of India, (2015) 5 SCC 1 ('Shreya Singhal').
The amendment chain — IT Rules 2021 to date
| # | Instrument | Effective date | Core change |
|---|---|---|---|
| 1 | IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (G.S.R. 139(E)) | 25 February 2021 | Base Rules — due-diligence obligations (Rule 3), grievance officer, significant social-media intermediary thresholds, Code for digital news publishers |
| 2 | IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2022 | 28 October 2022 | Grievance Appellate Committee mechanism; tightened Rule 3(1)(a) and (b) due-diligence language |
| 3 | IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023 | 6 April 2023 | Consolidated text; online-gaming self-regulatory body provisions; fact-check unit for Union Government information (subsequently struck down in Kunal Kamra v. Union of India, Bombay HC, 20 September 2024) |
| 4 | IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2025 | 15 November 2025 | Rewrite of Rule 3(1)(d): Joint Secretary / DIG threshold; reasoned intimation; monthly Secretary-level review |
| 5 | IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026 (Synthetic Media) | 20 February 2026 | Insertion of synthetic-media / deepfake labelling obligations in Rule 3(1)(b); notified 10 February 2026 |
Who is bound
The amended Rule 3(1)(d) binds every "intermediary" as defined in Section 2(1)(w) of the IT Act. The category is deliberately broad and captures three practically distinct tiers:
- Intermediaries — every entity that receives, stores or transmits an electronic record on behalf of another. Includes cloud hosts, email providers, B2B SaaS platforms with UGC surfaces, marketplaces, payment aggregators to the extent they relay customer messages, and file-sharing services.
- Social Media Intermediaries ('SMIs') — intermediaries that enable online interaction between two or more users (Rule 2(1)(w) IT Rules 2021).
- Significant Social Media Intermediaries ('SSMIs') — SMIs with more than 50 lakh registered users in India (Rule 2(1)(v) IT Rules 2021). Additional obligations under Rule 4 (Chief Compliance Officer, Nodal Contact Person, Resident Grievance Officer, periodic compliance report, physical contact address in India, first-originator traceability under Rule 4(2) for messaging intermediaries) continue unchanged.
- Digital news publishers and OTT curated-content publishers are regulated under Part III of the IT Rules 2021 (Code of Ethics, three-tier grievance mechanism). The Rule 3(1)(d) amendment does not directly rewrite their Part III obligations but affects them indirectly because Rule 3 binds the hosting intermediary through which they publish.
No intermediary is out of scope because of its size or its place of incorporation. A foreign-incorporated platform with users in India is equally bound — a position affirmed by the Karnataka High Court in X Corp v. Union of India, Writ Petition No. 13710 of 2022 (pending appeal).
SAHYOG Portal — the administrative wiring
The Rule 3(1)(d) amendment does not, in terms, reference the SAHYOG Portal. However, the practical pipeline through which the newly senior-authorised intimations will reach intermediaries is SAHYOG — the single-window platform stood up by the Indian Cyber Crime Coordination Centre ('I4C') under the Ministry of Home Affairs to route takedown requests and data-disclosure orders from designated Union and State law-enforcement nodal officers. The expectation communicated by MeitY and I4C in the 2025 consultation cycle is that:
- Joint Secretary / DIG-rank authorised officers will be on-boarded as credentialled senders on SAHYOG;
- Intermediaries will receive intimations through SAHYOG with the mandated specification fields pre-populated (legal basis, statutory provision, nature of unlawful act, URL/identifier);
- A structured audit log will be preserved for the monthly Secretary-level review.
SAHYOG itself is under constitutional challenge. The Bombay High Court is seized of Kunal Kamra v. Union of India (writ challenging SAHYOG + the IT Rules 2025 amendment) and the Karnataka High Court continues to hear X Corp on overlapping grounds. Platforms should treat SAHYOG compliance as provisional — maintain parallel paper-trail records for every SAHYOG intimation received, so that the platform can evidence good-faith compliance if the portal is later read down.
Takedown timelines — the amendment does not move the 36-hour clock
The amended Rule 3(1)(d) preserves the Rule 3(2)(b) IT Rules 2021 timeline: the intermediary must "remove or disable access" to the notified information "as soon as possible, but in no case later than thirty-six hours from the receipt of the court order or on being notified by the Appropriate Government or its agency." What the amendment changes is the front end — who can notify and how. It does not shorten the 36-hour window.
Three adjacent timelines remain relevant:
| Obligation | Timeline | Source |
|---|---|---|
| Removal after court order / reasoned intimation under Rule 3(1)(d) | 36 hours | Rule 3(2)(b) IT Rules 2021 |
| Removal of non-consensual intimate imagery / deepfake-of-private-person (Rule 3(2)(b)(i)) | 24 hours from grievance | Rule 3(2)(b) IT Rules 2021 |
| Cyber-incident reporting to CERT-In | 6 hours from "noticing" | Direction No. (ii) CERT-In Directions dated 28 April 2022 |
Expanded "unlawful information" — or a narrowed one?
The prior Rule 3(1)(d) obliged intermediaries to remove any "information" that is "unlawful" upon receiving "actual knowledge" through a court order or notification. The amended text does not add new categories of "unlawful" content. What it does is discipline the mode of communication — by tying the "notification" leg of actual knowledge to a reasoned intimation issued by a Joint Secretary-rank (or DIG-rank) officer, the amendment narrows the class of communications that can create "actual knowledge" for Section 79(3)(b) purposes. This is an important shift. Prior to 15 November 2025, there was no statutory lower-bound on the rank of officer whose notification would bind an intermediary; the amendment inserts one.
Interaction with Shreya Singhal — does Rule 3(1)(d) survive?
The Shreya Singhal test for takedown provisions has two prongs:
- Section 79(3)(b) IT Act must be read down to mean that an intermediary's "actual knowledge" arises only from a court order or an order from "the appropriate Government or its agency" (Paragraphs 117-118, Shreya Singhal).
- The categories of content subject to takedown must be tethered to Article 19(2) grounds and must not be vague or over-broad (Paragraphs 82-83, striking down Section 66A IT Act).
The 2025 amendment strengthens the first prong — the Joint Secretary / DIG rank threshold and the "reasoned intimation" formula operationalise the Shreya Singhal read-down. The second prong is where litigation risk concentrates. Because the amended Rule 3(1)(d) does not enumerate the "unlawful" categories itself (it refers back to the underlying statute), the constitutionality of a specific takedown will turn on the underlying statute invoked. Where law-enforcement officers invoke vague provisions (e.g., a state-law public-order offence drawn broadly), intermediaries have a credible argument that the intimation fails Shreya Singhal and, on that ground, does not trigger Rule 3(2)(b) obligations. Whether intermediaries feel able to run that argument in real time — rather than downstream in a writ — depends on their risk appetite and on the Bombay/Karnataka High Court rulings due in 2026.
Practical implications — advising a platform client
For general counsel drafting the platform takedown SOP, the amendment produces six concrete workflow changes:
- Sender-rank validation. The ingestion queue must validate the designation of the issuing officer against a current list of Joint Secretary-equivalent / DIG-authorised officers, and log the validation outcome. A vendor-provided SAHYOG connector is not a substitute for this check.
- Statutory-provision logging. Every accepted intimation must have a populated "statutory provision" field. An intimation that cites only a generic "unlawful under Indian law" formula is defective under the amended Rule 3(1)(d) and should be returned for cure.
- URL specificity. The intimation must point to "the specific URL/identifier or other electronic location." Global category-level takedowns ("remove all posts about X") are textually unavailable under the amended Rule 3(1)(d) and should be escalated.
- Section 79 preservation playbook. Because the amendment changes what counts as "actual knowledge", every non-compliant intimation that the platform chooses not to act on must be recorded with a written reason, retained for at least seven years, and annexed to the compliance officer's periodic Rule 4(1)(d) report. This preserves the Section 79 defence.
- Monthly review correspondence. The Secretary-level monthly review is a government-side obligation, but intermediaries should preserve a register of intimations received in a given month and offer to share the register on request. Platforms that do so will materially improve their position in any downstream proportionality review.
- Appellate strategy. Rule 3(1)(d) intimations are directly challengeable in writ jurisdiction. For high-stakes content (journalism, political speech, whistleblower posts), platforms should have a fast-lane protocol to notify the uploader, preserve content in cold storage, and (if the uploader elects) underwrite a writ challenge within the 36-hour window.
Enforcement and penalties
Non-compliance with Rule 3(1)(d) forfeits the Section 79(1) IT Act safe harbour for the specific content, which in turn exposes the intermediary to primary liability under the underlying statute. Depending on the content, that may be Section 294 / 356 Bharatiya Nyaya Sanhita, 2023 ('BNS'), Section 67 / 67A / 67B IT Act, Section 69A IT Act read with the IT (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, or state-law offences. Officer-in-default liability under Section 85 IT Act continues to apply. Separately, MeitY retains Section 79(2)(c) IT Act's residual power to direct compliance through the Rule 4 compliance officer apparatus. The appellate path for digital news publishers and OTT curated-content publishers continues to run through the Inter-Departmental Committee (Rule 14 IT Rules 2021) and, ultimately, writ review. There is as yet no specialised tribunal for Rule 3(1)(d) challenges.
Pending challenges — what to watch
Three cases will define how the amended Rule 3(1)(d) is applied in practice:
- X Corp v. Union of India (Karnataka High Court, W.P. No. 13710 of 2022) — ongoing challenge to Section 69A blocking orders and to the 'SAHYOG' administrative architecture. Judgment on the SAHYOG limb is awaited.
- Kunal Kamra v. Union of India (Bombay High Court, writ filed 2025) — direct challenge to the SAHYOG Portal and to the IT Rules 2025 amendment. The court held hearings on the issuing-officer seniority, vagueness and Article 19(1)(a) / 19(1)(g) grounds in Q1 2026.
- Editors Guild of India v. Union of India (Bombay High Court) — carry-over challenge to the (now struck-down) fact-check unit under Rule 3(1)(b)(v). Outcome informs how courts read "unlawful information" proxies going forward.
A platform's Rule 3(1)(d) SOP should accommodate outcomes in all three — in particular, it should be straightforward to raise the sender-rank-compliance threshold or to add an independent legality check if any of the High Courts reads further safeguards into the Rule.
Founder checklist
- Rewrite the takedown SOP by 30 June 2026 — add sender-rank validation, statutory-provision field, URL-specificity check, and a 'return-for-cure' path for defective intimations.
- Stand up a SAHYOG handler and a paper-trail handler — treat SAHYOG as provisional, preserve duplicate paper records of every intimation.
- Brief the Board by 31 July 2026 on Section 79 safe-harbour risk in light of the 15 November 2025 amendment; authorise the 36-hour escalation protocol.
- Calendar the Kamra and X Corp decisions — integrate the outcomes into the SOP within 30 days of each judgment.
- Budget for a writ-fast-lane — legal retainer sufficient to file a Rule 3(1)(d) challenge within 24 hours of a high-stakes intimation.
FAQ
Does the amended Rule 3(1)(d) apply to B2B SaaS platforms?
Rule 2(1)(w) of the IT Rules 2021 defines "intermediary" by reference to Section 2(1)(w) IT Act, which covers any entity that receives, stores or transmits an electronic record on behalf of another person. A B2B SaaS platform that hosts third-party content, exchanges user messages, or mediates user-generated files is an intermediary and is bound by the amended Rule 3(1)(d) from 15 November 2025.
What happens if a platform ignores a reasoned intimation issued under the amended Rule 3(1)(d)?
Non-compliance forfeits the Section 79(1) IT Act safe harbour with respect to the specific content, exposing the intermediary to primary liability under the underlying statute — for example, Section 294 / 356 BNS, Section 67A IT Act, or Section 69A IT Act read with the Blocking Rules, 2009 — and potential prosecution of officers in default under Section 85 IT Act.
Can a foreign-incorporated platform challenge Rule 3(1)(d) in Indian courts?
Yes. X Corp's W.P. No. 13710 of 2022 in the Karnataka High Court established that a foreign intermediary with a substantial Indian user base has locus to challenge Indian takedown directions. Rule 3(1)(d)'s "actual knowledge" tie to Section 79(3)(b) IT Act and the Shreya Singhal doctrine remain live constitutional touchstones.
How does Rule 3(1)(d) interact with the DPDP Act?
Rule 3(1)(d) governs takedown of unlawful user-generated content; the Digital Personal Data Protection Act, 2023 ('DPDP Act') governs processing of personal data. A removal order under Rule 3(1)(d) does not dispense with the data-fiduciary obligations under Sections 4 to 11 DPDP Act — intermediaries must preserve forensic copies of removed data only where required for law-enforcement cooperation and must not use the takedown as a pretext for further processing.
What is the relationship between the Rule 3(1)(d) amendment and the 10 February 2026 synthetic-media amendment?
They are separate amendment instruments. The 23 October 2025 amendment rewrites the Rule 3(1)(d) takedown mechanism across all unlawful content. The 10 February 2026 amendment adds a distinct synthetic-media obligation to Rule 3(1)(b) requiring labelling and originator-disclosure metadata for AI-generated content, effective 20 February 2026. A single deepfake incident may trigger both regimes in parallel.
Sources
- Press Information Bureau, Release ID 2181719 (23 October 2025): https://www.pib.gov.in/PressReleasePage.aspx?PRID=2181719
- IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (consolidated to April 2023): https://www.meity.gov.in/static/uploads/2024/02/Information-Technology-Intermediary-Guidelines-and-Digital-Media-Ethics-Code-Rules-2021-updated-06.04.2023-1-2.pdf
- Information Technology Act, 2000: https://www.indiacode.nic.in/handle/123456789/1999
- Gazette of India: https://egazette.gov.in/
- MeitY Acts and Policies page: https://www.meity.gov.in/documents/act-and-policies