IT Act 2000

Section 17

Appointment of Controller and other Officers

THE STATUTE

Original Text

(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers and Assistant Controllers as it deems fit.

(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government.

(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.

(4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers shall be such as may be prescribed by the Central Government.

(5) There shall be a seal of the Office of the Controller.

Simplified

Section 17 creates the apex regulatory authority for India's digital signature and Public Key Infrastructure (PKI) ecosystem. The Controller of Certifying Authorities (CCA), operating under MeitY, sits at the top of India's PKI trust hierarchy. The CCA's Root Certificate is the cryptographic trust anchor of the entire system: every digital signature certificate issued by any licensed Certifying Authority in India chains back to the CCA Root. Without this root of trust, individual CA certificates would have no common verifiable basis. The CCA's core functions under Sections 17–20 include: licensing Certifying Authorities under Section 21; exercising supervisory functions under Section 18; recognising foreign CAs under Section 19; and investigating contraventions under Section 28. Currently licensed CAs in India include eMudhra, Sify Technologies, NSDL e-Governance Infrastructure, (n)Code Solutions (GNFC), CDAC, and IDRBT. The seal of the Controller's office (Section 17(5)) gives the CCA's official acts and documents legal formality. Deputy Controllers and Assistant Controllers handle day-to-day regulatory functions under the Controller's supervision.

Legal Evolution

The CCA was established in 2000 under the Department of Information Technology (now MeitY). India was among the first Asian countries to establish a statutory PKI regulator. The CCA now also oversees eSign service providers and Aadhaar-based authentication infrastructure, significantly expanding its remit beyond the original 2000 framework.

Key Amendments

Core appointment framework unchanged since 2000.

CCA's effective jurisdiction expanded by MeitY to cover eSign and Aadhaar authentication providers.