India's AI governance approach is often described as "still emerging," which was reasonable through most of 2025 and is no longer accurate in April 2026. Two specific instruments now anchor the operational picture: the India AI Governance Guidelines released by MeitY on 5 November 2025, and the DPDP Rules 2025 notified on 13 November 2025. Neither is a comprehensive AI Act in the EU sense. Together they set the regulatory posture India has chosen, which IT Secretary S. Krishnan summarised at the November launch as using existing legislation wherever possible and intervening with new rules only when necessary to protect citizens.

For businesses building or deploying AI in India, the practical consequence is that AI governance in 2026 does not require waiting for a future statute. The obligations already exist, distributed across the DPDP Act, the IT Act 2000, sectoral regulators (RBI, SEBI, TRAI, IRDAI), and the MeitY Guidelines' recommended institutional architecture. Compliance work is live.

The India AI Governance Guidelines (November 2025)

The Guidelines were drafted by a high-level committee chaired by Prof. Balaraman Ravindran of IIT Madras, including Abhishek Singh (Additional Secretary, MeitY and CEO of IndiaAI Mission), Debjani Ghosh (NITI Aayog), Rahul Matthan (Trilegal), Dr. Kalika Bali (Microsoft Research India), and others. The final document was released after public consultation on a January 2025 draft that drew over 2,500 submissions.

The framework rests on a guiding principle of "Do No Harm" and proposes what officials describe as a "lightweight" and adaptive regulatory approach. It is organised around seven sutras (principles), six governance pillars, and an action plan with short-, medium-, and long-term milestones. The sutras emphasise:

  • Trust as the foundation for innovation and adoption
  • Human-centric design, human oversight, and human empowerment
  • Inclusive development and non-discrimination
  • Clear allocation of responsibility and enforcement of regulations
  • Transparency, innovation over restriction, techno-legal approaches, and a whole-of-government coordination posture

The Guidelines recommend a three-tier governance structure sitting above sectoral regulators:

  • India AI Governance Group (AIGG): an inter-ministerial coordination body for whole-of-government alignment.
  • Technology Policy Expert Committee (TPEC): a technical advisory body supporting the AIGG with domain expertise.
  • AI Safety Institute (AISI): a central body operating on a hub-and-spoke model, tasked with testing AI systems, advising policymakers and industry, coordinating with regulators, representing India in global fora, and continuing the IndiaAI Mission's work on bias mitigation, explainable AI, and privacy-preserving tools. A formal expansion of the AISI was already under way, with a 9 May 2025 expression of interest for expanded participation.
  • Sectoral regulators and ministries: existing regulators (RBI for financial services, SEBI for securities, TRAI for telecom, IRDAI for insurance, and others) are expected to incorporate the Guidelines' principles into their domain-specific regulations, rather than leaving that work to a new horizontal AI statute.

Supporting elements include the planned operationalisation of an AI incident database, sandboxes and sectoral pilots, and monitoring infrastructure.

Rather than draft a comprehensive AI statute, the Guidelines favour amending existing laws where gaps are identified. The most-cited example is the potential update of the definition of "intermediary" under Section 79 of the IT Act 2000, to address how safe-harbour protections should apply to generative AI platforms whose systems generate content from user prompts and continuously refine outputs. MeitY has signalled it will examine such gaps and, where needed, amend existing laws or introduce targeted amendments rather than immediately drafting a general AI Act.

The IndiaAI Mission

The Guidelines sit inside the IndiaAI Mission, an umbrella programme operated by an autonomous business unit under MeitY. The Mission has eight operational pillars:

  • IndiaAI Compute: affordable GPU access. Over 38,000 GPUs have been onboarded as of early 2026.
  • IndiaAI Application Development Initiative: AI applications for healthcare, agriculture, climate, governance, and assistive learning. Approximately 30 applications approved by July 2025.
  • AIKosh (National Dataset Platform): a consolidated dataset repository. As of December 2025 it contained more than 5,500 datasets and 251 AI models across 20 sectors, with more than 385,000 visits and 11,000 registered users.
  • IndiaAI Foundation Models: development of a multimodal model based on Indian data and languages. Twelve startups have been selected across the first two phases, including Sarvam AI, Soket AI, Gnani AI, Gan AI, Avaatar AI, the IIT Bombay-led BharatGen consortium, Zenteiq, Gen Loop, Intellihealth, Shodh AI, Fractal Analytics, and Tech Mahindra Makers Lab.
  • IndiaAI Future Skills: AI education and skilling programmes.
  • IndiaAI Startup Financing: funding support for AI-related startups, including the IndiaAI Startups Global initiative with Station F and HEC Paris.
  • Safe and Trusted AI: 13 projects selected to address machine unlearning, bias mitigation, privacy-preserving machine learning, explainability, auditing, and governance testing.
  • IndiaAI Innovation Centre: supporting broader research and development capacity.

The DPDP Act 2023 and DPDP Rules 2025

The Digital Personal Data Protection Act 2023 (DPDPA) was enacted by Parliament on 11 August 2023. For more than two years it remained inoperative because implementing rules had not been notified. That changed on 13 November 2025, when MeitY notified the DPDP Rules 2025, published in the Gazette on 14 November 2025.

The Act follows what MeitY describes as the "SARAL" approach (Simple, Accessible, Rational, Actionable) and rests on seven principles familiar from other data protection regimes: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. It applies extraterritorially to foreign entities offering goods or services to individuals in India.

The three-phase commencement

Implementation is staggered across three phases:

  • Phase 1 (from 14 November 2025): Procedural provisions including effective dates, definitions, establishment of the four-member Data Protection Board of India (DPBI), administrative provisions, and the bar on civil court jurisdiction over DPDP matters.
  • Phase 2 (from November 2026, one year after the Enforcement Notification): Consent Manager registration and operations, and DPBI powers to inquire into breaches of registration conditions.
  • Phase 3 (18 months from the Enforcement Notification, so around mid-May 2027): The substantive provisions including grounds for processing, notice and consent mechanics, data fiduciary obligations, rights of data principals, and the DPBI's full powers to adjudicate and impose penalties.

The 18-month window is not a grace period; it is a transition period. Data fiduciaries are expected to begin readiness work immediately.

Core DPDP obligations for AI deployers

For any AI system that processes digital personal data about individuals in India, the DPDP framework imposes several operational duties once Phase 3 commences:

  • Standalone consent notices in clear, plain language identifying the specific purpose of processing, with a withdrawal link as easy to use as the consent mechanism.
  • Purpose limitation and data minimisation across the AI pipeline, including training data selection, inference inputs, and stored outputs.
  • Verifiable parental consent for processing the personal data of children, with narrow exemptions for essential services (healthcare, education, real-time safety).
  • Breach notification to affected individuals in plain language explaining the nature of the breach, potential consequences, steps taken, and contact for assistance.
  • Data principal rights including access, correction, erasure, and nomination. Data fiduciaries must respond within 90 days.
  • Consent Managers: entities that must be Indian companies and are registered with the DPBI. Consent Managers cannot read the contents of personal data shared through them and must retain records of consents, notices, and data-sharing activities for at least seven years.

Significant Data Fiduciaries

Entities classified as Significant Data Fiduciaries (SDFs) face elevated duties: appointment of a Data Protection Officer based in India; independent data auditors; annual Data Protection Impact Assessments; periodic compliance audits; and ongoing algorithmic risk assessments. SDF classification is determined by the government based on factors including volume and sensitivity of data processed, risk to rights of data principals, potential impact on sovereignty and integrity of India, and risk to electoral democracy. Many large-scale AI deployments in India, particularly those using personal data at scale for inference or training, are likely candidates for SDF treatment.

Penalties

The DPDPA sets penalties under Schedule I, including fines of up to INR 250 crore (around 30 million USD) for failure to prevent a personal data breach, INR 200 crore for failure to notify the Board or affected principals of a breach, INR 50 crore for violations of children's data obligations, and lower-tier penalties for various operational failures. The Data Protection Board of India, not civil courts, adjudicates these matters, with appeals to the TDSAT. There is no statutory right for individuals to claim damages under the DPDPA, though the Rules allow mediation mechanisms that may serve as an indirect settlement route.

Sectoral frameworks that already apply

The "existing law first" posture means several sectoral regimes are doing real AI governance work today, independent of the MeitY Guidelines:

  • RBI FREE-AI Committee report (August 2025): the Reserve Bank of India's Framework for Responsible and Ethical Enablement of AI (FREE-AI) sets out principles and recommendations for regulated financial entities using AI, including model governance, transparency, fairness, and risk management expectations.
  • SEBI has issued guidance on the use of AI and machine learning in securities markets, requiring disclosure of AI use by intermediaries.
  • TRAI has considered AI regulation in the telecom sector, particularly in the context of spam and unsolicited commercial communications.
  • IRDAI has supervisory expectations for insurer use of AI in pricing, underwriting, and claims.
  • IT Act 2000 and Rules continue to apply to AI systems as intermediaries or as a source of algorithmic content, with the Section 79 safe-harbour analysis likely to be clarified via amendment.

MeitY has also issued advisories on generative AI, most notably in March 2024 (subsequently revised after industry feedback). The advisories signalled expectations around labelling synthetically generated content, preventing unlawful content generation, and disclosure where model outputs may be unreliable. These advisories are not statutes, but they establish a regulatory posture that MeitY can and does enforce through existing IT Act provisions.

A practitioner's compliance plan for India

Step 1: Inventory AI systems and map data flows

Catalogue every AI system that ingests, processes, or produces digital personal data of individuals in India. For each, document purpose, data inputs, training data sources, model outputs, deployment geography, and the sectoral regulator likely to have authority. This single exercise supports DPDP compliance, MeitY Guidelines alignment, and any sectoral reporting obligation simultaneously.

Step 2: Build DPDP consent, withdrawal, and retention mechanisms

Design standalone consent notices, withdrawal mechanisms as easy to use as the consent flow, and a clear grievance officer point of contact. Plan for Consent Manager integration during Phase 2 (from November 2026). Update retention policies to match purpose limitation rather than legacy "keep everything" defaults. For AI training, audit historical datasets against DPDP requirements and budget for retroactive consent where continued use is intended.

Step 3: Align with the MeitY Guidelines' governance architecture

Adopt a risk-tiered internal governance model that mirrors the Guidelines' approach: internal AI policy sign-off at senior level, AI ethics or review committees for higher-risk deployments, documented risk assessments, bias testing on Indian data where relevant, human oversight points in consequential decisions, and audit trails that can support an AISI or sectoral regulator review. Organisations with global operations benefit from anchoring the programme on NIST AI RMF or ISO/IEC 42001, which translate across India, EU, US state, and other regimes.

Step 4: Check sectoral regulator expectations

If you operate in financial services, confirm alignment with the RBI FREE-AI principles. In securities markets, check SEBI's AI/ML disclosure requirements for intermediaries. In insurance, assess IRDAI's expectations for algorithmic pricing and underwriting. In health-tech, check the emerging expectations under the National Digital Health Mission and the state-level medical data protection rules. The MeitY Guidelines expect sectoral regulators to do this work, not a horizontal AI statute.

Step 5: Plan for SDF classification and breach readiness

If your scale of personal data processing, or your use of AI in sensitive domains, makes Significant Data Fiduciary classification likely, begin DPO appointment planning, set a DPIA cadence, and build an independent audit capability now rather than during Phase 3 onboarding. Build a breach response protocol matched to the DPDP Rules' duty to notify promptly and in plain language.

What this means for businesses

Several practical observations from the current posture are worth naming directly:

  • India has chosen not to copy the EU AI Act. There is no horizontal risk-classification statute, no conformity assessment, no CE-marking equivalent, and no EU-style fine band. Compliance frameworks built for the EU do not map one-to-one onto India.
  • The DPDPA is the primary legally binding instrument; the MeitY Guidelines are policy guidance. The Guidelines carry weight because sectoral regulators and MeitY itself will apply them, but they are not statute.
  • The "techno-legal" philosophy means compliance often runs through product design, not only policy documents. Consent flows, audit logs, provenance metadata, and explainability features embedded in the product are the primary compliance surface.
  • For Indian startups and MSMEs, the DPDPA contemplates relief from some obligations (DPO appointment, audits) but not from consent, security, and grievance mechanisms. Smaller organisations cannot wait for enforcement to arrive before building these.
  • For multinationals, the extraterritorial reach of the DPDPA (similar in scope to GDPR for services offered to individuals in India) means India-specific data handling is required even where the operating entity is offshore.

Compliance FAQ

Is there a standalone Indian AI Act?

No. As of April 2026, India has chosen a layered approach: the DPDP Act 2023 for personal data, sectoral regulators for domain-specific AI risks, targeted amendments to existing laws where gaps are identified, and the MeitY India AI Governance Guidelines as policy guidance. The Guidelines explicitly do not propose a horizontal AI statute.

When do the DPDPA obligations become fully binding?

In phases. Phase 1 took effect on 14 November 2025. Phase 2 (Consent Managers) begins in November 2026. Phase 3 (the substantive obligations and DPBI penalty powers) is expected around mid-May 2027, 18 months from the Enforcement Notification. Do not wait until Phase 3 to begin implementation.

What is a Significant Data Fiduciary and how do I know if I am one?

An SDF is a class of data fiduciary designated by the government based on volume and sensitivity of data, risk to rights of data principals, risk to sovereignty and integrity of India, risk to electoral democracy, and impact on state security and public order. Large-scale consumer AI platforms, major e-commerce, and data-heavy financial services operations are likely candidates. SDF duties include DPO-in-India, independent audits, DPIAs, and ongoing algorithmic risk assessments. Check for a government notification listing SDF classes.

What do the MeitY Guidelines expect me to do differently from the DPDPA?

The Guidelines are principally governance and architectural guidance, not operational rules. They recommend internal risk assessments, fairness testing, explainability measures for higher-risk decisions, human oversight, and alignment with the recommended AIGG/TPEC/AISI architecture as it stands up. Treat the Guidelines as the framework your sectoral regulator and MeitY will reference when assessing your conduct, and the DPDPA as the binding operational statute.

How does Indian AI governance interact with EU or US regimes?

Indian obligations apply when data or services touch individuals in India. EU AI Act obligations apply when outputs are used in the EU. US state laws apply based on residency of affected consumers. A single AI governance programme anchored on NIST AI RMF or ISO/IEC 42001 can satisfy the foundational expectations of all three, with jurisdiction-specific annexes for the distinctive requirements (consent manager integration for India, conformity assessment for the EU, impact assessments for Colorado, ADMT opt-out for California, and so on).

What should small businesses and startups do first?

Start with a data inventory, a simple consent notice template that meets the DPDP Rules, and a clear grievance contact. Apply purpose limitation honestly to AI training data. Document your decisions. When the MSME relief notifications are issued (the Rules indicate these are expected around 13 May 2027), adjust accordingly. Until then, the core consent, security, and grievance obligations apply regardless of size.

The bottom line

India's AI governance in April 2026 is not speculative or future-tense. MeitY has published the Guidelines, the DPDP Rules are notified and in phased commencement, the Data Protection Board is being constituted, and sectoral regulators are already operating AI-relevant supervisory frameworks. The compliance work for most Indian businesses is therefore immediate: inventory, consent, purpose limitation, grievance response, and an internal governance posture that reflects the MeitY framework. The statutes and rules will keep evolving. Organisations that begin serious implementation now rather than wait for Phase 3 will face a materially smaller scramble when the binding substantive provisions take full effect.


Last updated: April 2026. This article is educational content and is not legal advice. DPDPA obligations depend on organisational classification, scale of processing, and sectoral context. MeitY Guidelines are policy guidance rather than statute. Consult qualified counsel before making compliance decisions.