According to Section 84A of the Information Technology Act, the Government may, for secure use of the electronic medium and for the promotion of e-governance and e-commerce, prescribe the modes or methods for encryption. However, no rules have been introduced under this section.

It is reported that authorities in India rely on the Telecommunications Act, 2023 and the Telecommunications (Temporary Suspension of Services) Rules, 2024 to impose internet shutdowns. Under Section 20 of the Act, government authorities are empowered to halt the transmission of messages or classes of messages during a public emergency or in the interest of public safety. Additionally, the 2024 Suspension Rules, issued under Sections 20 and 56 of the same Act, permit only the Union Home Secretary or the Secretary to the State Government in charge of the Home Department to order temporary suspensions of telecom services. Such orders may only be issued as a last resort, after it is determined that the intended objectives—such as safeguarding public order or national security—cannot reasonably be achieved through any other means. Each suspension order must be in writing and must clearly specify the reasons, the geographic area affected, and the type of telecommunication service being restricted.
Internet shutdowns have reportedly been a common practice in India since 2010. Officials often justify them as necessary to maintain law and order, prevent violence or communal tensions, suppress protests, combat disinformation, or deter cheating during examinations. In 2024, India reportedly recorded 84 internet shutdowns, making it the country with the second-highest number of shutdowns globally. These were primarily imposed in response to protests (41 instances), communal violence (23 instances), and government job placement examinations (5 instances). The northeastern state of Manipur experienced the most shutdowns (21), followed by Haryana and Jammu & Kashmir, each with 12. Notably, in November 2024, authorities enforced a 24-hour internet shutdown in Sambhal district, Uttar Pradesh, following violence during a mosque survey.
The indicator "7.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 2 in India for the year 2025. This corresponds to "The government shut down domestic access to the Internet numerous times this year."

According to Notification No. 107/(RE-2013)/2009-2014, GSM mobile handsets’ with duplicate International Mobile Equipment Identity Number (IMEI) or fake IMEI & ‘CDMA mobile handsets’ with duplicate Electronic Serial Number (ESN)/ mobile equipment identifier (MEID) or fake ESN/MEID are added to the list of ‘Prohibited’ items for import. The Government has taken over from a private agency to issue and manage IMEI allocation for mobile phones in India.

Exporters have raised concerns regarding India’s application of customs valuation criteria to import transactions. Reports indicate that Indian customs officials occasionally reject the declared transaction value of imports, particularly for products with established benchmark prices in India. This practice can potentially increase export costs beyond the expected levels based on India's applied tariff rates. Companies have also reported extensive searches and seizures of imports, which do not seem to be risk-based. Additionally, India's customs authority typically demands extensive clearance documentation, resulting in prolonged processing delays.

According to the Import Export Classification, Indian Trade Classification – Harmonized System (ITC-HS) Code, and Import Policy 2012, certain goods require special permission or licensing in order to be imported. Selected consumer goods, including radio and TV broadcast transmitters and communication jamming equipment, are qualified as licensed/restricted items that can only be imported after obtaining an import license from India’s Directorate General of Foreign Trade (DGFT). However, it has been reported that India is increasingly using import licenses at the discretion of the authorities to limit imports of sensitive products. In addition, it is reported that the licensing system is not automatic as it involves delays, and authorised quantities can be lower than requested. Licenses are granted to actual users.

As per the Foreign Trade Policy, 2015-2020, India has distinguished between goods that are new and those that are second-hand, remanufactured, refurbished or reconditioned. The country allows the import of second-hand capital goods by end-users without an import license, provided the goods have a residual life of five years. In addition, users are required to present the certificate of an Indian chartered engineer attesting that such spare parts have at least 80% residual life of the original spare part, while second-hand domestic capital goods are not subject to this requirement. Problems reported by industry representatives include excessive details required in the license application, quantity limitations set at specific part numbers, and long delays between application and license issuance. According to a 2018 amendment (DGFT Notification No. 58/2015-2020), second-hand goods imported for repair, refurbishment, reconditioning or re-engineering purposes can be exported back under the customs notification provided that the waste generated during the repair or refurbishment of the imported items is treated in accordance with national environmental laws/regulations/rules/regulations/standards.

On 30 July 2020, the Indian Directorate General of Foreign Trade, through Notification No. 22/2015-2020, amended the import policy of colour television sets from "Free" to "Restricted". According to the notification, a license shall be required for imports of these TV sets, including smart TVs.

According to the Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order of 2021, and subsequent notifications, 76 ICT products must undergo registration and labelling prior to being launched in the market. In addition, no person shall manufacture or store for sale, import, sell, or distribute goods that do not conform to the Indian standard specified in the order and do not bear the Standard Mark with a unique registration number obtained from the Bureau of Indian Standards (BIS). BIS grants a license to the manufacturers to use or apply Standard Mark with a unique R-number through registration based on self-declaration of conformity for goods and articles as per Indian Standards. Examples of products subject to the scheme include set-top boxes, amplifiers, laptops/notebooks/tablets, scanners, printers, and mobile phones. It is reported that India has been tightening quality clearances for electronic products from China, which has ended up holding up products such as mobile phones from Chinese companies. While applications to the BIS are typically processed within 15 days, they now take more than two months.

According to Notification No. 5 (2015-2020), the import of goods (new as well as second-hand, whether or not refurbished, repaired, or reconditioned) notified under the Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order of 2021 is prohibited unless they are registered with the Bureau of Indian Standards and comply with its labelling requirements, or on a specific exemption letter from the Ministry of Electronics and Information Technology (MEITY) for a particular consignment.

According to the Consolidated Foreign Direct Investment (FDI) Policy Circular 2020, for any single-brand retail, including e-commerce entities with physical stores in India, foreign investment exceeding 51% is only allowed when 30% of the value of goods purchased is done from India. This requirement was established by the Consolidated Foreign Direct Investment (FDI) Policy Circular 2013. It is reported that India has modified the requirements in recent years, including by allowing firms to offset the local sourcing requirement by sourcing products from India for global supply chains. In addition, despite these modifications, it is reported that the local content requirements remain prohibitive for certain retailers with highly specialised supply chains.

According to the Foreign Trade (Development and Regulation) Act, the export of dual-use items and technologies is either prohibited or permitted under a license. The list of dual-use items also includes electronics, computers, and information technology, including information security.

In September 2017, India’s Ministry of Communications introduced the Telegraph (Amendment) Rules, requiring testing and certification for all telegraph equipment. This formed the basis for the implementation of the Mandatory Testing and Certification of Telecom Equipment (MTCTE) procedures in 2019, which mandate local security testing for telecom products. In September 2021, the MTCTE programme was expanded to include 175 products, prompting concerns from stakeholders about the burden of in-country testing requirements.
Additionally, the 2021 Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order requires manufacturers and importers to register and certify their products with laboratories accredited by the Bureau of Indian Standards, even if those products are already certified internationally. Expanded to cover 63 product categories, this order has drawn criticism due to limited government testing capacity, a complex registration process, and high compliance costs—including factory- and component-level testing.
In response, the Department of Telecommunications (DoT) has released the draft Telecommunications (Standards, Conformity Assessment and Certification) Rules, 2025. These Draft Rules, notified under Section 19 of the Telecommunications Act, 2023 (which repealed the Telegraph Act of 1885), aim to revise and streamline the framework for standardisation and certification of telecom equipment in India. Once finalised, the Draft Rules will supersede and replace the earlier Telegraph (Amendment) Rules.

The rules on security clearance for telecom equipment have required that telecom service providers (TSPs) use network elements that have been tested as per contemporary Indian or international security standards. Since April 2013, no certification of network equipment has been undertaken by authorised and certified agencies/labs in India.
Only resident-trained Indian nationals can be employed as executives responsible for certain security checks. There is also a possibility of extensive inspections of hardware, software, design, development and manufacturing facilities, as well as supply chains that might jeopardise intellectual property rights. High fines are imposed in case of non-compliance.
Additionally, since September 2017, India's Telegraph (Amendment) Rules require onerous in-country security testing on all telecom network equipment and products. Previously, such products could be tested and certified in laboratories globally or at manufacturers' in-house laboratories (self-certification). Mandatory testing and certification by Indian laboratories trigger additional costs and unnecessary delays for companies, especially given that the availability of suitable laboratories in India remains unclear. Furthermore, there are concerns about India's compulsory security certification scheme (CRS).
The Department of Telecommunications (DoT) has released the draft Telecommunications (Standards, Conformity Assessment and Certification) Rules, 2025 (Draft Rules), revising and streamlining the framework for the standardisation and certification of the telecom equipment in India. The Telegraph (Amendment) Rules, 2017, continue to be operative under the transitional provisions of the Telecommunications Act, 2023, until they are formally repealed or replaced by new regulations.

The Digital Personal Data Protection Act establishes a comprehensive regime for safeguarding digital personal data in India, extending its reach extraterritorially where processing relates to the provision of goods or services to individuals in India. It imposes statutory duties on data fiduciaries, confers defined rights upon data principals, and generally permits the outward transfer of personal data. The Act introduces the novel institution of independent consent managers, entrusted with administering individuals’ consent and operating separately from data fiduciaries and data processors. It further provides for significant penalties for non‑compliance, including a maximum fine of INR 2.5 billion (approx. USD 31 million), and designates the Data Protection Board of India as the regulatory authority. The Act is implemented in phases, with certain provisions commencing on 13 November 2025, further provisions taking effect one year thereafter, with the remaining substantive provisions entering into force in May 2027.

It is reported that several instances of the blocking of commercial web content occurred in India in 2025, as detailed below:
- 23 social media and messaging platforms were blocked in Jamui District, Bihar, from 23:30 on 16 February 2025 until 23:30 on 18 February 2025.
- 23 social media and messaging platforms were blocked in Katihar District, Bihar, from 20:00 on 6 July 2025 until 20:00 on 7 July 2025.
- 23 social media and messaging platforms were blocked in the Hathwa sub‑division of Gopalganj District, Bihar, from 12:00 on 30 September 2025 until 12:00 on 2 October 2025.
- At least four platforms were shut down for several days in October 2025 across three areas of Cuttack city, Cuttack District, Odisha, namely the Cuttack Municipal Corporation (CMC) area, the Cuttack Development Authority (CDA) area, and the 42 Mauza region.
- At least four platforms were shut down for several days in December 2025 in Malkangiri District, Odisha.