Resiliency Of Cyber Laws And Challenges

Vasundhara Soni

7/3/2025, 7 min read

ABSTRACT:

Cyber resiliency, particularly as practised by SaaS companies, is a set of guidelines designed to improve an organization’s ability to continuously deliver its intended business outcomes despite adverse cyber events. Such events include a breach (unauthorized access to a computer system or network that compromises data and security), an insider threat, a ransomware attack (a cyberattack in which attackers encrypt data and demand a ransom, i.e. a payment), or other disruptive events. Because cyber resiliency brings together cybersecurity built on Zero Trust principles, business continuity, cyber recovery, and organizational resilience strategies, SaaS companies must handle such events not only technically but also legally, and must work to prevent them from recurring. In India, several legislations govern these events under various authorities, such as the IT Act 2000, the DPDP Act 2023, the National Cyber Security Policy (NCSP) 2013, and sector-specific guidelines. A company serving international clients must also comply with international standards and regulations. Despite India’s evolving digital economy and its push for startup innovation, current cyber laws remain reactive and outdated on matters that require careful consideration of SaaS businesses. Bridging these remedial gaps through targeted legislation, better enforcement of the law, and harmonization with international standards is essential if SaaS companies are to operate securely and confidently in the Indian market and grow while safeguarding themselves for the future.

SCOPE OF LAW IN CYBER RESILIENCY:

As digitalization accelerates in sectors like finance, healthcare, education, and governance, the legal framework of cyber resiliency plays a foundational role in defining protections, responsibilities, and enforcement mechanisms aimed at securing cyberspace. While still evolving, Indian cyber laws and policies provide the groundwork for a resilient digital ecosystem, including:

1) Information Technology Act, 2000 (IT Act): This act is the core legal framework governing e-commerce, cybercrime, and digital security. It gives legal recognition to electronic records and digital signatures, and contains penal provisions for hacking, data breaches, identity theft, and cyber terrorism, as well as liability for negligence in protecting sensitive personal data.

2) Digital Personal Data Protection Act, 2023 (DPDP Act): The DPDP Act is India’s first dedicated data protection law, enacted to regulate personal data processing by both government and private entities. It imposes data fiduciary obligations, requiring organizations to adopt "reasonable security safeguards", and mandates breach notification to the Data Protection Board and to affected individuals.

3) National Cyber Security Policy: NCSP 2013 is a key document outlining India’s approach to strengthening its cyber ecosystem. While it is a policy rather than a law, it plays a foundational role in shaping the core legal and strategic framework for cybersecurity in India. This policy aims to create a secure and resilient cyberspace for citizens, businesses, and government.

4) Sector-Specific Legal Regulations: Different authorities impose their own mandates. The RBI mandates cyber risk management for banks and NBFCs, including board oversight and incident reporting; IRDAI guidelines (insurance) require insurers to establish cyber crisis management plans and audit their digital infrastructure; in healthcare, initiatives are underway to develop cybersecurity norms for e-health systems. Such tailored controls in sensitive sectors aim to prevent systemic risks and build sectoral resiliency.

5) Other major issues: Contractual, licensing and usage restrictions, IP and related matters are dealt with under the already existing laws of India.

GAPS WITHIN CYBER LAWS AND ITS COMPLIANCE:

While cyber laws provide a basic legal framework for digital operations, there are significant remedial gaps when it comes to addressing the unique needs and risks faced by SaaS companies. These gaps create uncertainty and expose SaaS providers to potential legal and operational vulnerabilities.

1) The pace of technological change often outstrips the development of legal frameworks. By the time laws are established, new technologies and cyber threats have emerged, making it challenging to protect against them.

2) The balance between privacy and security impacts legal outcomes: increased government surveillance can infringe on privacy, while inadequate security increases vulnerability to cyberattacks.

3) Software-as-a-service companies are not recognized as a distinct entity or operational model. There are no tailored safeguards or obligations specific to multi-tenant cloud services, API-driven architectures, or continuous deployment models. This absence of SaaS-specific legal provisions creates challenges for SaaS companies.

4) Because there are no cyber resilience standards, there is no mandated legal framework for incident response, redundancy, threat monitoring, or BCP (Business Continuity Planning) for SaaS firms. The guidelines from CERT-In (Computer Emergency Response Team - India) are recommendatory, not enforceable in practice. This also creates a gap between compliance and the smooth, hassle-free functioning of SaaS bodies, which indirectly disrupts socio-economic factors.

5) Indian cyber laws are punitive rather than preventative, and hence largely punishment-focused (e.g., on data theft, hacking, identity fraud). They rarely address resilience-based remedies such as recovery obligations or service continuity.

6) Cyberattacks often originate outside India or involve cloud infrastructure hosted abroad, yet Indian laws have limited jurisdictional power over foreign servers, global SaaS tools, and cross-border data transfers. Tech industries have faced these jurisdictional and enforcement challenges for a very long time.

7) Indian law does not impose binding obligations on private SaaS providers or on other firms with the same purposes in tech; therefore, most companies are self-regulated in cybersecurity, with no statutory duty to ensure resilience for end-users.

8) Indian laws do not reflect global best practices like the NIST Cybersecurity Framework (USA) and the EU Cybersecurity Act. This isolates India’s cyber law from modern standards of cyber resilience because India is not a signatory to global treaties like the Budapest Convention on Cybercrime. This is one of the main reasons why cyber laws in India remain outdated and disconnected from how cyber threats are managed globally.

9) Lawmakers often lack technical understanding of cyber issues in high-risk areas such as denial-of-service risks, real-time intrusion detection, and API exploitation in SaaS. This results in vague laws: if the lawmaker does not understand the basics of the underlying problem, the law cannot deliver the justice it is intended to provide. Laws therefore often fail to address what legislators do not understand, leaving legal silence in high-risk areas.

Hence, outdated laws, the lack of sector-specific rules, the absence of binding guidelines for preventive measures, punishment-focused laws that do not cover all high-risk areas, jurisdictional limits, weak alignment with international laws and regulations, and low cyber literacy together make it even more challenging to grow in such surroundings.

BRIDGING OF GAPS:

Many shortcomings can be observed in Indian cyber laws that create backlogs in the statutory compliance of tech service providers with respect to cyber resiliency. These can be remedied if insightful changes are made to the law, focusing on issues in the cyber field that are little discussed in current provisions yet have a big practical impact.

1) Legislative Reform: Enacting a new comprehensive cybersecurity law could have a very large impact on both companies and court cases. Mandatory minimum resilience standards are a basic requirement and need substantive legal backing. Defining every important cyber concept, such as SaaS, APIs, and cloud services, none of which is defined in currently enforced laws, and giving each pivotal consideration in a new comprehensive law would be a great step towards hassle-free legal compliance for firms.

2) Legally requiring organizations (especially digital and tech companies such as SaaS, cloud, and FinTech firms) to be prepared for, withstand, recover from, and continue operations during and after cyberattacks or IT disruptions. Most current laws in India (like the IT Act, 2000) focus only on security and data protection (e.g., preventing hacking and data breaches), but they do not ensure resilience: How fast must a company restore services after a ransomware attack? What if the cloud service provider collapses? What should be the legally enforceable uptime guarantee for SaaS platforms? Cyber resilience fills this gap.

3) Transform CERT-In advisories into legally binding rules, especially breach reporting timelines (e.g., within 6 hours), log retention, and monitoring obligations. Strengthening CERT-In and making its guidelines enforceable will play a crucial role in the resiliency of laws.

4) Sector-specific cyber resilience regulations should be introduced for industries such as fintech, healthtech, e-governance, and other important tech industries.

5) Encouraging collaboration between legal bodies (MeitY, NCIIPC), the tech industry (SaaS startups, cloud firms), and cybersecurity professionals (CERTs, SOCs) to build joint responsive legal frameworks and share real-time threat intelligence will enable public-private cyber resilience partnerships, which may align lawmaking with real-world tech expertise and operational needs.

6) Forming an independent regulatory body with powers to audit SaaS providers’ resilience readiness, penalize resilience failures, issue cyber-readiness ratings, and mandate periodic cyber drills and threat simulations would support better and more dedicated functioning of firms.

7) Aligning India's legal, regulatory, and policy mechanisms with international standards, norms, and best practices in cybersecurity and cyber resilience would bring legal interoperability with other countries, stronger protection for SaaS and digital platforms, and greater global trust in India’s digital infrastructure.

8) Eliminating legal ambiguity in cloud-based resilience failures. Current cyber laws offer limited clarity on how responsibilities are divided between cloud service providers, SaaS providers, and end users. Without legal clarity, shared responsibility becomes a shared loophole. Modern laws must therefore formalize this model to ensure that SaaS and cloud providers collaborate on resilience and protect user data through well-defined legal frameworks.

9) Introducing cyber resilience disclosures for SaaS firms to improve transparency, trust, and legal recourse for consumers. Just as with financial disclosures, SaaS providers should be legally required to publish cyber resilience policies and disclose past incidents, along with offering compensation frameworks post-breach.

CONCLUSION:

As of 2023, India is home to more than one thousand SaaS companies, over 150 of which have annual revenues of more than US$ 1 million. According to reports shared by IBEF, revenue from India’s SaaS market is expected to grow from US$ 7.18 billion in 2023 to US$ 62.93 billion by 2032. These figures cover SaaS firms only; total IT revenue is 245 billion, and the wider tech industry comprises over 170,000 IT companies as per the previous year's records. The prospects of SaaS and other tech firms in India appear attractive, and suitably adapted laws will help the sector expand to new heights. The impact of globally recognized and comprehensive cyber laws will not only secure the legal realm but also boost the growth of the country.
