The Indian Code.
Architecting the Global South's most robust statutory barrier between Algorithmic Innovation and Civil Liberty.
Statutory Domains.
India's AI strategy is partitioned into five critical domains, each governed by specific ex-ante mandates and post-market oversight bodies.
Data Privacy & Sovereignty
Encompasses the control of personal data by the Data Principal, localized storage mandates, and the prevention of digital colonialism through strict compute borders.
Algorithmic Transparency
Mandates for the explicit disclosure of synthetic content, watermarking of deepfakes, and ensuring users are aware of neural interaction points.
Liability & Accountability
Defines the legal attribution of harm generated by autonomous agents and establishes the vicarious liability of Significant Data Fiduciaries.
Systemic Safety & Robustness
Ex-ante vetting for critical-risk neural systems, mandatory red-teaming for frontier models, and infrastructure-level security protocols.
Bias & Demographic Fairness
Requires the auditing of training sets to ensure linguistic and demographic representation, preventing algorithmic exclusion in public and private sectors.
Sectoral Benchmarks.
Access jurisdictional deep-dives for industry-specific AI compliance and regulatory oversight.
Healthcare
Regulated by CDSCO. Focus on diagnostic AI liability and the Unified Health Interface (UHI).
Fintech
RBI & SEBI oversight on algorithmic credit and trading.
Public Sector
MeitY & NITI Aayog oversight on Government-as-a-Platform (GaaP) AI services.
Retail & E-commerce
CCPA & MeitY oversight on dark patterns and algorithmic price fixing.
The 2025 Bill.
A horizontal mandate establishing the National AI Authority and strict ex-ante vetting for 'Critical-Risk' neural systems.
Risk Classification
A 4-tier risk model adapted for Indian vernacular training sets and demographic diversity.
National AI Authority
Dedicated statutory body for model registration, safety audits, and cross-border alignment.
Sovereign Sandbox
Regulatory relief for domestic startups to ensure innovation is not stifled by compliance.
Algorithmic Sovereignty.
The DPDP Act (Section 10) mandates that AI algorithms are architected with native privacy protocols. Significant Data Fiduciaries (SDFs) must ensure training sets do not leak PII.
Neural Vetting
Independent audits are required to verify that model weights do not unintentionally reconstruct sensitive personal data points.
Consent Managers
Integration with the DEPA framework ensures that every bit of data in the model's training pipeline has a revocable statutory artifact.
Technical Dossier.
This comprehensive legal and technical dossier presents an authoritative analysis of India's AI regulatory architecture. It is designed for compliance officers, general counsel, regulatory affairs teams, and policy architects navigating the intersection of artificial intelligence and Indian law.
Regulatory Architecture & Institutional Framework
India's approach to AI governance reflects a distinctive philosophy that blends sovereign control with innovation facilitation. Unlike jurisdictions that have opted for horizontal AI-specific legislation from the outset, India has constructed its regulatory architecture through a layered approach. The foundation comprises existing statutes (IT Act 2000, DPDP Act 2023), upon which sector-specific guidelines and the proposed AI Ethics Bill 2025 are progressively layered.
This architecture is not accidental. It reflects a deliberate policy choice to allow regulatory learning while maintaining the flexibility to respond to technological developments. The tripartite structure that has emerged distributes authority across policy formulation, operational oversight, and sectoral enforcement, creating a system of checks that prevents regulatory capture while ensuring domain expertise informs implementation.
Ministry of Electronics & IT
MeitY occupies the apex position in India's AI governance hierarchy. Its mandate encompasses policy formulation, international treaty negotiations, and oversight of the IndiaAI Mission. Critically, MeitY retains the power to issue binding advisories that create immediate compliance obligations for intermediaries and AI deployers.
National AI Authority
The proposed National AI Authority under the AI Ethics Bill 2025 will serve as the operational arm of AI governance. Unlike MeitY's policy role, NAA will handle day-to-day regulatory functions including model registration, safety audits, and sandbox administration. Its composition will include technical experts alongside legal and policy professionals.
Sectoral Regulators
Domain-specific regulators retain their enforcement powers for AI deployed within their jurisdictions. This creates a matrix of overlapping authority where an AI credit scoring model, for instance, must satisfy both horizontal AI requirements and RBI-specific algorithmic lending guidelines. This layered compliance creates complexity but ensures domain expertise.
Risk Classification System
The AI Ethics Bill 2025 introduces a four-tier risk classification framework that draws inspiration from, but meaningfully departs from, the European Union's AI Act. The Indian framework incorporates factors unique to the Indian context: linguistic diversity across 22 scheduled languages, demographic heterogeneity, infrastructural constraints in rural deployment, and the constitutional imperative of substantive equality under Article 14.
Classification is not static. The Bill empowers the National AI Authority to reclassify systems based on deployment context, scale of impact, and emerging evidence of harm. An AI system classified as "Medium Risk" in urban deployment may attract "High Risk" classification when deployed in underserved communities where algorithmic failure has disproportionate consequences.
Critical Risk
PROHIBITED / RESTRICTED
Systems capable of causing irreversible harm to individuals, communities, or national security. Deployment requires explicit governmental authorisation and ongoing oversight. Certain applications are prohibited outright.
Included Systems
Pre-deployment governmental approval, continuous monitoring, annual recertification, designated safety officer, criminal liability for violations
High Risk
MANDATORY REGISTRATION
Systems that significantly impact fundamental rights, economic opportunity, or physical safety. Subject to mandatory registration, conformity assessment, and ongoing monitoring requirements.
Included Systems
Registration with NAA, conformity assessment, technical documentation, bias audit, human oversight mechanisms, incident reporting
Medium Risk
TRANSPARENCY OBLIGATIONS
Systems that interact with users or influence decisions but do not directly impact fundamental rights. Subject to transparency and disclosure requirements.
Included Systems
User disclosure of AI interaction, opt-out mechanisms where feasible, content labeling, basic documentation
Minimal Risk
NO SPECIFIC OBLIGATIONS
Systems with negligible impact on rights or safety. No AI-specific obligations, though general consumer protection and IT Act provisions continue to apply.
Included Systems
No AI-specific requirements; general IT Act and consumer protection laws apply
DPDP Act 2023: AI Provisions
The Digital Personal Data Protection Act 2023 represents India's first comprehensive data protection legislation and creates significant obligations for AI systems that process personal data. While not AI-specific, its provisions on automated decision-making, Privacy-by-Design mandates, and enhanced obligations for Significant Data Fiduciaries directly shape the operating environment for AI in India.
A Data Principal has the right to "obtain information about the logic involved in a significant decision" that is based substantially or wholly on the automated processing of their personal data. This creates a qualified right to algorithmic explanation, though the statute does not prescribe the form or depth of explanation required.
Practitioner Implications
- "Significant decision" is undefined and will require regulatory clarification or judicial interpretation
- The qualifier "substantially" creates ambiguity for hybrid human-AI decision processes
- Explainability infrastructure should be built into AI systems from inception
- Trade secret protections may limit disclosure but cannot entirely negate the right
Data Fiduciaries must implement "reasonable security safeguards" to prevent personal data breaches. For AI systems, this extends to technical measures ensuring that training data cannot be reconstructed from model weights, that inference does not leak PII, and that adversarial attacks cannot extract training data.
Practitioner Implications
- Differential privacy and federated learning may become de facto compliance requirements
- Model inversion attack testing should form part of security assessments
- Training data lineage documentation is essential for breach notification
- "Reasonable" standard will evolve with technological capability
Significant Data Fiduciaries (SDFs) face enhanced obligations including mandatory Data Protection Impact Assessments (DPIAs), appointment of a Data Protection Officer, and periodic audits. For AI deployments, this translates to algorithmic impact assessments that evaluate bias, fairness, and discriminatory outcomes.
SDF Criteria (Likely)
- Processing data of 1 Cr+ Data Principals
- Processing children's personal data at scale
- Risk of significant harm from processing
- Government-notified entities
SDF AI Obligations
- Algorithmic Impact Assessment
- Bias audit and remediation
- Third-party verification for high-risk AI
- Annual compliance reporting
AI Ethics Bill 2025: Core Provisions
The AI Ethics Bill 2025 represents India's first horizontal AI-specific legislation. Currently progressing through parliamentary consultation, the Bill establishes the National AI Authority, mandates risk-based classification, and creates a sovereign sandbox regime. Importantly, it introduces criminal liability for certain categories of AI-related harm, departing from the purely civil enforcement model of the DPDP Act.
Risk Classification
Establishes the four-tier risk classification framework. Empowers NAA to issue binding classification guidance and reclassify systems based on deployment context.
Model Registration
Mandates registration of High-Risk and Critical-Risk AI systems with the NAA prior to deployment. Registration includes technical documentation, risk assessment, and designated responsible officer.
National AI Authority
Establishes NAA as an autonomous body with operational independence. Defines composition (7 members including technical experts), tenure, and powers.
Human Oversight
Requires High-Risk AI systems to maintain meaningful human oversight capability. Defines circumstances where human override must be available.
Algorithmic Audit
Mandates annual algorithmic audits for High-Risk AI deployed by SDFs. Audits must assess bias, accuracy, and demographic fairness.
Sovereign AI Sandbox
Creates regulatory sandbox for domestic AI startups. Provides time-limited compliance relief with enhanced monitoring.
Synthetic Content
Requires labeling and watermarking of AI-generated content. Creates intermediary liability for platforms hosting unlabeled synthetic media.
Criminal Liability
Introduces criminal penalties for deploying Critical-Risk AI without authorisation or causing serious harm through negligent AI deployment.
MeitY Advisories & Guidelines
MeitY has issued a series of advisories under Section 79 of the IT Act 2000 that create immediate compliance obligations for AI deployers. These advisories, while termed "advisory," carry binding force for intermediaries and can trigger loss of safe harbour protections for non-compliance. The March 2024 AI Advisory is particularly significant.
Key Requirements
- Permission from Government of India before deploying "under-tested" or "unreliable" AI models affecting Indian users
- Mandatory labeling of AI-generated content including deepfakes and synthetic media
- Explicit disclosure when users interact with AI systems
- Prohibition on AI-generated content that violates IT Rules 2021
Compliance Implications
- Loss of safe harbour under Section 79 for non-compliance
- Potential criminal liability under IT Act provisions
- Reputational risk from government enforcement actions
- Uncertainty around "under-tested" standard interpretation
Following industry feedback, MeitY issued a clarification limiting the governmental permission requirement to AI platforms "that are significant in scale or potential impact." This narrows the scope but introduces ambiguity around threshold determination. The advisory now also explicitly encourages voluntary labeling commitments.
Sectoral Regulatory Framework
Financial Services
The RBI has issued comprehensive guidelines on algorithmic lending, credit scoring, and automated underwriting. SEBI regulates algorithmic trading and robo-advisory services. IRDAI oversees AI in insurance underwriting and claims.
Fair lending practices, model explainability, appeal mechanisms for credit denials
Algo trading registration, risk management, audit trails, kill switches
Non-discrimination in underwriting, transparency in premium calculation
Healthcare
Healthcare AI faces overlapping regulation from the National Medical Commission, CDSCO (medical devices), and the proposed Digital Health Authority under the Digital Health Mission.
AI-assisted diagnosis must be validated by registered medical practitioners
Software as Medical Device (SaMD) classification and approval pathways
Health data interoperability, consent framework integration
Telecommunications
TRAI regulates AI deployment in network management, customer service automation, and fraud detection. The Telecommunications Act 2023 introduces new provisions relevant to AI-powered network security.
Transparency in AI-driven network management decisions affecting service quality
AI systems for spam and fraud identification must provide appeal mechanisms
Critical Infrastructure
NCIIPC (National Critical Information Infrastructure Protection Centre) oversees AI deployment in critical infrastructure including power grids, transportation, and government systems.
Security clearance for AI systems in critical infrastructure, mandatory vulnerability testing
6-hour reporting window for AI-related security incidents in CII
Penalty & Enforcement Matrix
| Violation Category | Statutory Basis | Maximum Penalty | Enforcement Body |
|---|---|---|---|
| DPDP Act Non-Compliance (General) | DPDP Act 2023, Section 33 | ₹250 Crore | Data Protection Board |
| Data Breach (SDF) | DPDP Act 2023, Section 33(b) | ₹200 Crore | Data Protection Board |
| Children's Data Violation | DPDP Act 2023, Section 33(c) | ₹200 Crore | Data Protection Board |
| Failure to Register High-Risk AI | AI Ethics Bill 2025, Section 12 | ₹50 Crore | National AI Authority |
| Deploying Critical-Risk AI Without Authorisation | AI Ethics Bill 2025, Section 45 | Criminal: 3 Years | Criminal Courts |
| AI-Caused Serious Harm (Negligence) | AI Ethics Bill 2025, Section 45 | Criminal: 5 Years | Criminal Courts |
| Deepfake Distribution (Non-Consensual) | IT Act 2000, Section 66D/66E | 3 Years + ₹2 Lakh | Cyber Crime Police |
| Loss of Safe Harbour (Intermediary) | IT Act 2000, Section 79 | Full Liability | Civil/Criminal Courts |
| Algorithmic Lending Violation | RBI Master Directions | License Revocation | Reserve Bank of India |
| Medical AI Deployment Without Approval | Drugs & Medical Devices Rules | ₹1 Crore + Prosecution | CDSCO |
Compliance Imperatives
Model Registration
High-risk and critical-risk AI systems must be registered with the National AI Authority prior to deployment. Registration documentation includes technical specifications, risk assessments, training data provenance, and identification of a designated responsible officer with authority to halt deployment.
Algorithmic Audit
Significant Data Fiduciaries deploying AI must conduct annual algorithmic audits. Audits assess bias across protected categories, accuracy metrics, and demographic fairness. Third-party verification is mandatory for public sector deployments and recommended for high-risk commercial applications.
Synthetic Content Labeling
All AI-generated content must bear watermarks or metadata identifiers as per MeitY Advisory (March 2024). Explicit labeling of deepfakes and synthetic media is mandatory. Platforms face intermediary liability for hosting unlabeled synthetic content under IT Rules 2021.
Human Oversight
High-risk AI systems must maintain meaningful human oversight capability. This includes clear escalation pathways, override mechanisms, and defined circumstances where human intervention is mandatory. Fully autonomous operation is restricted for critical decisions.
Data Principal Rights
DPDP Act Section 8(8) creates qualified rights to explanation for significant automated decisions. AI deployers must implement infrastructure for responding to explanation requests within statutory timelines. Documentation of decision logic is essential.
Privacy-by-Design
Section 10 of DPDP Act mandates that data protection be built into AI systems from inception. This includes differential privacy for training, secure inference, and technical measures preventing PII reconstruction from model weights. Annual privacy audits are recommended.
Cross-Border Data Flows
Data Localisation Landscape
While the DPDP Act 2023 permits cross-border transfers to jurisdictions notified by the Central Government, sectoral regulations create a complex overlay. The RBI's Payment Data Localisation Directive (2018) remains fully operative, requiring payment data to be stored exclusively in India. Healthcare data under the proposed Digital Health Data Management Policy faces similar constraints.
Extraterritorial Application
The AI Ethics Bill 2025 extends its reach to foreign entities in two circumstances: (a) offering AI services to Indian users, and (b) processing Indian data for AI training or inference. This creates compliance obligations for global AI providers and mirrors the extraterritorial scope of GDPR.
Practical Implications
- Global AI SaaS providers serving India must comply
- Local representative appointment may be required
- Jurisdictional complexity for enforcement
- Data processing agreements must reflect Indian law
Synthetic Content & Deepfake Regulations
India has moved aggressively to regulate synthetic media. The MeitY Advisory (March 2024) mandates labeling of AI-generated content, while the IT Rules 2021 (as amended) create takedown obligations for platforms hosting harmful deepfakes. Criminal liability under IT Act Sections 66D and 66E can attach for non-consensual intimate imagery and identity fraud.
Labeling Requirements
- Visible watermarking for AI-generated images and videos
- Metadata tagging for synthetic audio
- Disclosure when users interact with AI chatbots
- Platform-level content authentication systems
Criminal Liability
- IT Act 66D: Cheating by personation using AI
- IT Act 66E: Non-consensual intimate imagery
- IPC 499/500: Defamation via deepfakes
- IPC 153A: Promoting enmity via synthetic content
Platform Obligations
- 24-hour takedown for notified deepfakes
- Content authentication infrastructure
- Grievance redressal for synthetic content
- Compliance reporting to MeitY
IndiaAI Mission & Infrastructure
The IndiaAI Mission represents the government's flagship initiative to position India as a global AI power. Its seven pillars encompass compute infrastructure, data platforms, application development, and crucially, a "safe and trusted AI" programme that will shape the regulatory environment.
Compute Infrastructure
Public-private partnership to build 10,000+ GPU compute capacity accessible to startups and researchers
IndiaAI Data Platform
Unified datasets for AI training including anonymised government data and multilingual corpora
Application Development
Funding for AI applications in agriculture, healthcare, education, and governance
FutureSkills Prime
AI skilling initiative targeting 500,000 professionals by 2029
Safe & Trusted AI
Development of AI safety standards, testing infrastructure, and regulatory sandboxes
Startup Ecosystem
Grant funding and regulatory support for AI startups through sovereign sandbox regime
Practitioner Guidance
“India's AI regulatory architecture is not merely a compliance exercise. It represents a fundamental reimagining of the relationship between algorithmic power and constitutional values. Practitioners who understand this philosophy will navigate the framework more effectively than those who approach it as a checklist.”
Anandaday Misshra
Founder & Managing Partner, AMLEGALS
Immediate Action Items
Conduct AI inventory across all business functions to identify systems requiring registration
Assess DPDP Act SDF classification status and implement algorithmic audit protocols
Review synthetic content generation capabilities and implement labeling infrastructure
Establish human oversight mechanisms for high-risk AI decision systems
Document training data provenance and implement consent verification
Engage with sectoral regulators to understand domain-specific requirements
Strategic Considerations
Position AI governance as a board-level concern, not merely a compliance function
Build explainability infrastructure into AI systems from inception rather than retrofitting
Engage proactively with the sovereign sandbox regime for regulatory learning
Monitor sectoral regulatory developments across RBI, SEBI, IRDAI, and NMC
Develop cross-functional AI governance teams combining legal, technical, and business expertise
Establish relationships with the emerging AI regulatory community including NAA
AMLEGALS Technical Dossier Series
Reference: IND/AI/2026/001 | Last Updated: February 2026
Guideline Record
AI Ethics & Regulation Bill, 2025 (Proposed)
The definitive horizontal statute for AI. Establishes the National AI Authority and a 4-tier risk classification system, mandating ex-ante vetting for critical-risk neural architectures.
Mandatory Registration of Frontier Models with the National AI Authority.
Algorithmic Impact Assessments for High-Risk Systems.
Establishment of the AI Regulatory Sandbox for MSMEs.
MeitY AI Advisory (Labeling & Safety)
Mandates that 'under-tested' or unreliable AI models must be explicitly labeled. Imposes strict provenance markers for synthetic content (deepfakes) to ensure election integrity.
Consent Popup requirement for under-tested AI models.
Metadata labeling for synthetic content.
DPDP Act, 2023: Algorithmic PbD
Bypasses general privacy for 'Privacy-by-Design' (PbD) in AI. Section 10 mandates Significant Data Fiduciaries (SDF) to undergo independent audits of neural training sets.
Data Quality and Accuracy in Training Sets.
Independent Data Auditor for SDF Algorithmic Verification.