DPDP Bill 2023 A Comparative Analysis

On 6 June 2025, the EU Council officially adopted the revised Cybersecurity Blueprint, marking a significant evolution from the 2017 guidance. This framework, formalised through Council Recommendation COM(2025) 66 final, responds to a transformed threat environment and reflects new legal milestones like the NIS2 Directive (Network and Information Security Directive) and the Cyber Solidarity Act.

From Fragmented Response to Cohesive Strategy

‍

Between 2017 and now, EU member states have built various systems to manage cyber incidents. Still, real-world events and exercises highlighted critical gaps - uncoordinated escalation procedures, inconsistent terminology, and siloed information flows. The updated Blueprint addresses these issues by focusing on a harmonised operational architecture for the EU. It defines a clear crisis lifecycle with five stages: Detection, Analysis, Escalation, Response, and Recovery. Each stage is supported by common communication protocols, decision-making processes, and defined roles. Consistency is key; standardised terminology along with a broad scope of application that eases cross-border collaboration and empowers coherent response efforts.

Legal Foundations: NIS2, ENISA & EU‑CyCLONe

‍

Several core pillars of EU cybersecurity directly underpin the Blueprint:

• ENISA – The European Union Agency for Cybersecurity continues to play a central role. It supports CSIRTs' Network operations, leads EU‑CyCLONe ( European cyber crisis liaison organisation network) coordination, conducts simulation exercises, and gives training on incident management
• NIS2 Directive, particularly Article 16, is a follow-up of NIS. NIS2 mandates operators of critical infrastructure and essential services to implement appropriate security measures and report incidents to the relevant authorities. Compared to NIS, NIS2 expands its EU-wide security requirements and scope of covered organisations and sectors to improve the security of supply chains, simplify reporting obligations, and enforce more stringent measures and sanctions throughout Europe. It also formally legitimises the EU‑CyCLONe network, which is the crisis liaison mechanism bridging technical teams from member states.

‍

These modern tools, integrated with legal backing, ensure the Blueprint isn’t just theoretical; it’s operationally enforceable.

‍

What’s Inside the Blueprint?

‍

The 2025 Blueprint enhances several critical areas:

‍

1. Clear Escalation Triggers - It spells out when a national cyber incident merits EU-level attention, especially those affecting critical infrastructure across borders. Civilian Military Exchange. The Blueprint encourages structured information sharing with defence institutions and NATO, recognising that cyber incidents often have geopolitical implications 
2. Recovery & Lessons Learned – A dedicated chapter ensures systematic post-incident reviews and shared learning among member states.

‍

Adaptive & Resilient by Design

‍

Rather than a static document, the Blueprint is engineered to evolve:

• Regular Exercises: Built into the framework are simulation drills that are known as Blueprint Operational Level Exercises—to test leadership response and cross-border coordination via EU‑CyCLONe
• Dynamic Reviews: The system promotes continuous iteration- this includes revising protocols, learning from real incidents, and refining role definitions.
  
  

This iterative, learning-oriented architecture aims to ensure the Blueprint remains robust amid rapidly evolving threats, including AI-boosted hacks and hybrid cyber campaigns.

Global Implications & Lessons for Others

‍

The EU’s Cybersecurity Blueprint sets a global benchmark in cyber resilience and crisis governance:

• Blueprint for Global Coordination: The EU’s method of defined crisis stages, empowered liaison bodies (like EU‑CyCLONe), and continuous exercise can inspire other regional blocs or national governments to build their own crisis mechanisms.
• Public–Private Synergy: The Blueprint’s insistence on cooperation between governments and private-sector operators of essential services (e.g., energy, telecom, health) provides a model for forging robust ecosystems.
• Learning & Sharing at Scale: Its requirement for post-crisis lessons and peer exchange can fuel a worldwide knowledge network, cultivating resilience across jurisdictions.

Conclusion

‍

The 2025 EU Cybersecurity Blueprint is more than an upgrade; it’s a strategic shift toward operational readiness, legal coherence, and collaborative resilience. Anchored in NIS2 and ENISA, and supported by EU‑CyCLONe, it replaces fragmented guidance with a well-defined, adaptive model. Its adoption signals a transformative moment in global cyber governance as for nations building crisis frameworks, the Blueprint offers a tested, comprehensive template: define clear stages, equip liaison networks, mandate drills, integrate lessons, and legislate coordination. In an era where cyber threats transcend borders, this proves to be an important development that can offer guidance and set a precedent.

‍

For India, the EU Cybersecurity Blueprint offers a valuable reference point as we strengthen our own frameworks through initiatives like the DPDP Act, the upcoming Digital India Act and CERT-In’s evolving mandates. It reinforces the importance of coordinated response systems, cross-sector drills, and legal clarity. As cyber threats grow more complex, such global models can complement our national efforts and enhance regional cooperation.

‍

References

• https://industrialcyber.co/expert/the-eus-cybersecurity-blueprint-and-the-future-of-cyber-crisis-management/
• https://www.consilium.europa.eu/en/press/press-releases/2025/06/06/eu-adopts-blueprint-to-better-manage-european-cyber-crises-and-incidents/ 
• https://www.enisa.europa.eu/topics/eu-incident-response-and-cyber-crisis-management 
• https://www.enisa.europa.eu/news/new-cyber-blueprint-to-scale-up-the-eu-cybersecurity-crisis-management 
• https://www.isc2.org/Insights/2025/01/EU-Cyber-Solidarity-Act 
• https://www.enisa.europa.eu/topics/eu-incident-response-and-cyber-crisis-management/eu-cyclone 
• https://nis2directive.eu/what-is-nis2/ 

‍

Introduction

The Ministry of Electronics and Information Technology recently released the IT Intermediary Guidelines 2023 Amendment for social media and online gaming. The notification is crucial when the Digital India Bill’s drafting is underway. There is no denying that this bill, part of a series of bills focused on amendments and adding new provisions, will significantly improve the dynamics of Cyberspace in India in terms of reporting, grievance redressal, accountability and protection of digital rights and duties.

What is the Amendment?

The amendment comes as a key feature of cyberspace as the bill introduces fact-checking, a crucial aspect of relating information on various platforms prevailing in cyberspace. Misformation and disinformation were seen rising significantly during the Covid-19 pandemic, and fact-checking was more important than ever. This has been taken into consideration by the policymakers and hence has been incorporated as part of the Intermediary guidelines. The key features of the guidelines are as follows –

• The phrase “online game,” which is now defined as “a game that is offered on the Internet and is accessible by a user through a computer resource or an intermediary,” has been added.
• A clause has been added that emphasises that if an online game poses a risk of harm to the user, intermediaries and complaint-handling systems must advise the user not to host, display, upload, modify, publish, transmit, store, update, or share any data related to that risky online game.
• A proviso to Rule 3(1)(f) has been added, which states that if an online gaming intermediary has provided users access to any legal online real money game, it must promptly notify its users of the change, within 24 hours.
• Sub-rules have been added to Rule 4 that focus on any legal online real money game and require large social media intermediaries to exercise further due diligence. In certain situations, online gaming intermediaries:

• Are required to display a demonstrable and obvious mark of verification of such online game by an online gaming self-regulatory organisation on such permitted online real money game
• Will not offer to finance themselves or allow financing to be provided by a third party.
• Verification of real money online gaming has been added to Rule 4-A.

• The Ministry may name as many self-regulatory organisations for online gaming as it deems necessary for confirming an online real-money game.
• Each online gaming self-regulatory body will prominently publish on its website/mobile application the procedure for filing complaints and the appropriate contact information.
• After reviewing an application, the self-regulatory authority may declare a real money online game to be a legal game if it is satisfied that:

• There is no wagering on the outcome of the game.
• Complies with the regulations governing the legal age at which a person can engage into a contract.
• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 have a new rule 4-B (Applicability of certain obligations after an initial period) that states that the obligations of the rule under rules 3 and 4 will only apply to online games after a three-month period has passed.
• According to Rule 4-C (Obligations in Relation to Online Games Other Than Online Real Money Games), the Central Government may direct the intermediary to make necessary modifications without affecting the main idea if it deems it necessary in the interest of India’s sovereignty and integrity, the security of the State, or friendship with foreign States.
• Intermediaries, such as social media companies or internet service providers, will have to take action against such content identified by this unit or risk losing their “safe harbour” protections under Section 79 of the IT Act, which let intermediaries escape liability for what third parties post on their websites. This is problematic and unacceptable. Additionally, these notified revisions can circumvent the takedown order process described in Section 69A of the IT Act, 2000. They also violated the ruling in Shreya Singhal v. Union of India (2015), which established precise rules for content banning.
• The government cannot decide if any material is “fake” or “false” without a right of appeal or the ability for judicial monitoring since the power to do so could be abused to thwart examination or investigation by media groups. Government takedown orders have been issued for critical remarks or opinions posted on social media sites; most of the platforms have to abide by them, and just a few, like Twitter, have challenged them in court.

Conclusion

The new rules briefly cover the aspects of fact-checking, content takedown by Govt, and the relevance and scope of sections 69A and 79 of the Information Technology Act, 2000. Hence, it is pertinent that the intermediaries maintain compliance with rules to ensure that the regulations are sustainable and efficient for the future. Despite these rules, the responsibility of the netizens cannot be neglected, and hence active civic participation coupled with such efficient regulations will go a long way in safeguarding the Indian cyber ecosystem.

The rapid innovation of technology and its resultant proliferation in India has integrated businesses that market technology-based products with commerce. Consumer habits have now shifted from traditional to technology-based products, with many consumers opting for smart devices, online transactions and online services. This migration has increased potential data breaches, product defects, misleading advertisements and unfair trade practices. 

The need to regulate technology-based commercial industry is seen in the backdrop of various threats that technologies pose, particularly to data. Most devices track consumer behaviour without the authorisation of the consumer. Additionally, products are often defunct or complex to use and the configuration process may prove to be lengthy with a vague warranty. 

It is noted that consumers also face difficulties in the technology service sector, even while attempting to purchase a product. These include vendor lock-ins (whereby a consumer finds it difficult to migrate from one vendor to another), dark patterns (deceptive strategies and design practices that mislead users and violate consumer rights), ethical concerns etc. 

Against this backdrop, consumer laws are now playing catch up to adequately cater to new consumer rights that come with technology. Consumer laws now have to evolve to become complimentary with other laws and legislation that govern and safeguard individual rights. This includes emphasising compliance with data privacy regulations, creating rules for ancillary activities such as advertising standards and setting guidelines for both product and product seller/manufacturer. 

The Legal Framework in India

Currently, Consumer Laws in India while not tech-targeted, are somewhat adequate; The Consumer Protection Act 2019 (“Act”) protects the rights of consumers in India. It places liability on manufacturers, sellers and service providers for any harm caused to a consumer by faulty/defective products. As a result, manufacturers and sellers of ‘Internet & technology-based products’ are brought under the ambit of this Act. The Consumer Protection Act 2019 may also be viewed in light of the Digital Personal Data Protection Act 2023, which mandates the security of the digital personal data of an individual. Envisioned provisions such as those pertaining to mandatory consent, purpose limitation, data minimization, mandatory security measures by organisations, data localisation, accountability and compliance by the DPDP Act can be applied to information generated by and for consumers.

Multiple regulatory authorities and departments have also tasked themselves to issue guidelines that imbibe the principle of caveat venditor. To this effect, the Networks & Technologies (NT) wing of the Department of Telecommunications (DoT) on 2 March 2023, issued the Advisory Guidelines to M2M/IoT stakeholders for securing consumer IoT (“Guidelines”) aiming for M2M/IoT (i.e. Machine to Machine/Internet of things) compliance with the safety and security standards and guidelines in order to protect the users and the networks that connect these devices. The comprehensive Guidelines suggest the removal of universal default passwords and usernames such as “admin” that come preprogrammed with new devices and mandate the password reset process to be done after user authentication. Web services associated with the product are required to use Multi-Factor Authentication and duty is cast on them to not expose any unnecessary user information prior to authentication. Further, M2M/IoT stakeholders are required to provide a public point of contact for reporting vulnerability and security issues. Such stakeholders must also ensure that the software components are updateable in a secure and timely manner. An end-of-life policy is to be published for end-point devices which states the assured duration for which a device will receive software updates.

The involvement of regulatory authorities depends on the nature of technology products; a single product or technical consumer threat may see multiple guidelines. The Advertising Standards Council of India (ASCI) notes that cryptocurrency and related products were considered as the most violative category to commit fraud. In an attempt to protect consumer safety, it introduced guidelines to regulate advertising and promotion of virtual digital assets (VDA) exchange and trading platforms and associated services as a necessary interim measure in February 2022. It mandates that all VDA ads must carry the stipulated disclaimer “Crypto products and NFTs are unregulated and can be highly risky. There may be no regulatory recourse for any loss from such transactions.” must be made in a prominent and unmissable manner.

Further, authorities such as Securities and Exchange Board of India (SEBI) and the Reserve Bank of India (RBI) also issue cautionary notes to consumers and investors against crypto trading and ancillary activities. Even bodies like Bureau of Indian Standards (BIS) act as a complimenting authority, since product quality, including electronic products, is emphasised by mandating compliance to prescribed standards. 

It is worth noting that ASCI has proactively responded to new-age technology-induced threats to consumers by attempting to tackle “dark patterns” through its existing Code on Misleading Ads (“Code”), since it is applicable across media to include online advertising on websites and social media handles. It was noted by ASCI that 29% of advertisements were disguised ads by influencers, which is a form of dark pattern. Although the existing Code addressed some issues, a need was felt to encompass other dark patterns.

Perhaps in response, the Central Consumer Protection Authority in November 2023 released guidelines addressing “dark patterns” under the Consumer Protection Act 2019 (“Guidelines”). The Guidelines define dark patterns as deceptive strategies and design practices that mislead users and violate consumer rights. These may include creating false urgency, scarcity or popularity of a product, basket sneaking (whereby additional services are added automatically on purchase of a product or service), confirm shaming (it refers to statements such as “I will stay unsecured” when opting out of travel insurance on booking of transportation tickets), etc. The Guidelines also cater to several data privacy considerations; for example, they stipulate a bar on encouraging consumers from divulging more personal information while making purchases due to difficult language and complex settings of their privacy policies, thereby ensuring compliance of technology product sellers and e-commerce platforms/vendors with data privacy laws in India. It is to be noted that the Guidelines are applicable on all platforms that systematically offer goods and services in India, advertisers and sellers.

Conclusion

Consumer laws for technology-based products in India play a pivotal role in safeguarding the rights and interests of individuals in an era marked by rapid technological advancements. These legislative frameworks, spanning facets such as data protection, electronic transactions, and product liability, assume a pivotal role in establishing a regulatory equilibrium that addresses the nuanced challenges of the digital age. The dynamic evolution of the digital landscape necessitates an adaptive legal infrastructure that ensures ongoing consumer safeguarding amidst technological innovations. As the digital landscape evolves, it is imperative for regulatory frameworks to adapt, ensuring that consumers are protected from potential risks associated with emerging technologies. Striking a balance between innovation and consumer safety requires ongoing collaboration between policymakers, businesses, and consumers. By staying attuned to the evolving needs of the digital age, Indian consumer laws can provide a robust foundation for security and equitable relationships between consumers and technology-based products.

References:

• https://dot.gov.in/circulars/advisory-guidelines-m2miot-stakeholders-securing-consumer-iot
• https://www.mondaq.com/india/advertising-marketing--branding/1169236/asci-releases-guidelines-to-govern-ads-for-cryptocurrency
• https://www.ascionline.in/the-asci-code/#:~:text=Chapter%20I%20(4)%20of%20the,nor%20deceived%20by%20means%20of
• https://www.ascionline.in/wp-content/uploads/2022/11/dark-patterns.pdf