The rules on security clearance for telecom equipment have required that telecom service providers (TSPs) use network elements that have been tested as per contemporary Indian or international security standards. Since April 2013, no certification of network equipment has been undertaken by authorised and certified agencies/labs in India.
Only resident-trained Indian nationals can be employed as executives responsible for certain security checks. There is also a possibility of extensive inspections of hardware, software, design, development and manufacturing facilities, as well as supply chains that might jeopardise intellectual property rights. High fines are imposed in case of non-compliance.
Additionally, since September 2017, India's Telegraph (Amendment) Rules require onerous in-country security testing on all telecom network equipment and products. Previously, such products could be tested and certified in laboratories globally or at manufacturers' in-house laboratories (self-certification). Mandatory testing and certification by Indian laboratories trigger additional costs and unnecessary delays for companies, especially given that the availability of suitable laboratories in India remains unclear. Furthermore, there are concerns about India's compulsory security certification scheme (CRS).

The Indian government used to block purchases of telecom equipment from Chinese vendors on national security grounds. The Department of Telecommunications amended its license conditions for mobile service providers and required them to submit all plans for the procurement of telecom equipment from foreign vendors for screening and “security clearance” purposes. Although the amendment did not single out China, it is reported that, in practice, security agencies had been blocking applications involving Chinese vendors.
The aforesaid process is soon to be replaced with a new Directive, which will enter into force in mid-2021. The Department of Telecommunications will declare a list of trusted sources and products for installations in India's telecom network. The methodology to designate trusted products will be devised by the designated authority (National Cyber Security Coordinator). As per the directive, telecom service providers will be required to connect new devices from the list of trusted products. The list of trusted sources and products will be decided based on the approval of a committee headed by the deputy national security advisor. When announcing the directive, the Telecom and IT Minister said that measures will be taken to increase the use of equipment from trusted Indian sources.

According to Notification No. 107/(RE-2013)/2009-2014, GSM mobile handsets’ with duplicate International Mobile Equipment Identity Number (IMEI) or fake IMEI & ‘CDMA mobile handsets’ with duplicate Electronic Serial Number (ESN)/ mobile equipment identifier (MEID) or fake ESN/MEID are added to the list of ‘Prohibited’ items for import. The Government has taken over from a private agency to issue and manage IMEI allocation for mobile phones in India.

It is reported that during the course of 2020, the Ministry of Information and Technology, based on the provisions of Section 69A of the Information Technology Act and relevant provisions of the Information Technology (Procedure and Safeguards for Blocking Access to Information by the Public) Rules, 2009, banned 267 apps in view of the emerging nature of security threats posed by these apps and the detrimental nature of these apps to sovereignty, defence and law and order in India. The Ministry has reportedly pointed out that these apps raise data security and privacy concerns. On June 29, 2020, 59 apps were banned; on September 2, 2020, 118; and on November 24, 2020, 43.

Exporters have raised concerns regarding India’s application of customs valuation criteria to import transactions. Reports indicate that Indian customs officials occasionally reject the declared transaction value of imports, particularly for products with established benchmark prices in India. This practice can potentially increase export costs beyond the expected levels based on India's applied tariff rates. Companies have also reported extensive searches and seizures of imports, which do not seem to be risk-based. Additionally, India's customs authority typically demands extensive clearance documentation, resulting in prolonged processing delays.

According to the Import Export Classification, Indian Trade Classification – Harmonized System (ITC-HS) Code, and Import Policy 2012, certain goods require special permission or licensing in order to be imported. Selected consumer goods, including radio and TV broadcast transmitters and communication jamming equipment, are qualified as licensed/restricted items that can only be imported after obtaining an import license from India’s Directorate General of Foreign Trade (DGFT). However, it has been reported that India is increasingly using import licenses at the discretion of the authorities to limit imports of sensitive products. In addition, it is reported that the licensing system is not automatic as it involves delays, and authorised quantities can be lower than requested. Licenses are granted to actual users.

As per the Foreign Trade Policy, 2015-2020, India has distinguished between goods that are new and those that are second-hand, remanufactured, refurbished or reconditioned. The country allows the import of second-hand capital goods by end-users without an import license, provided the goods have a residual life of five years. In addition, users are required to present the certificate of an Indian chartered engineer attesting that such spare parts have at least 80% residual life of the original spare part, while second-hand domestic capital goods are not subject to this requirement. Problems reported by industry representatives include excessive details required in the license application, quantity limitations set at specific part numbers, and long delays between application and license issuance. According to a 2018 amendment (DGFT Notification No. 58/2015-2020), second-hand goods imported for repair, refurbishment, reconditioning or re-engineering purposes can be exported back under the customs notification provided that the waste generated during the repair or refurbishment of the imported items is treated in accordance with national environmental laws/regulations/rules/regulations/standards.

On 30 July 2020, the Indian Directorate General of Foreign Trade, through Notification No. 22/2015-2020, amended the import policy of colour television sets from "Free" to "Restricted". According to the notification, a license shall be required for imports of these TV sets, including smart TVs.

According to the Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order of 2021, and subsequent notifications, 76 ICT products must undergo registration and labelling prior to being launched in the market. In addition, no person shall manufacture or store for sale, import, sell, or distribute goods that do not conform to the Indian standard specified in the order and do not bear the Standard Mark with a unique registration number obtained from the Bureau of Indian Standards (BIS). BIS grants a license to the manufacturers to use or apply Standard Mark with a unique R-number through registration based on self-declaration of conformity for goods and articles as per Indian Standards. Examples of products subject to the scheme include set-top boxes, amplifiers, laptops/notebooks/tablets, scanners, printers, and mobile phones. It is reported that India has been tightening quality clearances for electronic products from China, which has ended up holding up products such as mobile phones from Chinese companies. While applications to the BIS are typically processed within 15 days, they now take more than two months.

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021 establish a safe harbour regime beyond intermediaries for copyright infringement. According to Rule 3.1(d), an intermediary, after receiving 'actual knowledge' through a court order or by being notified by a government agency, must remove information that is prohibited by law in relation to the interest and sovereignty of India, the security of the state, friendly relations with foreign states, public order, decency or morality, contempt of court, defamation, incitement to an offence or information which violates any law which is in force. Such information has to be removed within thirty-six hours from receipt of actual knowledge by the intermediary.
In addition, "significant social media intermediaries", defined as having more than five million registered Indian users, need to observe additional due diligence requirements to claim the immunity/safe harbour available. Rule 6 of the Information Technology Rules provides that even if a social media intermediary does not meet this user threshold, the Central Government may still require an intermediary to meet these additional obligations if it believes that their operations create a material risk of harm to the sovereignty and integrity of India or to the security of the State. This discretion to the Central government may lead to the arbitrary imposition of additional obligations on certain intermediaries. The additional due diligence requirements include appointing certain personnel for compliance, enabling identification of the first originator of the information on its platform under certain conditions, and deploying technology-based measures on a best-effort basis to identify certain types of content.

According to the Regulation on the Use of Aadhaar e-KYC Service of the Unique Identity Authority of India (UIDAI) for Issuing New Mobile Connections and Re-Verification of Existing Subscribers via OTP-Based Authentication, Indian citizens are required to register their SIM card with their Aadhaar Card (a type of national identity card). Foreigners have to provide their passport, a photocopy of their Indian visa/ travel permit, a passport-sized photo and contact details.

According to Art. 3.3 of the Information Technology Intermediaries Guidelines Rules, intermediaries are required to deploy technology-based automated tools or appropriate mechanisms with appropriate controls for proactively identifying and removing or disabling public access to unlawful information or content.

Section 69 of the Indian Information Technology Act (IITA) requires intermediaries to extend all facilities and technical assistance to intercept, monitor or decrypt information as well as to provide information stored in a computer or provide access to a computer resource when called upon to do so by certain agencies. This extends to online intermediaries, which are required to designate an officer to facilitate the execution of such orders. Intermediaries that fail to meet these obligations may be punished with imprisonment of up to seven years.

According to Art. 4.2 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021, a significant social media intermediary (defined as a social media intermediary having a number of registered users in India above five million) providing messaging services must enable identification of the first originator of the information on its computer resource as may be required by a judicial order or an order passed by a competent authority. In complying with an order for the identification of the first originator, a significant social media intermediary will not be required to disclose the contents of the electronic message related to the first originator or other users. No order must be passed in cases where there are less intrusive means of identifying the originator of the information.

According to Art. 8 of the The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules of 2009, an officer so designated by the Central Government under the Rules (known as 'Designated Officer') can on the receipt of a request from any nodal officer of a government organisation or a competent court or by an order of any agency of the government can block access by the public to any information transmitted, received, stored or hosted in any computer resource. The request will be examined by a committee consisting of the designated officer, its chairperson, and representatives, who shall determine if the information must be blocked.