Our Expert in India
Every digital platform operating in India, from social-media giants and cloud-hosting providers to niche e-commerce marketplaces, must grapple with one critical compliance question: what is the penalty for failing to observe the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021? The consequences are neither theoretical nor trivial. Non-compliant intermediaries face a cascading set of risks that includes loss of statutory safe-harbour protection under Section 79 of the IT Act, 2000, exposure to civil and criminal proceedings under multiple overlapping statutes, government-issued blocking and takedown orders, and severe reputational damage that can erode user trust overnight.
With the Ministry of Electronics and Information Technology (MeitY) uploading updated intermediary guidance material on 10 February 2026, the regulatory posture has hardened, and enforcement signals indicate that the era of passive oversight is ending.
Before diving into the legal mechanics, compliance officers and in-house counsel need the headline picture. The IT Rules 2021, read together with the parent IT Act, 2000, and other applicable statutes, expose non-compliant intermediaries to five distinct categories of adverse consequence:
Industry observers expect enforcement activity to accelerate through 2026 as MeitY builds institutional capacity and leverages the Intermediary Guidelines 2026 materials to hold platforms accountable in real time.
Understanding what is the penalty for any specific breach requires mapping three layers of regulation: the parent statute, the subordinate rules, and the evolving regulatory guidance. The framework has been amended several times since its inception, and each iteration has expanded both the scope of obligations and the severity of consequences.
Section 2(1)(w) of the IT Act, 2000 defines an “intermediary” broadly. The term covers any person who, on behalf of another, receives, stores or transmits electronic records or provides any service with respect to such records. Practical examples include social-media platforms, internet service providers (ISPs), cloud-hosting services, search engines, online marketplaces, online gaming platforms and messaging applications. The IT Rules 2021 further distinguish between ordinary intermediaries and significant social media intermediaries (SSMIs), platforms with 50 lakh or more registered users in India, which carry additional obligations.
The core obligations for intermediaries are set out in Part II of the IT Rules 2021, particularly Rules 3, 4 and 5. Rule 3 prescribes “due diligence” requirements, publishing terms of service, establishing a grievance redressal mechanism, and honouring government takedown orders within prescribed timelines. Rule 4 imposes additional due diligence on SSMIs, including appointing a Chief Compliance Officer, a Nodal Contact Person and a Resident Grievance Officer, all of whom must be resident in India. Rule 5 governs the Grievance Appellate Committee mechanism introduced by the 2023 amendment.
| Year | Development | Key Impact |
|---|---|---|
| 2011 | IT (Intermediaries Guidelines) Rules, 2011 notified | First subordinate rules prescribing safe-harbour conditions |
| 2021 | IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 notified on 25 February 2021 | Expanded due diligence, SSMI designation, digital-media ethics code, three-tier grievance redressal |
| 2023 | Amendments adding Grievance Appellate Committee and fact-check unit provisions | New appellate redressal layer; government fact-check power (contested in courts) |
| 2026 | MeitY uploads updated intermediary guidance materials on 10 February 2026 | Signals intensified enforcement posture; consolidates compliance expectations |
One of the most common misconceptions is that the IT Rules 2021 themselves prescribe standalone monetary fines for each breach. In reality, the Rules operate primarily through a conditional safe-harbour mechanism: compliance with prescribed due diligence is the price of immunity. When that compliance lapses, penalty exposure flows from the parent IT Act, other statutes, and court-ordered remedies. The table below maps the principal penalty categories, their legal bases, illustrative ranges and the enforcing authorities.
| Penalty Type | Legal Basis | Illustrative Range / Consequence | Enforcement Authority |
|---|---|---|---|
| Loss of safe harbour (civil exposure) | Section 79(2)(c) read with Rule 3, IT Rules 2021 | Platform treated as publisher; unlimited civil liability for third-party content (damages, injunctions) | Civil courts; High Courts (writ jurisdiction) |
| Monetary penalty, failure to protect data / implement security practices | Section 43A, IT Act 2000 | Compensation to affected persons; no statutory cap but courts have awarded multi-crore damages | Adjudicating Officers (IT Act, Section 46); civil courts |
| Monetary penalty, failure to furnish information / comply with directions | Section 44, IT Act 2000 | Up to ₹1.5 lakh per failure (individual); up to ₹5 lakh (continuing contravention) | Adjudicating Officers |
| Penalty on body corporate for data breach / negligence | Section 43A, IT Act 2000 (read with Reasonable Security Practices Rules) | Up to ₹5 crore per contravention (proposed DPDP Act framework expands this further) | Adjudicating Officers; Data Protection Board (under DPDP Act) |
| Criminal prosecution, obscene / sexually explicit content | Sections 67, 67A, 67B, IT Act 2000 | Imprisonment up to 5–7 years and fine up to ₹10 lakh (enhanced for child sexual abuse material) | Police (Cyber Crime units); Special Courts |
| Criminal prosecution, non-compliance with blocking order | Section 69A read with IT (Procedure and Safeguards for Blocking of Access) Rules, 2009 | Imprisonment up to 7 years and fine | MeitY (issuance); Police / Courts (prosecution) |
| Criminal liability of officers / directors | Section 85, IT Act 2000; BNS provisions on abetment | Personal criminal liability where offence committed with consent / connivance of officer | Police; Courts |
| Blocking / takedown of platform or content | Section 69A, IT Act; Rule 3(1)(d), IT Rules 2021 | Complete or partial blocking of platform within India | MeitY; Courts |
| Regulatory directives to publishers / OTT | Part III, IT Rules 2021 (Digital Media Ethics Code) | Apology, warning, censure, or content modification / deletion directives | Ministry of Information and Broadcasting (MIB); Self-Regulatory Bodies; Interdepartmental Committee |
The critical takeaway from this penalty map is that the IT Rules 2021 do not need to prescribe standalone fines to be consequential. Their power lies in conditioning safe-harbour on compliance, and the moment safe harbour falls away, a cascade of liabilities under multiple statutes is triggered simultaneously.
Section 79 of the IT Act is the central safe-harbour provision for intermediaries in India. It grants immunity from liability for third-party information, data or communication links made available or hosted by the intermediary, but only if three cumulative conditions are satisfied. The intermediary must not initiate the transmission, select the receiver, or modify the information. It must observe due diligence as prescribed under the Rules. And it must act expeditiously to remove or disable access to material upon receiving actual knowledge or a government/court order. The loss of safe harbour under the IT Rules 2021 is therefore the single most consequential penalty an intermediary can face, because it converts a shielded platform into an exposed publisher.
An intermediary forfeits safe harbour when it fails to satisfy any of the due diligence requirements in Rule 3 (for all intermediaries) or Rule 4 (additional obligations for SSMIs). The most common triggers include:
Once safe harbour is lost, the intermediary is treated as a publisher or originator of the content. The practical consequences are severe and immediate:
A recurring question from platform compliance teams is whether the IT Rules 2021 themselves create new criminal offences. They do not in isolation. However, non-compliance with the Rules removes the protective shield that would otherwise prevent criminal prosecution under a range of existing statutes. The practical effect is that the Rules function as a gateway: comply, and the criminal statutes remain largely inapplicable; fail to comply, and officers face personal prosecution risk.
The primary criminal provisions applicable to intermediaries include Sections 67 (publishing obscene material), 67A (sexually explicit material), and 67B (child sexual abuse material) of the IT Act, each carrying imprisonment terms of up to five or seven years. Section 69A, read with the Blocking Rules, criminalises non-compliance with blocking orders with imprisonment up to seven years. Beyond the IT Act, the BNS provisions on abetment and criminal conspiracy can apply where a platform knowingly fails to remove content that constitutes a criminal offence. Copyright infringement under the Copyright Act, 1957 and offences under the Protection of Children from Sexual Offences (POCSO) Act, 2012 also create criminal liability that the safe-harbour shield would ordinarily deflect.
Consider a hosting provider that receives a government order under Section 69A to block access to specified URLs and fails to comply within the stipulated timeline. That failure is itself a criminal offence, regardless of the nature of the content. Alternatively, consider an SSMI that has not appointed a Resident Grievance Officer. A user reports non-consensual intimate imagery. The platform has no mechanism to process the complaint within 24 hours as required by Rule 3(2)(b). The victim files a criminal complaint. Without safe-harbour protection, lost because of the officer-appointment failure, the platform’s executives face potential prosecution for abetment or negligence facilitating the offence.
In a third scenario, an online marketplace is aware of counterfeit goods being sold by a vendor but fails to act on takedown notices. Once safe harbour is forfeited, the marketplace faces prosecution for criminal conspiracy in trademark counterfeiting alongside the infringing vendor.
These scenarios are not hypothetical. Industry observers expect enforcement authorities to pursue test cases against non-compliant platforms to establish precedent and signal the seriousness of the regulatory framework.
The MeitY upload of 10 February 2026 is significant not because it introduces new legal provisions, but because it signals a consolidation of regulatory expectations and an operational readiness for enforcement. The document updates and reiterates the intermediary due diligence framework, clarifies government expectations on compliance timelines, and aligns the guidance with recent judicial developments.
Alongside this, MeitY has been issuing blocking orders under Section 69A with increasing frequency. The Government of India notified the IT Rules 2021 on 25 February 2021, and since that date, hundreds of blocking orders have been issued to platforms ranging from social-media services to VPN providers. The Ministry of Information and Broadcasting has simultaneously exercised its powers under Part III of the Rules to issue directives to digital news publishers and OTT platforms regarding content that violates the Code of Ethics.
The establishment of the Grievance Appellate Committees, three committees notified in January 2023, adds another enforcement channel. Users dissatisfied with intermediary responses to complaints can now escalate to these government-appointed bodies, which have the power to issue binding orders to platforms. Early indications suggest these committees are becoming more active and are likely to generate a body of compliance-enforcement jurisprudence that will shape platform behaviour going forward.
Understanding what is the penalty is only half the equation. Platforms need a structured, actionable programme to mitigate those penalties. The following intermediary compliance checklist maps each obligation to the relevant Rule and provides a clear, prescriptive action item. Compliance officers should treat this as a baseline, legal counsel should tailor each item to the platform’s specific risk profile and sector.
Compliance is not just about internal processes, it must be embedded in the platform’s legal documentation. The following templates provide starting points that counsel should adapt to each platform’s specific circumstances. These are illustrative and do not constitute legal advice.
“Users acknowledge that [Platform Name] operates as an intermediary as defined under Section 2(1)(w) of the Information Technology Act, 2000. Users shall not host, display, upload, modify, publish, transmit, store, update or share any information that: (i) belongs to another person to which the user does not have any right; (ii) is defamatory, obscene, pornographic, invasive of privacy, or otherwise unlawful; (iii) is harmful to children; or (iv) violates any applicable law for the time being in force. [Platform Name] reserves the right to terminate user accounts and remove content that violates these terms, and to cooperate with law enforcement agencies in accordance with applicable law.
Users agree to indemnify [Platform Name] against all claims arising from content uploaded or shared by the user.
This clause should be adapted to include the full list of prohibited content categories set out in Rule 3(1)(b)(ii) and should be rendered in the local languages of the platform’s user base where practicable.
“Upon receipt of a complaint from a user or a direction from a court or government authority: (1) the Grievance Officer shall acknowledge the complaint within 24 hours via the platform’s complaint-tracking system; (2) for complaints relating to content depicting nudity, sexual acts, impersonation or morphed images, the trust-and-safety team shall review and, where the complaint is substantiated, remove or disable access to the content within 24 hours; (3) for all other complaints, the Grievance Officer shall investigate and dispose of the complaint within 15 days; (4) the complainant shall be informed of the action taken; (5) all actions shall be logged in the compliance-reporting system for inclusion in the monthly compliance report.”
Platforms should ensure this protocol is integrated into their operational workflows with automated alerts and escalation triggers, not merely documented as a policy.
Online gaming platforms face a heightened compliance burden under the IT Rules 2021, particularly following the 2023 amendments that introduced provisions specifically targeting online games. Under Rule 3(1)(b)(v), intermediaries must make reasonable efforts to prevent users from hosting or sharing content relating to online games that are not verified by a self-regulatory body recognised by MeitY. Online gaming intermediaries are required to display a verification mark and inform users whether a game involves real-money wagering and the associated financial risks.
For gaming platforms, the penalty exposure is compounded by the interaction between IT Rules compliance and state-level gambling and gaming legislation, goods and services tax (GST) requirements, and consumer-protection regulations. A gaming platform that loses safe harbour not only faces the standard cascade of civil and criminal exposure described above, but also opens itself to state-level regulatory action, including potential licence revocation, and tax-enforcement proceedings where GST treatment depends in part on the platform’s legal characterisation as an intermediary or principal.
Industry observers expect the online gaming sector to be a priority enforcement target as MeitY and state regulators coordinate their compliance-verification efforts through 2026 and beyond.
| Entity Type | Key Obligations Under IT Rules 2021 | Penalty / Consequence (Summary) |
|---|---|---|
| Significant Social Media Intermediary (SSMI) | All basic due diligence (Rule 3) plus additional due diligence (Rule 4): appoint Chief Compliance Officer, Nodal Contact Person and Resident Grievance Officer; publish monthly compliance reports; enable first-originator traceability for messaging; deploy technology-based content-identification measures | Enhanced enforcement risk; loss of safe harbour triggers unlimited civil liability; criminal prosecution of officers under Sections 67/69A/85 of IT Act; blocking orders; MeitY administrative directives |
| Other Intermediaries (hosting providers, small platforms, ISPs) | Basic due diligence (Rule 3): publish terms of service, appoint a grievance officer, acknowledge complaints within 24 hours, resolve within 15 days, comply with government orders within 36 hours, preserve records for 72 hours on request | Loss of safe harbour; administrative orders; civil liability for third-party content; potential criminal exposure under IT Act and other statutes; reputational damage |
| Digital News Publishers / OTT Platforms | Part III obligations: adhere to Code of Ethics (norms of journalistic conduct for news; classification and age-appropriate access for OTT); participate in three-tier grievance-redressal mechanism (self-regulation, self-regulatory body, Interdepartmental Committee) | Regulatory action by Ministry of Information and Broadcasting including warnings, censure, apology requirements, content modification or deletion orders; potential blocking under Section 69A |
The question of what is the penalty for non-compliance with the IT Rules, 2021 has no single numerical answer, because the penalty framework is not a fixed fine schedule but a graduated, multi-layered system of consequences anchored in the conditional safe-harbour mechanism. Loss of safe harbour is the trigger event, and once it occurs, liability compounds across civil, criminal and regulatory dimensions simultaneously. The 2026 enforcement signals from MeitY make clear that regulatory patience is finite and that platforms operating in India without a robust compliance programme are accepting an escalating, existential risk.
Platforms should take two immediate steps. First, conduct a comprehensive compliance gap assessment against every obligation in Rules 3, 4 and 5, using the checklist above as a baseline. Second, remediate identified gaps, appoint officers, update terms of service, deploy technical safeguards, and implement documented grievance-redressal protocols, before the next enforcement cycle. How to mitigate IT Rules penalties is ultimately a question of institutional commitment: the platforms that invest in compliance infrastructure now will preserve their safe harbour, and those that do not will face the full weight of a regulatory framework designed to hold them accountable.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Siddharth Mahajan at Athena Legal Advocates & Solicitors, a member of the Global Law Experts network.
posted 21 minutes ago
posted 1 hour ago
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
Find the right Advisory Expert for your business
Sign up for the latest advisor briefings and news within Global Advisory Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Advisory Experts is dedicated to providing exceptional advisory services to clients around the world. With a vast network of highly skilled and experienced advisors, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message
