
The Cyber Security Regulations, 2023 represent India’s updated and strengthened approach to safeguarding digital infrastructure in an era of rapidly increasing cyber threats. These regulations, issued primarily through the CERT-In Directions, 2022–23 under the Information Technology Act and supported by sector-specific frameworks in finance, telecom, power, and e-governance, aim to create a uniform and robust cybersecurity posture across the country. The regulations recognize that modern cyberattacks—ransomware, phishing, identity theft, data exfiltration, espionage—are sophisticated and widespread, requiring not just reactive measures but proactive legal norms.
A core feature of the 2023 regulations is the mandatory reporting of cyber incidents within strict timelines, typically within 6 hours of detection. This requirement applies to service providers, intermediaries, data centres, cloud platforms, virtual asset businesses, and entities handling sensitive or critical information. The purpose of such rapid reporting is to enable CERT-In (Indian Computer Emergency Response Team) to quickly analyse incidents, coordinate national-level responses, and prevent the spread of attacks across interconnected systems. Such immediacy is crucial when dealing with ransomware or coordinated attacks on critical infrastructure such as banking networks, power grids, or communication systems.
The regulations further require all organizations to maintain system logs for a minimum of 180 days and to store these logs within India. These logs include information about network activities, user authentication, system events, and application usage. Maintaining such logs ensures traceability, supports forensic investigations, and enables law enforcement agencies to reconstruct the sequence of events in a cyberattack. Storing logs within India also strengthens data sovereignty and prevents investigative delays caused by cross-border data access restrictions.
Another significant dimension of the Cyber Security Regulations, 2023 is the emphasis on cyber hygiene, secure configurations, and organizational accountability. Entities must implement essential security controls such as multi-factor authentication, encryption of sensitive data, periodic patching of software systems, and regular vulnerability assessments or penetration testing. Critical sectors—such as banking, insurance, digital payments, health services, energy, transport, and telecom—are required to appoint Chief Information Security Officers (CISOs) who act as the principal executives responsible for cybersecurity readiness. These officers must ensure that security policies, risk assessments, and incident response plans are continuously updated and effectively implemented.
The regulations also encourage the adoption of zero-trust architecture, in which user privileges are restricted to the minimum necessary and every request is verified irrespective of its origin. Organizations are expected to maintain detailed incident response plans, conduct cyber drills, and ensure business continuity even when facing large-scale disruptions. This proactive approach reflects a recognition that cyberattacks are no longer hypothetical risks but real, frequent, and potentially crippling events.
Importantly, the Cyber Security Regulations, 2023 integrate India’s cybersecurity strategy with global norms by promoting cross-border cooperation, threat intelligence sharing, and alignment with international standards such as ISO/IEC 27001. Entities dealing with sensitive personal data or financial transactions must follow strict authentication measures and maintain audit trails in accordance with global best practices. These regulatory measures also support enforcement of the Digital Personal Data Protection Act, 2023 by ensuring that cybersecurity mechanisms complement data protection obligations.
Overall, the Cyber Security Regulations, 2023 mark a major step toward creating a safe, resilient, and accountable digital ecosystem in India. By mandating rapid reporting, securing system logs, strengthening organizational responsibility, and emphasizing continuous monitoring, the regulations aim to prevent cyber incidents, minimize their impact, and enhance national cyber preparedness. They protect not just critical infrastructure and businesses but also the rights, data, and digital trust of citizens in an increasingly interconnected world.
