Published On: December 5th 2025
Authored By: Akzamol K Ani
Kristu Jayanti College of Law
Abstract
The digital transformation in India has brought significant benefits across commerce, governance, and social interaction. However, it has also led to a surge in cybercrimes, posing unique legal and enforcement challenges. This article analyses the statutory and institutional framework governing cybercrime in India, examines key judicial pronouncements, and highlights the practical difficulties in enforcing cyber laws. It also discusses global best practices and suggests reforms to strengthen enforcement while safeguarding fundamental rights
1. Introduction
With rapid digitisation, India has witnessed exponential growth in internet users, online banking, e-commerce, and social media engagement. While digital technologies facilitate convenience and economic growth, they have also created new vulnerabilities, enabling cyber-enabled offences such as hacking, online fraud, identity theft, cyberstalking, and attacks on critical infrastructure. Official statistics reflect a consistent increase in reported cyber incidents. According to the National Crime Records Bureau, in 2022, over 64,000 cybercrime cases were registered in India, representing a substantial rise over the previous decade.¹
The growth of cybercrime necessitates a robust legal and institutional framework. India has responded through statutory measures like the Information Technology Act, 2000 (IT Act), its amendments in 2008, and the Digital Personal Data Protection Act, 2023 (DPDP Act), alongside IPC provisions and sectoral regulations. Despite these efforts, enforcement faces significant challenges arising from jurisdictional, technical, and procedural constraints
2. Types of Cybercrime in India
Cybercrimes in India encompass a wide range of offences, which can be broadly categorised as follows:
2.1 Computer-enabled financial crimes
These include online banking fraud, payment card fraud, phishing, and SIM-swap fraud. Criminals exploit digital payment systems and banking infrastructure to misappropriate funds.
2.2 Network intrusions and hacking
Unauthorised access to systems, ransomware attacks, and distributed denial-of-service (DDoS) attacks threaten individual and institutional digital security.
2.3 Identity-related offences
Identity theft, social media impersonation, and misuse of personal data are increasingly prevalent, often facilitating other crimes such as fraud or harassment
2.4 Content-related offences
Cyberstalking, online harassment, hate speech, and dissemination of unlawful content fall under this category. Prior to 2015, Section 66A of the IT Act criminalised sending “offensive messages,” but this provision was struck down for vagueness.²
2.5 Child sexual exploitation
Grooming, distribution of child sexual abuse material (CSAM), and non-consensual intimate imagery represent significant threats requiring specialised enforcement mechanisms.
2.6 Cyber terrorism and attacks on critical infrastructure
Cyberattacks on power grids, financial systems, or government databases pose serious national security risks
3. Legal Framework Governing Cybercrime
3.1 Information Technology Act, 2000 and Amendment 2008
The IT Act, 2000, is the cornerstone of India’s cyber law framework.³ The Act criminalises unauthorised access (Section 66), data tampering (Section 66C), identity theft (Section 66C), and cyber fraud. The 2008 amendment strengthened the law by introducing provisions for intermediaries (Sections 79 and 80), defining electronic contracts and signatures, and
establishing the Indian Computer Emergency Response Team (CERT-In) as the national noda agency for cybersecurity.
3.2 Indian Penal Code (IPC) provisions
Traditional IPC provisions remain relevant for cyber-enabled crimes, including:
- Cheating (Section 420)
- Criminal intimidation (Section 503)
- Defamation (Sections 499-500)
- Sexual offences (Sections 375-376)
Courts often apply these provisions alongside IT Act offences when the crime is facilitated by digital means
3.3 Digital Personal Data Protection Act, 2023
The DPDP Act introduces statutory obligations for data fiduciaries, rights for data principals, and rules for breach notification and cross-border data transfers.⁴ The Act strengthens personal data protection, complements cybersecurity enforcement, and provides penalties for non-compliance.
3.4 Sectoral rules and CERT-In guidelines
Sectoral regulators such as RBI, SEBI, and TRAI issue guidelines for mandatory reporting, cybersecurity audits, and incident management. CERT-In issues operational directions for mandatory incident reporting and coordinated response, though these timelines often pose challenges for organisations.⁵
4. Institutional Mechanisms for Enforcement
4.1 Cybercrime Cells and Specialised Units
State police forces and central agencies maintain cybercrime cells to investigate offences under IT Act and IPC provisions. These units combine digital forensics, evidence preservation, and coordination with banks, ISPs, and social media platforms.
4.2 CERT-In
CERT-In serves as the nodal agency for incident response, threat advisories, and vulnerability assessment. It coordinates among government, private sector, and law enforcement agencies for national cybersecurity.⁶
4.3 International Cooperation
Transnational cybercrimes necessitate Mutual Legal Assistance Treaties (MLATs), Interpol liaison, and bilateral arrangements. Domestic coordination across agencies, including regulators, is also critical but often procedurally complex.
5. Landmark Judicial Pronouncements
5.1 Shreya Singhal v Union of India (2015)
In this landmark case, the Supreme Court struck down Section 66A of the IT Act, holding it unconstitutional for violating Article 19(1)(a) of the Constitution. The Court emphasised precision in restricting speech and underscored the need for balance between free expression and cyber regulation.⁷
5.2 Other cases
Courts have addressed intermediary liability, data protection obligations, and cyber harassment cases, shaping judicial interpretation of the IT Act and related regulations.⁸
6. Challenges in Enforcement
6.1 Jurisdictional and cross-border issues
Cybercrime often transcends territorial boundaries, complicating investigation, evidence collection, and prosecution. International cooperation under MLATs is slow and often procedural.
6.2 Technical capacity and human resources
State police and district authorities frequently lack adequate forensic tools and trained personnel to investigate sophisticated cybercrimes.
6.3 Digital evidence issues
Digital evidence is fragile and requires prompt preservation. Gaps in chain-of-custody procedures and technical documentation often undermine admissibility in courts.
6.4 Intermediary cooperation
Global service providers may be slow to respond to law enforcement requests due to privacy laws and differing legal regimes, delaying investigations.
6.5 Rapid technological change
Emerging technologies such as AI, blockchain, and encrypted messaging create enforcement gaps, while laws often lag behind technological developments.
6.6 Privacy vs surveillance tension
Incident reporting and data preservation obligations must be balanced against individual privacy rights. Courts have repeatedly emphasised the need for proportionality and oversight.⁹
6.7 Under-reporting
Many victims, particularly individuals and small businesses, do not report cyber incidents, undermining enforcement and awareness efforts.
7. Comparative Perspective
- Countries like the USA, EU member states, and Singapore have established:
- Specialised cybercrime units and courts
- Rapid cross-border data preservation and MLAT procedures
- Mandatory breach notifications
- Public-private partnerships for threat intelligence sharing
- India can adopt similar approaches, adapted to domestic legal and technological contexts.
8. Recommendations
- Technical capacity building: Establish forensic hubs, train investigators, and provide specialised tools.
- Streamlined evidence preservation: Implement statutory fast-preservation orders with judicial oversight.
- Enhanced international cooperation: Modernise MLATs and create bilateral technical assistance frameworks.
- Clarify intermediary obligations: Standardise disclosure processes with privacy safeguards.
- Data breach reporting alignment: Harmonise CERT-In timelines with DPDP Act requirements.
- Specialised cyber courts and prosecutors: Ensure domain expertise and expedite trials.
- Privacy safeguards and oversight: Judicial authorisation and transparency in data access measures.
- Public awareness campaigns: Promote victim reporting and digital literacy.
9. Conclusion
India’s cybercrime framework, anchored in the IT Act, DPDP Act, IPC provisions, and sectoral regulations, provides a legal foundation to tackle cyber offences. However, enforcement is constrained by jurisdictional issues, capacity deficits, digital evidence challenges, and privacy-surveillance tensions. Effective enforcement requires legislative clarity, institutional strengthening, procedural agility, and international collaboration while safeguarding fundamental rights.
References
A.Cases
- Shreya Singhal v Union of India [2015] 5 SCC 1
B. Legislation
- Information Technology Act 2000 (India)
- Information Technology (Amendment) Act 2008 (India)
- Digital Personal Data Protection Act 2023 (India)
- Indian Penal Code 1860 (India)
C. Secondary Sources
- National Crime Records Bureau, Crime in India 2022 (Ministry of Home Affairs, Government of India, 2023)
- Indian Computer Emergency Response Team (CERT-In), Annual Report 2022-23
- PRS Legislative Research, Digital Personal Data Protection Act, 2023 – Brief
¹ NCRB, Crime in India 2022 (Ministry of Home Affairs, Government of India, 2023) Table 9.
² Shreya Singhal v Union of India [2015] 5 SCC 1.
³ Information Technology Act 2000 (India), ss 43, 66, 66C.
⁴ Digital Personal Data Protection Act 2023 (India), ss 11-15.
⁵ CERT-In, Guidelines for Cyber Incident Reporting (2022).
⁶ CERT-In, ibid.
⁷ Shreya Singhal v Union of India [2015] 5 SCC 1.
⁸ See, e.g., Avnish Bajaj v State, Delhi High Court, 2009 (intermediary liability case).
⁹ Justice K.S. Puttaswamy v Union of India [2017] 10 SCC 1 (privacy case).
