CLAT 2027 cohort — enrolment closes soonJudiciary Foundation now enrollingSummer litigation internship — apply by 5 JulyCorporate & transactional internship — 8 seatsLegal Drafting Intensive — 4 weeks, small cohort
Izel.Legal
← All articles
Practice9 min read

Cybersecurity Clauses in Commercial Contracts: An Emerging Legal Imperative In India

Cybersecurity clauses have evolved from optional boilerplate provisions into critical risk- mitigation tools.

SD
Srijopriyo Das
Intern-June 2026 ·

INTRODUCTION

With the digital revolution, the digital economy is valued at over $1 trillion by 2025, and commercial contracts are the backbone of business transactions1. Due to this, it has transformed the business landscape and made organisations rely on e-contracts, cloud computing and third- party vendors not just to increase operations but also to grow more2. Unfortunately, the interconnectedness of the business has led to escalating cyberattacks like the 2024 ransomware hit on CoWIN or breaches in MegaCorp Bank. This shows that India needs to introduce necessary cybersecurity clauses in business transactions3.

Cybersecurity clauses have evolved from optional boilerplate provisions into critical risk- mitigation tools." - Vaishnobi Kumari4

Cybersecurity is taking shape in the contractual clauses in the modern world, and India is adapting, whether it's through the DPDP Act5 or the IT Rules6. Delhi High Court in the case of Amazom .com NV Investment Holdings LLC v. Future Retail Ltd7 emphasised the contractual intent in digital services, and ignoring cybersecurity risks invites liability.

EVOLUTION OF CYBER SECURITY THREATS

In recent decades, cyber threats have transformed from just isolated hacks to well-organised hacks sometimes sponsored by states. “Society and warfare have evolved from horses against metal to metal against the matrix8. During the early 2000s, India’s IT Act targeted basic e- commerce frauds, but by 2010, phishing and DDoS attacks surged, and by 2013, the case of the Nestle breach, which leaked millions of customer data9.

Post 2016, after demonetization and the rise of digital payments like UPI10, new cybersecurity threats were introduced, like the 2018 Cosmos Bank ATM heist, which was successful, and hackers were able to steal $13.5 million11. Moreover, during the pandemic, we saw a rise in remote work, leading to a 300% rise in fileless malware attacks, ransomware expansion and breaches in the digital supply chain12. In 2025, an AIIMS Delhi cyberattack disrupted healthcare, and India witnessed the evolution of ransomware into double extortion13.

REASONS WHY CYBER SECURITY CLAUSES SHOULD BE INCLUDED IN COMMERCIAL CONTRACTS

Cybersecurity is a major issue in the contemporary digital economy that goes beyond the technological domain, making it both a business and a legal issue. Implementing it is now essential to deal with the rise of various cybersecurity threats, as clause bridges a gap between patchwork regulation and enforceability14 .Without clauses, Section 43A15 offers vague compensation for negligent handling of sensitive data, as these clauses allocate the liability. Moreover, the enforcement of such clauses has complied with the DPDP Act's16 consent and digital minimisation under Section 6(1) mandates, shielding parties from heavy fines. International framework like the General Data Protection Regulation17 of the European Union or the California Consumer Privacy Act18 of the United States creates regulatory pressure in India to align clauses for cross-border deals, and it's vital for India’s $200 billion IT exports.

The court has upheld such clauses, as in the Swastik Gases Pvt. Ltd v. Indian Oil Corp. Ltd. 19 The Supreme Court stressed the need for specific performances in tech contracts. Investors, partners, regulators and customers view cybersecurity as a tool of credibility that requires commitment of the company to cybersecurity. NASSCOM surveys show 68% of Indian firms prioritise vendors with robust cyber terms. And excluding risks business continuity a PwC study found 40% of Indian breaches stemmed from vendor lapses.20

REGULATORY IMPACT OF CYBERSECURITY CLAUSES ON COMMERCIAL CONTRACTS

In India, the issue of cybersecurity threats has become crucial in incorporating related provisions in commercial contracts with evolving legal obligations rather than purely technical considerations. Software-as-a-Service, cloud services, supply chain, vendor contracts, mergers, acquirers, joint ventures and E-Commerce platforms have been highly affected21.With the growing prominence of cloud computing, cloud services agreements such as Software-as-a-Service(SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) are particularly impacted because of their role in data fiduciaries under India’s data protection framework22. After the enactment of the Digital Personal Data Protection Act23 ,commercial contracts in these sectors often require service providers to adopt “reasonable security safeguards” and permit audits as per applicable rules and law24 .Cyber security clauses are drafted in line with statutory duties imposed on the service provider to prevent unauthorised access or data misuse in government-facing or public sector contracts25. Supply chain and vendor contracts have also taken legal significance in India. Courts have recognised that data breaches often happen through third-party vendors, making it essential to have contractual accountability. Due to this, Indian commercial contracts do not include an obligation for prompt breach, notification, cooperation with investigations and identification of regulatory penalties. These clauses show the growing legal expectation that principal entities must oversee and control the vendors handling sensitive data26. In mergers, acquisitions, and joint ventures, cybersecurity has emerged as a legal due diligence issue rather than a purely operational concern. Transactional practices in India now routinely examine historical data breaches, compliance with data localisation norms, and exposure to regulatory penalties27. Under the Indian data protection and information technology laws, parties can be protected from future liabilities with the help of cybersecurity representation, warranties and post-transaction covenants28.E-commerce platforms, payment intermediaries, healthcare entities, and fintech companies are subject to statutory oversight. Regulatory frameworks governing payments, health facts and consumer protection are incorporated within these commercial contracts29. With the help of contractual remedies, the following data breaches show that cybersecurity clauses now function as enforceable legal obligations.

ELEVATING DATA PROTECTION AND SECURITY CLAUSES

The best practices in drafting cybersecurity clauses in India focus on the flexibility of the law and regulatory alignment. Modifying the contractual requirements according to the specifics of the transaction and the sensitivity of the data is one of the fundamental principles30. There are more stringent statutory requirements in contracts that deal with financial, health, or consumer data, and heightened protection is necessary31 .The other prudent method, as per the law, is technology-neutral drafting. Indian courts would be more inclined to implement those clauses that should comply with what is deemed as reasonable security practices, as opposed to those that specify strict technical requirements that can be outdated32. This strategy enables contracts to be up to date even with the changes in regulatory standards.It is also important to have a balanced drafting. Provisions that place burdens on the parties in an equitable manner and have well-organised mechanisms of escalation have fewer chances of being found unconscionable or commercially unreasonable33. The Indian entities also tend to use industry-standard templates, most of which are starting points, and make adjustments to statutory and sector-specific requirements34.Periodic review and amendment clauses are becoming common in order to make sure that contracts are in line with regulatory developments. The implementation of a correlation between cybersecurity requirements and insurance coverage also enhances the protection of risks and proves commercial wisdom35.

CONCLUSIONS AND SUGGESTIONS

In Indian legal terms, cybersecurity provisions have been invaluable resources to address statutory risk, contractual liability, and regulatory compliance. They also capture the evolution of the reactive dispute settlement to preventive law regulation in business dealings. Policymakers can also look to launching model contractual terms in the data-heavy industries so as to enhance their effectiveness36 .This can be done by involving a standard, pre-approved template for specialised sectors like the FinTech, HealthTech and E-Commerce, where regulators can establish a uniform cybersecurity baseline, bypassing complex legal frameworks like the DPDP Act3738 .Lawyers should acquire a specialised knowledge in computer-related laws and contract writing. An increased correspondence between the statutory duties and contractual penalties will increase legal security. Legal researchers suggests that this can be achieved by replacing vague security definitions with internationally recognised benchmarks like ISO/IEC 27001 which will give courts an objective measure of negligence39. Furthermore, this paper emphasises hardcoding strict statutory breach notification timelines and unlimited liability carve-outs into agreements to ensure third-party vendors are held financially accountable for regulatory fines. Finally, it is necessary to note that the cybersecurity provisions are not only technical protection but also legally binding tools that secure business relations within the rapidly changing Indian digital economy. The companies that take the initiative to incorporate legally sound cybersecurity measures will be in a better position to fight regulatory reviews and litigation40.


1 Ministry of Electronics and Information Technology, India Digital Economy Report (2023).

2 NASSCOM, Technology Contracts and Digital Commerce in India (2024).

3 CERT-In, Annual Cyber Security Report (2024).

4 Vaishnobi Kumari, "Cyber Security Clauses in Commercial Contracts: A Growing Necessity," Journal of Legal Research and Juridical Sciences (2026).

5 Digital Personal Data Protection Act 2023, s4

6 Information Technology Act 2000 ss 43A, 72A.

7 Amazon.com NV Investment Holdings LLC v Future Retail Ltd (2021) SCC OnLine Del 3773.

8 Nicholas Sciarrone, 'Cyber Warfare: The New Front' (George W Bush Presidential Centre 20 November 2022)

9 CERT-In Advisories (2010–2015).

10 Reserve Bank of India, Cyber Security Framework for Banks (2016).

11 Brian Krebs, 'Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning' (Krebs on Security, 17

August 2018)12 Interpol, Global Cybercrime Report (2021).

13 Ministry of Health and Family Welfare, Cyber Incident Briefs (2023–24).

14 OECD, Digital Security Risk Management (2019).

15 Information Technology Act 2000 s 43A.

16 Supra 5.

17 Regulation (EU) 2016/679 (GDPR)

18 California Consumer Privacy Act 2018.

19 Swastik Gases Pvt Ltd v Indian Oil Corp Ltd (2013) 9 SCC 32.

20 PwC, India Cyber Risk Survey (2024).21 NASSCOM, Cybersecurity and Commercial Contracts in India (2024)

22 Supra 5.

23 Ibid.

24 MeitY, Draft Digital Personal Data Protection Rules (2024).

25 Supra 6.

26 CERT-In, Directions Relating to Information Security Practices (2022).

27 SEBI, Guidelines on Due Diligence in M&A Transactions (2023).

28 DPDP Act 2023; IT Act 2000.

29 Reserve Bank of India, Cyber Security Framework for Payment Systems (2021).30 RBI and MeitY Sectoral Cybersecurity Guidelines.

31 RBI, Cyber Security Framework for Banks (2016).

32 Central Inland Water Transport Corp v Brojo Nath (1986) 3 SCC 156 (SC).

33 Ibid.

34 NASSCOM, Model Technology Contract Clauses (2024).

35 Insurance Regulatory and Development Authority of India, Cyber Insurance Guidelines.36 DPIIT, Model Contractual Framework for Digital Economy (Policy Note).

37 Ibid.

38 Supra 5.

39 Ministry of Electronics and Information Technology, Guidelines for Cyber Security Clauses in Commercial Contracts (Policy Note).

40 Supreme Court of India, Commercial Contract Jurisprudence.

SD
Written by
Srijopriyo Das
Intern-June 2026
Keep reading

More field notes.

Next step

Book a free discovery call.

30 minutes with a senior advocate to scope your matter or your course. We'll tell you honestly whether we can help — and what the right engagement would look like.

Or send us a message →

Next CLAT cohort starts 20 July
Internship applications close 5 July