
India’s digital regulatory architecture is undergoing a major structural transformation as the country seeks to align rapid digital expansion with stronger accountability, privacy protection, platform responsibility and user safety.
The emerging framework reflects a shift from a largely safe-harbour-based model to a more proactive system designed to address data governance, artificial intelligence, competition, cybersecurity, telecommunications and digital public infrastructure in an increasingly complex digital economy.
The Changing Regulatory Direction
- Structural transition: India is moving from a reactive digital regulatory model to a sovereign-led framework that aims to balance innovation with accountability. This shift is linked to the country’s broader ambition of building a $1 trillion digital economy.
- Rapid digital expansion: India’s digital ecosystem has expanded sharply, with over 800 million internet users and more than 460 million social media users. Nearly one-third of social media users are minors, which has heightened concerns around governance, safety and accountability.
- Rising governance concerns: Cyberbullying, sleep disruption and distorted self-image among youth have become increasingly documented concerns. At the same time, global scrutiny of algorithm-driven harms has reinforced the need to reassess engagement-based digital business models.
Core Statutory Framework
- Digital Personal Data Protection Act, 2023: The DPDP Act creates a consent-based privacy regime and places the Data Principal at the centre of the framework. It also establishes the Data Protection Board of India as a key enforcement institution.
- DPDP Rules, 2025: The Rules operationalise the DPDP Act by laying down procedures for consent notices, data breach reporting, grievance redressal and phased compliance. They were notified on 14 November 2025 and complete the transition from legal principle to procedural implementation.
- Information Technology Act, 2000: The IT Act remains the foundational law for India’s digital space, though it is being phased into the proposed Digital India Act. The proposed replacement is intended to address newer domains such as AI, blockchain, Web3 and modern cyber offences.
- Telecommunications Act, 2023: This law modernises legacy telegraph-era regulation while retaining strong sovereign powers relating to national security. It also simplifies administrative spectrum allocation and expands the legal basis for contemporary telecommunications governance.
- Bharatiya Nyaya Sanhita, 2023: The BNS replaces the IPC and introduces criminal liability for digital offences such as AI-driven impersonation and the spread of disinformation. It forms part of the wider legal restructuring of India’s digital governance regime.
- Digital Competition Bill and Competition Amendment Act, 2023: These measures seek to prevent digital market concentration by enabling ex-ante scrutiny of dominant firms and high-value mergers. Their focus is on preserving contestability and reducing the anti-competitive effects of platform dominance.
Digital Personal Data Protection Framework
- Citizen-centred privacy regime: The DPDP framework is designed as a citizen-centred system that gives equal importance to individual rights and lawful data processing. It seeks to make privacy regulation understandable, practical and easier to comply with.
- Foundational principles: The Act rests on seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability. These principles govern every stage of personal data processing.
- Rights of Data Principals: Individuals can give or refuse consent, seek information about the use of their data, access their personal data, request correction or updating, seek erasure in certain situations and nominate another person to act on their behalf. These rights are reinforced by the Rules, which require time-bound responses from Data Fiduciaries.
- Obligations of Data Fiduciaries: Data Fiduciaries must keep personal data safe, remain accountable for its use and issue separate, clear and easy-to-understand consent notices. They must also provide contact information for personal-data-related queries and comply with grievance redressal obligations.
- Breach notification requirements: Entities must report data breaches within seventy-two hours and affected individuals must be informed without delay in plain language. The communication must explain the incident, possible impact, remedial steps and contact information for assistance.
- Children’s data protection: Verifiable parental consent is mandatory for users under eighteen. The Rules mention verification methods such as DigiLocker or authorised digital tokens, while also providing exceptions where processing relates to essential services such as healthcare, education or real-time safety.
- Special protection for persons with disabilities: Where a person with disability cannot make legal decisions even with support, consent must be provided by a lawful guardian verified under the relevant legal framework. This extends the consent-based structure to vulnerable categories requiring supported decision-making.
- Cross-border data flows: The DPDP regime permits cross-border transfer of personal data unless a country has been specifically blacklisted by the government. This approach allows data mobility while preserving state control over restricted jurisdictions.
- Phased implementation timeline: The Rules introduce an eighteen-month compliance period and a staggered rollout. Institutional setup began on 14 November 2025, the Consent Manager ecosystem becomes effective on 14 November 2026 and core operational requirements take full effect on 13 May 2027.
- Data retention and grievance timelines: Platforms such as e-commerce or gaming sites are generally required to erase user data after three years of inactivity, having first given a forty-eight-hour warning. Data Fiduciaries must also respond to requests relating to access, correction, updating or erasure within a maximum of ninety days.
Institutional Architecture
- Whole-of-government approach: India’s digital governance architecture relies on multiple specialised institutions working across privacy, cybersecurity, telecom, competition and grievance redressal. This institutional design reflects a broad administrative approach rather than a single unified regulator.
- Role of MeitY: The Ministry of Electronics and Information Technology serves as the apex ministry for digital policy and AI governance. It also led the notification process for the DPDP Rules and conducted multi-city consultations involving startups, MSMEs, industry bodies, civil society groups, government departments and citizens.
- Data Protection Board of India: The Data Protection Board is established as a digital-first regulatory institution tasked with oversight, inquiries into breaches and corrective action. It is designed as a fully digital office with online complaint filing, mobile-based case tracking and an inquiry timeline of six months.
- Composition and location of the Board: The Rules establish the Board as a four-member body headquartered in the National Capital Region. Its digital structure is intended to support quicker decisions and easier grievance redressal.
- Appellate mechanisms: Appeals against decisions of the Data Protection Board will be heard by the Appellate Tribunal, TDSAT. In the wider content moderation system, Grievance Appellate Committees hear user appeals against platform moderation decisions.
- CERT-In and TRAI: CERT-In functions as the national agency for cybersecurity incident response and reporting, while TRAI regulates telecom services and in-building digital connectivity ratings. Both institutions are integral to India’s broader digital regulatory system.
Content Moderation And Platform Accountability
- Tightening intermediary obligations: India’s regulatory approach is moving away from blanket safe-harbour protections towards direct responsibility for platforms, especially in relation to misinformation, deepfakes and unlawful synthetic content. This marks a significant shift in platform accountability.
- Synthetic media labelling: The IT Amendment Rules notified in February 2026 target Synthetically Generated Information by requiring prominent platform-level labelling. Another formulation in the material specifies a watermark or label covering at least 10 per cent of the display area.
- Reduced takedown timelines: Social media platforms are required to remove certain categories of unlawful content within two to three hours, replacing the earlier windows of twenty-four to thirty-six hours. One part of the material sets an especially tight two-hour removal requirement for deepfake pornography.
- Three-tier grievance redressal: The IT Rules create a three-level redressal mechanism through which user complaints may move from the platform to industry bodies and finally to the Grievance Appellate Committee. This is intended to formalise remedies in online content disputes.
- Traceability requirement: Messaging platforms may be required to identify the first originator of a message on court order. This provision remains linked to ongoing concerns relating to privacy and encryption.
- Reclassification of intermediaries: The proposed Digital India Act moves away from a one-size-fits-all intermediary category and instead differentiates between cloud providers, social media platforms and gaming applications. This suggests a more tailored regulatory classification system.
- Digital news creators and influencers: Proposed 2026 changes may treat independent news creators and influencers as publishers, bringing them under ethics codes and direct takedown obligations. This would expand the scope of formal digital content regulation.
Competition And Big Tech Regulation
- Move towards ex-ante competition regulation: India’s digital competition philosophy is shifting from reactive anti-trust litigation towards proactive regulation of gatekeeper platforms. The objective is to prevent anti-competitive harm before it becomes entrenched.
- Systemically Significant Digital Enterprises: Dominant firms may be designated as Systemically Significant Digital Enterprises based on a dual test involving both financial strength and user spread. This classification is meant to identify firms whose market power justifies heightened obligations.
- Restrictions on dominant platform behaviour: Once identified, such enterprises may be restricted from self-preferencing, anti-steering and using non-public platform data to compete against their own sellers. These measures are meant to protect market contestability and reduce barriers faced by local startups.
- Deal Value Threshold: The Competition Amendment Act, 2023 subjects high-value mergers and acquisitions above ₹2,000 crore to regulatory scrutiny where there is significant India presence, even if traditional asset or turnover thresholds are not met. This expands the ability of regulators to examine digital-era acquisitions.
Cybersecurity, Telecom And Sectoral Regulation
- Cybersecurity strengthening: India is moving towards an active-defense cybersecurity posture built around stronger incident reporting, zero-trust frameworks and protection of critical digital infrastructure. This approach aims to improve resilience against systemic vulnerabilities and state-sponsored espionage.
- CERT-In reporting timeline: Updated CERT-In guidelines require severe cyber breaches affecting critical grids to be reported within six hours by both corporate and government entities. This reflects a stringent incident-reporting model.
- National Cyber Security Reference Framework: The NCRF prescribes mandatory baseline security standards to protect vital digital public goods. It is part of the effort to create a resilient cybersecurity architecture.
- Telecom modernisation: The Telecommunications Act, 2023 replaces colonial-era legal arrangements and updates the regulatory structure for telecommunications, including over-the-top communication services. At the same time, it preserves the government’s power to temporarily suspend or intercept networks during public emergencies.
- Satellite spectrum policy: Satellite spectrum is to be allocated administratively rather than through auction. This decision is presented as aligning domestic policy with global practices for shared spectrum usage.
- Digital lending regulation: The RBI’s Digital Lending Directions of May 2025 prescribe norms on recovery practices, data privacy and grievance redressal for regulated entities, Lending Service Providers and Digital Lending Apps. Authorities are also working with internet platforms and complaint systems to curb unauthorised loan applications.
- Fraud reporting channels: The Indian Cyber Crime Coordination Centre monitors unauthorised loan applications, while fraud may be reported through the National Cybercrime Reporting Portal, helpline 1930, the RBI’s SACHET portal and State Level Coordination Committees. These mechanisms add an enforcement and complaint dimension to digital finance governance.