AIRiskAware

India 10 min read 2026

AI Governance in India: DPDP Act, SEBI, RBI, and the Emerging Regulatory Landscape

India's Digital Personal Data Protection Act (DPDP) 2023 is now being implemented, with rules expected in 2026. India's financial regulators — RBI and SEBI — have issued AI guidance. This is the complete guide for organisations operating in India.

Key Takeaways

  • The Digital Personal Data Protection Act 2023 creates India's first comprehensive data protection framework — its implementation rules (expected 2026) will significantly affect how AI systems processing personal data of Indian residents must be governed.

  • The DPDP Act's concept of 'consent managers' and the rights of 'data principals' (individuals) create specific obligations for AI systems that use personal data — including rights to withdraw consent and obligations around automated processing.

  • The Reserve Bank of India has issued guidance on the use of AI and ML in financial services — including expectations for model risk management, explainability, and fairness testing that apply to banks, NBFCs, and fintech companies.

  • SEBI has published circulars on AI use by market intermediaries, requiring specific disclosures and risk management frameworks for AI used in trading, investment advice, and compliance functions.

  • India's AI governance landscape is developing rapidly — the Ministry of Electronics and Information Technology (MeitY) published the India AI Mission in March 2024, and sector-specific AI guidance from IRDAI, TRAI, and other regulators is expected through 2026.

"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific guidance."

India AI governance in 2026 — DPDP Act and beyond

India's AI governance framework is maturing rapidly. The Digital Personal Data Protection Act 2023 (DPDP Act) and DPDP Rules 2025 (notified 13 November 2025) create enforceable data protection obligations directly applicable to AI systems processing personal data. India doesn't yet have a standalone AI law, but the DPDP framework, sector-specific regulation, and the government's AI development agenda together form a substantive governance landscape.

DPDP Act and Rules — what applies to AI

The DPDP Act applies to all processing of digital personal data in India, including AI systems. Key provisions: consent requirements for data processing with specific notice obligations (Section 6); purpose limitation (data collected for one purpose cannot be used for AI training without separate consent or legal basis); data principal rights including access, correction, erasure, and grievance redressal (Sections 11-14); and enhanced obligations for significant data fiduciaries (large-scale processors), including appointing a Data Protection Officer and an independent data auditor, and conducting Data Protection Impact Assessments.

DPDP Rules 2025 implement these obligations in three phases, giving organisations lead time but requiring compliance planning now. Penalties reach ₹250 crores (approximately US$30 million) per contravention. The Data Protection Board of India, operational from 13 November 2025, handles complaints and enforcement.

Sector-specific AI regulation

Financial services. RBI's FREE-AI Framework (Framework for Responsible and Ethical Enablement of AI) addresses AI in banking and financial services. IRDAI has issued guidance on AI in insurance. SEBI has addressed algorithmic trading regulation.

Healthcare. ICMR (Indian Council of Medical Research) ethical guidelines for biomedical and health research apply to AI in healthcare research. CDSCO regulates medical devices including AI-enabled devices.

IT and digital services. The IT Act 2000 and IT Rules continue to apply. MeitY (Ministry of Electronics and Information Technology) oversees digital governance policy including AI.

India's AI development agenda

India is simultaneously pursuing aggressive AI development: the IndiaAI Mission (March 2024) carries a ₹10,372 crore investment covering compute infrastructure, innovation centres, datasets, application development, and skilling. India chaired the Global Partnership on AI (GPAI) in 2024 and co-chaired the 2025 Paris AI Action Summit. The tension between development ambition and governance obligation is a live policy question.

What companies operating in India should do

Map AI systems processing personal data against DPDP Act requirements. Implement consent mechanisms and purpose limitation for AI data use. Prepare for Data Protection Impact Assessments for significant AI deployments. Monitor the Data Protection Board's enforcement posture. For financial services, align with RBI FREE-AI. For healthcare AI, comply with CDSCO medical device requirements.

Primary sources: MeitY — Data Protection Framework · Reserve Bank of India
