Cybersecurity in India has reached a critical inflection point in 2026, with the country recording over 1.5 million cybersecurity incidents in the first half of the year alone, making it the third most-targeted nation globally. India’s rapid digital expansion — spanning 950 million internet users, aggressive UPI adoption, and 5G rollout across 700+ cities — has dramatically widened the national attack surface. India’s cybersecurity challenges now touch every sector, from banking and telecom infrastructure to healthcare and government databases, demanding an urgent, coordinated response from regulators, enterprises, and citizens alike.
Key Facts: cybersecurity India
- India ranked 3rd globally for cyberattacks in 2026, with 1.5 million+ incidents reported in H1 2026 alone (CERT-In Annual Report projection).
- CERT-In — India’s national Computer Emergency Response Team — mandates all entities report cyber incidents within 6 hours of detection under the 2026 IT (Amendment) Directions, still operative in 2026.
- India’s cybersecurity market is projected to reach $3.5 billion in 2026, growing at a CAGR of 18.3% since 2026 (NASSCOM-DSCI estimates).
- The Digital Personal Data Protection (DPDP) Act 2026 — India’s landmark privacy law — began phased enforcement in 2026–26, covering all entities processing data of Indian citizens.
- India’s National Cyber Security Policy 2.0, expected to be finalised in 2026, aims to train 500,000 cybersecurity professionals by 2028.
India’s Cyber Threat Landscape in 2026
India’s cybersecurity threat environment in 2026 is defined by three dominant attack vectors: sophisticated phishing campaigns targeting UPI and digital banking users, state-sponsored Advanced Persistent Threats (APTs) aimed at critical infrastructure, and supply-chain compromises affecting India’s expanding cloud ecosystem. CERT-In — the nodal agency under the Ministry of Electronics and Information Technology (MeitY) — logged a 32% year-on-year increase in reported incidents by mid-2026. Financial services, healthcare, and power sector entities together account for nearly 60% of all high-severity incidents.
India’s 5G expansion has introduced new threat surfaces at the Radio Access Network (RAN) and core network levels, with telecom operators reporting a 47% spike in network-layer intrusion attempts compared to 2026. Threat actors increasingly exploit misconfigured cloud storage buckets — over 18,000 exposed Indian cloud assets were identified in public scans in the first quarter of 2026. Mobile malware targeting Android devices, which constitute 95% of India’s smartphone market, grew by 38% year-on-year, with fraudulent loan apps and fake KYC portals among the most common delivery mechanisms.
CERT-In’s 6-Hour Reporting Rule Explained
CERT-In — India’s Computer Emergency Response Team, operating under MeitY — requires all service providers, intermediaries, data centres, government entities, and corporates to mandatorily report cybersecurity incidents within 6 hours of detection or being made aware, under the IT (Amendment) Directions issued in April 2026 and fully enforced through 2026. This rule is among the strictest incident-reporting timelines globally, significantly shorter than the 72-hour window mandated by Europe’s GDPR. Non-compliance can result in imprisonment of up to one year or monetary penalties under Section 70B of the IT Act 2000.
| Jurisdiction | Reporting Authority | Mandatory Timeline | Penalty for Non-Compliance |
|---|---|---|---|
| India | CERT-In (MeitY) | 6 Hours | Up to 1 year imprisonment / fine |
| European Union | National CERTs / ENISA | 72 Hours (GDPR) | Up to 4% of global annual turnover |
| United States | CISA | 72 Hours (CIRCIA 2026) | Civil penalties, subpoena authority |
| Singapore | CSA | 3 Hours (critical infra) | SGD 100,000 fine |
| Australia | ASD / ACSC | 72 Hours | AUD 11,000 per day |
The 6-hour rule also requires organisations to maintain logs of all ICT systems, including network devices and servers, synchronised to Indian Standard Time (IST) for a rolling 180-day period. Entities must retain VPN and cloud logs even if provided by third-party vendors — a provision that initially drew industry pushback but was upheld in 2026. CERT-In processed over 2.3 million incident reports in 2026, and its 2026 capacity expansion includes a dedicated 24×7 Threat Intelligence Platform (TIP) with real-time feeds shared with 14 sector-specific CERTs across banking, energy, and telecom.
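The following Python example is added here and is not part of the original article or any CERT-In tooling. It applies the two figures from this section, the 6-hour reporting window and the 180-day log retention period, to a constructed incident and log inventory; the function names, source names and dates are assumptions, and it treats "synchronised to IST" as timestamps recorded at UTC+05:30.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30), "IST")
REPORT_WINDOW = timedelta(hours=6)   # reporting window stated in this section
RETENTION = timedelta(days=180)      # rolling retention period stated in this section

def reporting_deadline(detected_at):
    """Latest reporting time, expressed in IST, for an offset-aware detection time."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time must carry a UTC offset")
    return (detected_at + REPORT_WINDOW).astimezone(IST)

def time_left(detected_at, now):
    """Time remaining before the deadline; a negative value means overdue."""
    return reporting_deadline(detected_at) - now

def audit_log_sources(inventory, now):
    """Map each log source to its findings; an empty list means no gap was found."""
    findings = {}
    for src in inventory:
        issues = []
        oldest = datetime.fromisoformat(src["oldest_record"])
        if oldest.tzinfo is None:
            issues.append("timestamps carry no UTC offset")
            oldest = oldest.replace(tzinfo=IST)  # assumption: naive times are IST
        elif oldest.utcoffset() != IST.utcoffset(None):
            issues.append(f"timestamps use offset {oldest.strftime('%z')}, not +0530")
        covered = now - oldest
        if covered < RETENTION:
            issues.append(f"only {covered.days} of {RETENTION.days} days retained")
        findings[src["name"]] = issues
    return findings

# Constructed sample data: source names, dates and the incident are illustrative.
NOW = datetime(2025, 7, 1, 12, 0, tzinfo=IST)
DETECTED = datetime.fromisoformat("2025-07-01T03:45:00+00:00")
INVENTORY = [
    {"name": "core-firewall", "oldest_record": "2024-12-15T00:00:00+05:30"},
    {"name": "vendor-vpn", "oldest_record": "2025-04-02T00:00:00+00:00"},
    {"name": "cloud-audit", "oldest_record": "2025-01-10T08:00:00"},
]

if __name__ == "__main__":
    print("Report by:", reporting_deadline(DETECTED).isoformat())
    print("Time left:", time_left(DETECTED, NOW))
    for name, issues in audit_log_sources(INVENTORY, NOW).items():
        print(f"{name}: {'; '.join(issues) or 'ok'}")
```

A source deployed less than 180 days ago will also be reported as short, so pair the result with the system's commissioning date before treating it as a retention gap.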
Key Laws: DPDP Act, IT Act and Telecom Security Rules
India’s cybersecurity legal framework rests on three pillars in 2026: the Information Technology Act 2000 (amended 2008), the Digital Personal Data Protection Act 2026 (DPDP Act), and the Telecommunications Act 2026. The DPDP Act — India’s first comprehensive data protection statute — classifies organisations into Data Fiduciaries and Significant Data Fiduciaries (SDFs), imposing penalties of up to ₹250 crore per violation for data breaches affecting Indian citizens’ personal data. Cybersecurity compliance in India now requires organisations to align with all three frameworks simultaneously, creating a complex but necessary multi-layered obligation.
The IT Act 2000 remains the foundational cybercrime legislation, covering offences from unauthorised access (Section 43) and data theft (Section 66) to cyberterrorism (Section 66F), which carries a life imprisonment provision. The Telecommunications Act 2026 — which replaced the colonial-era Indian Telegraph Act 1885 — explicitly mandates telecom licensees to implement network security standards prescribed by the Department of Telecommunications (DOT), including mandatory equipment testing at designated Telecom Security Testing Labs. DOT’s Telecom Cybersecurity Rules 2026, operational through 2026, require all telecom entities to appoint a Chief Telecommunication Security Officer (CTSO) within their organisation.
“India’s cybersecurity regulatory architecture in 2026 is arguably the most comprehensive in Asia, combining one of the world’s fastest incident-reporting mandates, a robust data protection law, and sector-specific telecom security rules — yet enforcement consistency across 1.4 billion users and millions of enterprises remains the defining challenge of this decade.” — The Mobile Times Analysis
Ransomware Trends and Telecom Network Security
Ransomware — a form of malware that encrypts victim data and demands payment for decryption — has emerged as the single most disruptive cyber threat in India’s enterprise landscape in 2026. Indian organisations faced an average ransomware ransom demand of $1.35 million in 2026, up from $860,000 in 2026, according to cybersecurity firm projections aligned with global threat intelligence. Healthcare institutions and manufacturing firms are the most targeted sectors, collectively experiencing 43% of all ransomware incidents reported to CERT-In. Notably, 68% of Indian ransomware victims in 2026 experienced data exfiltration before encryption — a double-extortion tactic.
By The Numbers: cybersecurity India
- Cyber Incidents (H1 2026): 1.5 million+ reported to CERT-In
- DPDP Act Penalty Ceiling: ₹250 crore per data breach violation (2026)
- India Cybersecurity Market Size: $3.5 billion projected for 2026
- Average Ransomware Demand (India 2026): $1.35 million per incident
- Telecom Network Intrusion Attempts: 47% spike YoY in 2026 vs 2026
- Log Retention Mandate (CERT-In): 180 days, synchronised to IST
- Cybersecurity Professional Target: 500,000 trained by 2028 (National Policy 2.0)
Telecom network security in 2026 is governed by a converging set of mandates from DOT, TRAI, and CERT-In. TRAI — the Telecom Regulatory Authority of India — issued recommendations in late 2026 for mandatory AI-driven anomaly detection across all core network elements for operators with more than 50 million subscribers, directly targeting Jio, Airtel, and Vi. SS7 protocol vulnerabilities, which allow call interception and location tracking on 4G networks, remain a persistent risk; DOT issued remediation advisories to all licensed operators in Q1 2026 with a 90-day compliance deadline.
Government Initiatives and Cybersecurity Best Practices for 2026
India’s cybersecurity strategy in 2026 is anchored by the National Cyber Security Coordinator (NCSC) office under the Prime Minister’s Office, coordinating across MeitY, DOT, DRDO, and the National Security Council. The government’s flagship Cyber Surakshit Bharat initiative has onboarded over 50,000 government officials in foundational security awareness training since its relaunch in 2026. The Indian Cyber Crime Coordination Centre (I4C) — operational under the Ministry of Home Affairs — processed 1.1 million cybercrime complaints through the National Cyber Crime Reporting Portal (cybercrime.gov.in) in 2026, with 2026 volumes on track to exceed 1.4 million.
For enterprises navigating India’s cybersecurity requirements in 2026, best practices align with a four-layer defence model. First, implement Zero Trust Architecture (ZTA) — the principle that no user or device is trusted by default, even within corporate networks — which CERT-In now formally recommends in its 2026 advisory guidelines. Second, conduct mandatory quarterly penetration testing and red team exercises for critical information infrastructure (CII) operators. Third, enforce multi-factor authentication (MFA) across all privileged access accounts — a control that blocks over 99.9% of automated credential-stuffing attacks. Fourth, ensure incident response playbooks are CERT-In-aligned, with a dedicated response team capable of executing the 6-hour reporting obligation, including drafting the mandatory incident report and submitting it through CERT-In’s online portal within the compliance window.
Frequently Asked Questions: cybersecurity India
- What is CERT-In’s 6-hour reporting rule in India? CERT-In — India’s national cyber response team under MeitY — requires all companies, government bodies, and service providers to report cybersecurity incidents within 6 hours of detection. This applies to data breaches, ransomware, DDoS attacks, and unauthorised access. Non-compliance risks up to one year’s imprisonment under the IT Act 2000.
- How does India’s DPDP Act 2026 affect cybersecurity compliance? The Digital Personal Data Protection Act 2026 imposes penalties of up to ₹250 crore per violation on organisations that fail to safeguard Indians’ personal data. It mandates breach notification to the Data Protection Board of India and requires Significant Data Fiduciaries to conduct annual data protection impact assessments from 2026–26 onwards.
- How does India’s cybersecurity framework compare to the EU’s GDPR? India’s CERT-In mandates incident reporting within 6 hours versus GDPR’s 72-hour window, making India stricter on response timelines. However, GDPR’s penalty ceiling reaches 4% of global annual turnover, while the DPDP Act caps penalties at ₹250 crore — giving the EU framework stronger financial deterrence for large multinationals.
- What are the biggest cybersecurity threats facing India in 2026? The top threats in India in 2026 are ransomware double-extortion attacks, UPI and digital banking phishing, state-sponsored APTs targeting critical infrastructure, mobile malware on Android devices, and supply-chain compromises in cloud environments. Financial services, healthcare, and telecom sectors face the highest incident volumes according to CERT-In data.
- Which government body oversees telecom cybersecurity in India? Telecom cybersecurity oversight in India is shared between the Department of Telecommunications (DOT), which enforces the Telecom Cybersecurity Rules 2026, and TRAI, which issues security recommendations for licensed operators. CERT-In handles incident response across all sectors including telecom, while the National Cyber Security Coordinator under the PMO provides strategic oversight.
Sources: CERT-In | TRAI | DOT | MeitY | GSMA | DSCI




