Marking 25 Years of the IT Act: The Laws That Wired India

The IT Act, 2000 Turns 25 Today — Here Are 25 Milestones That Shaped India’s Digital Journey

The 420 Web Desk

A quarter century ago, India’s Parliament passed the Information Technology Act, 2000—its first digital-era statute. Twenty-five years later, the same law that legalized e-commerce and email signatures now underwrites data privacy, cybercrime probes, and algorithmic accountability. The arc from floppy disks to generative AI shows how the IT Act both empowered India’s online revolution and strained to keep up with it.

July 25, 1998 — The Blueprint
The Prime Minister’s IT Task Force issued 108 recommendations, including drafting a National Policy on Information Security, Privacy and Data Protection—the seed of what became the IT Act.

December 16, 1999 — IT Bill Introduced
Then-IT Minister Pramod Mahajan introduced the Information Technology Bill, 1999, which was later refined through committee review before being tabled for passage.

May 17, 2000 — Parliament Passes the Act
The Bill cleared both Houses of Parliament, creating India’s first legal framework for electronic governance, digital contracts, and electronic signatures.

June 9 and October 17, 2000 — Assent and Enforcement
The President gave assent on June 9, and the IT Act came into force on October 17, 2000, officially establishing India’s digital legal architecture.

February 2002 — First Digital Signature
Safescrypt became the first certifying authority under the Act. Then-IT Minister Pramod Mahajan received India’s first legally recognized digital signature, marking the dawn of verified online identity.

February 2003 — Blocking Procedures Notified
Procedures for blocking websites were notified, designating CERT-In as the nodal agency to handle content takedowns—years before it became a statutory body.

December 2004 — Bazee.com Arrest and Liability Debate
The Avnish Bajaj case, in which the CEO of Bazee.com (now eBay India) was arrested over an obscene video listing, sparked global debate over intermediary liability and the responsibilities of online platforms.

January 2005 — Expert Committee to Review the Act
The government appointed a committee chaired by Brijesh Kumar to modernize the IT Act and address emerging threats such as phishing and data theft.

December 2006 — Amendment Bill Introduced
Dayanidhi Maran, then Minister of Communications & IT, introduced the Information Technology (Amendment) Bill, 2006, which was later expanded by the Parliamentary Standing Committee chaired by Nikhil Kumar.

December 2008 — IT (Amendment) Bill Passed
Parliament passed the amendment introducing provisions on cyberterrorism, data protection, and electronic evidence, and controversially adding Section 66A on offensive communication.

October 2009 — Amendment Enforced
Rules for interception, monitoring, and decryption came into effect, establishing India’s first comprehensive framework for digital surveillance and online monitoring.

July 2010 — First ‘Protected System’ Declared
The TETRA Communication Network was declared a “Protected System” under the Act, introducing formal recognition of critical information infrastructure.

April 2011 — Data and Intermediary Rules
Rules were notified defining sensitive personal data, establishing intermediary responsibilities, regulating cyber cafés, and setting standards for electronic service delivery.

January 2014 — NCIIPC and CERT-In Notified
The National Critical Information Infrastructure Protection Centre (NCIIPC) was designated as the nodal agency for national cyber defense. CERT-In received statutory authority under Section 70B of the IT Act.

March 2015 — Section 66A Struck Down
In the landmark case Shreya Singhal v. Union of India, the Supreme Court struck down Section 66A as unconstitutional, marking a defining moment for digital free speech in India.

June 2020 — App Bans and Platform Governance
Amid rising geopolitical tensions, India banned over 260 mobile applications citing national security grounds, expanding the scope of the IT Act’s enforcement in the digital domain.

February 2021 — New IT Rules
The government notified the Intermediary Guidelines and Digital Media Ethics Code Rules, 2021, tightening regulation of social media platforms, OTT services, and digital publishers.

April 2022 — Six-Hour Incident Reporting Mandate
CERT-In’s directions under Section 70B mandated reporting of defined cyber incidents within six hours of detection—among the fastest response windows in the world.

August 2023 — Digital Personal Data Protection Act, 2023
After 25 years of debate on privacy and data governance, India enacted its first dedicated data protection law, building upon the foundational principles of the IT Act.

September 2023 — AI and Robotics Policy Consultations
The government released drafts of the National Strategy on Robotics and the IndiaAI Expert Group Report, signaling the transition of digital policy into the artificial intelligence era.

2024 — RBI Master Directions on Cyber Resilience
The Reserve Bank of India issued its Master Directions on Cyber Resilience and Digital Payment Security Controls for Non-Bank Payment System Operators, setting a uniform framework for fintech and payment systems.

2025 — CERT-In Comprehensive Cyber Security Audit Policy
CERT-In issued the Comprehensive Cyber Security Audit Policy Guidelines on July 25, 2025, mandating annual evidence-based audits across sectors, including AI, IoT, and cloud infrastructure.

2025 — 15 Elemental Cyber Defense Controls for MSMEs
CERT-In released a framework in September 2025 outlining 15 baseline cyber defense controls and 45 recommendations to strengthen cybersecurity among micro, small, and medium enterprises.

2025 — AI Deepfake and Quantum Crime Concerns
Policy experts and parliamentary committees warned of new-age threats including deepfakes, AI-driven fraud, and quantum computing vulnerabilities, calling for urgent legal reform.

“India’s cyber threat landscape has entered a transformative phase,” says Prof. Triveni Singh, cybercrime expert and Chief Mentor at the Future Crime Research Foundation. “We urgently need legislative clarity on quantum computing, AI-enabled financial fraud, and emerging risks that directly threaten corporate integrity and government security systems. The next decade will determine whether our digital resilience can match the sophistication of new-age cybercrime.”

From e-Commerce to Quantum Governance
Twenty-five years after its inception, the IT Act remains the cornerstone of India’s digital transformation—from legitimizing electronic contracts to regulating artificial intelligence. Yet, as technology continues to evolve, the law faces growing pressure to adapt. The upcoming Digital India Act and the long-awaited National Cyber Security Strategy will determine whether the next quarter-century of digital governance will be guided by foresight—or by catch-up.
