IT Act 2000
Section 25
Suspension of Licence
THE STATUTE
Original Text
(1) The Controller may, if he is satisfied after due inquiry as specified in sub-section (2) that a Certifying Authority has—
(a) made a statement in, or in relation to, the application for the issue or renewal of the licence, which is incorrect or false in material particulars;
(b) failed to comply with the terms and conditions subject to which the licence was granted;
(c) failed to maintain the standards specified under clause (b) of sub-section (2) of section 20;
(d) contravened any provisions of this Act, rule, regulation or order made thereunder,
revoke the licence granted to it:
Provided that the Controller may, instead of revoking a licence under this sub-section, suspend such licence for such period as he thinks fit, if he is of the opinion that the circumstances do not warrant revocation.
(2) No licence shall be revoked or suspended under sub-section (1), unless the Certifying Authority concerned has been given a reasonable opportunity of showing cause against the proposed revocation or suspension.
(3) Notwithstanding anything contained in sub-sections (1) and (2), if the Controller is of the opinion that it is necessary in public interest so to do, he may, by order, suspend the licence of a Certifying Authority with immediate effect, subject to the condition that the Controller shall, within a period of three days of such suspension, give an opportunity to such Certifying Authority of showing cause against the proposed suspension or revocation.
Simplified
Section 25 is the primary enforcement provision against licensed Certifying Authorities — it gives the Controller power to revoke or suspend a CA's licence where the CA has fallen short of its regulatory obligations. Four grounds for revocation are specified: material misrepresentation in the licence application, non-compliance with licence conditions, failure to maintain Controller-specified standards, and any contravention of the IT Act or delegated legislation. The Controller may choose suspension instead of outright revocation where circumstances do not warrant the more severe sanction — providing a proportionality principle in licence enforcement.
Section 25(2) provides the fundamental due process protection: no licence may be revoked or suspended without first giving the CA a reasonable opportunity to show cause. This applies the audi alteram partem principle at the licence enforcement stage.
However, Section 25(3) creates an important emergency exception: where the Controller considers it necessary in public interest, a licence may be suspended with immediate effect. The emergency suspension takes immediate force, but the Controller must within three days give the CA an opportunity to show cause — so the suspension is immediate but the hearing obligation is deferred, not eliminated. This emergency provision is critical for situations where a CA's operations pose an imminent risk to relying parties — for example, if evidence emerges that a CA is issuing fraudulent certificates or that its key generation systems have been compromised.
Legal Evolution
Section 25 was in the original IT Act 2000. The emergency suspension power in Section 25(3) reflects the systemic risk that a compromised CA creates: every certificate it has issued, and every signature made with those certificates, becomes suspect. Rapid suspension capability protects the broader PKI ecosystem from cascading trust failures.
Key Amendments
Unchanged since the original IT Act 2000.