AI Laws and Regulations in India as of 2026: A Comprehensive Overview for Practitioners, Businesses, and Policymakers

As over two decades navigating the intersections of technology, cybersecurity, and the law, I've witnessed India's digital journey from the early days of the IT Act to today's AI-driven ambitions. In February 2026, artificial intelligence is no longer a futuristic buzzword it's embedded in governance, finance, healthcare, and daily consumer experiences. Yet, the regulatory landscape remains a deliberate mix of existing statutes, soft guidelines, and forward-looking proposals. India has chosen a pro-innovation, techno-legal approach rather than rushing into a heavy-handed standalone AI law like the EU's AI Act.

This blog breaks down the current framework as of early 2026, key statutes that govern AI (directly or indirectly), emerging risks like deepfakes and synthetic media, and what lies ahead with initiatives like the Digital India Act and the AI (Ethics and Accountability) Bill.

1. The Foundation: India AI Governance Guidelines (MeitY, November 2025)

In November 2025, MeitY released the India AI Governance Guidelines under the IndiaAI Mission. These are not enforceable law but serve as a foundational reference for responsible AI adoption. They emphasize a "light-touch" model that prioritizes innovation while mitigating harms through existing laws and voluntary measures.

The guidelines rest on seven core principles (often called "sutras"):

• Trust as the foundation

• People-first (human-centric) approach

• Responsible innovation (innovation over restraint)

• Fairness, equity, and non-discrimination

• Accountability

• Transparency and understandability by design

• Safety, security, and sustainability

They propose institutional mechanisms such as an AI Governance Group (inter-ministerial), a Technology & Policy Expert Committee, and the IndiaAI Safety Institute for monitoring and capacity building. A January 2026 white paper from the Office of the Principal Scientific Adviser further advances a "techno-legal" framework, advocating embedding compliance (legal safeguards + technical controls like watermarking and bias detection) directly into AI system design.

Practical takeaway: Organizations should align internal Responsible AI policies with these principles and map them to existing legal obligations. Self-certification, industry codes, and standards (e.g., ISO/IEC 42001 adopted by BIS) are encouraged.

2. Existing Laws Shaping AI Governance in India

India regulates AI primarily through a mosaic of legacy and recent statutes, applied technology-neutrally.

a) Information Technology Act, 2000 (IT Act) & Intermediary Rules

The IT Act remains the backbone for digital governance. Key provisions include:

• Section 79 — Safe harbour for intermediaries (with due diligence).

• Cybercrime sections (e.g., 66 for hacking, 67 for obscene material) that apply to AI misuse.

on 20th Feb 2026, MeitY notified The IT (Intermediary Guidelines and Digital Media Ethics Code) Amedment Rules, 2026 specifically targeting "synthetically generated information" (SGI) -   content created or altered by AI/algorithms that appears authentic. The rules define SGI broadly and mandates:

• Prominent labelling or metadata embedding (visible for at least 10% of content duration/area).

• Due diligence by platforms enabling SGI creation/modification.

• Traceability and consent verification, especially for Significant Social Media Intermediaries (SSMIs).

- Clear legal definition of “Synthetically Generated Information” that looks indistinguishably real

- Mandatory prominent labelling of AI-generated content

- Significant social media intermediaries must require user declarations + deploy tech tools to verify & label synthetic media

- Platforms must use automated systems to block harmful synthetic content (CSAM, non-consensual deepfakes, fake events, explosive-related material, etc.)

- Stricter timelines for takedowns and grievance redressal

- Safe harbour protection clarified for platforms that comply in good faith

This is one of the most proactive regulatory moves globally to fight misinformation, digital fraud, and AI-enabled harm while encouraging responsible innovation. India is leading here and the World may follow us ..

b) Digital Personal Data Protection Act, 2023 (DPDPA) & Rules 2025

The DPDPA, with its Rules notified in 2025 (phased rollout until 2027), is highly relevant for AI systems processing personal data. Key implications:

• Consent-centric regime → Explicit, informed consent is required for most processing, posing challenges for large-scale AI training on personal data (though exemptions exist for publicly available data and certain research).

• Data Fiduciary obligations → Purpose limitation, data minimization, security safeguards, and breach notification apply to AI developers/deployers.

• Significant Data Fiduciaries may face additional requirements (e.g., impact assessments, audits).

• Rights of Data Principals → Access, correction, erasure, and grievance redressal can intersect with AI decision-making (e.g., explainability in automated decisions).

AI training on scraped or inferred data must be carefully evaluated for compliance. The Act's risk-based approach complements the Governance Guidelines.

c) Consumer Protection Act, 2019 (CPA)

The CPA covers AI-driven products and services through:

• Unfair trade practices and misleading advertisements - E.g., overhyping AI capabilities or opaque recommendation algorithms in e-commerce/finance.

• Product liability provisions (Chapter VI) - Manufacturers, service providers, and sellers can be held liable for harm caused by defective AI products (including software/AI systems viewed as products).

• Deficiency in service - Wrong medical diagnosis by AI tools or biased lending algorithms causing consumer harm.

The Central Consumer Protection Authority (CCPA) can investigate and penalize misleading AI claims. Courts are increasingly applying CPA to algorithmic harms.

d) Bharatiya Nyaya Sanhita (BNS), 2023

The BNS (replacing the IPC) provides criminal recourse for AI misuse:

• Cheating/fraud (Section 318/316 equivalents) - Deepfake scams, impersonation for financial gain.

• Defamation (Section 356) and misinformation causing public mischief (Section 353).

• Obscene material (Section 294) - Non-consensual deepfake pornography or explicit synthetic content.

• Forgery and personation (Sections 336, etc.)  - AI-generated fake documents or identities.

• Organized cybercrimes (Section 111) for large-scale deepfake operations.

Deepfakes are prosecuted under these technology-neutral provisions, often combined with IT Act charges. Evidentiary challenges persist under the Bharatiya Sakshya Adhiniyam (new Evidence Act), as hash values and digital signatures may not fully counter sophisticated manipulations.

e) Law of Torts (Common Law Principles)

India relies on common law torts for civil liability where statutes are silent:

• Negligence - Developers/deployers owe a duty of care; breach (e.g., inadequate testing for bias or safety) leading to foreseeable harm can result in damages. Algorithmic opacity complicates proving causation and breach.

• Product liability/strict liability - Limited application (primarily statutory via CPA); courts may impose where AI is deemed inherently dangerous.

• Vicarious liability - Employers liable for employee misuse of AI tools; platform liability for user-generated synthetic content (subject to safe harbor).

Key challenge: Attribution in autonomous AI systems. No specific AI tort regime yet, so cases turn on facts, foreseeability, and control over the system.

f) Other Relevant Laws

• Copyright Act → Ongoing consultations on AI training data; potential mandatory licensing or royalties for using copyrighted works (DPIIT proposals).

• Sectoral regulations → RBI guidelines for AI in finance (responsible AI, bias mitigation); SEBI for markets; ICMR for health AI; etc.

• Intellectual Property and competition laws — For AI-generated outputs, market dominance by AI platforms.

3. What’s Coming Ahead

India is evolving toward more structured oversight without stifling growth:

• Digital India Act (DIA): Expected to be a comprehensive overhaul/replacement of the IT Act. It is likely to introduce risk-based classifications for digital platforms and services, enhanced intermediary obligations, content accountability, and specific provisions for AI and emerging tech (including deepfake regulations and algorithmic transparency). Draft discussions have been ongoing; watch for public consultation in 2026.

• Artificial Intelligence (Ethics and Accountability) Bill, 2025: A Private Member’s Bill introduced in December 2025 in the Lok Sabha. It proposes a statutory Ethics Committee for AI, mandatory ethical reviews (especially for surveillance and high-risk systems), bias audits, developer obligations, restrictions on certain AI uses in law enforcement/employment, grievance mechanisms, and penalties up to ₹5 crore. While not yet enacted, it signals growing parliamentary interest in binding accountability and could influence future policy or be incorporated into broader legislation.

Additional developments may include amendments for data portability, techno-legal tools (e.g., mandatory watermarking), and the operationalization of the IndiaAI Safety Institute.

4. Challenges and My Recommendations as a Practitioner

Challenges:

• Enforcement gaps and judicial capacity for technical evidence.

• Balancing innovation with rights (e.g., consent vs. AI scaling).

• Cross-border issues (data flows, jurisdictional conflicts).

• Deepfake proliferation during elections and against individuals (especially women and public figures).

Recommendations:

• Conduct AI risk assessments mapping to DPDPA, CPA, IT Rules, and BNS.

• Implement technical safeguards (labeling, audit logs, bias testing) now—align with Governance Guidelines.

• For intermediaries: Prepare for synthetic media rules; invest in detection tools and user reporting mechanisms.

• Businesses: Update contracts, privacy policies, and terms to address AI liabilities.

• Engage in policy consultations your inputs shape the Digital India Act and beyond.

• Train teams on ethical AI and document decision-making for defensibility.

India's approach is pragmatic: leverage existing tools, embed governance by design, and scale responsibly. As we move toward Viksit Bharat, clear, predictable rules will build trust and attract investment.

If you're dealing with AI compliance, deepfake incidents, or regulatory queries, feel free to reach out. Stay vigilant, innovate ethically, and let's shape a trusted AI ecosystem together.

Adv. (Dr.) Prashant Mali, Cyber Law Expert | Author | Speaker

February 2026

(Disclaimer: This is an overview based on publicly available information as of February 2026. Laws evolve rapidly consult a qualified legal professional for specific advice.)