India has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

The Consumer Protection (E-Commerce) Rules, 2020 provides a comprehensive framework for consumer protection that also applies to online transactions. The Rules introduced in 2020 established several requirements such as displaying requirements for the name and details of sellers, details of returns, refunds, exchange, warranty, and guarantee. In addition, requires sellers on the platform to provide an undertaking affirming the accuracy of descriptions, images, and other content of the goods or services on the platform, including that they correspond directly with the appearance, nature, quality, and purpose.

India has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

According to Art. 2 of the Processing and Settlement of Export-related receipts facilitated by Online Payment Gateways from 2011, the Reserve Bank of India restricts export-related payments for goods and services through online payment gateways. It is reported that PayPal had to limit payments for export-related payments above 500 USD. From July 2013, this limit has been increased to USD 10,000.

In addition, according to Section 2 of the Storage of Payment System Data Directive, all payment data held by payment companies should be held in local facilities. Furthermore, according to section 5 of the directive, data must be stored only in India after processing and should be deleted from systems abroad and brought back to India no later than 24 hours after processing. Any subsequent activity such as settlement processing after payment processing done outside India, must be undertaken on a real-time basis pursuant to which the data must be stored only in India. However, The RBI has clarified that banks, especially foreign banks, can continue to store banking data abroad but in respect to domestic payment transactions, the data must be stored only in India.

Following a negative response from international payment companies such as MasterCard, Visa, and American Express, the RBI has proposed (in "Frequently Asked Questions" of its website) to ease this restriction, so as to allow payment firms to store data offshore, as long as a copy was kept in India. The RBI has further clarified that for cross-border transaction data consisting of a foreign component and a domestic component, a copy of the domestic component may be stored abroad if required.

It is reported that the de minimis threshold, that is the minimum value of goods below which customs do not charge duties, is USD 4, below the 200 USD threshold recommended by the International Chamber of Commerce (ICC).

According to Section 2 of the Companies Act of 2013, foreign companies relating to B2B, B2C e-commerce, data interchange and other digital supply transactions, web-based marketing, database services, online services such as telemarketing, telecommuting, telemedicine, education and information research and all related data communication services, even when not incorporated in India, should register in India when they are engaged in business in the country.

According to the Consolidated FDI Policy Circular of 2016 and 2017, India permits up to 100 percent Foreign Direct Investment (FDI) in business-to-business (“marketplace-based”) electronic commerce, i.e. "providing an information technology platform by an e-commerce entity on a digital & electronic network to act as a facilitator between buyer and seller." However, India prohibits foreign investment in business-to-consumer (or “inventory-based”) electronic commerce, also defined as "e-commerce activity where the inventory of goods and services is owned by e-commerce entity and is sold to the consumers directly".
When a marketplace e-commerce entity exercises ownership or control over the inventory, the business is categorized into the inventory-based model. Additionally, India implemented regulations that expressly prohibit subsidiaries of foreign-owned marketplace-based electronic commerce sites from selling products on their parent companies’ sites. The rules also prohibit exclusivity arrangements by which electronic commerce retailers can offer a product on an exclusive basis.
The only exceptions for FDI in inventory-based electronic commerce are for food-product retailing and single-brand retailers that meet certain conditions, including the operation of physical stores in India. According to the Consolidated FDI Policy Circular of 2020, retail trading through e-commerce can also be undertaken before opening physical stores, subject to the entity opening physical stores within two years from the start of online retail. Overall, it is reported that these narrow exceptions limit the ability of many electronic commerce service suppliers to serve the Indian market.

According to Section 84A of the Information Technology Act, the Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption. However, no rules have been introduced under this section.

India’s encryption regulations require firms to use a 40-bit or lower standard encryption to secure digitally transmitted information, while most firms use much stronger standards, ranging from 128-bit to 256-bit. To use more sophisticated (and therefore more secure) cryptography, firms must procure a license. Firms also report that encryption standards differ from one regulatory agency to another.

Since 2011, the rules on security clearance for telecom equipment require that Telecom Service Providers (TSP) must use network elements which have been tested as per contemporary Indian or international security standards. From April 2013, any certification of network equipment must only be undertaken from authorized and certified agencies/labs in India.
Only resident trained Indian nationals can be employed as executives responsible for certain security checks. There is also a possibility of extensive inspections of hardware, software, design, development and manufacturing facilities as well as supply chains that might jeopardize intellectual property rights. High fines are imposed in case of non-compliance.
Additionally, since April 2018, India's Telegraph (Amendment) Rules require onerous in-country security testing on all telecom network equipment and products. Previously, such products could be tested and certified in laboratories globally, or at in-house laboratories of the manufacturers (self-certification). Mandatory testing and certification by Indian laboratories triggers additional cost and unnecessary delays for companies, especially given that the availability of suitable laboratories in India remains unclear. Furthermore, there are concerns on India's compulsory security certification scheme (CRS).

The Indian government used to block purchases of telecoms equipment from Chinese vendors on national security grounds. The Department of Telecommunications had amended its license conditions for mobile service providers, and required them to submit all plans for procurement of telecoms equipment from foreign vendors for screening and “security clearance” purposes. Although the amendment did not single out China, it is reported that, in practice, security agencies had been blocking applications involving Chinese vendors.
The aforesaid process is soon to be replaced with a new Directive, which will enter into force in mid-2021. The Department of Telecommunications will declare a list of trusted sources and products for installations in India's telecom network. The methodology to designate trusted products will be devised by the designated authority (National Cyber Security Coordinator). As per the directive, telecom service providers will be required to connect new devices from the list of trusted products. The list of trusted sources and products will be decided based on the approval of a committee headed by the deputy national security advisor. When announcing the directive, the Telecom and IT Minister said that measures will be taken to increase the use of equipment from trusted Indian sources.

India's Compulsory Registration Scheme mandates that 76 ICT products must undergo registration and labelling prior to being launched in the market. No person shall manufacture or store for sale, import, sell or distribute goods which do not conform to the Indian standard specified in the order and do not bear the Standard Mark with unique registration number obtained from the Bureau of Indian Standards (BIS). BIS grants licence to the manufacturers to use or apply Standard Mark with unique R-number, through registration based on self-declaration of conformity for goods and articles as per Indian Standards. Examples of products subject to the scheme include set top boxes, amplifiers, laptops/notebooks/tablets, scanners, printers and mobile phones.
It has been noted that India has been tightening quality clearances for electronic products from China which has ended up in holding up products such as mobile phones from Chinese companies. While applications to the BIS, typically processed within 15 days, but are now taking more than two months.

According to the Foreign Trade (Development and Regulation) Act, the export of dual-use items and technologies is either prohibited or is permitted under a license. The list of dual-use items also includes electronics, computers, and information technology, including information security.

According to the Consolidated Foreign Direct Investment (FDI) Policy Circular, for any single-brand retail, including e-commerce entities with physical stores in India, foreign investment exceeding 51% is only allowed when 30% of the value of goods purchased is done from India. This requirement was established by the Consolidated Foreign Direct Investment (FDI) Policy Circular 2015. It is reported that India has modified the requirements in recent years, including by allowing firms to offset the local sourcing requirement by sourcing products from India for global supply chains. In addition, despite these modifications, it is reported that the local content requirements remain prohibitive for certain retailers with highly specialized supply chains.

According to the Electronics and Information Technology Goods (Requirement for Compulsory Registration) Order, 2012, and subsequent notifications, 76 ICT products must undergo registration and labelling prior to being launched in the market. In addition, no person shall manufacture or store for sale, import, sell, or distribute goods that do not conform to the Indian standard specified in the order and do not bear the Standard Mark with a unique registration number obtained from the Bureau of Indian Standards (BIS). BIS grants license to the manufacturers to use or apply Standard Mark with a unique R-number, through registration based on self-declaration of conformity for goods and articles as per Indian Standards. Examples of products subject to the scheme include set-top boxes, amplifiers, laptops/notebooks/tablets, scanners, printers, and mobile phones. It is reported that India has been tightening quality clearances for electronic products from China which has ended up in holding up products such as mobile phones from Chinese companies. While applications to the BIS, are typically processed within 15 days but are now taking more than two months.