Critical Infrastructure Protection in India is primarily addressed through the concept of Critical Information Infrastructure (CII), which is a legal concept defined in the Information Technology Act, 2000. CII is defined as a "computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety". The concept originated from the need to mitigate the potentially debilitating impacts of cyber threats on vital sectors, with global incidents like the 2010 Stuxnet attack highlighting the risk to industrial control systems.
The institutional mechanism for this protection is the National Critical Information Infrastructure Protection Centre (NCIIPC), a specialized governmental security agency. The NCIIPC was formally set up through a gazette notification on January 16, 2014, under Section 70A(1) of the Information Technology (Amendment) Act, 2008. Operating as a unit of the National Technical Research Organisation (NTRO) under the Prime Minister's Office (PMO), the NCIIPC is the national nodal agency for coordinating all protection measures.
The mechanism works by empowering the Central Government, under Section 70 of the IT Act, 2000, to declare any computer resource a "protected system". The NCIIPC identifies critical sectors, including Power & Energy, Telecom, and Banking/Financial Services & Insurance. Any person who attempts to secure unauthorized access to a protected system can face imprisonment for up to ten years. The NCIIPC collaborates with related institutions like the Indian Computer Emergency Response Team (CERT-In) and the National Cyber Coordination Centre (NCCC). Recently, the Ministry of Electronics and IT (MeitY) has declared the IT resources of specific entities, such as ICICI Bank and HDFC Bank, as CII. Furthermore, in 2023, the government was finalizing the first-of-its-kind National Cybersecurity Reference Framework to guide critical infrastructure sectors.