Candour Legal – Best Lawyers in Ahmedabad | Law firm in Ahmedabad
The government is now weighing a dedicated legal framework for artificial intelligence built around graded, risk-based regulation, a marked shift from its earlier position that existing statutes were adequate to the task. Officials have told reporters that the proposed approach would classify AI systems by the risk they pose, impose minimal obligations on low-risk applications such as chatbots and productivity tools, and reserve stricter duties for high-risk uses in sectors such as banking, health and critical infrastructure. The move follows the November 2025 India AI Governance Guidelines and the February 2026 amendment to the IT Rules, and signals that Delhi’s light-touch stance on AI regulation is beginning to firm up into something closer to codified law.
MeitY’s India AI Governance Guidelines, released on 5 November 2025 under the IndiaAI Mission, set out seven guiding principles, among them trust, accountability and innovation over restraint, and recommended new institutional architecture: an AI Governance Group to coordinate policy across ministries, a Technology and Policy Expert Committee to advise it, and an AI Safety Institute to handle technical standards and testing. Central to the Guidelines was a graded liability approach, under which responsibility for AI-related harm would be apportioned between developers, deployers and users according to their degree of control over the system, rather than falling automatically on any single party.
At the time, the Guidelines were explicitly framed as non-binding. The government’s stated position, articulated by IT Secretary S. Krishnan, was that most foreseeable harms from AI could be addressed through existing law, including the Information Technology Act, 2000, the Bharatiya Nyaya Sanhita, 2023, the Digital Personal Data Protection Act, 2023, and consumer protection legislation, without a standalone statute.
That position found partial expression in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026, notified by MeitY on 10 February 2026 through Gazette Notification G.S.R. 120(E) and in force from 20 February 2026. The amendment brought synthetically generated information, covering AI-generated text, images, audio and video, within the due diligence obligations that social media platforms and other intermediaries already owe under the 2021 IT Rules, principally around labelling and disclosure of AI-generated content. It was, in substance, an extension of the existing intermediary framework rather than a bespoke AI statute.
The proposals now under discussion go further. According to officials cited in recent reporting, the government is considering classifying AI systems into risk tiers, with low-risk categories such as chatbots, productivity tools and recommendation systems facing minimal regulation, and high-risk applications in banking, health and critical infrastructure subject to tighter obligations. Also under consideration is a mandate requiring that dangerous AI systems be capable of being disabled, along with obligations to disclose technical information to authorities during security incidents. A related proposal would build an India-specific risk assessment framework for AI and a national database to track AI-related security incidents.
Perhaps the most consequential proposal is to amend the IT Act’s definition of “intermediary” itself. The current definition, built around search engines, telecom service providers and cyber cafes, sits uneasily with generative AI systems that produce content autonomously or in response to user prompts and continue to refine their outputs through ongoing learning. Extending or recasting this definition would determine whether, and how, AI developers and deployers inherit the safe-harbour protections and due diligence duties that currently attach to conventional intermediaries.
For technology lawyers, the central question is no longer whether AI will be regulated in India but how quickly the intermediary framework will be recast to fit it. Companies deploying generative AI tools, particularly in customer-facing applications, should expect a compliance regime resembling the existing IT Rules due diligence structure, extended to cover risk classification, incident reporting and possibly a kill-switch obligation for higher-risk deployments.
The proposed framework does not operate in isolation. The Reserve Bank of India has separately proposed draft guidelines requiring regulated entities to put in place a board-approved model risk management framework covering AI and machine-learning models, with periodic validation, tolerance limits and mandatory reporting of high-risk deployments to the board’s risk management committee. Banks and NBFCs already grappling with the RBI’s sector-specific AI risk proposals will need to track how any horizontal, IT Act-based classification interacts with these vertical, sector-specific obligations, an overlap that compliance teams in banking and finance will need to map carefully once both frameworks take clearer shape.
Any risk-based AI framework will also intersect with the Digital Personal Data Protection Act, 2023. AI systems that process personal data to generate outputs already attract obligations under the DPDP Act independent of any AI-specific law; a graded regulatory regime would layer AI-specific risk classification on top of existing data fiduciary obligations, requiring privacy and cyber law practitioners to advise on both regimes in tandem rather than treating them as separate compliance tracks.
India’s shift toward risk tiering echoes, in concept, the structure of the European Union’s Artificial Intelligence Act, which sorts AI systems into unacceptable, high, limited and minimal risk categories with correspondingly graduated obligations. The comparison should not be overstated: India’s proposals, as reported, remain anchored in amending the existing IT Act framework rather than enacting a freestanding AI code, and officials have not confirmed whether a separate statute or a further round of rules under the IT Act is the preferred route. The direction of travel, however, is unmistakably toward more structured, tiered regulation than the guidelines-only approach adopted in November 2025.
Nothing here is settled. The proposals remain at the discussion stage, and officials have not indicated a timeline for introducing a bill or notifying further rules. Practitioners should watch for a formal consultation paper or draft bill, which would clarify whether India opts for a standalone AI statute, a further amendment to the IT Act, or a combination of both. Until then, the November 2025 Guidelines and the February 2026 intermediary amendment remain the operative reference points for advising clients on AI compliance in India.
Is India planning a new, standalone law for artificial intelligence?
The government is considering it, but no bill has been introduced or finalised. Officials have indicated that a new law, or an amendment to the Information Technology Act, 2000, may adopt graded, risk-based regulation, but this remains at the proposal stage as of July 2026.
What is the graded, risk-based approach to AI regulation reportedly under consideration?
It would classify AI systems by the level of risk they pose, with light-touch treatment for low-risk uses such as chatbots and productivity tools, and stricter obligations, potentially including mandatory disable capability and incident disclosure, for high-risk uses in sectors such as banking, health and critical infrastructure.
Will the definition of “intermediary” under the IT Act change because of AI?
A recommendation under consideration is to amend the IT Act’s intermediary definition to address AI systems that generate content autonomously or through continuous learning, since the current definition was drafted with search engines and telecom providers in mind, not generative AI.
What are the India AI Governance Guidelines, 2025?
Released by MeitY on 5 November 2025 under the IndiaAI Mission, these are non-binding guidelines built around seven principles and a graded liability approach that apportions responsibility for AI-related harm among developers, deployers and users based on their control over the system.
How does India’s approach compare with the EU AI Act?
Both adopt risk-tiered classification, but India’s proposals, as currently reported, work within the existing IT Act framework rather than creating a standalone AI code of the EU’s scale, and remain unconfirmed pending a formal bill or consultation paper.
BEFORE YOU GO
Tell us what's going on and a Candour Legal advocate will call you back — no charge, no obligation.
Schedule my free assessment Call now