India is running one of the world's largest AI adoption programmes without a dedicated AI law to sit underneath it. The government's posture, expressed consistently since NITI Aayog's first national strategy paper in 2018, is that innovation should not wait for binding regulation. For operators, that means the compliance floor in India today is set by data protection law and intermediary rules built for other purposes, supplemented by advisories that carry real reputational and platform-access weight even where their legal force is contested.

Key takeaways

  • India has no single AI statute in force. Governance runs through the Digital Personal Data Protection Act 2023 (DPDPA), the IT Act 2000 and IT Rules (including the 2021 Intermediary Guidelines), and MeitY advisories, plus the IndiaAI Mission as a funding and infrastructure programme rather than a regulator.
  • MeitY's March 2024 advisory, later revised, moved from an apparent permission requirement for under-tested generative AI models toward a lighter labelling and disclaimer obligation, layered on top of existing IT Rules due diligence and grievance redressal duties.
  • The DPDPA 2023 is enforced by the Data Protection Board of India. Implementing rules were still being finalised into 2025 and 2026, so enforcement mechanics have lagged the statute. Penalties for serious breach failures reach up to INR 250 crore (approximately EUR 27 million at mid-2026 rates), but the Act has no GDPR Article 22 or EU AI Act Article 26 style automated-decision-making regime.
  • The RBI is the most active sector regulator on AI, working through a Fintech Department AI working group toward a principles-based FREE-AI framework, layered on existing outsourcing and IT risk rules that already reach AI vendors used by banks and NBFCs.
  • India's approach is explicitly principles-led and pro-innovation rather than binding and risk-tiered. There is no Annex-III-style high-risk classification, no mandatory conformity assessment, and no EU AI Act-scale penalty regime. Operators compliant with the EU AI Act will exceed India's current requirements but still need a distinct DPDPA compliance workstream.

The regulatory landscape

India's AI governance environment in 2026 is best understood as four layers stacked on top of each other, none of which was written with AI as its primary subject except the most recent.

The first layer is data protection law. The DPDPA 2023 is India's first comprehensive data protection statute, and it applies to any processing of digital personal data of individuals in India, including processing carried out by AI systems, regardless of where the operator is headquartered.

The second layer is the IT Act 2000 and the rules made under it, principally the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, as amended. These rules were built to govern online intermediaries and digital media, not AI specifically, but MeitY has used them as the vehicle for AI-directed advisories because they already impose due diligence, grievance redressal, and traceability obligations on platforms.

The third layer is the IndiaAI Mission, approved by the Union Cabinet in March 2024 with an outlay of roughly INR 10,372 crore and run by MeitY.[1] The Mission funds compute infrastructure, foundation model development, datasets, safety research, and skilling programmes. It is a government investment and coordination vehicle, not a regulatory body, and it does not itself impose compliance obligations on operators.

The fourth layer is sector-specific guidance, most developed in financial services through the RBI, and philosophical grounding through NITI Aayog's strategy papers, which shape how any future binding AI law is likely to be drafted.

MeitY advisories and the IT Rules

The most direct signal of India's regulatory intent toward generative AI came through MeitY advisories rather than legislation. In March 2024, MeitY issued an advisory directed at significant AI platforms and intermediaries, asking them to label generative AI models that were still under testing or considered unreliable, and, on one reading, to seek government permission before deploying certain models in India.[2]

The advisory drew sustained pushback from industry on the grounds that its language was vague, that a permission requirement for model deployment had no clear statutory basis, and that it risked slowing legitimate product releases without a defined process for seeking or granting permission. MeitY issued a revised advisory later in 2024 that softened the original position.[3] The revised guidance moved away from a permission framing and instead emphasised labelling of under-tested or unreliable models, disclaimers to users about the possible unreliability or fallibility of AI-generated output, and compliance with the due diligence, grievance redressal, and traceability obligations that already exist under the IT Rules 2021.

The practical effect for operators is that MeitY advisories are not binding law in the way an EU AI Act obligation is binding, but they are not safely ignored either. Advisories signal MeitY's enforcement priorities under the IT Rules, and intermediaries that fail to align with published advisory expectations risk being treated as having failed the due diligence standard that does carry binding consequences, including the safe harbour protections available to intermediaries under Section 79 of the IT Act. An operator that ignores a published advisory and later faces a grievance or takedown dispute will find it harder to argue it exercised the due diligence the IT Rules require.

The DPDPA: the closest thing to a binding AI-relevant statute

The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law and, in the absence of a dedicated AI statute, functions as the most directly enforceable constraint on AI systems that process personal data.[4]

The Act requires a lawful basis for processing personal data, generally consent, given freely, specifically, and with the ability to withdraw it as easily as it was given, or one of a defined set of "legitimate uses" that do not require consent. It gives data principals a right to correction of inaccurate or misleading personal data and a right to erasure once the purpose of processing has been served. It imposes a breach notification obligation on data fiduciaries, requiring notification to the Data Protection Board of India and to affected data principals.

Enforcement sits with the Data Protection Board of India, a body created under the Act. Its implementing rules, covering consent management detail, breach notification timelines, and cross-border data transfer conditions, were still being finalised into 2025 and 2026, so practical enforcement mechanics have lagged behind the statute's passage in August 2023.[4] Operators should not read this lag as an absence of exposure: the substantive obligations already apply in principle, and the Board's eventual operational rules are expected to reach conduct occurring after the Act's provisions were notified.

Financial penalties under Schedule 1 of the DPDPA are significant. The most serious category, covering failure to take reasonable security safeguards to prevent a personal data breach, carries a penalty of up to INR 250 crore, approximately EUR 27 million at mid-2026 exchange rates.[4] Other categories, including failure to notify a breach and failure to fulfil obligations related to children's data, carry lower but still material penalty ceilings.

What the DPDPA does not contain is an AI-specific automated-decision-making right. Unlike GDPR Article 22 or EU AI Act Article 26, there is no standalone statutory right for a data principal to demand human review of a decision made solely by automated means. Operators relying on automated decisions about Indian data subjects, credit scoring, hiring screens, insurance pricing, therefore face a lighter statutory constraint on the automation itself than they would in the EU, even though the underlying data processing is regulated.

Sector-specific AI governance: the RBI's FREE-AI work

Financial services is the most active sector for AI-specific governance development in India, driven by the Reserve Bank of India. The RBI established an internal Fintech Department AI working group, and through 2024 and 2025 that group has been developing a principles-based approach referred to as FREE-AI, the Framework for Responsible and Ethical Enablement of AI, intended to guide AI adoption across the financial sector without imposing a rigid, prescriptive rulebook.[5]

Separately from the FREE-AI work, the RBI's existing guidelines on outsourcing arrangements and IT risk management already apply to AI systems used by regulated banks and non-banking financial companies (NBFCs). These guidelines require regulated entities to conduct due diligence on technology vendors, maintain business continuity and data security standards for outsourced functions, and retain ultimate accountability for outsourced or vendor-supplied systems, including AI models used for credit decisioning, fraud detection, or customer-facing advice.

The practical consequence for an international AI vendor is the same pattern seen in other emerging-market financial regulators: the vendor is not itself directly regulated by the RBI, but the bank or NBFC that uses the vendor's AI system is, and that regulated entity must pass down governance requirements, documentation, and audit rights to its AI suppliers as a condition of using them at all.

NITI Aayog: the philosophical foundation

India's principles-led, pro-innovation regulatory posture did not emerge in 2024; it has been consistent government policy since NITI Aayog, India's public policy think tank, published its National Strategy for Artificial Intelligence in 2018.[6] That strategy framed AI adoption as a national economic priority and set out a "AI for All" ambition focused on inclusive growth rather than restrictive control.

NITI Aayog followed with a two-part Responsible AI for All approach paper in 2021, addressing principles for responsible AI and an operationalising approach to implementing them.[7] These documents remain the clearest statement of the values any future binding Indian AI law is likely to embed: safety, equality, inclusivity, non-discrimination, privacy and security, transparency, accountability, and the protection of positive human values. Operators building AI governance documentation for the Indian market should treat these principles as the substantive test a future regulator is likely to apply, even though they carry no binding force today.

India has also engaged with international AI governance coordination, participating in the Global Partnership on AI (GPAI) and hosting AI Impact Summit conversations, but as of 2026 it has not signed or acceded to the Council of Europe Framework Convention on AI (2024), which is open to non-member states. Accession would raise the binding floor materially, introducing obligations such as human rights impact assessments for significant AI systems, but no such move has been announced.

Comparison with the EU AI Act

The distance between India's current framework and the EU AI Act (Regulation 2024/1689) is substantial and deliberate. The EU AI Act is a binding, risk-tiered regime: it classifies systems by risk level, imposes Annex III high-risk categories with mandatory conformity assessment, and backs the regime with penalties of up to 7% of global annual turnover or EUR 35 million, whichever is higher. India has none of this. There is no statutory risk classification system, no conformity assessment requirement, and no AI-specific penalty regime approaching that scale.

The DPDPA's penalty ceiling of INR 250 crore, while significant in absolute terms, is a data-privacy penalty tied to specific breach and security failures, not a general AI-safety enforcement tool. It does not reach conduct such as deploying a high-risk AI system without adequate testing, absent a separate personal data failure attached to that deployment.

For operators already compliant with the EU AI Act's Articles 9 through 17, technical documentation, risk management systems, data governance, logging, transparency, human oversight, and accuracy and robustness testing, the practical position in India is that this documentation exceeds what Indian law currently requires. That is a genuine advantage: an operator with EU AI Act-grade documentation can generally demonstrate to an Indian counterparty, regulator, or the Data Protection Board that its AI governance is more than adequate.

The gap operators should not paper over is the assumption that GDPR-equivalent documentation automatically satisfies the DPDPA. The DPDPA has its own consent architecture, its own definitions of legitimate use, and its own cross-border data transfer provisions that do not map onto GDPR's adequacy and standard contractual clause mechanisms. A compliance programme built around EU GDPR and EU AI Act obligations still needs a discrete DPDPA workstream addressing Indian-specific consent notices, data principal rights processes, and breach notification procedures to the Data Protection Board.

Enforcement landscape

Enforcement in India in 2026 is uneven across the four layers described above. The Data Protection Board of India is the newest enforcement body and, with implementing rules still being finalised, has not yet built the track record seen from more established data protection authorities. Operators should expect enforcement activity to accelerate once the Board's procedural framework, including its ability to receive complaints, conduct inquiries, and impose penalties, is fully operational.

MeitY enforcement, by contrast, operates through the existing IT Rules mechanism, including the ability to require intermediaries to remove content, respond to grievances within defined timelines, and, in serious cases, lose the safe harbour protection under Section 79 of the IT Act if due diligence obligations are not met. This gives MeitY's advisories real teeth even without dedicated AI legislation, since failure to follow published advisory expectations can be used as evidence of inadequate due diligence in a subsequent dispute.

RBI enforcement against regulated financial entities is well established and can include monetary penalties, restrictions on business activities, and directions to rectify deficient risk management practices, all of which can be triggered by inadequate AI governance within a regulated entity's outsourcing or model risk framework.

What operators should do

Operators deploying AI agents in or into India should build a compliance programme around five practical steps.

First, complete a DPDPA scope assessment identifying which AI systems process personal data of individuals in India, on what lawful basis, and whether that basis is consent or a defined legitimate use. Build a discrete DPDPA workstream rather than assuming GDPR documentation transfers automatically.

Second, review your AI product against the current MeitY advisory expectations: label models that are still under testing or carry meaningful unreliability risk, provide clear user-facing disclaimers about AI-generated content, and confirm your due diligence, grievance redressal, and traceability processes meet IT Rules 2021 standards.

Third, if operating in or selling AI systems into Indian financial services, engage directly with your customer's RBI-driven governance requirements. Expect model documentation, validation evidence, and audit rights to be passed down contractually from the regulated bank or NBFC, and track the RBI's FREE-AI framework as it develops.

Fourth, align internal AI governance documentation with the NITI Aayog Responsible AI for All principles: safety, non-discrimination, transparency, accountability, and human values. This is likely to be the substantive template for any future binding Indian AI statute, and early alignment reduces the retrofitting burden later.

Fifth, prepare for the Data Protection Board of India to become an active enforcer as implementing rules are finalised. Have a breach notification procedure, a data principal rights process for correction and erasure requests, and clear internal ownership of DPDPA compliance decisions in place now, rather than after the Board's enforcement capacity matures.

For how India's principles-first posture compares to another major non-EU jurisdiction working through a similar problem from a different starting point, see the South Africa AI regulation guide and the Australia AI regulation guide. For the EU AI Act deployer obligations that form the highest-current-stringency benchmark referenced throughout this guide, see the Article 26 deployer obligations guide on agentliability.eu. Operators assembling documentation across jurisdictions may also find agentcertified.eu useful as a reference point for cross-border AI governance certification approaches.


Frequently asked questions

Does India have a dedicated AI law in 2026?

No. India has no single cross-sectoral AI statute in force as of 2026. AI governance instead runs through the Digital Personal Data Protection Act 2023 (DPDPA), the IT Act 2000 together with the IT Rules including the 2021 Intermediary Guidelines and Digital Media Ethics Code, and advisories issued by the Ministry of Electronics and Information Technology (MeitY). The IndiaAI Mission, approved by the Union Cabinet in March 2024, funds infrastructure and safety work but is a programme, not a regulatory statute.

What did the MeitY AI advisories actually require?

MeitY issued an advisory in March 2024 asking significant AI platforms to label under-testing or unreliable generative AI models and, in some readings, to seek government permission before deploying certain models. The advisory drew sustained industry pushback for its vagueness and its apparent permission requirement. MeitY issued a revised advisory later in 2024 that softened this position, dropping the permission framing in favour of labelling, disclaimers, and reliance on the due diligence, grievance redressal, and traceability obligations that already exist under the IT Rules.

What obligations does the DPDPA impose on AI operators processing Indian personal data?

The DPDPA 2023 requires a lawful, consent-based (or otherwise permitted) basis for processing personal data, gives data principals a right to correction and erasure, and imposes breach notification duties on data fiduciaries. It is enforced by the Data Protection Board of India, though implementing rules were still being finalised into 2025 and 2026, which has delayed practical enforcement mechanics. Financial penalties for the most serious breach failures reach up to INR 250 crore (approximately EUR 27 million at mid-2026 rates) under Schedule 1 of the Act. The DPDPA does not contain an AI-specific automated-decision-making right comparable to GDPR Article 22 or EU AI Act Article 26.

How does India's AI framework compare to the EU AI Act?

India's approach is explicitly principles-based and innovation-first, in line with NITI Aayog's National Strategy for AI (2018) and Responsible AI for All approach papers (2021), rather than binding and risk-tiered. There is no Annex-III-style high-risk classification, no mandatory conformity assessment, and no EU AI Act-style penalty regime of up to 7% of global turnover or EUR 35 million. Operators who meet EU AI Act Articles 9 to 17 documentation standards will exceed what Indian law currently requires, but should not assume DPDPA compliance follows automatically from GDPR-equivalent documentation, since the DPDPA has its own distinct consent and cross-border data transfer provisions.

Do RBI AI guidelines apply to international AI vendors serving Indian banks?

The Reserve Bank of India regulates banks and non-banking financial companies (NBFCs) directly, not their technology vendors. However, RBI's existing outsourcing and IT risk guidelines require regulated entities to manage third-party AI risk within their own governance frameworks, and the RBI's Fintech Department AI working group has been developing a principles-based FREE-AI framework (Framework for Responsible and Ethical Enablement of AI) for the financial sector. An international AI vendor to an Indian bank will face contractual AI governance requirements that flow down from the bank's RBI obligations, even without being directly regulated itself.


References

  1. Union Cabinet, Government of India. Approval of the IndiaAI Mission, March 2024. Outlay of approximately INR 10,372 crore. Implemented by the Ministry of Electronics and Information Technology (MeitY). Available at indiaai.gov.in.
  2. Ministry of Electronics and Information Technology (MeitY). Advisory on due diligence and labelling for under-tested or unreliable AI models, March 2024. Available at meity.gov.in.
  3. Ministry of Electronics and Information Technology (MeitY). Revised advisory on generative AI platforms, 2024, clarifying labelling and disclaimer expectations under the existing IT Rules framework. Available at meity.gov.in.
  4. Digital Personal Data Protection Act 2023. Assented to August 2023. Enforced by the Data Protection Board of India. Schedule 1 sets penalty ceilings, including up to INR 250 crore for failure to implement reasonable security safeguards. Implementing rules under finalisation into 2025 and 2026. Available at meity.gov.in.
  5. Reserve Bank of India. Fintech Department AI working group discussions on the Framework for Responsible and Ethical Enablement of AI (FREE-AI), 2024 to 2025. RBI guidelines on outsourcing of financial services and IT risk management continue to apply to AI vendors used by regulated banks and NBFCs. Available at rbi.org.in.
  6. NITI Aayog. National Strategy for Artificial Intelligence, 2018. Available at niti.gov.in.
  7. NITI Aayog. Responsible AI for All: Approach Paper (Part 1, Principles for Responsible AI, and Part 2, Operationalising Principles for Responsible AI), 2021. Available at niti.gov.in.
  8. Information Technology Act 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, as amended. Available at meity.gov.in.