September 1, 2025

News

Parliamentary Panel’s Recommendations on Cybercrime

The Department-related Parliamentary Standing Committee on Home Affairs has, in its Two Hundred Fifty Fourth Report, shared observation and recommendations on Cyber Crime – Ramifications, Protection and Prevention, due to its growing relevance and impact on society. Recommendations were made to all concerned organisations ranging from limiting the safe harbour protections available to intermediaries under the IT Act, 2000 to amendment of the Delhi Special Police Establishment Act, 1946 (DSPE Act) to avoid state consent. Here is a brief snapshot of the recommendations:

  • Ministry of Electronics & Information Technology (MeitY):
    • Safe Harbour for Intermediaries
      • Amend the Information Technology Act, 2000, to hold social media intermediaries liable for non-compliance with takedown orders.
      • Impose graded penalties: monetary fines, suspension for persistent violations.
      • Ensure due process and appeal mechanisms to balance regulation & free expression.
    • OTT Platforms
      • Create a Post-Release Review Panel comprising child specialists, educators, legal experts, social scientists, community reps. The panel must review flagged/trending content post-release via standardized grievance system. The panel may also set norms, guidelines, and penalties for violations.
      • Strengthen age verification & parental controls (beyond self-declaration).
      • Mandate content classification and parental guidance in regional languages.
    • AI Content Regulation
      • Strengthen legal framework to cover AI-generated content.
      • Mandate watermarking of photos, videos, and digital media for authenticity.
      • Establish uniform technical standards for media provenance.
      • CERT-In to coordinate monitoring and issue detection alerts.
    • Grievance Redressal
      • Make system more user-friendly and transparent.
      • Standard complaint format with defined timelines for acknowledgment & resolution.
      • Public disclosure of grievance statistics (received, resolved, pending).
      • Integrate with data protection frameworks for holistic regulation.
    • Other Recommendations
      • Enhance coordination between government, regulators, tech platforms, and civil society.
      • Enforce strict data protection & security standards for all apps.
      • Develop an indigenous app store to support Indian startups.
    • Ministry of Information and Broadcasting (MIB): Introduce a strong verification system for offshore advertisers using digital means through a zero-trust framework.
    • Department of Telecommunications (DoT): Sustained multilingual and cross-platform campaigns should be intensified, the Mobile Number Validation Service (MNVS) should be implemented nationwide in collaboration with financial organisations, swift sharing of risk alerts and revocations to minimizing manual delays to better tackle telecom-linked financial fraud.
    • Telecom Regulatory Authority of India (TRAI): Government may consider the creation of new expert verticals within TRAI to address cyber threats, quantum-safe networks and the economic challenges, measures should be taken to enhance real-time detection mechanisms to identify and block UTMs proactively, centralized blacklist database should be maintained and it needs to be shared across all telecom service providers to ensure swift disconnection of offending numbers.
    • Reserve Bank of India:
      • Enhance real-time coordination between financial institutions and law enforcement.
      • Accelerate response times and improve preventive measures.
      • RBI to supervise migration to .bank.in domain to meet the 31st Oct 2025 deadline and also launch public awareness campaigns to educate consumers on genuine domains.
      • For Cybercrime coordination, RBI to ensure API integration with I4C portal for all banks (not just 19), set clear deadline for full integration and provide technical support/central helpdesk for banks facing vendor issues.
      • For Digital Payment Fraud Measures, roll out Digital Payment Intelligence Platform (DPIP) on strict timelines, expand MuleHunter.ai adoption across more banks and fully operationalize Central Payment Fraud Information Registry (CPFIR) as sector-wide repository.
      • For Consumer Grievance Redressal (RB-IOS), RBI must enhance Ombudsman capacity with digital case management tools and streamline complaint workflows while also increasing staffing to reduce delays.
      • To ensure Quantum-Safe Readiness, Regulated Entities to accelerate Cryptographic Bill of Material (CBoM)
      • To mitigate the concerns on Illicit Deposits & Mule Accounts, banks must make recipient approval mandatory before receiving money, enforce stricter accountability on mule account facilitators and adopt behavioral biometrics (typing speed, mouse movements) to detect anomalies.
      • To enhance consumer protection and trust, banks must explore zero liability periods and personalized support for vulnerable groups. Establishment forgiveness program for first-time fraud victims with good security practices is also recommended.
    • Department of Financial Services (DFS) in coordination with relevant regulators including RBI, SEBI, IRDAI and PFRDA, should implement standardized guidelines for user interface design and customer experience across all financial platforms. Also mandate the adoption of standardized APIs and data portability features that enable users to seamlessly transfer data and preferences across platforms. DFS should also create a formal network involving local communities, Panchayats, local groups, NGOs, etc., to watch and report suspicious mule recruitment.
    • Securities and Exchange Board of India (SEBI): SEBI may direct Significant Social Media Intermediaries (SSMIs) to permit only registered financial advisors to provide investment advice or promotions, supported by a “verified tick” system. A robust mechanism should be established to identify and take down unregistered influencers’ content swiftly, with platforms using AI monitoring tools and public reporting channels. Strict enforcement actions must follow against those spreading misleading financial information.
    • National Payments Corporation of India (NPCI): The real-time fraud monitoring system provided free of cost to over 500 banks by NPCI must be extended to more banks, including smaller regional and cooperative banks.
    • Central Bureau of Investigation (CBI): Certain States have withdrawn general consent required under the Delhi Special Police Establishment Act, 1946 (DSPE Act). MHA must engage with states to get consent and explore the amendment of the DSPE Act to empower the CBI to investigate the cybercrime cases in the country, without the consent of the State.
    • National Investigation Agency (NIA): The MHA should establish standardised protocols and monitoring mechanisms for data preservation, mandating State police to initiate preservation requests within 24 hours of a cybercrime report to prevent loss of volatile evidence. SSMIs must also ensure timely data access for NIA, irrespective of data centre location.
    • Indian Cyber Crime Coordination Centre (I4C):
    • Exploring the possibilities of conversion of complaints reported on the National Cybercrime Reporting Portal (NCRP) into e-FIRs thereby resolving legal issues arising during the refunding of the lien amount to the victims on account of non-registration of the FIRs.
    • Establishing State Cybercrime Coordination Centres (S4C) in all States/UTs, on lines similar to Indian Cyber Crime Coordination Centre (I4C), to ensure seamless coordination between I4C and Statelevel units for effective intelligence sharing.
    • National Critical Information Infrastructure Protection Centre (NCIIPC): NCIIPC should consider Sector-specific Computer Security Incident Response Teams(CSIRTs), to be expanded to more critical information infrastructure sectors and a national coordination mechanism should be established to unify sectoral CSIRTs through a central hub.
    • MEA and International Cooperation: instituting a dedicated 24×7 fusion desk or contact point staffed with multilingual, legally trained personnel, as envisioned under Article 42 of the UN Cybercrime Convention (2024).
    • Centre for Development of Advanced Computing (C-DAC): Explore the development of an AI/ML-powered that predicts cyber threats to critical sectors by integrating data from existing tools such as Deepfake Detection, Vishleshak, CDACSIEM and Rakshak DNS, along with external global threat intelligence. Also, a national training platform for cybersecurity that uses virtual reality (VR), thereby offering realistic practice sessions and certification program to build a skilled workforce.
    • Indian Computer Emergency Response Team (CERT-In): Adoption of an AI-driven Cyber Threat Intelligence Platform, build strong partnerships with start-ups and academic institutions and conduct regular, flexible cybersecurity drills in collaboration with sectoral teams.
    • Ministry of Education: Introducing Cybercrime Prevention and cyber hygiene education into the school curriculum.
    • Ministry of Corporate Affairs: Adoption of an AI powered, blockchain-based verification and continuous monitoring system integrated into MCA21.
    • Other recommendations pertaining to the changes in the legal framework include:
    • Mandate data retention and reporting for VPNs with strict safeguards: limited access, judicial oversight, and periodic audits.
    • Promote privacy-preserving technologies to allow lawful access without exposing sensitive data.
    • Revisit Section 79 of the IT Act, 2000 (safe harbour) to ensure accountability of IT intermediaries.
    • Create a mandatory national registration system for all IT intermediaries, requiring local grievance officers, nodal contacts, and regional representatives for quicker law enforcement coordination.
    • Explore establishing an International Cybercrime Liaison Unit with legal and technical experts.
    • Review and amend the IT Act, 2000 to impose harsher penalties on offenders.
    • Amend the IT Act to make intermediaries liable to compensate victims for financial, psychological, or reputational harm caused by inaction despite government alerts.
    • Assign cybercrime investigations only to police officers above the rank of Inspector (per Section 78, IT Act).
    • Require financial institutions to suspend suspicious transactions immediately upon alerts from monitoring systems or authorities.
    • Make a certified cybersecurity foundation course mandatory for entry-level police recruitment.
    • Establish a dedicated, regulated ecosystem for Online Gaming through a consultative process.
    • Consolidate scattered cybercrime provisions into a comprehensive, unified cybercrime law.

Dissent to the recommendations include the following:

  • Review and rebalancing of safe harbour principle must meet the legal standard set by the Supreme Court in Shreya Singhal v. Union of India to avoid pre-emptive censorship of legitimate content. There should be explicit codification of the intermediary’s obligation to take down content only upon receiving formal, legally vetted order from a competent court of law or a duly constituted independent quasi-judicial body.
  • Introduction of graded penalties for non-compliance with takedown orders might silence dissent and independent media. Instead, a system of calibrated and proportionate monetary penalties be introduced for non-compliance with reasoned court orders or orders under Section 69Aand its 2009 Rules.
  • I4C should be given statutory backing instead of the executive order so that it possesses the necessary powers to deal with cybercrimes.
  • The suggestion to amend DPSE Act may impinge upon cooperative federalism.
  • The mandatory national registration system for all IT intermediaries operating in India might deter smaller, innovative startups and provide the government with a tool to deny market access for arbitrary reasons.
  • It is advisable to allow those smaller than a defined size to operate without appointments of such nodal contact persons or local grievance officers and enforce this recommendation for such intermediaries that are in the position to afford the same.
  • As far as the definition of cybercrime is concerned, crimes committed by minors against minors must be differentiated, distinction must also be made with regard to the intensity of the crimes, and organised Cybercrimes by large organisations (corporate and political entities) directing Cyberattacks must also be identified and deterred.

Additional suggestions include:

  • Establish an independent Digital Tribunal, headed by a retired judge of a High Court or the Supreme Court. This Tribunal shall serve as the primary appellate body for all disputes related to content moderation, takedown orders, and penalties imposed under the IT Act and its Rules. This will ensure that decisions impacting the fundamental rights of citizens and the freedom of the press are subject to impartial judicial review, not executive discretion.
  • All data-access, retention, and KYC obligations recommended herein shall comply with the Digital Personal Data Protection Act, 2023 and its Rules at notification—ensuring purpose limitation, storage limitation, audit trails, and security safeguards.
  • SEBI must mandate that financial influencers disclose all conflicts of interest on each video in a standardised, visible manner so as to warn the consumer of any beneficial interest in disseminating financial advice.
  • Safeguards should be provided for social media influencers to express and disseminate their views without oppression by regulatory mechanisms, harassment by agencies and other means of suppression.

While the Committee’s recommendations aim to enhance accountability and address emerging cyber threats, they have sparked debates about the balance between regulation and the protection of digital freedoms. India’s expanded content takedown regime has been a bone of contention for some time now. The Ministry of Home Affairs (MHA) has empowered the Indian Cyber Crime Coordination Centre (I4C) to issue direct takedown notices under Section 79(3)(b) of the Information Technology Act, 2000. This designation allows I4C to notify intermediaries about unlawful content, compelling them to remove or disable access to such material promptly. Failure to comply with these notices can result in intermediaries losing their safe harbour protections under the Act. Additionally, the government has expanded the authority to issue takedown notices to various federal and state agencies, including police forces, under existing legal provisions.

The Sahyog portal launched in 2024, allows state and central agencies to issue takedown requests directly under Section 79(3)(b) of the IT Act, bypassing judicial safeguards under Section 69A. Elon Musk’s platform X challenged the portal in the Karnataka High Court in March 2025, arguing that it undermines the safe harbour principle, compels arbitrary takedowns, and risks silencing journalism, with media outlets like DigiPub and Newslaundry joining the petition.

The government, through the Solicitor General, defended Sahyog as a coordination tool rather than a coercive mechanism, emphasizing that safe harbour protections are conditional and that foreign entities like X cannot claim constitutional free speech rights. The court denied interim relief but allowed the platform to contest any coercive measures. Final arguments concluded in July 2025, and the judgment remains reserved, while the Delhi High Court is also reviewing selective compliance for X in areas such as national security and child trafficking.

The case underscores the tension between state oversight, intermediary liability, and free speech, with significant implications for digital governance in India. Critics argue that the broad delegation of powers to multiple agencies through the Sahyog Portal may lead to arbitrary content removal and potential violations of free speech. The lack of judicial oversight in some instances is also a point of contention, with calls for clearer guidelines and safeguards to prevent misuse.

The committee recommendations, which advocate amending the IT Act and giving statutory backing to I4C will introduce stricter monitoring and mandatory compliance for intermediaries. This may further increase the operational and legal burdens on these platforms, making it more difficult for them to function.

The suggestion for the introduction of a Post Release Review Panel for OTTs seems to have stemmed from PILs filed in the apex court seeking directions to the government to set up an autonomous body to monitor and filter content on OTT and other digital platforms as well as TRAI’s Consultation Paper released in July 2023, proposing a regulatory mechanism for OTT communication services and the selective banning of OTT services.

While the recommendations are not binding, they have persuasive authority and can strongly influence policy and lawmaking. Ministry/departments are required to submit an Action Taken Report (ATR), typically within six months, to Parliament, explaining the extent of acceptance/rejection.

Click to Access the Committee Report

Related News