India AI governance in 2026: DPDP Act and beyond
India's AI governance framework is maturing rapidly. The Digital Personal Data Protection Act 2023 (DPDP Act) and DPDP Rules 2025 (notified 13 November 2025) create enforceable data protection obligations directly applicable to AI systems processing personal data. India doesn't yet have a standalone AI law, but the DPDP framework, sector-specific regulation, and the government's AI development agenda together form a substantive governance landscape.
DPDP Act and Rules: what applies to AI
The DPDP Act applies to all processing of digital personal data in India, including AI systems. Key provisions: consent requirements for data processing with specific notice obligations (Section 6); purpose limitation (data collected for one purpose cannot be used for AI training without separate consent or a legal basis); data principal rights including access, correction, erasure, and grievance redressal (Sections 11-14); and enhanced obligations for significant data fiduciaries (large-scale processors), including appointing a Data Protection Officer and an independent data auditor, and conducting Data Protection Impact Assessments.
DPDP Rules 2025 implement these obligations in three phases, giving organisations lead time but requiring compliance planning now. Penalties reach ₹250 crores (approximately US$30 million) per contravention. The Data Protection Board of India, operational from 13 November 2025, handles complaints and enforcement.
Sector-specific AI regulation
Financial services. RBI's FREE-AI Framework (Framework for Responsible and Ethical Enablement of AI) addresses AI in banking and financial services. IRDAI has issued guidance on AI in insurance. SEBI has addressed algorithmic trading regulation.
Healthcare. ICMR (Indian Council of Medical Research) ethical guidelines for biomedical and health research apply to AI in healthcare research. CDSCO regulates medical devices including AI-enabled devices.
IT and digital services. The IT Act 2000 and IT Rules continue to apply. MeitY (Ministry of Electronics and Information Technology) oversees digital governance policy including AI.
India's AI development agenda
India is simultaneously pursuing aggressive AI development: the IndiaAI Mission (March 2024) with ₹10,372 crore investment covering compute infrastructure, innovation centres, datasets, application development, and skilling. India chaired the Global Partnership on AI (GPAI) in 2024. India co-chaired the 2025 Paris AI Action Summit. The tension between development ambition and governance obligation is a live policy question.
What companies operating in India should do
Map AI systems processing personal data against DPDP Act requirements. Implement consent mechanisms and purpose limitation for AI data use. Prepare for Data Protection Impact Assessments for significant AI deployments. Monitor the Data Protection Board's enforcement posture. For financial services, align with RBI FREE-AI. For healthcare AI, comply with CDSCO medical device requirements.
Primary sources: MeitY, Data Protection Framework · Reserve Bank of India