Barely eight months after the government insisted a standalone AI law was unnecessary, IT Secretary S. Krishnan has signalled that a dedicated statute may now be under active consideration, even as India simultaneously moves against apps used to disable e-rickshaws and presses Meta over Instagram ads allegedly linked to child sexual abuse material.

Govt Considers Separate AI Law as Deepfakes, Cyber Threats and VPN Misuse Raise Concerns

The420 Web Correspondent
8 Min Read

The Indian government is actively considering the introduction of a dedicated law for artificial intelligence as concerns grow over deepfakes, cyber threats and the misuse of digital platforms, Information Technology Secretary S. Krishnan said on Friday at a cybersecurity event in Delhi. Krishnan said that while the existing legal framework has been effective in addressing early-stage challenges posed by AI, the rapid evolution of the technology is creating new risks that may require a more comprehensive regulatory structure in the future.

He noted that the government has so far dealt with issues such as deepfakes and related misuse through rules framed under existing laws, but that with AI systems becoming more advanced and widely deployed, a separate legislation or expanded regulatory framework may become necessary. “The conversation has already begun,” Krishnan said, adding that both the ministry and senior officials are examining the need for stronger oversight, though he did not specify a timeline for the proposed law. The remarks mark a meaningful shift in tone from Krishnan’s own position at the launch of the India AI Governance Guidelines in November 2025, where he stated plainly that India has consciously chosen not to lead with regulation but to encourage innovation while studying global approaches, and that the government would rely on existing laws and frameworks rather than rush into new legislation.

The Framework Already in Place, and Its Limits

India’s current approach to AI governance rests on a deliberately “light-touch” architecture built around existing statutes rather than a dedicated AI statute. The India AI Governance Guidelines, released by the Ministry of Electronics and Information Technology in November 2025, established seven core principles and proposed institutional bodies including an AI Governance Group, a Technology and Policy Expert Committee, and an AI Safety Institute, while explicitly avoiding a standalone regulatory statute in favour of applying existing laws through a risk-based lens.

The most concrete legal intervention to date has come through the IT Rules rather than a fresh AI law. On February 10, 2026, MeitY notified amendments to the Intermediary Guidelines defining “Synthetically Generated Information,” AI-created or altered content that appears authentic, and imposing binding obligations on platforms including mandatory labelling, provenance metadata, and sharply compressed takedown timelines: three hours for unlawful synthetic content following a government notice, shrinking to two hours for high-risk categories such as non-consensual intimate imagery or impersonation. A private member’s bill, the Artificial Intelligence (Ethics and Accountability) Bill, 2025, introduced in the Lok Sabha in December, has separately proposed a statutory ethics committee, mandatory bias audits, and penalties of up to ₹5 crore, though it remains unenacted. Krishnan’s comments suggest the government may now be weighing whether this patchwork of amendments and guidelines is sufficient, or whether the scale of deepfake and AI-enabled fraud now warrants the dedicated legislative architecture it previously resisted.

VPNs, Compliance Gaps, and a Familiar Enforcement Problem

Krishnan also raised concerns over the misuse of Virtual Private Network services, noting that several providers operate from outside India without registering locally, and said the government is exploring both technological and legal measures to address the issue, since VPNs can be used to bypass restrictions and obscure online activity. This concern echoes a structural challenge that has repeatedly surfaced across India’s digital enforcement efforts, most visibly with Telegram, whose encrypted, cross-border architecture has made it similarly difficult for authorities to enforce compliance even when formal notices are issued.

Three Apps Pulled Over E-Rickshaw Shutdown Concerns

In a separate and more immediate action, the government has directed the removal of three China-linked mobile applications, BAT-BMS, Lossigy, and Epoch-i-ion, from the Google Play Store and Apple App Store. According to officials, the apps were allegedly being misused to remotely disable battery-operated vehicles, including e-rickshaws, following reports and viral videos suggesting remote shutdown capabilities in such systems. The underlying vulnerability, as previously reported, stemmed not from sophisticated hacking but from unsecured, unpassworded Bluetooth-enabled battery management systems in budget e-rickshaws, a configuration failure at the point of sale that these apps were able to exploit. Krishnan said the government would continue to take action against any application found to be involved in similar misuse or posing cybersecurity risks.

Meta Under Renewed Pressure on Two Fronts

The government has also sought clarification from Meta over alleged advertisements on Instagram linked to child sexual abuse material. According to sources in the Ministry of Electronics and Information Technology, the company has been asked to explain reports that such ads were directing users to Telegram channels involved in illegal content distribution, an allegation that, if substantiated, would implicate two major platforms simultaneously in a single exploitation pipeline. Meta representatives have already met ministry officials in connection with earlier regulatory concerns, including issues related to WhatsApp’s proposed username feature, which has raised additional concerns within the government regarding potential misuse for fraud and impersonation, prompting ongoing discussions with the platform.

A Regulatory Posture in Transition

Taken together, Krishnan’s remarks and the day’s parallel actions against apps and Meta suggest a government moving, cautiously but perceptibly, from a guidelines-and-amendments approach toward genuine consideration of dedicated AI legislation, a shift that would bring India’s posture closer to jurisdictions like the European Union, whose AI Act already mandates disclosure requirements for generative AI systems and deepfake labelling under Article 50.

Experts from the Future Crime Research Foundation, commenting on the day’s developments, said the rapid expansion of AI tools, encrypted communication platforms and digital ecosystems is reshaping the nature of cybercrime, emphasising the need for a balanced regulatory approach that encourages technological innovation while ensuring user safety, accountability and strong safeguards against misuse. Whether India’s eventual answer takes the form of a dedicated AI statute, an expanded set of IT Rules amendments, or some hybrid of both, Krishnan’s acknowledgment that “the conversation has already begun” marks the clearest signal yet that the government’s earlier confidence in existing law being sufficient has begun to give way to the scale of what deepfakes, VPN-enabled evasion, and AI-assisted fraud are now producing on the ground.

Stay Connected