On 5 December 2025, the Digital Personal Data Protection (Amendment) Bill, 2025 (No. 38 of 2025) was introduced in the Council of States of the Parliament of India. The Bill seeks to address gaps in the Digital Personal Data Protection Act, 2023, including strengthening privacy, ensuring independence of the Data Protection Board, and enhancing provisions on consent, security standards, and children’s data protection. The amendment recommends additional reasonable security safeguards, to be prescribed through rules, and applies to data fiduciaries and data processors engaged in personal data processing. It requires organisations to implement structured and documented information security management systems in line with the statutory definition of reasonable security safeguards and existing rules under the Information Technology Act. Compliance may be demonstrated through adherence to the ISO/IEC 27001 standard or industry codes approved by the Data Protection Board, subject to regular independent audits. ISO/IEC 27001 sets requirements for managing information security risks across people, processes, and technology, enabling organisations to identify, assess, and mitigate data security risks and to continuously improve cyber resilience.