India’s cybersecurity mandate: Compliance, resilience, and AI advantage

India’s digital economy is scaling faster than ever, driven by fintech, e-commerce, AI startups, and government digitalisation. Along with this growth comes a vital need for cyber resilience and data protection.

Policy moves and audit directives, such as the Digital Personal Data Protection (DPDP) Act and the Comprehensive Cyber Security Audit Policy from the Indian Computer Emergency Response Team (CERT-In), mark a turning point. These represent India’s declaration of digital sovereignty. The message is clear: data protection and cyber resilience have become national imperatives.

India’s cybersecurity landscape

The DPDP Act establishes India’s first comprehensive data protection initiative by mandating explicit consent for data collection, implementing purpose limitation and minimal data retention, and requiring 72-hour breach reporting, among others. It also requires reasonable security safeguards across all data-handling entities, and mandates penalties for non-compliance, which can reach up to ₹250 crore per violation.

These rules are still being refined. The DPDP Act compels enterprises to shift from reactive compliance to proactive data governance.

In 2025, CERT-In released its Comprehensive Cyber Security Audit Policy Guidelines, which require mandatory cybersecurity audits for all entities handling digital infrastructures. The guidelines also shift from compliance-based to evidence-based audits, aligning domestic frameworks with ISO, OWASP and other international frameworks. They also lay out a structured framework to conduct rigorous, fair, and transparent cybersecurity audits and continuous monitoring.

These guidelines align India with global norms. They also mirror the moves in the European Union (the GDPR and NIS2) and Singapore’s Personal Data Protection Act (Amended 2020), but with a stronger focus on operational resilience over documentation.

Why compliance alone isn’t enough

Even with stronger regulations, many organisations are still not fully prepared. A Deloitte APAC survey found that 92% of Indian executives view cybersecurity vulnerabilities as a major barrier to scaling AI adoption. A PwC India study showed “only 42% of organisations say they understand/appreciate that compliance with the act is an opportunity to build and enhance consumer trust”, and fewer than 9% claim to fully understand their obligations. Nearly one million ransomware detections were reported in India in the past year.

Aligning compliance with resilience

Enterprises put compliance into action by establishing clear data ownership and accountability. They achieve this by working with data protection officers and defining their risk appetite. Their protection strategy emphasises defence and detection. This includes deploying AI-powered anomaly detection, endpoint detection and response tools, and automated patching to help organisations proactively identify and mitigate threats.

The AI advantage in cybersecurity

AI has become crucial for organisations that want to be both compliant and resilient. AI security tools can detect abnormal data access patterns in real time. This helps organisations automate compliance reports and be audit ready. AI can also identify configuration drift and policy violations across cloud environments, and simulate attacks to strengthen proactive defences.

AI can analyse millions of signals across endpoints, networks, and cloud layers far faster than employees can. Yet, this power comes with its own risks. CERT-In has recently issued advisories highlighting AI-specific vulnerabilities, including prompt injection, model poisoning, and data leakage from large language models. This is a reminder that organisations should deploy AI with governance.

Organisations should not see compliance as a ceiling but as a strong foundation for long-term resilience. India’s cybersecurity landscape is evolving, and it reflects a digital economy that values both innovation and accountability. Regulations like the DPDP Act and CERT-In audits are pushing organisations to move beyond mere compliance.

The New Indian Express
www.newindianexpress.com