BACK TO IT ACT
IT Act 2000AMENDED 2008

Section 70

Protected System

THE STATUTE

Original Text

(1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system. (2) The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems notified under sub-section (1). (3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine. (4) The Central Government shall prescribe the information security practices and procedures for such protected systems.

Simplified

Section 70 is India's critical infrastructure protection provision under cyber law — it creates a category of specially designated computer systems where unauthorised access attracts the highest non-terrorism punishment under the IT Act (10 years, versus 3 years for general hacking under Section 66). The Central or State Government may notify any computer resource that directly or indirectly affects Critical Information Infrastructure (CII) as a 'protected system'. CII is defined under Section 70A as computer resources whose incapacitation would have a debilitating impact on national security, economy, public health, or safety. Protected systems so far notified include: nuclear power plant control systems, air traffic management systems, banking settlement infrastructure, power grid SCADA systems, and railway signalling networks. The provision covers both actual access and attempted access — an attacker who is stopped by a firewall but demonstrably attempted to penetrate a protected system still commits the Section 70 offence. Only persons expressly authorised in writing by the Government may access protected systems — no implied authorisation, no contractor-by-inference access. The mandatory written authorisation requirement is stricter than the general 'authorised access' standard under Section 66. Section 70(4) empowers the Central Government to prescribe information security practices for protected systems — the basis for sector-specific cybersecurity standards issued by CERT-In and sectoral regulators (RBI, SEBI, IRDAI) for their respective critical infrastructure.

Common Queries

The Central Government has notified nuclear power plant systems, air traffic management, power grid SCADA systems, banking clearing infrastructure, and railway signalling networks as protected systems. The full list is not entirely public.
Section 70(3) prescribes imprisonment up to 10 years and fine — the highest punishment in the IT Act for a non-terrorism cyber offence.
Only the appropriate Government, by written order, can authorise persons to access a protected system. No implied or blanket contractor authorisation is sufficient — access must be expressly authorised in writing for each person.

Legal Evolution

Section 70 existed in the original IT Act 2000 in a narrower form. The 2008 Amendment substantially expanded it — the original provision did not explicitly reference Critical Information Infrastructure and had a lower punishment. The revised Section 70 brought India's framework closer to international standards such as the Budapest Convention on Cybercrime and the US Computer Fraud and Abuse Act's elevated penalties for attacks on protected computers.

Key Amendments

2008 Amendment elevated the punishment and explicitly linked protected systems to Critical Information Infrastructure.

Section 70A (National Nodal Agency) and Section 70B (CERT-In) added by 2008 Amendment as institutional complements to Section 70.

NCIIPC (National Critical Information Infrastructure Protection Centre) established under Section 70A is the primary body designating protected systems.