India's IT Law Overhaul: Binding Advisories, Safe Harbor Erosion, and New Cybersecurity Mandates

India Proposes Fundamental Rewrite of Digital Liability, Placing Government Advisories at the Core of Platform Compliance

New Delhi is poised to enact one of the most significant digital governance overhauls in recent years. Draft amendments to India's Information Technology Rules, 2021, currently under consultation by the Ministry of Electronics and Information Technology (MeitY), signal a dramatic shift in the relationship between the state and technology intermediaries. The proposed changes, which analysts suggest could be formalized as the "IT Rules 2026," would fundamentally alter platform liability, cybersecurity obligations, and content moderation mandates for global tech giants operating in the world's most populous nation.

From Guidance to Mandate: The Legally Binding Advisory

The most consequential proposal is the elevation of government-issued "advisories" to a legally enforceable status. Currently, advisories from MeitY or other agencies are typically recommendations. Under the draft amendments, these advisories would become binding directives that "Significant Social Media Intermediaries" (SSMIs)—platforms with over 5 million registered users in India—must "act upon" and "comply with." This mechanism would allow the government to mandate proactive content moderation against broad categories of "unlawful" material without needing to pass specific legislation or issue individual takedown orders for each piece of content. For cybersecurity and trust & safety teams, this translates into a requirement to develop systems capable of interpreting and implementing often broad governmental directives at scale and in near real-time.

The Erosion of Safe Harbor: A New Liability Frontier

The proposed rules directly challenge the foundational legal shield for digital platforms: the safe harbor provision under Section 79 of the IT Act, 2000. This provision has historically protected intermediaries from liability for user-generated content, provided they adhere to due diligence requirements and expeditiously remove unlawful content upon receiving actual knowledge via a court or government order.

The draft amendments introduce a critical condition: platforms would retain safe harbor protection only if they ensure their services are not used to publish content prohibited by any law and, crucially, if they comply with these new binding government advisories. Failure to act on an advisory could be construed as a failure to exercise due diligence, thereby stripping the platform of its liability shield. This creates a powerful enforcement tool, effectively making compliance with advisories a prerequisite for legal immunity. Legal experts warn this blurs the line between proactive monitoring—which could threaten end-to-end encryption—and reactive takedowns, forcing platforms into a de facto censorship partnership with the state.

The 72-Hour Countdown: Accelerated Compliance Timelines

Adding operational pressure, the amendments propose slashing the compliance timeline for content takedown notices. The current rules grant intermediaries a "reasonable" period to act. The draft specifies a strict 72-hour window from the receipt of a grievance or government order to disable access to the flagged content. For cybersecurity and content moderation operations centers, this imposes a stringent Service Level Agreement (SLA) with the Indian government, requiring 24/7 monitoring, rapid legal assessment, and technical execution capabilities. Non-compliance would not only risk liability but also attract potential penalties under other statutes.

Expanding the Regulatory Net: Influencers and Content Creators

The regulatory scope expands beyond large platforms. The amendments explicitly aim to bring digital content creators, including influencers and live-streamers, under a more formal compliance framework. While details are still emerging, this likely involves clearer labeling of paid or promotional content, adherence to prescribed "code of ethics," and accountability for the content they publish. This move recognizes the growing influence of creator economies and seeks to mitigate risks like financial fraud, misinformation, and non-consensual content spread via these channels.

Cybersecurity Implications and Global Precedent

The cybersecurity ramifications are extensive:

The Road Ahead and Industry Stance

The draft is currently open for stakeholder consultation. Major technology industry associations and global giants are expected to lobby vigorously, particularly against the safe harbor linkage and the vagueness surrounding "advisories." They will likely argue that such measures undermine innovation, freedom of expression, and cybersecurity by forcing the creation of surveillance infrastructure.

The Indian government's stance is framed around national security, public order, and sovereign control over the digital ecosystem. The final rules will be closely watched as a bellwether for the future of digital sovereignty, platform liability, and the balance between state authority and open internet principles in the Global South. For CISOs and legal teams at every multinational tech firm, India's rulebook rewrite demands immediate strategic review, as it sets a new high-stakes benchmark for regulatory risk in a critical market.