The Big Day: India’s AI Framework & DPDP Rules Arrive. Now What?
Later today, the Indian government is expected to roll out two long-awaited pieces of policy infrastructure that could reshape how we interact with digital services:
1. An official AI governance framework — laying down safety boundaries, accountability guardrails, and “rules of the road” for AI in India.
2. Finalized rules under the Digital Personal Data Protection (DPDP) Act — the long-delayed operational machinery that turns statutory ideals into enforceable practices.
Taken together, these moves signal that the age of “wild west” AI and data practices in India is coming to an end. But the devil, as always, lies in the execution.
What We Know So Far: The AI Framework
Why this matters
India has been building up to this moment. The government has repeatedly promised that a governance framework will help define “safety boundaries”, prevent harmful AI applications, and align India’s AI regime with global norms.
The idea is not to micromanage all AI use, but to set principles, guardrails, and escalation paths so that high-risk deployments don’t run amok.
What to expect (and what’s already public)
The framework is being billed as non-prescriptive — meaning it won’t dictate every technical detail, but will provide structure and principles.
Over time, parts of the framework may be “converted into law” for particularly risky AI use-cases.
Reports suggest that instead of a heavyweight, standalone AI regulator, India may rely on a technical secretariat to coordinate across ministries, shape guidelines, and act as a nodal AI body.
The AI Governance Framework for India 2025–26, reportedly crafted by the National Cyber and AI Center (NCAIC), is supposed to be ready and already shows a risk-based approach, layered controls, and alignment to global norms like NIST or ISO.
That said, parts of the final version are expected to be more skeletal; enforcement mechanisms, specific thresholds, and audit requirements may come later.
The trade-offs & pitfalls
1. Flexibility vs. certainty — Non-prescriptive rules allow for innovation and iteration, but also open wiggle room for ambiguity.
2. Enforcement clarity — Without strong teeth (audit powers, fines, third-party checks), this could end up as a “guideline handbook” rather than a regulation that binds actors.
3. Coordination challenges — AI impacts cut across finance, health, telecom, defense, etc. A secretariat approach may struggle to pull in all stakeholders effectively.
4. Global alignment vs. domestic interests — There will be pressure to align with EU, US, OECD norms. But India will need carve-outs for its socio-economic and linguistic diversity.
DPDP Act & Rules: Bringing Data Protection to Life
Background in brief
The Digital Personal Data Protection (DPDP) Act, 2023 was passed in August 2023 and received presidential assent. But a law is only as powerful as its rules — the operational guidelines, procedural norms, and enforcement machinery that make it real.
Earlier in 2025, the Ministry of Electronics & IT (MeitY) released a draft DPDP Rules, 2025 for public comment, inviting feedback on issues such as consent, breach notifications, standards for data handling, and the role of the enforcement board.
The current moment: rules are ready
IT Minister Ashwini Vaishnaw has publicly stated that the DPDP rules are finalized and will be published by September 28.
Once notified, certain parts of the DPDP scheme — most notably the Data Protection Board (DPB) — are expected to come into immediate effect.
The rules will flesh out:
Consent management, withdrawal, and notice obligations
Data breach notification timelines and severity thresholds
Data retention, deletion, and anonymization norms
Cross-border data transfer rules
Penalty shades, adjudication process, appeals
Until the rules are notified, the Act itself cannot be fully enforced.
Key risks & red flags
Overlap and conflict: India already has legacy data protection rules under the IT Act. Harmonizing or superseding them may create gray zones.
Right to Information (RTI) concerns: Some have flagged that interplay between data secrecy and public interest (via RTI) may clash.
Enforcement capacity: The DPB will need staffing, digital systems, and reach across states. How fast it can scale remains uncertain.
Delayed compliance deadlines: Entities may lobby for longer grace periods, especially smaller organizations.
Why This Is a Big Deal — And What to Watch Closely
1. From theory to enforcement
Until now, India’s AI and data policy discourse had remained largely aspirational. Today may mark the turning point from “what should be” to “what must be.”
2. Trust and legitimacy
For citizens, this is about trust: Can AI providers, platforms, and governments be held accountable when something goes wrong? The frameworks must inspire confidence.
3. Balance between control and innovation
Overregulation could stifle startups. Underregulation could unleash harms. India’s regime must thread that needle.
4. Modular rollout
Not everything has to be perfect on day one. The government may adopt a phased approach — stricter oversight in domains like health, finance or law enforcement, more permissiveness in benign use-cases.
5. Judicial & civil society pushback
Expect petitions, challenges, and normative debates, especially about algorithmic transparency, appeal rights, and interpretation of “harm.”