According to Notification No. 5 (2015-2020), the import of goods (new as well as second-hand, whether or not refurbished, repaired, or reconditioned) notified under the Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order of 2021 is prohibited unless they are registered with the Bureau of Indian Standards and comply with its labelling requirements, or on a specific exemption letter from the Ministry of Electronics and Information Technology (MEITY) for a particular consignment.

According to the Consolidated Foreign Direct Investment (FDI) Policy Circular 2020, for any single-brand retail, including e-commerce entities with physical stores in India, foreign investment exceeding 51% is only allowed when 30% of the value of goods purchased is done from India. This requirement was established by the Consolidated Foreign Direct Investment (FDI) Policy Circular 2013. It is reported that India has modified the requirements in recent years, including by allowing firms to offset the local sourcing requirement by sourcing products from India for global supply chains. In addition, despite these modifications, it is reported that the local content requirements remain prohibitive for certain retailers with highly specialised supply chains.

According to the Foreign Trade (Development and Regulation) Act, the export of dual-use items and technologies is either prohibited or permitted under a license. The list of dual-use items also includes electronics, computers, and information technology, including information security.

In September 2017, India's Ministry of Communications introduced the Telegraph (Amendment) Rules, requiring testing and certification for all telegraph equipment. This led to the implementation of the Mandatory Testing and Certification for Telecom Equipment (MTCTE) procedures in 2019, which mandate local security testing for telecom products. In September 2021, the MTCTE program was expanded to include 175 products, prompting concerns from stakeholders regarding these in-country testing requirements.
Furthermore, the 2021 Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order mandates that manufacturers and importers register and certify their products with Bureau of Indian Standards-accredited laboratories, even if they have already been certified internationally. Expanded to cover 63 product categories, this order has faced criticism for insufficient government testing capacity, a complex registration process, and high compliance costs, including factory-level and component-level testing.

The rules on security clearance for telecom equipment have required that telecom service providers (TSPs) use network elements that have been tested as per contemporary Indian or international security standards. Since April 2013, no certification of network equipment has been undertaken by authorised and certified agencies/labs in India.
Only resident-trained Indian nationals can be employed as executives responsible for certain security checks. There is also a possibility of extensive inspections of hardware, software, design, development and manufacturing facilities, as well as supply chains that might jeopardise intellectual property rights. High fines are imposed in case of non-compliance.
Additionally, since September 2017, India's Telegraph (Amendment) Rules require onerous in-country security testing on all telecom network equipment and products. Previously, such products could be tested and certified in laboratories globally or at manufacturers' in-house laboratories (self-certification). Mandatory testing and certification by Indian laboratories trigger additional costs and unnecessary delays for companies, especially given that the availability of suitable laboratories in India remains unclear. Furthermore, there are concerns about India's compulsory security certification scheme (CRS).

The Indian government used to block purchases of telecom equipment from Chinese vendors on national security grounds. The Department of Telecommunications amended its license conditions for mobile service providers and required them to submit all plans for the procurement of telecom equipment from foreign vendors for screening and “security clearance” purposes. Although the amendment did not single out China, it is reported that, in practice, security agencies had been blocking applications involving Chinese vendors.
The aforesaid process is soon to be replaced with a new Directive, which will enter into force in mid-2021. The Department of Telecommunications will declare a list of trusted sources and products for installations in India's telecom network. The methodology to designate trusted products will be devised by the designated authority (National Cyber Security Coordinator). As per the directive, telecom service providers will be required to connect new devices from the list of trusted products. The list of trusted sources and products will be decided based on the approval of a committee headed by the deputy national security advisor. When announcing the directive, the Telecom and IT Minister said that measures will be taken to increase the use of equipment from trusted Indian sources.

According to Notification No. 107/(RE-2013)/2009-2014, GSM mobile handsets’ with duplicate International Mobile Equipment Identity Number (IMEI) or fake IMEI & ‘CDMA mobile handsets’ with duplicate Electronic Serial Number (ESN)/ mobile equipment identifier (MEID) or fake ESN/MEID are added to the list of ‘Prohibited’ items for import. The Government has taken over from a private agency to issue and manage IMEI allocation for mobile phones in India.

It is reported that during the course of 2020, the Ministry of Information and Technology, based on the provisions of Section 69A of the Information Technology Act and relevant provisions of the Information Technology (Procedure and Safeguards for Blocking Access to Information by the Public) Rules, 2009, banned 267 apps in view of the emerging nature of security threats posed by these apps and the detrimental nature of these apps to sovereignty, defence and law and order in India. The Ministry has reportedly pointed out that these apps raise data security and privacy concerns. On June 29, 2020, 59 apps were banned; on September 2, 2020, 118; and on November 24, 2020, 43.

Exporters have raised concerns regarding India’s application of customs valuation criteria to import transactions. Reports indicate that Indian customs officials occasionally reject the declared transaction value of imports, particularly for products with established benchmark prices in India. This practice can potentially increase export costs beyond the expected levels based on India's applied tariff rates. Companies have also reported extensive searches and seizures of imports, which do not seem to be risk-based. Additionally, India's customs authority typically demands extensive clearance documentation, resulting in prolonged processing delays.

Under Rule 4 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021, a "significant" social media intermediary (defined as a social media intermediary having number of registered users in India above 5,000,000) must appoint a Chief Compliance Officer who must ensure compliance with the Rules and will be liable in any proceedings relating to any relevant third-party information, data or communication link made available or hosted by that intermediary where he/she fails to ensure that such intermediary observes due diligence while discharging its duties under the Rules.

Under Section 69 of the Information Technology Act, both central and state governments are empowered to instruct any government agency to intercept, monitor, or decrypt electronic information. This authority can be exercised on the following grounds: in the interest of India's sovereignty or integrity; for the security of the State; to maintain friendly relations with foreign states; for public order; or to prevent or investigate the commission of an offence. Additionally, under Section 69B, the government is authorised to permit any agency to monitor and collect traffic data or information exchanged through a computer resource.
The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules of 2009 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules of 2009, both promulgated under the Information Technology Act, provide procedural guidelines for carrying out such interception and monitoring. For example, Rule 3 of the latter Rules permits the collection and/or monitoring of traffic data or information via a computer resource for several purposes, including: forecasting imminent cyber incidents; monitoring network applications; identifying and determining viruses or computer contaminants; tracking cybersecurity breaches or incidents; identifying individuals who have breached or are suspected of breaching cybersecurity measures; conducting forensic analyses as part of investigations or internal audits of information security practices; accessing stored data for the enforcement of cybersecurity law; or addressing any other cybersecurity-related issues.

Pursuant to Section 5 of the Telegraph Act and the Telegraph Rules, the Government has the power to temporarily possess licensed telegraphs and order the interception or disclosure of messages sent through such devices. The definition of a telegraph is fairly wide: it means any appliance, instrument, material, or apparatus used (or that is capable of being used) for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual, or other electromagnetic emissions, radio waves or Hertzian waves, or galvanic, electric, or magnetic means. It is not clear whether a court order is required to access the data.

The Information Technology Act establishes a safe harbour regime for intermediaries for copyright infringements. Section 79 of the Act provides intermediaries with qualified immunity for unlawful content as long as they follow the prescribed due diligence requirements and do not conspire, abet or aid an unlawful act. However, the protection lapses if an intermediary with "actual knowledge" of any content used to commit an unlawful act or, on being notified of such content, fails to remove or restrict access to it.

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021 establish a safe harbour regime beyond intermediaries for copyright infringement. According to Rule 3.1(d), an intermediary, after receiving 'actual knowledge' through a court order or by being notified by a government agency, must remove information that is prohibited by law in relation to the interest and sovereignty of India, the security of the state, friendly relations with foreign states, public order, decency or morality, contempt of court, defamation, incitement to an offence or information which violates any law which is in force. Such information has to be removed within thirty-six hours from receipt of actual knowledge by the intermediary.
In addition, "significant social media intermediaries", defined as having more than five million registered Indian users, need to observe additional due diligence requirements to claim the immunity/safe harbour available. Rule 6 of the Information Technology Rules provides that even if a social media intermediary does not meet this user threshold, the Central Government may still require an intermediary to meet these additional obligations if it believes that their operations create a material risk of harm to the sovereignty and integrity of India or to the security of the State. This discretion to the Central government may lead to the arbitrary imposition of additional obligations on certain intermediaries. The additional due diligence requirements include appointing certain personnel for compliance, enabling identification of the first originator of the information on its platform under certain conditions, and deploying technology-based measures on a best-effort basis to identify certain types of content.

According to the Regulation on the Use of Aadhaar e-KYC Service of the Unique Identity Authority of India (UIDAI) for Issuing New Mobile Connections and Re-Verification of Existing Subscribers via OTP-Based Authentication, Indian citizens are required to register their SIM card with their Aadhaar Card (a type of national identity card). Foreigners have to provide their passport, a photocopy of their Indian visa/ travel permit, a passport-sized photo and contact details.