11 Top Cybersecurity Laws Businesses Must Follow
A decade ago, cybersecurity law was primarily the concern of banks, healthcare organizations, and critical infrastructure operators. Today, it is the operational reality of virtually every business that handles digital data, processes payments, employs people, or operates online, which is to say, nearly every business that exists.
The regulatory environment surrounding cybersecurity and data protection has expanded dramatically across every major economy. India’s Digital Personal Data Protection Act 2023 and its 2025 implementing rules have fundamentally changed the domestic data protection landscape. The European Union’s NIS2 Directive has extended cybersecurity obligations to thousands of organizations not previously regulated. And enforcement actions in the United States, the UK, and India have demonstrated that regulatory authorities are willing and prepared to hold businesses accountable when compliance falls short.
For entrepreneurs, executives, and compliance professionals navigating this landscape, the challenge is not a shortage of information; it is the shortage of clear, practical guidance on which laws apply to their specific operations and what compliance actually requires in practice.
This feature covers the 11 top cybersecurity laws businesses must follow, with practical context on what each means, who it affects, and how businesses can build the compliance foundations that reduce risk, avoid penalties, and build stakeholder confidence.
1. India’s Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025
What it is: The DPDP Act 2023 is India’s first comprehensive data protection legislation, establishing a framework for the processing of personal data of Indian residents. The DPDP Rules 2025, issued under the Act, provide implementing detail on consent management, data fiduciary obligations, and breach notification procedures.
Who it applies to: Data fiduciaries, entities that determine the purpose and means of processing personal data, operating in India or processing the personal data of individuals in India. Significant Data Fiduciaries, designated by the central government based on volume and sensitivity of data, face additional obligations.
Main compliance obligations: Obtaining valid consent for data processing, maintaining transparency about data use, responding to data principal rights requests, implementing security safeguards appropriate to the data processed, and notifying the Data Protection Board and affected data principals in the event of a personal data breach.
Example: An Indian e-commerce company processing customer purchase data must implement a consent mechanism, maintain records of consent, respond to customer requests to access or erase their data, and notify the Board within prescribed timelines if a breach affecting customer data occurs.
Key risk: Non-compliance with breach notification obligations or failure to respond to data principal requests within mandated timelines. Always verify current obligations and timelines with qualified privacy counsel, as implementing rules continue to develop.
2. India’s Information Technology Act, 2000 and Related Cybersecurity Provisions
What it is: The IT Act 2000 is India’s foundational cyber law, establishing legal recognition for electronic transactions and creating criminal and civil liability for various cyber offenses. Section 43A creates liability for body corporates that fail to implement reasonable security practices and procedures for sensitive personal data.
Who it applies to: Body corporates collecting, processing, or storing sensitive personal data or information in India, as defined under the IT (Amendment) Act 2008 and associated rules.
Main compliance obligations: Implementing reasonable security practices and procedures, which the IT (Reasonable Security Practices) Rules 2011 define with reference to IS/ISO/IEC 27001 or other approved standards, and maintaining a privacy policy for data handling.
Example: A technology company that experiences a data breach and is found to have not implemented adequate security practices under the IS/ISO/IEC 27001 standard faces potential civil liability for damages to affected individuals.
3. CERT-In Directions and Mandatory Reporting Obligations
What it is: The Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology, has issued binding directions that require service providers, intermediaries, data centers, body corporates, and government organizations to report certain cybersecurity incidents within defined timelines.
Who it applies to: All service providers, intermediaries, data centers, body corporates, and government organizations operating in India.
Main compliance obligations: Reporting specified cybersecurity incidents, including data breaches, ransomware attacks, unauthorized access, and identity theft, to CERT-In within six hours of notice or detection. Maintaining logs of specified information systems for 180 days within Indian jurisdiction. Synchronizing system clocks with Indian Standard Time. Providing requested information to CERT-In within defined timelines.
Key risk: The six-hour reporting window for many incident types is significantly shorter than comparable international requirements and demands that organizations have pre-established reporting protocols and contacts ready before incidents occur.
Example: A cloud services company operating in India that detects a ransomware infection affecting its infrastructure must report the incident to CERT-In within six hours of detection, regardless of whether the incident has been fully investigated or contained.
4. RBI Cybersecurity and Digital Payment Security Expectations
What it is: The Reserve Bank of India has issued a comprehensive framework of cybersecurity guidelines applicable to regulated entities including banks, NBFCs, payment system operators, and other RBI-regulated organizations. These include the RBI Cyber Security Framework for Banks (2016 and subsequent updates) and the Master Directions on Digital Payment Security Controls.
Who it applies to: Banks, non-banking financial companies, payment aggregators, payment gateways, and other RBI-regulated entities.
Main compliance obligations: Implementing a board-approved cybersecurity policy, establishing a Security Operations Centre, conducting regular vulnerability assessments and penetration testing, implementing specific security controls for digital payment infrastructure, and reporting cyber incidents to the RBI within defined timelines.
Example: A payment gateway operating under RBI authorization must maintain a documented incident response procedure and report security incidents, including unauthorized transactions and data breaches affecting payment data, to the RBI through prescribed reporting channels.
5. SEBI Cybersecurity and Cyber Resilience Requirements
What it is: The Securities and Exchange Board of India has issued cybersecurity frameworks applicable to stock exchanges, depositories, clearing corporations, and registered intermediaries including brokers, investment advisers, and portfolio managers. SEBI’s circular on Cybersecurity and Cyber Resilience Framework for SEBI Regulated Entities outlines mandatory requirements.
Who it applies to: SEBI-regulated entities including market infrastructure institutions, registered intermediaries, and asset management companies.
Main compliance obligations: Implementing a comprehensive cybersecurity policy, conducting regular security audits, maintaining a cyber crisis management plan, reporting cybersecurity incidents to SEBI, and meeting specific technical controls for trading systems and customer data protection.
Example: A registered stockbroker experiencing a security incident affecting trading systems must report the incident to SEBI through prescribed channels and demonstrate that their cyber resilience framework includes the specific technical controls mandated by SEBI’s framework.
6. EU General Data Protection Regulation (GDPR)
What it is: The GDPR is the European Union’s comprehensive data protection regulation, which came into force in 2018. It establishes extensive requirements for the processing of personal data of EU residents and applies to organizations worldwide that process such data.
Who it applies to: Any organization, regardless of location, that processes personal data of EU residents in connection with offering goods or services to those residents or monitoring their behavior. Indian companies with EU customers or employees are subject to GDPR.
Main compliance obligations: Establishing a lawful basis for data processing, respecting data subject rights, implementing privacy by design and by default, documenting processing activities, notifying supervisory authorities within 72 hours of awareness of data breaches, appointing a Data Protection Officer where required, and meeting data transfer requirements for transfers outside the EEA.
Example: An Indian SaaS company whose platform is used by European business customers must comply with GDPR in relation to the personal data of those customers’ employees or end users processed through the platform, including breach notification to the relevant EU supervisory authority within 72 hours where required.
7. EU NIS2 Directive
What it is: The NIS2 Directive, which entered into force across EU member states in October 2024, significantly expands the scope and requirements of EU cybersecurity regulation compared to its predecessor. It establishes mandatory cybersecurity risk management measures and incident reporting requirements for essential and important entities across a wide range of sectors.
Who it applies to: Organizations in sectors classified as essential (energy, transport, banking, healthcare, digital infrastructure) and important (manufacturing, food, postal services, waste management, digital services) that meet defined size thresholds, or are classified regardless of size in specific categories. Organizations outside the EU that provide services to EU entities may also be affected.
Main compliance obligations: Implementing risk management measures covering supply chain security, access control, incident handling, business continuity, and vulnerability disclosure. Reporting significant cybersecurity incidents to national authorities within 24 hours of awareness (early warning) and within 72 hours with full assessment.
Key risk for Indian businesses: Indian companies providing IT services, digital infrastructure, or cloud services to EU-based clients may have compliance obligations under NIS2 through their service relationships. Legal assessment of applicability is advisable for companies with significant EU market exposure.
8. UK Data Protection and Cybersecurity Obligations
What it is: Following Brexit, the UK operates its own data protection framework under the UK GDPR and Data Protection Act 2018, which broadly mirrors EU GDPR requirements while being administered by the UK Information Commissioner’s Office (ICO). For businesses operating in the UK or processing UK resident data, UK GDPR creates a parallel compliance obligation to EU GDPR.
Who it applies to: Organizations processing personal data of UK residents, including non-UK organizations that offer goods or services to UK residents or monitor their behavior.
Main compliance obligations: Similar to EU GDPR, lawful basis for processing, data subject rights, 72-hour breach notification to the ICO, appointment of a DPO where required, and compliance with UK data transfer mechanisms for international data flows.
Example: An Indian analytics company that processes data about UK consumers as part of its service offering must comply with UK GDPR in relation to that data, independently of any EU GDPR obligations.
9. U.S. HIPAA Security Rule
What it is: The Health Insurance Portability and Accountability Act Security Rule establishes mandatory cybersecurity standards for covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates that handle protected health information (PHI) electronically.
Who it applies to: U.S. healthcare providers, health plans, healthcare clearinghouses, and their business associates, including IT vendors, cloud service providers, and technology companies that handle PHI on behalf of covered entities. Indian companies providing healthcare IT services to U.S. clients frequently qualify as business associates subject to HIPAA.
Main compliance obligations: Implementing administrative, physical, and technical safeguards for electronic PHI. Conducting regular risk assessments. Implementing access controls, audit controls, and transmission security. Entering into Business Associate Agreements with covered entities.
Example: An Indian healthcare technology company providing electronic health record services to U.S. hospitals is a HIPAA business associate and must implement HIPAA Security Rule compliant safeguards and enter into Business Associate Agreements with its hospital clients.
10. California Privacy Requirements (CCPA/CPRA)
What it is: The California Consumer Privacy Act (2020) and its amendment through the California Privacy Rights Act (2023) establish comprehensive privacy rights for California residents and impose obligations on businesses meeting defined revenue, data volume, or data selling thresholds.
Who it applies to: For-profit businesses that collect personal information of California residents and meet any of the following thresholds: annual gross revenues exceeding USD 25 million; annually buying, selling, or receiving for commercial purposes the personal information of 100,000 or more California residents; or deriving 50 percent or more of annual revenues from selling or sharing California residents’ personal information.
Main compliance obligations: Providing privacy notices, responding to consumer rights requests, implementing opt-out mechanisms for data sales and sharing, and implementing reasonable security measures. Businesses that have experienced a data breach affecting California residents may face civil actions from affected individuals.
Example: An Indian e-commerce company with significant U.S. revenues including California customers that meets the revenue threshold must maintain a compliant privacy policy, respond to California consumer rights requests, and implement opt-out mechanisms for any data monetization activities.
11. Cybersecurity Disclosure Requirements for Public Companies
What it is: The U.S. Securities and Exchange Commission’s Cybersecurity Disclosure Rules, which took effect for most public companies in December 2023, require registered companies to disclose material cybersecurity incidents within four business days of determining materiality, and to make annual disclosures about cybersecurity risk management, strategy, and governance.
Who it applies to: Companies registered with the U.S. SEC, including Indian companies listed on U.S. exchanges or filing with the SEC, and their U.S.-listed subsidiaries.
Main compliance obligations: Determining and disclosing material cybersecurity incidents on Form 8-K within four business days. Making annual disclosures in Form 10-K about cybersecurity risk management processes, governance, and board-level oversight of cybersecurity risk.
Key implication for Indian businesses: Indian companies cross-listed in the U.S. or with U.S.-listed ADRs must comply with SEC cybersecurity disclosure requirements, creating a specific governance and reporting obligation that sits alongside Indian regulatory requirements.
Conclusion
The 11 top cybersecurity laws businesses must follow covered in this guide collectively represent the compliance landscape that Indian businesses, from startups to large enterprises with international operations, are navigating right now. The scope is broad, the obligations are real, and the enforcement environment is active.
But compliance is not merely a cost or a constraint. Organizations that build genuine compliance capability (documented programs, trained teams, tested response procedures, and board-level governance) consistently outperform their less compliant peers across every dimension that matters: fewer incidents, faster response, cleaner regulatory relationships, and stronger stakeholder confidence.
Build your compliance program strategically. Consult qualified legal and privacy counsel for jurisdiction-specific obligations. And treat cybersecurity compliance as the organizational capability it has become.
