IT Act 2000AMENDED 2008

Section 70A

National Nodal Agency

THE STATUTE

Original Text

(1) The Central Government may, by notification in the Official Gazette, designate any organisation of the Government as the national nodal agency in respect of Critical Information Infrastructure Protection. (2) The national nodal agency designated under sub-section (1) shall be responsible for all measures including Research and Development relating to protection of Critical Information Infrastructure. (3) The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.

Simplified

Section 70A is the statutory foundation for the National Critical Information Infrastructure Protection Centre (NCIIPC), which was established in 2014 under the National Technical Research Organisation (NTRO) and operates under the Prime Minister's Office. NCIIPC is India's designated national nodal agency under Section 70A and is responsible for all aspects of protecting Critical Information Infrastructure — defined as computer resources whose incapacitation or destruction would have a debilitating impact on national security, economy, public health, or safety. NCIIPC's core functions include: identifying and notifying CII sectors (currently: power and energy, banking and finance, telecom, transport, government, and strategic/public enterprises); issuing sector-specific cybersecurity guidelines; coordinating with sectoral regulators (RBI, SEBI, TRAI, CEA); receiving and analysing threat intelligence; and supporting incident response for CII operators. Section 70A(2) notably gives NCIIPC a research and development mandate in addition to its regulatory role — reflecting the legislature's view that CII protection requires continuous innovation, not just compliance. The 'manner of performing functions' delegation in Section 70A(3) has been exercised through NCIIPC's published guidelines, which are not statutory rules but carry significant regulatory weight as the nodal agency's formal guidance.

Common Queries

NCIIPC (National Critical Information Infrastructure Protection Centre) is India's designated national nodal agency under Section 70A, established in 2014 under NTRO. It identifies CII sectors, issues cybersecurity guidelines, coordinates threat intelligence, and supports incident response for critical infrastructure.

NCIIPC has identified six CII sectors: power and energy, banking and finance, telecom, transport, government, and strategic and public enterprises. Each sector has a designated sectoral CERT.

NCIIPC's guidelines are not statutory rules under the IT Act but carry significant regulatory weight as the nodal agency's formal guidance. Non-compliance with specific directions issued under Section 70 can attract criminal liability.

Legal Evolution

Section 70A was inserted by the IT (Amendment) Act 2008. The original IT Act 2000 had Section 70 protecting specific computer resources but no institutional framework for systematic CII protection. The 2008 Amendment created the three-provision architecture: Section 70 (protected systems), Section 70A (nodal agency), and Section 70B (CERT-In) — mirroring the US model of CISA, US-CERT, and sector-specific protections.

Key Amendments

Inserted by IT (Amendment) Act 2008 — no equivalent in original IT Act 2000.

NCIIPC formally established in 2014 under NTRO as the designated nodal agency.

NCIIPC guidelines are the primary regulatory instrument for CII sector cybersecurity standards.

Cyber Protocol Info

Section Type: AMENDED

OffenceN/A (Institutional provision — establishes nodal agency for CII protection)

CognizableN/A

Trial AuthorityN/A

Cross-References

70 : Protected System 70B : Indian Computer Emergency Response Team 69B : Power to Monitor Traffic Data for Cyber Security