India AI Regulation 2026. What global operators face in a rapidly growing AI market without a comprehensive statute.

India is the world's most populous country and one of the fastest-growing markets for AI deployment in financial services, healthcare, agriculture, and public administration. It has no comprehensive AI statute. Its primary legal instrument is the Digital Personal Data Protection Act 2023. Sector regulators have moved ahead of national legislation to establish AI governance expectations in regulated industries. The National AI Mission launched in March 2024 signals the government's intent to build both infrastructure and safety frameworks. This guide explains what global operators deploying AI systems in India must navigate in 2026, and how India's approach positions relative to the EU AI Act and other major jurisdictions.

The regulatory landscape in brief

India's AI regulatory environment in 2026 is characterised by three concurrent elements: a data protection statute with direct implications for AI-driven decision-making, sector-level regulatory guidance from three major financial regulators, and a government-funded national mission that is building both compute infrastructure and safety standards. No single statute establishes comprehensive AI-specific requirements for private sector operators.

This architecture is not the product of regulatory inattention. India's government has made a deliberate policy choice to pursue innovation-first AI development while constructing governance infrastructure in parallel, rather than imposing a comprehensive regulatory framework before the market has matured. The IndiaAI Mission, approved in March 2024, is explicit about this sequencing: establish compute capacity and a domestic AI ecosystem first, then codify safety standards as the technology and its applications become better understood.

For global operators, the practical consequence is that compliance in India requires disaggregated analysis. The questions to ask are: does your AI deployment process personal data of Indian residents (DPDPA applies); do you operate in a regulated financial or insurance sector (RBI, SEBI, or IRDAI guidance applies); are you engaging with Indian government procurement (IndiaAI Mission standards apply as de facto criteria); and are you in a sector such as healthcare where additional sector guidance has been issued? The answers determine which obligations are binding and which represent voluntary best practice.

The Ministry of Electronics and Information Technology (MEITY) has issued advisory documents on responsible AI that apply across sectors. These are not legally binding on private operators but they represent the government's stated expectations and are likely to inform future legislation. The trajectory is clearly towards greater formalisation of AI governance requirements, and operators who have built governance programmes consistent with international standards will be better positioned when that formalisation accelerates.

The Digital Personal Data Protection Act 2023 and AI

The Digital Personal Data Protection Act 2023 (DPDPA) received Presidential assent on 11 August 2023. It is the primary instrument through which India regulates the processing of personal data, including processing by automated means. The Act applies to the processing of digital personal data within India, and to the processing of digital personal data outside India where such processing is in connection with any activity related to offering of goods or services to data principals within India. This extraterritorial scope means that a global operator running AI systems from infrastructure outside India may nonetheless be subject to the Act if its systems are processing data of Indian residents in connection with Indian market activities.

The Act's central structure follows a data fiduciary and data principal model. Data fiduciaries are persons who determine the purpose and means of processing personal data. Where an AI system is used to process personal data to make or substantially inform a decision about an individual, the operator of that system is the data fiduciary. The fiduciary obligations under the DPDPA include obtaining valid consent for processing, limiting use of data to the specified purpose, maintaining data accuracy, and implementing appropriate security safeguards.

Automated decision-making is not addressed by a dedicated provision in the DPDPA in the manner of Article 22 of the EU's General Data Protection Regulation. However, the Act's consent and purpose limitation requirements apply to automated processing, and the data principal's right to access information about their personal data and the means by which it has been processed engages the transparency obligations of any AI deployment. Where an AI decision produces a consequential outcome for a data principal, such as a credit decision, an insurance pricing determination, or an employment screening outcome, the DPDPA's fairness and accuracy obligations are directly engaged.

The Act creates the category of Significant Data Fiduciary, which is determined by the Central Government based on the volume and sensitivity of personal data processed, the risk to the rights of data principals, the potential impact on national security or public order, and the risk to electoral democracy. Significant Data Fiduciaries face a set of enhanced obligations that go beyond the baseline requirements. These include the appointment of a Data Protection Officer based in India, the requirement to conduct periodic Data Protection Impact Assessments, and the requirement to undertake algorithmic audits. The algorithmic audit requirement is the most directly AI-specific obligation in the current Indian statutory framework. It requires Significant Data Fiduciaries to have their algorithms audited by independent auditors to assess their impact on data principals' rights.

The Data Protection Board of India, established under Section 14 of the DPDPA, has adjudicatory powers to investigate complaints and impose financial penalties. Penalties for breaches of the Act can reach INR 250 crore (approximately EUR 27 million) per breach. The Board is not yet fully constituted as of May 2026, and its procedural rules are still being developed. Operators should monitor the Board's establishment and its early adjudicatory decisions as indicators of enforcement priorities.

Sector regulation: RBI, SEBI, and IRDAI

In the absence of a comprehensive AI statute, India's sector regulators have established the most substantive and binding AI governance requirements that currently apply to private sector operators. The three regulators with the most developed AI governance frameworks are the Reserve Bank of India, the Securities and Exchange Board of India, and the Insurance Regulatory and Development Authority of India.

Reserve Bank of India

The Reserve Bank of India has been the most active sector regulator in articulating AI governance expectations for financial institutions. RBI guidance addresses the use of AI and machine learning in credit underwriting, risk assessment, fraud detection, and customer service. The core requirements that emerge from RBI guidance for banks and non-banking financial companies operating under RBI supervision are explainability, model risk management, audit trail maintenance, and bias monitoring.

Explainability requirements mean that AI-driven credit decisions must be capable of being explained to the affected customer in meaningful terms. A model that produces a credit refusal must be accompanied by human-intelligible reasons that the institution can communicate. This is a substantive operational requirement: it rules out fully opaque black-box models for consequential credit decisions without adequate interpretation layers. Model risk management requirements mean that AI models used for credit and risk decisions must be subject to the same validation, back-testing, and ongoing monitoring procedures as statistical models. There is no AI-specific exemption from model governance requirements; the standards that apply to credit scorecards apply equally to machine learning systems.

Audit trail requirements mean that institutions must maintain records of AI-driven decisions sufficient to allow retrospective review by supervisors and by internal audit. This has direct implications for model documentation, prediction logging, and data lineage tracking. Bias monitoring requirements mean that institutions must actively test for demographic bias in AI outputs and maintain evidence that their systems do not produce systematically discriminatory outcomes across protected characteristics.

Securities and Exchange Board of India

SEBI has addressed AI in two primary contexts: algorithmic trading and AI-driven investment advisory. Algorithmic trading regulation in India predates the current AI governance discussion and applies a co-location and risk management framework that has been extended to cover AI-driven trading strategies. For investment advisers and research analysts using AI to generate recommendations, SEBI has issued guidance requiring that AI-generated content be clearly identified as such and subject to appropriate human oversight before being communicated to clients.

SEBI's approach reflects the same concern that drives sector AI governance globally: that AI systems deployed in high-stakes financial decisions require governance infrastructure proportionate to their impact. The practical requirements for SEBI-regulated entities include identification and tagging of AI-generated outputs, human review procedures for AI-assisted recommendations, and maintenance of audit records showing the basis for advice provided to clients.

Insurance Regulatory and Development Authority of India

IRDAI has issued a circular on the use of AI in insurance underwriting and claims settlement that imposes requirements on insurers operating in India. The circular requires that AI models used in underwriting decisions be subject to actuarial validation before deployment and on a periodic basis thereafter. This means that an AI system used to price a motor insurance policy or to assess a health insurance application must be reviewed by a qualified actuary who can attest that the model's outputs are actuarially sound and consistent with the insurer's pricing philosophy.

Claims settlement AI is subject to additional oversight requirements. Fully automated claims decisions above defined thresholds require human review before payment is made or denied. IRDAI's circular reflects the insurance regulator's established concern with treating customers fairly: an AI system that systematically delays or denies legitimate claims creates conduct risk that supervisors expect insurers to manage through governance rather than post-hoc remediation.

The National AI Mission and the AI Safety Institute

The National AI Mission, formally the IndiaAI Mission, was approved by the Union Cabinet in March 2024 with a total outlay of INR 10,372 crore (approximately EUR 1.1 billion) over five years. The Mission has seven pillars: compute infrastructure, foundational model development, a datasets platform, application development, future skills, startup financing, and responsible AI. The responsible AI pillar is the most directly relevant to global operators.

The Mission includes a component that establishes an AI Safety Institute for India, modelled on the AI Safety Institutes established in the United Kingdom and the United States. The India AI Safety Institute is intended to conduct evaluations of AI systems for safety risks, develop testing methodologies, and contribute to international alignment on AI safety standards. As of May 2026, the Safety Institute is in its formative phase. It has not yet published binding evaluation requirements or testing standards that apply to private operators.

The significance of the Mission for global operators lies not in its current binding effect but in its signalling function. The government has committed substantial public resources to building AI governance infrastructure and has explicitly stated that responsible AI is a component of national AI strategy. Publication of safety guidelines, evaluation frameworks, or mandatory testing requirements by the Safety Institute would be consistent with the Mission's stated objectives and should be anticipated on a two to three year horizon. Operators building AI governance programmes for India should design them to accommodate the probable direction of Mission outputs: risk-based evaluation, safety testing for high-stakes systems, and transparency in how AI outputs are generated and used.

Government AI procurement is already being shaped by Mission priorities. Public-private partnerships in AI deployment for agricultural advisory, public health monitoring, and financial inclusion are being structured around responsible AI principles. For operators seeking to participate in this market segment, alignment with Mission standards is effectively a qualification criterion.

MEITY and the advisory framework

The Ministry of Electronics and Information Technology has been the primary government body producing advisory guidance on AI governance for private sector operators. MEITY's advisory on responsible AI development, published in 2023, sets out principles for AI systems that the government expects operators to respect: safety, reliability, explainability, fairness, accountability, privacy, and security. These principles map closely to international frameworks including the OECD AI Principles and the NIST AI Risk Management Framework.

MEITY advisories are not binding on private operators in the same way that DPDPA provisions or RBI circulars are binding. They do not carry penalties for non-compliance. However, they represent the government's stated expectations and have influenced the approach of sector regulators who have developed their own AI guidance. For operators in sectors not directly covered by RBI, SEBI, or IRDAI guidance, MEITY advisories provide the closest available signal of what Indian authorities expect from AI deployment in practice.

MEITY has also been responsible for drafting the framework for AI governance that has been circulated for consultation within government. This draft framework, which has not been published in final form as of May 2026, is understood to propose a risk-tiered approach to AI regulation with different obligations applying at different risk levels. If finalised, this framework would represent the closest India has come to a comprehensive AI governance statute in the private sector context. Operators should monitor MEITY publications and consultations as indicators of the regulatory direction that is most likely to be formalised.

How India compares to the EU AI Act and other major jurisdictions

The EU AI Act, which entered into application from August 2024 with staggered timelines for different obligation categories, is the most comprehensive legislative framework for AI governance currently operative in any major jurisdiction. It applies a product-safety model to AI systems, distinguishing prohibited systems, high-risk systems, limited-risk systems, and minimal-risk systems. High-risk systems, defined in Annex III of the Act, are subject to mandatory conformity assessments, technical documentation requirements, registration obligations, and a penalty regime with extraterritorial application. The Act applies to AI systems placed on the EU market or whose outputs are used in the EU regardless of the provider's establishment. For a detailed analysis of what the EU AI Act requires of operators, see the EU AI Act operator obligations guide on agentliability.eu.

India's current framework is substantially less prescriptive than the EU model in every dimension. There is no Indian equivalent of the Annex III high-risk classification. There are no mandatory conformity assessment procedures for AI systems. There is no centralised registration requirement. The penalty regime that exists under the DPDPA applies to data protection violations rather than to AI-specific governance failures. The sector guidance from RBI, SEBI, and IRDAI addresses AI governance in those sectors but does not purport to be a comprehensive AI regulatory framework.

The United Kingdom's approach, through the AI Safety Institute and the government's published principles-based framework, is advisory at the national level and sector-based at the regulatory level, which is structurally similar to India's current position. The difference is that UK sector regulators, particularly the Financial Conduct Authority, have developed more detailed AI governance expectations than their Indian counterparts, and the UK AI Safety Institute has a more developed evaluation programme.

The United States federal position resembles India's in its reliance on sector regulation and voluntary frameworks in the absence of a comprehensive statute. The NIST AI Risk Management Framework provides a voluntary reference that has been widely adopted. For a detailed comparison of the US, EU, and UK approaches, see the US, EU, and UK comparison on this site. The Asia-Pacific AI governance landscape provides context for India within its regional environment.

The practical comparison for a global operator is the following. A compliance programme built for the EU AI Act will, in most respects, satisfy current Indian requirements and exceed them in technical documentation depth. However, EU AI Act compliance does not automatically satisfy sector-specific obligations under RBI, SEBI, or IRDAI guidance, which have specific requirements for Indian financial and insurance markets that reflect domestic regulatory priorities. An operator entering the Indian market should layer its analysis: EU AI Act compliance establishes a strong voluntary ceiling; Indian sector guidance establishes binding sector-specific floors that must be addressed independently.

What operators should do now

The absence of a comprehensive AI statute does not mean that India is a low-governance environment for AI deployment. The combination of DPDPA obligations, sector regulatory guidance, and the direction of government policy creates a substantive set of requirements that global operators must address. The following five steps represent the practical compliance priorities for operators deploying AI in India in 2026.

First, assess DPDPA applicability to your AI deployment. If your AI systems process personal data of Indian residents, the Act applies regardless of where you process that data. Identify whether your deployments engage the consent, purpose limitation, or accuracy obligations of the Act. If your processing volume or sensitivity profile is likely to result in designation as a Significant Data Fiduciary, begin preparing for the enhanced obligations that designation entails, including Data Protection Impact Assessments and algorithmic accountability mechanisms. The Central Government has not yet published the criteria or list for Significant Data Fiduciary designation, but operators who are large-scale processors of sensitive categories of data should assume they are within scope of future designations.

Second, identify which sector regulator governs your activities in India. For financial services operators, the relevant regulator is RBI for banking and credit activities and IRDAI for insurance. For capital markets activities, SEBI applies. Review the AI governance guidance published by your sector regulator and confirm that your AI systems meet the explainability, model risk management, audit trail, and bias monitoring requirements that the guidance establishes. Do not assume that compliance with equivalent sector guidance in your home jurisdiction satisfies Indian requirements: Indian sector guidance reflects domestic priorities and may impose requirements that differ from their UK, EU, or US equivalents.

Third, document your AI governance programme in a form that is legible to Indian regulatory expectations. The DPDPA's Data Protection Impact Assessment framework provides one template. MEITY's responsible AI principles provide another. The NIST AI Risk Management Framework, which has influenced both Indian government thinking and international standards, provides a structured basis for documenting risk identification, risk measurement, risk management, and governance. An operator that has documented its AI systems' purposes, inputs, decision logic at an appropriate level of abstraction, testing procedures, monitoring arrangements, and human oversight mechanisms is well positioned for regulatory review under any of the applicable Indian frameworks.

Fourth, monitor publications from the IndiaAI Mission, the India AI Safety Institute, and MEITY on an ongoing basis. The Mission's safety framework is in active development and may produce evaluation requirements or mandatory testing standards within the next two years. MEITY's draft AI governance framework, when finalised, could create new binding obligations across sectors. Staying current with these developments allows operators to anticipate requirements and build governance infrastructure proactively rather than reactively.

Fifth, consider the EU AI Act as a voluntary governance ceiling. Building your India AI governance programme to the standard required for EU high-risk system compliance means investing in technical documentation, conformity assessment processes, and monitoring infrastructure that exceeds current Indian requirements. This investment has two benefits. It positions the organisation credibly with Indian government procurement partners who expect international-standard governance. And it reduces the gap that must be closed when India's legislative framework inevitably moves toward more comprehensive and prescriptive AI regulation.

Frequently asked questions