As of May 2026, India has no single statute dedicated to artificial intelligence. AI deployments in India are governed by a stack of laws and advisories: the Digital Personal Data Protection Act 2023 (DPDP), the Information Technology Act 2000 (with the 2021 Intermediary Rules), the draft Digital India Act, sectoral regulations from RBI / SEBI / IRDAI, the MeitY AI advisories of March and December 2024, and the NITI Aayog principles for responsible AI. The closest thing India has to an AI-specific law is the IndiaAI Mission framework and the MeitY advisory regime — both non-binding in themselves but enforceable through Section 79 IT Act safe-harbour.
- The Indian AI legal stack
- A layered regime where AI is regulated indirectly through data protection, intermediary liability, sectoral conduct rules and government advisories — rather than by a single dedicated AI Act as in the EU.
- India has no AI-specific statute. The DPDP Act + IT Act are doing the heavy lifting in 2026.
- The MeitY March 2024 advisory introduced — then walked back — a "permission before deployment" requirement. Watch this space.
- The Digital India Act (DIA) draft is the most likely vehicle for AI-specific provisions. Expected 2026–2027 passage.
- RBI's 2024 framework on AI in lending, and SEBI's 2024 circular on AI in market intermediaries, are already enforceable.
- Global certification (ISO 42001, NIST AI RMF, EU AI Act conformity) is currently the strongest defensible compliance posture for Indian deployments.
The seven instruments that actually apply to your AI in India
1. Digital Personal Data Protection Act 2023 (DPDP)
The single most consequential law for Indian AI in 2026. Anything your model ingests, infers about, or outputs concerning an identifiable Indian person is personal data. Section 8 obligations (purpose limitation, accuracy, security) apply to every training set drawn from Indian users. Cross-border transfer rules under Section 16 will be the operative bottleneck for foundation-model fine-tuning. [MoLJ, DPDP Act 2023, gazetted 11 Aug 2023]
2. Information Technology Act 2000 + Intermediary Rules 2021
Section 79 safe harbour for intermediaries is conditional on due diligence. The 2023 amendment to Rule 3(1)(b) made it explicit that intermediaries must not host content that is "patently false or misleading", including AI-generated content. Failure to act on a takedown request within 36 hours strips safe harbour.
3. MeitY AI advisories — March 2024 and December 2024
The March 2024 advisory briefly required platforms deploying "under-tested or unreliable" AI models to seek government permission and label outputs. After industry pushback (notably from Indian startups), MeitY clarified the permission requirement applies to "significant platforms" only, but the labelling and synthetic-media watermarking requirements stuck.
4. The draft Digital India Act
Replacing the IT Act 2000, the DIA is expected to introduce explicit AI provisions — risk-tiered classification (echoing the EU AI Act), mandatory algorithmic audits for high-impact systems, and a statutory AI ethics regulator. Currently in pre-bill consultation; realistic passage 2026–2027.
5. RBI Framework on Responsible AI in Financial Services (2024)
Binding on regulated entities. Requires explainability for credit-decision models, bias testing on demographically representative samples, and board-level approval for any AI model used in lending decisions above ₹50 lakh.
6. SEBI Circular on AI/ML in market intermediaries
Brokers, AMCs and research analysts deploying AI for recommendations must register the system, maintain audit trails, and report model performance quarterly. Effective from FY 2024–25.
7. NITI Aayog #AIForAll responsible-AI principles
Non-binding but cited in MeitY advisories and most government tenders. Seven principles: safety and reliability, equality, inclusivity and non-discrimination, privacy and security, transparency, accountability, and protection and reinforcement of positive human values.
What this means for your deployment in 2026
| If your AI does this… | The primary instrument is… | Defensible posture |
|---|---|---|
| Processes personal data of Indians | DPDP Act 2023 | DPDP-aligned consent + ISO 27701 |
| Generates user-facing content | IT Act §79 + Intermediary Rules | Synthetic-media labelling, takedown SLA |
| Makes credit/lending decisions | RBI Responsible AI Framework 2024 | Explainability + board approval |
| Gives investment recommendations | SEBI AI/ML circular 2024 | System registration + audit trail |
| Sells into EU/UK/US | EU AI Act + UK ICO + state laws | ISO 42001 certification |
| Used in public-sector tender | MeitY advisories + NITI principles | Self-declaration + responsible-AI report |
The 90-day defensible-posture build
For an Indian firm shipping AI today and wanting a posture that survives both a DPDP enquiry and an enterprise procurement questionnaire, the working sequence is:
- Week 1–2: AI inventory. Every model, every data source, every output channel. (Use our free risk scan.)
- Week 3–4: DPDP alignment — consent flows, purpose binding, retention schedule.
- Week 5–8: ISO 42001 gap assessment + AIMS skeleton.
- Week 9–12: Impact assessments for high-risk systems, model cards for production models, signed responsible-AI policy.
Where this is heading
India's strategic direction (visible in the IndiaAI Mission documents and the Digital India Act discussion papers) is towards a risk-tiered, sector-lightregime — closer to the UK's pro-innovation white paper than to the EU AI Act. Expect: high-risk classification for healthcare/finance/employment AI; mandatory audits for systems serving above a threshold of Indians; a statutory regulator either inside MeitY or as a spin-out. Realistic timeline: draft DIA in 2026, notification by 2027–2028.
Frequently asked
- Is there an AI law in India?
- Not as a single statute. AI is governed by a stack — DPDP Act 2023, IT Act 2000 with the 2021 Intermediary Rules, MeitY advisories of March and December 2024, the draft Digital India Act, sectoral rules from RBI and SEBI, and the NITI Aayog #AIForAll principles.
- When will India have an AI Act?
- The most likely vehicle is the Digital India Act, currently in pre-bill consultation. Realistic passage 2026–2027, with notification 2027–2028. Expect a risk-tiered, sector-light regime closer to the UK white paper than the EU AI Act.
- What did the MeitY March 2024 AI advisory actually require?
- It briefly required significant platforms to seek government permission before deploying 'under-tested or unreliable' AI models and to label outputs. After industry pushback, MeitY clarified the permission requirement applies to significant platforms only; labelling and synthetic-media watermarking stuck.
- Are RBI's AI rules binding?
- Yes, on regulated entities. The 2024 Responsible AI in Financial Services framework requires explainability for credit-decision models, bias testing on representative samples, and board-level approval for AI used in lending decisions above ₹50 lakh.
- What is the strongest compliance posture for Indian AI today?
- Global certification — ISO 42001 (AI management), ISO 27001 (security), ISO 27701 (privacy) — layered on top of DPDP-aligned operational practice. This is the most defensible single posture in 2026.
Map your AI to the Indian legal stack in one audit.
Our automated audit covers DPDP, IT Act §79 posture, MeitY advisory alignment, and ISO 42001 readiness in one report. ₹799 for a single audit.
Bharat NeuroTech offers self-serve AI audits across 12 global and Indian standards from ₹799, with Dr. Sodhi personally signing engagements under ISO/IEC 42001, 27001 and 27701.
— Bharat NeuroTech · /ai-audit