HomeAnalyticsAlertsDigital Services Regulation in India: New Requirements for Technology Companies

Digital Services Regulation in India: New Requirements for Technology Companies

India's digital services environment has shifted decisively. The Ministry of Electronics and Information Technology has advanced a consolidated regulatory regime targeting online platforms, AI-enabled services, and intermediaries operating within – or directing services into – Indian territory. For international technology companies, the window to align operations with these new requirements is narrowing fast.

India's updated digital services regulation introduces mandatory registration, algorithmic accountability obligations, and software liability standards for qualifying technology companies. Businesses with a significant user base in India or those offering digital services to Indian consumers must comply by the deadlines set out under the new regime. Failure to register or meet content governance requirements before the prescribed deadline exposes companies to service suspension and financial penalties under Indian technology legislation.

This alert identifies the regulatory change, defines which business categories fall within scope, and sets out five immediate actions international companies should take now.

What has changed – the regulatory development and effective date

India's technology legislation has been substantially amended to address three converging pressures: the rapid growth of AI-driven platforms. Demands for algorithmic accountability from national regulators. Additionally, the desire to harmonise domestic rules with emerging global standards such as AI Act compliance benchmarks.

The principal change is the introduction of a tiered classification system for digital services. Platforms are now divided into ordinary intermediaries, significant social media intermediaries, and a new category of Systemically Important Digital Intermediaries (SIDIs). Each tier carries distinct obligations around grievance redressal, content moderation, data localisation, and software liability.

In parallel, amendments to rules issued under Indian technology legislation now impose explicit algorithmic accountability duties. Platforms that use automated decision-making to rank, filter, or recommend content must maintain auditable records of those systems. Regulators may require disclosure of ranking criteria on request.

The amended rules entered the gazette in early 2025. The compliance deadline for existing operators is 90 days from the gazette notification date. New entrants crossing a threshold after that date must comply within 30 days of crossing it. Companies that fail to act within these windows face the prospect of losing their intermediary liability protection under Indian technology legislation – a consequence with serious implications for software liability exposure.

Who is affected – threshold criteria and business categories

Scope is determined by two independent triggers: user volume and revenue derived from Indian-resident users.

The user-volume trigger applies to any platform – regardless of where it is incorporated – that has a registered or active user base in India exceeding the threshold prescribed under the new rules. Platforms providing digital services, cloud infrastructure, marketplace services, or AI-enabled tools are all within scope. The revenue trigger captures companies that, while operating below the user threshold, derive a material share of their India-sourced income from digital services.

The following business categories face the highest compliance burden:

  • Social media platforms and content aggregators with Indian user bases above the prescribed threshold
  • E-commerce marketplaces and payment aggregators supervised by the Reserve Bank of India (RBI)
  • Fintech platforms subject to oversight by the Securities and Exchange Board of India (SEBI)
  • AI-enabled SaaS providers offering algorithmic recommendation, scoring, or decision-support tools
  • Cloud and infrastructure providers whose services underpin any of the above categories

Foreign companies without a physical presence in India are not exempt. The territorial reach of Indian technology legislation is broad: services directed at Indian users are treated as operating within the jurisdiction. This mirrors the extraterritorial logic seen in comparable regimes elsewhere. International companies relying on technology licensing arrangements to supply Indian-resident customers should audit those arrangements promptly.

Regulated entities under Companies Act 2013 corporate governance rules that also operate digital platforms must ensure their board-level compliance structures address the new technology obligations. Disputes arising from non-compliance may be referred to the National Company Law Tribunal (NCLT) where the digital service operator is a company incorporated under Indian corporate legislation. Cross-border enforcement matters involving foreign companies may engage the Arbitration and Conciliation Act framework where contractual disputes arise alongside regulatory proceedings.

For a detailed view of how these rules interact with intellectual property obligations for technology companies in India, see our analysis of intellectual property law in India.

To receive an expert assessment of your company's exposure under India's updated digital services rules, contact us at info@ferrazwhitmore.com.

What to do now – immediate actions and compliance timeline

International companies should treat the 90-day window as the outer boundary, not a planning horizon. Regulators have indicated that enforcement action will begin promptly after the deadline. The following five actions should be initiated without delay.

First, conduct a threshold assessment. Map your Indian user base and India-sourced revenue against the applicable thresholds. Engage your data and finance teams to produce a documented analysis. This assessment establishes whether SIDI or ordinary intermediary obligations apply and determines the compliance deadline for your entity.

Second, appoint mandatory officers. Indian technology legislation requires qualifying platforms to designate a resident Grievance Officer, a Chief Compliance Officer, and a Nodal Contact Person – all based in India. These appointments must be publicly disclosed on the platform. For companies without an Indian entity, establishing a local presence or agency arrangement is a prerequisite.

Third, review algorithmic accountability obligations. Platforms using automated systems for content ranking, recommendation, or decision-making must document those systems now. Prepare an inventory of all algorithmic tools, their training data sources, and their governance controls. This documentation will form the basis of any regulatory audit and is central to demonstrating software liability diligence.

Fourth, update your grievance redressal mechanism. The amended rules prescribe response timelines for user complaints that are shorter than those previously required. Review your existing process, update it to meet the prescribed timelines, and ensure the mechanism is accessible to Indian-resident users in the required languages.

Fifth, assess data localisation exposure. The new regime intersects with India's data protection legislation. Financial and sensitive personal data processed by RBI-regulated or SEBI-regulated platforms may be subject to mandatory localisation. Cross-border data transfers should be mapped and assessed against current localisation requirements before the compliance deadline.

Companies operating across multiple Asian markets should note that comparable regulatory developments are under way in neighbouring jurisdictions. Our alert on digital services regulation in the UAE covers parallel requirements in that market.

Our full advisory service for technology companies operating in India is set out at AI and technology law in India.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our AI and technology law practice supports technology companies, platform operators, and institutional investors navigating digital services regulation, algorithmic accountability requirements, and software liability exposure in India and across Asia-Pacific markets. Our team combines Portuguese civil law expertise with English common law tradition – giving clients a dual-perspective advisory approach suited to complex cross-border technology mandates. The firm's Asia-Pacific and Middle East practice has advised on technology licensing arrangements, regulatory entry strategies, and dispute resolution matters before arbitral bodies operating under the Arbitration and Conciliation Act framework. As an international law firm in India-facing matters, we work alongside local counsel to deliver complete, jurisdiction-specific guidance. Engaging a lawyer in India with cross-border technology experience is critical when regulatory timelines are short and enforcement consequences are severe. To discuss your company's compliance position under India's updated digital services regime, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.