How India's Cybersecurity Architecture Works
India's cybersecurity administration is a multi-layered institutional structure with three primary national agencies — the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC), and the National Cyber Coordination Centre (NCCC) — supplemented by sector-specific teams, the Defence Cyber Agency (DCyA) for military cyber operations, and the Indian Cyber Crime Coordination Centre (I4C) for cybercrime investigation.
CERT-In, established under Section 70B of the IT Act, 2000, is the nodal agency for national cyber incident response; it handled 1.97 million cyber incidents in 2024 (up 33% from 2023) and 29.44 lakh (2.944 million) in 2025. NCIIPC, under the National Technical Research Organisation, protects India's Critical Information Infrastructure (CII) — power grids, banking systems, telecom networks, transport infrastructure, water supply, and oil and gas networks. The NCCC scans India's cyberspace continuously for threats and facilitates coordination among agencies.
The RBI reported data breach costs of $2.18 million in 2023, a 28% increase in
three years. Most cyberattacks on India are attributed to Chinese or Pakistani
actors (Jackson School, 2025); 83% of Indian organisations face cyber threats
annually; only 24% of Indian organisations are prepared to face cyberattacks
(Cisco, 2023). The government allocated ₹782 crore for cybersecurity in the
2025-26 Union Budget — significant but small relative to the scale of the
threat.
What You Need to Know
- CERT-In 2024: handled 1.97 million cyber incidents (33% increase from 2023); in 2025: 29.44 lakh incidents; 1,530 alerts, 390 vulnerability notes, 65 advisories issued; 231 cybersecurity audit organisations empanelled; 98% digital population covered by Cyber Swachhta Kendra malware detection; nearly 10,000 audits conducted in FY2024-25 across critical sectors.
- CERT-In 2022 directions: mandatory 6-hour cyber incident reporting to CERT-In; 180-day log retention; applicable to all service providers, intermediaries, data centres, government entities; a controversial provision requiring VPN providers to maintain subscriber logs for 5 years led several major VPN providers to remove their Indian servers.
- NCIIPC: designates and protects Critical Information Infrastructure; issues vulnerability reports; conducts security exercises for CII entities; coordinates with NTRO; maintains the National Cybersecurity Reference Framework for critical sectors.
- Defence Cyber Agency: established 2019, operational 2021; tri-service military cyber agency; implements the Joint Doctrine for Cyberspace Operations (2024, Chief of Defence Staff); manages military cyber defence, offence, and intelligence.
- India's international cyber standing: achieved Tier 1 status in the ITU Global Cybersecurity Index (2024) — assessed on legal, technical, capacity development, and cooperation measures; WEF Global Cybersecurity Outlook 2025 recognised CERT-In for AI-driven situational awareness systems.
How It Works in Practice
1. Incident reporting and response lifecycle: CERT-In
operates a 24/7 helpdesk for cyber incident reporting; organisations must
report incidents within 6 hours of detection; CERT-In analyses the incident,
provides mitigation guidance, and coordinates with affected organisations. The
6-hour reporting requirement — initially very controversial (the technology
industry argued it was too fast) — has produced a significant increase in
reported incidents; the 33% year-on-year increase reflects both increasing
attacks and improving reporting compliance.
2. Critical infrastructure protection: NCIIPC works
with CII operators — power companies, banks, telecom providers, and government
agencies — to harden their infrastructure, share threat intelligence, and
respond to attacks. The 2024 BSNL data breach (cyber attack on the state-owned
telecom company's network, confirmed by the Union government in May 2024)
illustrated that even government-owned infrastructure is vulnerable. The
Department of Telecommunications' Telecom Cyber Security Rules (November 2024)
mandate telecom providers to report cyber breaches within 6 hours and share
traffic data for cybersecurity purposes.
3. The I4C and cybercrime coordination: The Indian
Cyber Crime Coordination Centre (I4C) coordinates law enforcement's response to
cybercrime across states; it operates the National Cybercrime Reporting Portal
(cybercrime.gov.in); during 2024–25, I4C's Samanvay Platform helped block 7
lakh SIMs used in frauds; I4C blocked 1,11,185 items of "suspicious"
content during 2024–25 — approximately 290 daily.
4. Sector-specific CERTs: CSIRT-Fin (for the
financial sector, under CERT-In) and CSIRT-Power (for the power sector)
coordinate cybersecurity within their domains, sharing sector-specific threat
intelligence. The RBI's cybersecurity framework for banks — including the
FREE-AI Committee guidelines on AI risk management in finance — supplements
CERT-In's general guidance with sector-specific requirements.
5. The cybersecurity skill gap: India faces an 8 lakh
(800,000) cybersecurity professional shortage (Drishti IAS data); 57% of
organisations lack cyber hygiene practices; 73% are unaware whether they have
been attacked. The government aims to train 500,000 cybersecurity professionals
in five years through its cybersecurity skilling programme; CERT-In trained
12,014 officials in 23 training programmes in 2024.
What People Often Misunderstand
- India's ITU Tier 1 status does not mean strong cyber defence: The ITU Global Cybersecurity Index assesses the existence of legal, technical, and institutional frameworks; India's Tier 1 status reflects framework existence, not operational effectiveness; the 24% organisational preparedness rate and the 57% of organisations lacking cyber hygiene practices illustrate the gap between framework and capability.
- 6-hour reporting is technically challenging: Many organisations do not know they have been attacked within 6 hours; the reporting requirement produces compliance effort rather than necessarily better security outcomes; the 6-hour rule reflects a reasonable aspiration but is technically difficult for small and medium organisations.
- India's offensive cyber capabilities are documented: Jackson School analysis identified four Indian Advanced Persistent Threat (APT) groups (Dropping Elephant, Viceroy Tiger, Dark Basin, and a fourth); India's DCyA is explicitly tasked with offensive cyber capabilities; India is both a cyber victim and a cyber actor.
- Sector-specific cybersecurity regulation is fragmented: RBI, SEBI, TRAI, IRDAI, and MoP each have their own cybersecurity requirements for their regulated sectors; this creates compliance complexity for conglomerates regulated by multiple authorities and potential inconsistencies in security standards.
- The Budapest Convention non-membership is a diplomatic oddity: India has not joined the Budapest Convention on Cybercrime — the primary international cybercrime cooperation treaty — citing concerns about not participating in its drafting; this limits India's formal cybercrime cooperation with EU member states while India participates in bilateral cybercrime cooperation.
What Changes Over Time
The National Cybersecurity Policy 2025 — still under development by the National Security Council Secretariat as of mid-2026 — will replace the outdated 2013 policy; its provisions on AI threats, critical infrastructure protection, and international cooperation will set India's cyber governance direction for the next decade.
CERT-In's 2025 comprehensive audit
guidelines — standardising annual third-party cybersecurity audits for critical
sectors — represent the most significant near-term compliance development for
India's critical infrastructure operators.
Sources and Further Reading
- PIB — CERT-In achievements 2025: https://www.pib.gov.in/PressReleasePage.aspx?PRID=2217537&reg=3&lang=1
- Carnegie Endowment — India Cybersecurity Administration 2025: https://carnegieendowment.org/research/2025/09/mapping-indias-cybersecurity-administration-in-2025?lang=en
- Jackson School — India Cybersecurity Profile 2025: https://jsis.washington.edu/news/cybersecurity-profile-2025-india/
- 6clicks — India Critical Infrastructure CERT-In audit rules: https://www.6clicks.com/resources/blog/india-critical-infrastructure-cybersecurity-cert-in-audit-rules
- Chambers — India Cybersecurity 2025: https://practiceguides.chambers.com/practice-guides/cybersecurity-2025/india
