India: Critical Infrastructure (Resilience, Protection and Accountability) Bill, 2026 including cybersecurity regulation was introduced to Council of States

On 6 January 2026, the Critical Infrastructure (Resilience, Protection and Accountability) Bill, 2026 was introduced to the Council of States of the Parliament of India. The Bill would establish a framework for the identification, designation, protection, governance, and resilience of critical infrastructure of strategic importance. It would apply to public and private sector parties involved across the infrastructure lifecycle, including contractors, concessionaires, special purpose vehicles, vendors, technology providers, company officers, and relevant public servants, particularly where projects exceed INR 1'000 crore in value, serve more than one million daily users, or affect national security, defence, or sovereignty. The Bill would define a digital twin as a dynamic virtual representation of a physical critical infrastructure that uses real-time data to understand and manage the infrastructure’s lifecycle. It would empower the Central Government to notify and classify critical infrastructure, maintain a National Critical Infrastructure Registry, mandate compliance with a Critical Infrastructure Safety Protocol, and integrate technological resilience tools such as digital twins and real-time monitoring. The Bill would establish Critical Infrastructure Oversight Committees in each Nodal Ministry to monitor resilience and security, review compliance, and initiate enforcement actions. It would also introduce liability provisions, including a 25-year defect liability period that would survive mergers and acquisitions, criminal liability for corporate manslaughter where gross breaches cause loss of life, penalties for negligent service disruptions, personal liability for responsible company officers subject to due diligence safeguards, and criminal liability for negligent public servants without prior sanction.