The DPDPA 2023 is now put on track and the Indian Personal Data Eco system is preparing itself to adopt the obligations under the Act.
In the meantime, the issue of “Securing” the Cyber Space which consists of non personal data as well as the production and use of cyber devices, the upcoming technologies such as AI , Quantum Computing, Crypto Currencies etc remain under the ToDo list.
The Digital India Act which was spoken off for some time was intended to address this issue either as an amendment to ITA 2000 or a new act.
With the India -EU trade deal opening up doors of opportunity for Indian software and hardware companies the industry’s attention has been drawn to the EU-Cyber Resilience Act 2024 which is gaining traction through implementation deadlines in 2026 and 2027 and possibly impacting the Indian manufactures of Software and hardware.
In this context, there is a need to take a fresh look at the possibility of our reacting to the EU-CRA with our own IN-CRA or Cyber Resilience Act of India.
We should start thinking about the broad contours of such an Act, its objectives, the scope, obligations, penal provisions, the regulatory authority etc.
“Cyber Resilience” is a layer above “Cyber Security” and the IN-CRA needs to build a National capability to respond to Cyber Security threats.
The EU-CRA focusses on imposing obligations on manufacturers of Cyber Products and imposes a penalty of 2.5% of global turnover or Euro 15 million as a deterrence and includes manufactures outside EU who place their products in EU. Hence compliance of EU CRA becomes mandatory for Indian suppliers of Cyber products to the EU.
IN-CRA should prepare the Indian industry to develop an Indian standard of Cyber Resilience first which can be upgraded to the Eu standards in due course.
While we need to take the cue from the EU-CRA and adopt the security guidelines mentioned there in, we need to also use this as an opportunity to strengthen our Cyber Security Eco System so that there is a perceptible difference created for enhancing the Indian Cyber Security system also.
One of the objectives of the IN-CRA should be to prevent product manufacturers from releasing defective products in the market and using the users as guineapigs. This should increase the Digital Trust for customers using products which are CRA Compliant.
Another objective of IN-CRA should be to improve the operational efficiencies of the existing institutional framework creating a unified command structure.
Yet another objective is to ensure that emerging technologies like AI and Quantum Computing donot become tools of crime before they become tools of progress.
We need to explore this further . Your comments are welcome.
Naavi
