AI governance and compliance for businesses operating in India

TL;DR

India governs AI through sector regulators rather than a single Act, with the DPDP Act as the horizontal data law and significant penalties for non-compliance. UK businesses processing Indian personal data, supplying AI into Indian banking or capital markets, or using Indian outsourcers need to map both DPDP and sector-specific obligations alongside their UK and EU compliance picture. The light-touch framing does not mean low liability.

Key takeaways

- India governs AI through sector regulators rather than a single Act, with the 2025 guidelines placing enforcement on the RBI for banking, SEBI for capital markets, and sector ministries for healthcare and other sensitive areas.
- The Digital Personal Data Protection Act 2023 imposes data fiduciary obligations with penalties up to INR 250 crore per incident on any UK business processing Indian personal data, including through Indian outsourcers or shared platforms.
- UK firms supplying AI-enabled tools to Indian banks face RBI model risk governance and outsourcing requirements; those serving capital markets firms must address SEBI's algorithmic trading framework, including pre-deployment testing and audit logs.
- Nearly 60% of Indian organisations lack a mature AI governance policy despite 80% declaring AI a core strategic priority, creating shadow AI and intellectual property exposure risks where UK business data sits in the same environment.
- India's governance framework interacts with UK and EU compliance obligations: ICO AI guidance, the EU AI Act's extraterritorial scope, and FCA outsourcing expectations all apply alongside DPDP and sector rules.

A UK-based software firm supplying analytics to mid-size Indian banks hit a compliance problem that stopped their renewal cold. One of their clients’ compliance officers sent a detailed questionnaire: AI model documentation, data residency, what happened to Indian personal data inside the platform. The firm had good answers on some of it. On the rest, they were working from assumptions. That gap, between what a UK business assumes and what an Indian regulator already expects, is where compliance exposure concentrates.

India’s AI governance landscape has moved quickly. The rules span data protection law, sector regulation, and government guidelines published in late 2025. For UK owner-operators with Indian clients, outsourcing partners, or data flows touching India, knowing the structure matters now.

What is India’s approach to AI governance?

India governs AI through sector regulators rather than a single binding Act. The 2025 India AI Governance Guidelines assign enforcement responsibility to existing bodies: the Reserve Bank of India for banking and payments, SEBI for capital markets, and relevant ministries for healthcare. The framework targets applications of AI rather than the underlying technology, with coordination handled by a proposed AI Governance Group.

The horizontal data law is the Digital Personal Data Protection Act 2023, administered by the Ministry of Electronics and Information Technology. The DPDP Act introduces consent requirements, purpose limitation, and security obligations for data fiduciaries, with penalties up to INR 250 crore per incident. A 2024 advisory from MeitY separately directs platforms and intermediaries using AI to implement due diligence measures under the IT Act 2000, covering transparency obligations and controls on unlawful content. India’s preference for innovation-enabling governance means the regulatory picture is fragmented by design. For a UK business, the working question is not which Act applies but which regulator touches your sector.

Why does this matter for UK owner-operators?

The DPDP Act sets penalties up to INR 250 crore (roughly USD 30 million) per incident for data fiduciaries who fall short on consent or security. Any UK business processing Indian personal data through a partner, platform, or cross-border service qualifies as a data fiduciary under that law. A light-touch policy stance does not reduce the potential penalties.

The pace of AI adoption inside India adds a second risk layer. Survey data from Pinac Law’s 2025 workplace governance guide indicates that nearly 60% of Indian organisations either lack an AI governance policy or are still developing one, even as 80% have declared AI a core strategic priority. That mismatch produces shadow AI exposure: staff uploading customer data or proprietary code to public AI tools without authorisation. Over 40% of documented shadow AI incidents have involved intellectual property compromise. If your Indian outsourcing partner carries that gap, and your data sits in their environment, the risk belongs to your business as much as theirs. Explicitly covering AI governance and data handling in vendor assessments is a reasonable precaution before extending or renewing any outsourcing arrangement.

Where will you actually meet these rules?

The rules surface most visibly in financial services. RBI outsourcing directions require Indian banks to retain ultimate accountability for any vendor function, meaning UK firms supplying AI-driven credit scoring or fraud detection face model documentation and audit trail requirements through their clients’ internal governance. SEBI’s algorithmic trading framework adds pre-deployment testing, kill switches, and audit logs for capital markets tools.

Beyond financial services, the IT and outsourcing sector brings questionnaire-based exposure. India’s major technology services firms, including Infosys, TCS, and Wipro, have built internal AI governance frameworks that frequently exceed current regulatory requirements because global client demands push them there. A UK SME working with these firms, or with their tier-two peers, should expect formal due diligence queries about AI model documentation, data handling, and DPDP compliance. The same logic runs in the other direction: when you are the client purchasing AI-enabled services from an Indian firm, you should run equivalent due diligence to satisfy your UK GDPR obligations.

Healthcare introduces a further layer. India’s National Digital Health Mission and its telemedicine guidelines require clear consent mechanisms and strict privacy controls. UK healthtech firms selling AI tools into Indian hospital systems face growing pressure to explain algorithmic behaviour and evidence absence of bias. There is no dedicated healthcare AI statute yet, but the combination of DPDP obligations and procurement-driven contractual standards creates practical requirements that operate like one.

When do you need to act, and when can you wait?

Act now if any of these describe your situation: you process Indian personal data directly or through a vendor; you supply AI-enabled tools into Indian banking, capital markets, or healthcare; your outsourcing partner in India has access to UK client or employee data. In any of those situations, DPDP obligations and sector-level expectations are already live, not prospective rules on a future timeline.

Three practical starting points fit a realistic working week. First, map your data flows involving India. Confirm whether DPDP data-fiduciary obligations apply. The test is straightforward: if your systems receive, store, or process data about Indian residents, they apply. Second, update your vendor questionnaire to cover AI governance explicitly. The due diligence you would run on a UK AI tool applies equally to Indian vendors, covering where data goes, who trains on it, what access controls are in place, and what happens at contract end. Third, run a Data Protection Impact Assessment that explicitly covers the India leg of any AI deployment touching personal data. The ICO’s DPIA guidance covers your UK obligations; DPDP requirements cover the Indian portion. They are broadly compatible, and a single documented exercise can address both.

One assumption worth correcting before you decide to wait: the absence of a single AI Act does not mean low liability. DPDP penalties are already in force. RBI and SEBI enforcement on model governance is active. Firms that defer compliance work on the grounds that India’s regime is “still developing” are miscalibrating the actual enforcement risk.

How does this connect to your UK and EU compliance picture?

India’s rules do not sit in isolation. ICO guidance on AI and data protection applies whenever UK residents’ data passes through an Indian system, regardless of where the processing takes place. EU AI Act obligations can reach UK-based suppliers of high-risk AI into EU member states, with fines up to €35 million or 7% of global turnover. FCA-regulated firms must evidence appropriate governance over any AI-enabled function outsourced to India.

This creates a layered compliance picture for businesses operating across both environments. An AI system touching Indian personal data, processed in part by an Indian vendor, and delivering outputs to EU-based clients can sit under DPDP, the EU AI Act, ICO guidance, and RBI or SEBI expectations simultaneously. The practical answer is to map the data flows, identify which personal data belongs to which jurisdiction, and design your governance work to address all applicable regimes in a single documented exercise rather than as separate projects.

India’s stated preference for techno-legal mechanisms, combining technical safeguards such as audit logs and watermarking with legal controls, aligns closely with the approach recommended by the NCSC for secure AI development. Firms that have completed solid governance work for their UK compliance will find much of the documented framework reusable in India-specific conversations with clients or regulators. The difference is the sectoral distribution of enforcement: in the UK and EU you are dealing with one or two primary regulators; in India you may face three or four, depending on your sector and the functions your AI performs.

If you would like to talk through what this means for your specific business and the AI arrangements you operate, a conversation is the right place to start. Book a conversation.

Sources

- Government of India, Press Information Bureau (2025). India AI Governance Guidelines. Whole-of-government AI framework targeting applications rather than the underlying technology, organised around enablement, regulation and oversight. https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/nov/doc2025115685601.pdf
- Office of the Principal Scientific Adviser to the Government of India. Strengthening AI Governance Through Techno-Legal Framework. Outlines India's approach combining technical safeguards with legal controls and identifies the DPDP Act and IT Act 2000 as the governance baseline. https://psa.gov.in/CMS/web/sites/default/files/publication/AI-WP_TechnoLegal.pdf
- Ministry of Electronics and Information Technology, Government of India (2023). Digital Personal Data Protection Act 2023. Sets data fiduciary obligations, consent requirements, and penalties up to INR 250 crore per incident for non-compliance. https://www.meity.gov.in/data-protection-framework
- Reserve Bank of India (2023). Governance of Model Risk for Banks and NBFCs. Requires model validation, monitoring, and documentation for AI and ML models used in financial services functions. https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12452
- Reserve Bank of India (2017). Managing Risks and Code of Conduct in Outsourcing of Financial Services. Requires banks to retain ultimate accountability for outsourced functions, applying directly to UK AI service providers in credit and fraud detection. https://rbi.org.in/Scripts/NotificationUser.aspx?Id=3945
- Securities and Exchange Board of India (2022). Framework for Algorithmic Trading. Mandates pre-deployment testing, kill switches, and audit logs for automated trading systems including AI and ML models. https://www.sebi.gov.in/legal/circulars/aug-2022/framework-for-algorithmic-trading_61636.html
- Information Commissioner's Office. Guidance on AI and data protection. Sets ICO expectations on transparency, fairness, data minimisation, and DPIAs for AI systems processing UK personal data, applying when that data passes through Indian systems. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
- European Parliament and Council of the EU (2024). Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act). Imposes risk-tiered obligations with extraterritorial reach for high-risk AI systems deployed to EU users, with fines up to €35 million or 7% of global turnover. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
- UK National Cyber Security Centre. Guidelines for secure AI system development. Covers supply-chain risk, secure development, and logging requirements applicable to AI built or maintained by overseas partners. https://www.ncsc.gov.uk/collection/guidelines-for-secure-ai-system-development
- Pinac Law (2025). AI Governance Policy: Essential Considerations for Indian Workplaces. Cites survey data showing nearly 60% of Indian organisations lack mature AI governance and documents shadow AI incidents including intellectual property exposure. https://pinaclaw.com/wp-content/uploads/2025/11/AI-Governance-Policy-Essential-Considerations-Clean.pdf

Frequently asked questions

What does India's DPDP Act mean for a UK business using Indian outsourcers?

If your outsourcing arrangement involves Indian personal data, including employee records or customer data processed by your Indian partner, the DPDP Act treats your business as a data fiduciary. Consent obligations, purpose limitation, and security requirements apply to those arrangements. Penalties run up to INR 250 crore per incident. Reviewing your vendor contracts and data processing terms against DPDP requirements is the practical starting point.

Does India have an AI Act like the EU?

India has deliberately chosen a sector-led approach rather than a single binding AI Act. The 2025 India AI Governance Guidelines assign enforcement responsibility to the RBI in banking, SEBI in capital markets, and MeitY for platform obligations. The DPDP Act provides the horizontal data law. This fragmented structure means compliance exposure depends heavily on which sector your Indian operations sit in, not a single Act you can read cover to cover.

How do I know whether the EU AI Act applies to my AI work involving India?

The EU AI Act applies extraterritorially when the output of a high-risk AI system reaches EU users, regardless of where the system is built or operated. If you develop AI with Indian partners but deploy it for EU-based clients, the Act's obligations can apply to your business. The trigger is where the affected person is located, not where the processing takes place.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
