Cybersecurity Enhancements in India’s Tech Sector: 2025 Global Disputes Forecast Implications
Introduction
The Indian technology industry, currently valued at USD 350 billion and set to contribute close to 10% of national GDP by 2030, is increasingly vulnerable to cybersecurity threats that can hinder its growth. In January, the Baker McKenzie Global Disputes Forecast 2025 identified cybersecurity and data privacy as the major litigation risk facing global enterprises, with 45% of the surveyed senior attorneys naming them as the top issues, ahead even of those related to artificial intelligence. Based on responses from more than 600 people around the globe, the report predicts a strong rise in inquiries and legal cases driven by the geopolitical crisis and growing technological dependence.
For India, these findings are particularly urgent. The country is rapidly adopting the Internet of Things (IoT) and is projected to have five billion interconnected devices by 2025, while new cybersecurity policies are being enacted that will require vulnerabilities to be reported. This paper discusses how the forecast applies to the Indian technology industry, with reference to IoT threats, increasing regulatory efforts, and a comparison with United States models. It also considers the trade-off between compliance costs for small and medium enterprises (SMEs) and the need to protect critical infrastructure.
Baker McKenzie Forecast: The India Vulnerability Landscape
According to the January 2025 Baker McKenzie report, cybersecurity is perceived as the biggest global risk, with an estimated 52% probability of investigation because of sophisticated threats such as ransomware and supply-chain attacks. This trend is reflected in the Indian technology industry, which registered over 1.8 million cyberattacks in 2024. These attacks focus particularly on IoT devices because of weaknesses in encryption and patching.
Recent changes to the Information Technology Act of 2000 and the CERT-In guidelines establish the need to disclose vulnerabilities in IoT systems, which is consistent with the forecast's focus on proactive risk mitigation. The updated Code of Practice on Securing Consumer IoT 2025 introduces responsible disclosure requirements that oblige manufacturers to fix vulnerabilities within specified timeframes to avert exploitation. These actions indicate a regulatory shift towards proactive, planned responses in an effort to contain data breaches, which currently cost Indian companies an average of INR 20 crore each. In addition to managing the direct threats, these efforts are also meant to make India more competitive globally and to create a platform on which further comparative and critical analysis can be done.
IoT Vulnerabilities, Comparative Regulatory Advantage, and SME-Critical Infrastructure Trade-offs
The IoT cyber laws proposed in 2025 prescribe disclosure of vulnerabilities under a framework that focuses on transparency and resilience. Silence increases risk, so the rules make disclosure to CERT-In and remediation plans mandatory, with notification within six hours of detection, as specified in the February 2025 advisory CIAD-2025-0007. That advisory concerns IoT devices connected to satellites, which are especially prone to remote attack.
These rules can be justified by India's experience: in 2024, attacks on IoT networks increased by a third, mainly because unpatched devices allowed larger attacks. The legislation promotes ethical hacking and vendor responsibility by requiring disclosure, which, besides being ethically sound, could mitigate the disputes anticipated in the Baker McKenzie forecast by preventing data loss before it turns into a lawsuit. The requirements, though challenging, increase confidence in the ecosystem. The regulations minimize the risk of cascading failures in interdependent systems by making sure that vulnerabilities are mitigated in a timely manner and in line with global standards.
A comparative analysis shows that India is better than the United States in regulatory design. India's centralized model contrasts with the fragmented US model, which rests on a patchwork of NIST frameworks, CISA regulations, and industry-specific legislation such as HIPAA. This fragmentation produces compliance silos and requirements that are inconsistent across states, making national-level coordination harder. By comparison, the amendments to the IT Act and the Digital Personal Data Protection Act (DPDPA) 2023, which will come into effect in India in 2025, provide a single model that combines breach notifications and vulnerability reporting and is controlled centrally by CERT-In.
This model enables faster incident reporting, six hours in India versus 72 hours under the US SEC for reporting material breaches, as well as faster sharing of threat intelligence. India's approach rests on structural efficiencies suited to its economic setting, in which the government acts as coordinator to minimize duplication in a multi-agency system. Comparative research indicates that this may limit the impact of breaches by 15-20%. The dependence on centralized state processes is, however, also a matter of concern in terms of resource constraints.
The cost of compliance for SMEs in relation to critical infrastructure protection is another problem. SMEs make up 90% of India's tech sector, and their compliance cost is disproportionately high. Up to 2025, SMEs have had to allocate INR 5-10 lakh per year to cybersecurity, which is over 5% of their income. These costs cover audits, tools, and training, and measures such as encryption and vulnerability testing are also necessary. Although essential for safeguarding critical infrastructure, including power grids and financial systems, the expenses weigh heavily on SMEs, which lack economies of scale.
The justification for such measures is their long-term benefit. In one example, cybersecurity compliance saves an average of USD 1.45 million per firm in breach costs. Nevertheless, the existing system tends to disregard the weaknesses of SMEs. Approximately 85% of SMEs outsource IT services, but only 40% of them properly vet their outsourcing providers. This creates supply-chain risk: in 2024, 15% of SMEs were breached via these channels. Critical infrastructure needs to be reinforced, but without subsidised structures the asymmetry in compliance costs will stifle SME innovation.
Conclusion
According to the Baker McKenzie 2025 forecast, cybersecurity is the greatest threat to international companies, and India's technology industry is no exception. Compulsory IoT reporting and central control give India comparative advantages over the disjointed US systems and put it in a better position to act faster and more consistently in response to threats. Nonetheless, the cost of compliance for SMEs is high, which is why balanced strategies are needed that protect critical infrastructure without limiting innovation.
India's way forward lies in pairing proactive vulnerability disclosure with equitable compliance mechanisms. Doing so would help enhance resilience, reduce disputes, and support sustainable development during a time of increasing risks across the globe.
Author: Durva Shinde. In case of any queries, please contact/write back to us at support@ipandlegalfilings.com or IP & Legal Filing.
References
- The Information Technology Act, 2000, No. 21 of 2000, India Code (2000), https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf.
- The Digital Personal Data Protection Act, 2023, No. 22 of 2023, India Code (2023), https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf.
- Indian Computer Emergency Response Team, Ministry of Elecs. & Info. Tech., Directions Under Sub-Section (6) of Section 70B of the Information Technology Act, 2000, No. 20(3)/2022-CERT-In (Apr. 28, 2022), https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf.
- Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, 88 Fed. Reg. 51,896 (July 26, 2023) (codified at 17 C.F.R. pts. 229, 232, 240, 249).
- Regulation S-P: Privacy of Consumer Financial Information, 89 Fed. Reg. 47,700 (May 31, 2024) (codified at 17 C.F.R. pt. 248).
- Ministry of Elecs. & Info. Tech., Gov’t of India, Estimation and Measurement of India’s Digital Economy (2024), https://www.pib.gov.in/PressReleaseIframePage.aspx?PRID=2097125.
- Nat’l Ass’n of Software & Servs. Cos., India’s Tech Industry: Strategic Review 2024 (2024).
- Verizon, 2024 Data Breach Investigations Report (2024), https://www.verizon.com/business/resources/reports/dbir/.
- Zscaler, Mobile, IoT, and OT Threat Report 2024 (2024), https://www.zscaler.com/resources/threat-reports/.
- India Brand Equity Found., Information Technology India (2025), https://www.ibef.org/industry/information-technology-india.