AI Regulation in India: A Quick Guide

Summary

On November 5, 2025, India released its AI Governance Guidelines under the IndiaAI Mission, taking a unique approach that leverages existing legal frameworks rather than creating new AI-specific legislation.

• India uses seven foundational principles to guide AI governance across all sectors
• Existing laws like the IT Act, DPDPA, and Consumer Protection Act already address many AI-related risks
• Sector-specific regulators manage domain-specific AI risks rather than a single blanket regulatory body

Why No New AI Law?

India has deliberately chosen not to create separate AI-specific legislation. The Ministry of Electronics and Information Technology (MeitY) released guidelines stating that existing statutes can adequately address AI-related risks if enforced consistently. This reflects confidence in India's current regulatory architecture, supplemented by targeted amendments where necessary.

The guidelines address AI-related harms such as deepfakes, algorithmic bias, and national security threats while establishing accountability mechanisms. This model adapts current laws and sectoral regulations, allowing for flexibility as AI technology evolves, rather than locking in rigid compliance requirements.

The Legal Landscape: What Already Applies?

Several key statutes already govern AI systems in India.

The Information Technology Act (IT), 2000 addresses AI-generated impersonations and deepfakes while placing due diligence obligations on platforms for monitoring unlawful content.

The Bharatiya Nyaya Sanhita, 2023 tackles cybercrimes perpetrated through AI, including identity theft and forgery.

The Digital Personal Data Protection Act (DPDPA), 2023 mandates consent for personal data processing and empowers authorities to investigate AI-driven profiling harms.

The Consumer Protection Act, 2019 protects against misleading AI-related claims, with authorities empowered to order corrective measures. Various sector-specific laws also apply to AI in specialized contexts.

Businesses often rely on Al Lawyers in India to navigate these overlapping frameworks and ensure they meet all compliance responsibilities across sectors.

Sectoral Oversight: Who Regulates What?

Rather than creating a single AI regulatory body, India uses specialised regulators to manage domain-specific risks.

MeitY provides national policy direction, while sector-specific regulators issue binding compliance mandates.

In financial services, the Reserve Bank of India (RBI) oversees fintech AI systems through its Cybersecurity Framework, while the Securities and Exchange Board of India (SEBI) manages AI-driven trading algorithms.

The Insurance Regulatory and Development Authority of India (IRDAI) mandates compliance with cyber security guidelines affecting AI in insurance. The Indian Council of Medical Research (ICMR) has issued ethical guidelines requiring bias audits and ethics reviews for AI in healthcare.

This approach recognizes that AI applications face different risks across domains, allowing specialized regulators to manage risks within their expertise.

Targeted Updates on the Horizon

While existing laws provide substantial coverage, the Guidelines acknowledge the need for specific updates.

The IT Act requires modernization regarding how AI systems that generate or modify content autonomously are classified and what obligations apply to them.

Clearer liability frameworks are needed to define the roles of developers, deployers, and users with proportionate responsibility based on function, risk, and due diligence.

A committee is examining copyright issues around AI training and AI-generated works, considering a Text and Data Mining exception.

The DPDPA requires examination regarding exemptions for AI training and compatibility of data principles with AI operations.

Practical Steps for Businesses

Organisations working with AI in India should review operations against the IT Act, Bharatiya Nyaya Sanhita, DPDPA, and Consumer Protection Act. Engage with sectoral regulators relevant to your domain, whether RBI, SEBI, IRDAI, or ICMR.

Monitor proposed amendments to IT Act classifications, liability frameworks, copyright law, and DPDPA implementation rules. Consider implementing industry codes of practice and self-certification mechanisms. Develop internal systems to assess and classify AI-related risks, particularly for high-risk applications.

Given the complexity of navigating multiple existing laws, sectoral regulations, and evolving compliance requirements, consulting legal specialists with expertise in AI governance can help businesses understand their obligations and implement effective compliance strategies.

A technology law firm in India can play a pivotal role in helping organisations adapt to India’s evolving AI governance landscape and meet compliance expectations effectively.