🏛️ Polity & GovernanceMAINS · GS3.18 · GS2.15

MeitY drafts cyber-security framework for States

A national consultative workshop sets four non-negotiable cyber requirements for every State and Union Territory.

What happened

The Ministry of Electronics and Information Technology (MeitY) convened a National Consultative Workshop on strengthening cyber-security frameworks for State data, held at The Ashok Hotel, New Delhi on 11 May 2026.
It was chaired by the Secretary, MeitY, and drew Principal Secretaries and senior officers from the States and Union Territories, alongside CERT-In, the National Informatics Centre (NIC) and the National e-Governance Division (NeGD).
The workshop is Stage II of a four-stage departmental summit, launched on the Prime Minister's directions at the 5th National Conference of Chief Secretaries, to build a single national cyber-security policy framework for State governments through consultation with all 36 States and UTs.
The Secretary set out four foundational requirements every State and UT must meet: a formally notified Cyber Security Policy; an appointed and empowered Chief Information Security Officer (CISO); an operational State Security Operations Centre (SOC) integrated with the Government SOC at NIC; and a Cyber Crisis Management Plan (CCMP).
The exercise is explicitly framed against the Digital Personal Data Protection (DPDP) Act, 2023, which becomes fully enforceable from 13 May 2027 — making cyber-security preparedness a legal obligation rather than a discretionary upgrade.
State-Level Workshops (Stage III) are to be completed by 30 June 2026; the National Departmental Summit (Stage IV) is scheduled for August 2026, after which the consolidated framework is to be submitted to the Cabinet Secretariat.

Background & context

India's cyber-security governance is layered across the Union and the States, and the gap this framework addresses sits squarely at the State level. The Information Technology Act, 2000 created the statutory base; under Section 70B of that Act, the Indian Computer Emergency Response Team (CERT-In) is the designated national nodal agency for incident response, operating under MeitY. CERT-In's 2022 directions already require all government and service-provider entities to report cyber incidents within six hours and to retain logs. What had been missing was a uniform, enforceable standard for how each State protects the citizen data it holds — the land records, health records, ration and welfare databases, transport and police data that increasingly live in State Data Centres (SDCs) and travel over State Wide Area Networks (SWAN).

This initiative grows out of the Whole-of-Government digital push and was set in motion at the 5th National Conference of Chief Secretaries. Rather than issue a top-down circular, MeitY chose a four-stage consultative route — a national framing workshop (Stage I), this national consultative workshop (Stage II), State-level workshops to ground the model in each State's realities (Stage III), and a concluding national summit that hands a finished framework to the Cabinet Secretariat (Stage IV). NeGD, the body that runs the Digital India delivery machinery, is MeitY's partner in convening the process. The framework does not stand alone: it is being knitted together with the DPDP Act, 2023 on the data-protection side and with the Ministry of Home Affairs' National Information Security Policy and Guidelines (NISPG) on the security-classification side, so that a State that complies with one is moving toward compliance with all.

It also sits within a wider family of instruments an aspirant should be able to place side by side. At the Union level, the IT Act, 2000 and its Section 70B mandate for CERT-In form the statutory spine; the National Cyber Security Policy, 2013 was the first attempt at an overarching national posture; the National Critical Information Infrastructure Protection Centre (NCIIPC), set up under Section 70A of the IT Act, protects designated critical sectors such as power, banking and telecom. On the data side, the DPDP Act, 2023 replaced the data-protection provisions that the earlier Personal Data Protection Bill had tried and failed to enact, and it follows the recommendations that flowed from the Supreme Court's recognition of privacy as a fundamental right in K. S. Puttaswamy v. Union of India (2017). The State framework now under draft is the missing layer between these Union-level instruments and the ground reality of State data estates — its closest peer in spirit is the Union government's own internal security baseline, which the State requirements consciously mirror so that the CISO, SOC and crisis-plan model used by central departments is replicated in every State.

For Prelims

Initiative: National Consultative Workshop on Strengthening Cyber Security Frameworks for State Data — Stage II of a four-stage departmental summit led by MeitY in partnership with NeGD.
Nodal ministry: Ministry of Electronics and Information Technology (MeitY); the administering chain runs MeitY → CERT-In (incident response, the IT Act Section 70B agency) → NIC (which runs the Government SOC, or GSOC) → NeGD (capacity and delivery).
Coverage: all 36 States and Union Territories.
The four mandatory State requirements (the core "set"): (1) a notified Cyber Security Policy; (2) an appointed, empowered CISO; (3) an operational State SOC integrated with the GSOC at NIC; (4) a Cyber Crisis Management Plan (CCMP).
Six national thematic areas deliberated: risk-based assessments; securing State Data Centres (SDCs) and State Wide Area Networks (SWAN); incident detection and response via SOCs and State CSIRTs under CERT-In; legacy modernisation with Secure-by-Design and Zero Trust Architecture; data classification and DPDP Act 2023 compliance aligned to MHA's NISPG; and CISO appointment, capacity building and citizen awareness.
Design principles invoked: Secure-by-Design and Zero Trust Architecture (the assumption that no user or device is trusted by default, inside or outside the network).
Statutory anchor: Digital Personal Data Protection (DPDP) Act, 2023 — enacted in 2023, to be fully enforceable from 13 May 2027; it creates the Data Protection Board of India and obligations on data fiduciaries.
Bodies named: CERT-In (national nodal incident-response agency under MeitY, IT Act Section 70B); NIC (operator of the Government SOC); NeGD (the Digital India delivery arm); plus State CSIRTs (Computer Security Incident Response Teams) to function under CERT-In.
Training pathways named: NeGD programmes, the Information Security Education and Awareness (ISEA) project, and the iGOT Karmayogi platform.
Timeline: Stage III State-Level Workshops by 30 June 2026 → Stage IV National Departmental Summit in August 2026 → final framework to the Cabinet Secretariat.

What it is NOT: This is a draft policy framework emerging from consultation, not a notified law, and not the same instrument as the DPDP Act, 2023 — the framework operationalises State cyber-readiness while the Act governs personal-data protection. CERT-In, not MeitY's framework, remains the statutory incident-response agency. The State SOC is distinct from the Government SOC (GSOC) at NIC: the State SOC is to be integrated with the GSOC, not replaced by it. The CISO is a State-government officer role, not a CERT-In post.

For UPSC: MeitY's four State cyber pillars = notified Policy + empowered CISO + State SOC (integrated with NIC's GSOC) + Cyber Crisis Management Plan; anchored to the DPDP Act, 2023, fully enforceable from 13 May 2027; CERT-In is the IT Act Section 70B nodal agency.

Why it matters

The problem the framework attacks is structural. Citizen-facing services have moved online faster than the institutions that hold the data have matured their defences, and the weakest link in a federal system is rarely the Union-level CERT-In — it is the uneven State estate, where some governments have a CISO and a functioning SOC and others have neither. A breach of a State health or welfare database is, in practical terms, a breach of millions of citizens at once, and the attack surface is widening as AI-enabled attacks lower the cost of intrusion. By converting four readiness measures from good practice into stated requirements, and by tying them to the DPDP Act's enforceable timeline, MeitY shifts State cyber-security from optional to obligatory.

The approach is also notable for being cooperative-federal rather than coercive. Cyber-security touches "public order" and "police," which are State subjects, so a uniform Union diktat would be contested; a consultative four-stage route that ends at the Cabinet Secretariat builds buy-in while still producing one national baseline. The emphasis on indigenous solutions under Aatmanirbhar Bharat, on Secure-by-Design and Zero Trust, and on capacity-building through ISEA and iGOT Karmayogi signals that the gap being closed is as much about trained people and resilient architecture as about any single tool. For an aspirant, this is a clean, current illustration of how the State and the Union share a security responsibility that neither can discharge alone.

For Mains

Anchor

A question on India's cyber-security architecture or on data governance can be anchored on this framework as the most recent attempt to standardise State-level cyber readiness through the four pillars — notified Policy, CISO, State SOC and CCMP — within a cooperative-federal process.

Substantiation

Supplies concrete data points: four mandatory requirements, all 36 States/UTs covered, a four-stage summit, the DPDP Act's 13 May 2027 enforceability deadline, and the named institutional chain (CERT-In, NIC's GSOC, NeGD, State CSIRTs).

Problematisation

The release itself implies the gap: State cyber-security is uneven, many States lack an empowered CISO or an operational SOC, and AI-enabled attacks are escalating — the very reason a baseline had to be imposed.

Way-forward

Offers a ready way-forward template — mandate a notified policy, an empowered CISO, an integrated SOC and a crisis-management plan in every State, backed by Secure-by-Design, Zero Trust and trained personnel through ISEA and iGOT Karmayogi.

Position

States the government's stance: cyber-security preparedness is a legal obligation under the DPDP Act, 2023, to be achieved through consultation and a Whole-of-Government approach rather than a unilateral mandate.

Deploys into: cyber-security and protection of critical information infrastructure (GS3.18); e-governance, transparency and data protection in administration (GS2.15); and Union–State coordination on a shared security responsibility.

Ministry of Electronics & IT · 2026-05-16 · PRID 2261823 · PIB source ↗