IT Act 2000
Section 89
Power of Controller to Make Regulations
THE STATUTE
Original Text
(1) The Controller may, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, by notification in the Official Gazette, make regulations consistent with this Act and the rules made thereunder to carry out the purposes of this Act.
(2) In particular, and without prejudice to the generality of the foregoing power, such regulations may provide for all or any of the following matters, namely:—
(a) the particulars relating to maintenance of data base containing the disclosure record of every Certifying Authority under clause (n) of section 18;
(b) the conditions and restrictions subject to which the Controller may recognise any Foreign Certifying Authority under sub-section (1) of section 19;
(c) the terms and conditions subject to which a licence may be granted under clause (c) of sub-section (3) of section 22;
(d) other standards to be observed by the Certifying Authorities;
(e) the manner in which the Certifying Authority shall conduct its dealings with the subscribers;
(f) the form and manner in which applications may be made and the fee to be paid for obtaining recognition of foreign Certifying Authorities;
(g) the requirements for the issue of a Electronic Signature Certificate;
(h) the form and manner in which the Certifying Authority shall publish information; and
(i) such other matters which are required to be specified by regulations.
Simplified
Section 89 confers on the Controller of Certifying Authorities the power to make regulations — the third tier of subordinate legislation under the IT Act (below the Act itself and the Central Government's rules under Section 87). Section 89 regulations are specific to the CA ecosystem: they govern the detailed operational requirements for Certifying Authorities that are too granular or technical for the principal Act or the broader rules to specify. The process requires Advisory Committee consultation and Central Government approval before publication — ensuring oversight of the Controller's regulatory power.

The subjects of regulation under Section 89(2) include: the public CA database under Section 18(n); conditions for recognising foreign CAs under Section 19; licence terms and conditions under Section 22; technical and operational standards for CAs; subscriber dealing requirements; foreign CA recognition application procedures; Electronic Signature Certificate issuance requirements; and CA information publication requirements.

Regulations made under Section 89 include the Information Technology (Certifying Authority) Regulations 2001, which specify the detailed technical, audit, and operational requirements for CA licensing — including the key generation ceremony procedures, HSM requirements, physical security standards, and audit cycle requirements. These regulations are the most technically detailed element of India's PKI legal framework and are the primary compliance reference for licensed CAs.
Common Queries
The Controller of Certifying Authorities can make regulations on technical standards for digital signatures, the manner of issuing DSCs, security procedures for CAs, and other matters within the Controller's jurisdiction under the IT Act.
Legal Evolution
Section 89 was in the original IT Act 2000. The three-tier regulatory structure (Act → Rules → Regulations) allows the most technical CA-specific requirements to be set at the regulatory level, where they can be updated more flexibly than primary legislation while still requiring Central Government approval.
Key Amendments
Amended by IT (Amendment) Act 2008: 'Digital Signature Certificate' replaced by 'Electronic Signature Certificate'.