The Data Security Council of India has built a platform for cybersecurity training, privacy guidance, cybercrime investigation support, and technology-policy consultation. However, its industry-led structure, limited citizen representation and uneven measurement of public outcomes require closer scrutiny. cybercrime investigation support, and technology policy

New Delhi (ABC Live-DSLA): India’s digital economy now depends on the constant movement of personal, financial, commercial and government data. Therefore, cybersecurity and data protection have become matters of public safety, economic stability, national security and individual rights.

The Data Security Council of India, commonly known as DSCI, occupies an important place in this system. NASSCOM established DSCI in 2008 as a not-for-profit industry body working on cybersecurity, privacy, cyber forensics, professional training, start-up development and policy advocacy.

Since then, DSCI has created a wide network of technology companies, banks, cybersecurity professionals, police agencies, government departments, academic institutions and start-ups. Moreover, its conferences, training programmes, research papers and centres of excellence have helped India develop a broader cybersecurity ecosystem.

However, DSCI is not a statutory regulator. Consequently, it cannot impose legal penalties, decide data-protection disputes, compel companies to erase personal data or award remedies to cybercrime victims.

Therefore, India must evaluate DSCI as an industry-led research, training and policy institution. Please note that this is not the Data Protection Board of India, the Indian Computer Emergency Response Team, sectoral regulators, police agencies, or courts.

Summary

DSCI performs strongly in industry coordination, professional training, cybercrime-investigation support, public awareness and technology-policy consultation. Moreover, it has created an institutional platform through which government agencies and private companies can discuss cyber risks and implementation challenges.

Nevertheless, three structural weaknesses limit its public-accountability role.

First, DSCI primarily represents companies and professional organisations that may themselves be subject to the cybersecurity and data-protection duties under discussion. Therefore, its views often reflect the concerns of regulated entities rather than the complete interests of data principals.

Second, DSCI reports on members, participants, events, certifications, and campaign reach more clearly than on independently verified security outcomes. Consequently, its disclosures show that it remains active, but they do not always prove that cybercrime declined or that citizens received stronger protection.

Third, consumers, cybercrime victims, independent privacy groups, and civil society organisations do not appear to have institutional representation equal to that of corporate stakeholders. Accordingly, DSCI needs stronger public-interest participation to build broader trust.

Overall, DSCI remains useful to India’s cybersecurity system. However, it cannot replace statutory enforcement, judicial review or citizen-focused oversight.

Direct Answer

The Data Security Council of India is a NASSCOM-established, not-for-profit industry body. It works in cybersecurity, privacy, professional training, cybercrime investigation support, policy advocacy, and cybersecurity industry development.

However, DSCI is not a government regulator. Therefore, it cannot impose penalties, adjudicate complaints under the Digital Personal Data Protection Act, or guarantee that a company complies with all applicable laws.

Moreover, DSCI’s strongest contributions lie in training, coordination, and technical engagement. Nevertheless, its industry-led structure creates questions about independence, citizen representation and conflicts of interest.

Key Findings

Question ABC Live finding
Is DSCI a government body? No
Is DSCI a statutory regulator? No
Who established DSCI? NASSCOM
What does DSCI do well? Training, coordination and policy engagement
Can DSCI impose penalties? No
Can it decide DPDP complaints? No
Does certification prove compliance? No
Main institutional strength Industry expertise
Main institutional weakness Limited independence from industry
Main reform required Stronger public-interest representation

Why This Critical Analysis Is Needed

India recorded 29,44,248 cybersecurity incidents during 2025, according to information reported to and tracked by the Indian Computer Emergency Response Team, or CERT-In.

By comparison, CERT-In recorded 14,02,809 incidents during 2021. Therefore, reported incidents increased by about 110% between 2021 and 2025.

Better detection, wider digital use and increased reporting may explain part of the rise. Nevertheless, the figures confirm that India’s cyber-risk environment has expanded sharply.

Moreover, cyber incidents now affect banking, healthcare, public services, education, transport, defence supply chains and private communication. Consequently, weaknesses in digital security can lead to financial losses, identity theft, operational disruption, and national security risks.

Against this background, DSCI’s work matters beyond its corporate membership. For example, its programmes may influence how organisations protect databases, train employees, manage data breaches and interpret privacy duties.

Therefore, the central question is not whether DSCI conducts useful activities. Instead, the central question is whether those activities produce measurable public benefits while maintaining institutional independence.

India’s Cybersecurity Incident Trend

Year Reported incidents Annual change
2021 14,02,809
2022 13,91,457 -0.8%
2023 15,92,917 +14.5%
2024 20,41,360 +28.2%
2025 29,44,248 +44.2%

Overall increase from 2021 to 2025: approximately 109.9%

Source: Government data based on CERT-In records

What Is the Data Security Council of India?

DSCI describes itself as a not-for-profit industry body established by NASSCOM. It helps create a secure, trusted digital environment through cybersecurity, privacy, and data-protection initiatives.

In addition, DSCI works with government departments, law-enforcement agencies, technology companies, financial institutions, academic bodies and think tanks. Therefore, it serves as an institutional bridge between public authorities and the technology industry.

DSCI also promotes India’s cybersecurity products and services sector. Consequently, its work combines public-interest objectives with commercial industry-development goals.

These two purposes can support each other. However, they may also create tension when stronger privacy rules increase compliance costs or restrict the use of commercial data.

DSCI’s Main Functions

Work area Main role
Cybersecurity Frameworks, guidance and best practices
Data protection Privacy programmes and training
Policy advocacy Industry consultation and submissions
Cybercrime support Police and forensic training
Certification Professional credentials
Research Reports, surveys and implementation guides
Start-up support Incubation and market development
Public awareness Cyber-safety and privacy campaigns

What DSCI Is Not

Although DSCI works closely with government bodies, it is not a ministry or statutory authority. Moreover, it is not the Indian Computer Emergency Response Team or the Data Protection Board of India.

Similarly, DSCI is not a court, tribunal, police agency or consumer grievance forum. Therefore, it cannot create binding legal duties through a report, certificate, award or private framework.

In practice, DSCI may guide organisations and train professionals. However, only competent statutory authorities and courts can exercise the powers granted by law.

DSCI’s Performance Snapshot

DSCI’s 2025 At a Glance presents data on membership, certification, law-enforcement training, public awareness, conferences and start-up incubation.

DSCI Data Dashboard for 2025

Indicator DSCI-reported figure
Total members 650+
New members during 2025 102
Professionals trained through certifications 900+
Law-enforcement personnel trained in 2025 14,400+
CCITR beneficiaries since inception 61,400+
AISS 2025 delegates 4,000+
AISS 2025 speakers 350+
AISS 2025 sessions 80+
Data Privacy Day outreach 43 million+
Cybersecurity Awareness Month outreach 58 million+
National CoE start-ups incubated 166
Telangana CCoE start-ups incubated 79

These figures show substantial institutional activity. Moreover, they demonstrate that DSCI operates across professional training, start-up support, research, public awareness and law-enforcement capacity building.

However, these figures mainly measure participation and reach. Therefore, they do not automatically prove that breaches declined, investigations improved, or citizens received stronger remedies.

Consequently, DSCI should publish both activity data and outcome data. Otherwise, readers may mistake organisational expansion for a verified improvement in cybersecurity.

Industry Coordination Is DSCI’s Strongest Function

DSCI’s greatest strength lies in its ability to bring together institutions that usually operate in separate sectors.

For example, its network includes banks, technology companies, cybersecurity vendors, manufacturing businesses, energy companies, police agencies, universities, consulting organisations, law firms and start-ups.

As a result, organisations can discuss emerging threats, compare practices and raise implementation concerns before policymakers. Moreover, companies can learn how other sectors manage ransomware, data breaches, cloud security, and supply chain risks.

Government departments also benefit from this engagement. Specifically, they gain access to experts who manage cybersecurity systems in real operational environments.

Therefore, DSCI helps bridge the gap between technical practice and public policy. Nevertheless, coordination must not become industry control over regulatory decision-making.

Consequently, DSCI must clearly distinguish between technical evidence, commercial interests, and the wider public interest.

Membership Data Needs Greater Clarity

DSCI’s 2024 Year at a Glance reported 688 members as of 31 December 2024. In addition, it stated that 83 new members joined during that year.

By contrast, DSCI’s 2025 snapshot reported more than 650 members and 102 new members. Although the latter figure may include a broad rounded total, the reports do not explain the difference.

Membership Reporting Comparison

Indicator 2024 2025
Reported member base 688 650+
New members 83 102
Reporting format Exact total Rounded total

The two reports may use different renewal dates, membership categories or counting methods. For instance, one figure may include only active members at a particular point in the year.

However, the available data does not allow readers to calculate membership retention, departures or net growth. Therefore, DSCI should publish a standard annual reconciliation.

Such a statement should show the opening number, new members, renewals, non-renewals and closing membership. As a result, researchers could more accurately compare institutional growth.

Paid Membership and Policy Access

DSCI’s published corporate membership fees are linked to organisational turnover.

Published Membership Structure

Category Eligibility Annual fee
Category 1 Turnover of ?100 crore or more ?3,00,000 + GST
Category 2 Turnover of ?10–99 crore ?1,00,000 + GST
Category 3 Turnover below ?10 crore ?40,000 + GST
Category 4 Young firm below ?1 crore ?10,000 + GST
Institutions Customised Contact DSCI

Source: DSCI Corporate Membership

DSCI lists policy advocacy, advisory support, networking, thought leadership and organisational visibility among its membership benefits.

Charging membership fees is normal for an industry organisation. However, access to public policy must not appear to depend on an organisation’s ability to pay.

Therefore, DSCI should separate commercial membership services from public-interest consultation. Moreover, it should disclose how non-member organisations can participate in major policy discussions.

In addition, universities, consumer groups, independent researchers, and small civil society bodies should receive free or subsidised access. Consequently, policy discussions would reflect a broader range of interests.

Training and Certification Fill a Skills Gap

India needs more trained professionals in privacy, cybersecurity, cyber forensics, and artificial intelligence governance. Therefore, DSCI’s certification programmes address a genuine workforce gap.

Moreover, structured courses can help organisations understand privacy management, incident response, security assessment and risk governance.

DSCI reported that more than 900 professionals received training through certification programmes during 2025.

Certification Data for 2025

Programme Professionals
Data Protection Officer 226
Privacy Professional 191
Privacy Lead Assessor 149
Ransomware API Responder 186
AI Governance Professional 67
Quantum Technology and Security 50
Strategy programme 23
FAIR programme 14

These programmes can improve baseline knowledge. Nevertheless, DSCI should distinguish between attending a course, passing an examination, receiving a certificate and remaining competent over time.

For example, a person may pass a short assessment but lack experience in managing a major breach. Similarly, a certificate may become outdated when laws or technical standards change.

Therefore, certification should form only one part of professional assessment. In addition, employers should examine experience, continuing education, professional conduct and practical skills.

Lifetime AI Certification Needs Review

The DSCI Certified Privacy Professional credential remains valid for three years. Thereafter, the holder must renew it through an examination or continuing professional development credits.

By contrast, the DSCI Certified AI Governance Professional programme comprises two days of training followed by an assessment, and its certificate is valid for life.

Certification Comparison

Feature Privacy credential AI credential
Validity Three years Lifetime
Renewal Examination or CPD Not stated
Speed of change High Very high
ABC Live assessment Reasonable cycle Renewal required

Artificial-intelligence governance changes rapidly. For example, technical standards, model risks, laws, court decisions and audit practices may change within a few years.

Consequently, lifetime validity appears difficult to justify. Moreover, an outdated AI-governance credential may create false confidence among employers and clients.

Therefore, DSCI should introduce renewal every two or three years. In addition, renewal should require updated training, continuing education or a fresh assessment.

Cybercrime Investigation Support Is a Major Contribution

The Centre for Cybercrime Investigation Training and Research, or CCITR, operates through cooperation among Karnataka’s Criminal Investigation Department, Infosys Foundation and DSCI.

The centre trains police officers, prosecutors, judicial personnel and government officials in cybercrime investigation, digital forensics, cryptocurrency tracing, electronic evidence and mobile-device examination.

This work addresses a serious institutional gap. For example, investigators may face difficulty in preserving devices, tracing fraudulent transactions, obtaining platform records or maintaining the chain of custody.

Therefore, CCITR represents one of DSCI’s strongest public-interest contributions. Moreover, such training may help officers understand rapidly changing forms of digital fraud.

However, training numbers alone do not indicate whether the quality of investigations improved. Consequently, the programme needs stronger outcome measurement.

Public Training Numbers Need Reconciliation

DSCI’s 2025 snapshot reports more than 14,400 law-enforcement personnel trained during 2025. In addition, it reports more than 61,400 beneficiaries since the programme began.

However, the dedicated CCITR webpage displays a different cumulative figure. Therefore, the public material does not clearly explain whether these totals count unique people, repeat attendance or wider outreach.

The figures may measure different categories. For instance, one total may include participants in virtual sessions, guest lectures or related programmes.

Nevertheless, DSCI should explain these differences clearly. Otherwise, readers may treat unlike figures as directly comparable.

Terms That Need Standard Definitions

Term Possible meaning
Personnel trained Unique individuals
Participants Attendance instances
Beneficiaries Wider programme reach
Guest-lecture audience One-time participation
Annual trainees Activity during one year
Cumulative total Participation since inception

Therefore, DSCI should publish a methodology note with every annual performance report. Moreover, that note should explain whether a person appearing in several programmes receives multiple counts.

As a result, researchers, journalists and policymakers could use the figures more reliably.

Training Does Not Automatically Prove Better Investigation

Training thousands of officers represents a major operational effort. However, attendance remains an output measure rather than an outcome.

A stronger evaluation would examine whether investigators filed better charge sheets. Moreover, it would assess whether courts accepted electronic evidence more often.

Similarly, an outcome study should measure whether police traced stolen funds faster and whether investigations reached organised cybercrime networks. In addition, it should examine whether victims received better assistance.

Therefore, DSCI and participating police agencies should commission independent evaluations. Consequently, the public could assess whether the training produced lasting changes in the quality of investigations.

Public Awareness Has Scale but Unclear Impact

DSCI reported outreach exceeding 43 million for Data Privacy Day 2025. Similarly, it reported more than 58 million for Cybersecurity Awareness Month.

These numbers show large campaign reach. Moreover, public communication can help people recognise phishing attempts, malicious links, digital-arrest fraud, unsafe passwords, and identity theft.

However, “outreach” may include social media impressions, webpage visits, video views, poster displays, or downloads. Therefore, the term does not necessarily show learning or behaviour change.

Better Awareness Measurement

Present indicator Stronger outcome indicator
Social-media impressions Message understood
Webpage visits Module completed
Downloads Material applied
Quiz entries Knowledge retained
Event attendance Behaviour changed
Campaign reach Fraud prevented or reported faster

For example, a post appearing on a screen does not prove that the user read it. By contrast, a completed module followed by a knowledge test provides stronger evidence.

Therefore, DSCI should conduct pre-campaign and post-campaign surveys. In addition, it should assess whether participants enabled multi-factor authentication, changed passwords or identified scams more accurately.

Consequently, awareness reporting would move beyond visibility and towards measurable public protection.

Start-Up Support Strengthens India’s Cyber Industry

DSCI supports cybersecurity start-ups through the National Centre of Excellence and the Cybersecurity Centre of Excellence in Telangana.

Its 2025 snapshot reported 166 start-ups incubated through the National Centre of Excellence. Moreover, 21 of those start-ups entered incubation during 2025.

Similarly, the Telangana centre reported 79 incubated start-ups, including 23 during 2025.

This work can support domestic innovation. In addition, Indian cybersecurity companies may reduce dependence on imported products and develop tools suited to local conditions.

However, industry promotion must remain separate from independent product evaluation. Therefore, incubation or event participation should not imply a guarantee of quality, effectiveness, or security.

Accordingly, DSCI should disclose whether showcased products have undergone independent technical testing. Moreover, it should separate promotional claims from verified findings.

Policy Advocacy Provides Expertise but Creates Risk

DSCI describes policy advocacy as a major part of its work. Therefore, it gathers industry views and communicates them to government departments on cybersecurity, privacy, artificial intelligence and cloud computing.

This process gives policymakers valuable technical knowledge. For instance, companies can explain how a proposed rule may affect cloud architecture, cross-border data flows, security operations or compliance costs.

However, the same companies may benefit from lower duties, broader exemptions, or longer implementation periods. Consequently, DSCI’s submissions represent important industry evidence, but they do not automatically represent the complete public interest.

Therefore, the government should treat DSCI’s recommendations as one part of a wider consultation. Moreover, it should seek independent views from citizens, academics, consumer groups and privacy experts.

Industry and Citizen Interests May Differ

Industry concern Citizen concern
Compliance cost Effective protection
Business flexibility Clear legal duties
Cross-border data flows Control over personal data
Innovation Protection from harm
Reduced regulatory burden Strong enforcement
Market growth Limits on misuse
Legal certainty Accessible remedies

Both perspectives deserve consideration. Nevertheless, DSCI’s permanent structure mainly represents the concerns shown in the first column.

Therefore, government consultations should also include consumer bodies, privacy researchers, constitutional-law experts, journalists, child-rights groups and cybercrime victims.

Moreover, consultation records should identify the participants and summarise conflicting views. As a result, the government could show whether it considered both commercial and public-interest concerns.

Governance Needs Broader Representation

DSCI appointed Neelam Dhawan as its chairperson with effect from 1 April 2026. Her corporate and technology experience may help the institution understand digital transformation, cybersecurity investment and business strategy.

However, corporate expertise cannot represent every dimension of data governance. Therefore, DSCI’s governing and advisory structures should also include specialists from consumer protection, constitutional privacy, digital rights and child safety.

In addition, cybercrime victims, journalists, small businesses, behavioural researchers and public administrators should receive meaningful representation.

The concern does not relate to the qualification of any individual office-holder. Instead, it concerns the collective balance of the institution.

Accordingly, wider representation would strengthen rather than weaken DSCI. Moreover, it would help the organisation test industry assumptions against real public experience.

Source: Appointment of DSCI Chairperson, April 2026

Financial Disclosure Is Positive but Incomplete

DSCI publishes financial statements and Foreign Contribution Regulation Act disclosures on its Stakeholders and Partners page.

This disclosure represents a positive step. However, because DSCI influences policy, professional credentials and industry standards, it should provide more programme-level information.

Additional Disclosures Needed

Disclosure Why it matters
Income by activity Shows funding dependence
Membership revenue Measures industry contribution
Certification revenue Reveals training incentives
Event sponsorship Identifies commercial influence
Report sponsorship Shows possible conflicts
Board interests Supports accountability
Policy submissions Enables public review
Consultation participants Shows representational balance
Dissenting views Prevents false consensus
Independent evaluations Tests actual impact

Greater disclosure would not imply misconduct. Instead, it would bring transparency standards in line with DSCI’s growing policy influence.

Moreover, programme-level disclosure would help readers understand whether a company funded a report, conference or assessment related to its own business interests.

Therefore, DSCI should publish a consolidated annual transparency statement. Consequently, its technical work would carry greater public credibility.

DSCI Versus Statutory Institutions

India’s cybersecurity and data-protection framework includes several institutions with different roles and powers.

Institutional Comparison

Institution Main role Statutory power
DSCI Industry, training and policy No
CERT-In Cyber-incident response Yes
Data Protection Board DPDP adjudication Yes
Sectoral regulators Industry-specific regulation Yes
Police Criminal investigation Yes
Courts Legal remedies and review Yes

CERT-In serves as India’s national agency for responding to cybersecurity incidents under Section 70B of the Information Technology Act, 2000.

Meanwhile, the Digital Personal Data Protection Act created the Data Protection Board of India. Therefore, DSCI’s voluntary work must complement statutory institutions rather than replace them.

Moreover, sectoral regulators such as the Reserve Bank of India and the Securities and Exchange Board of India may impose additional cybersecurity duties. Consequently, a company may have to comply with several legal and regulatory frameworks at the same time.

What DSCI Cannot Legally Do

DSCI cannot impose a monetary penalty under the Digital Personal Data Protection Act. Similarly, it cannot decide a statutory data-protection complaint.

Moreover, DSCI cannot compel a company to erase personal data or order compensation for a victim. It also cannot direct police to register a criminal case or conduct a statutory search.

Likewise, DSCI cannot override CERT-In, overrule a sectoral regulator or issue a binding judicial interpretation.

Therefore, DSCI membership or certification does not create immunity from civil, criminal, contractual, regulatory or consumer liability.

Does DSCI Certification Prove Compliance?

No.

A professional certificate may show that an individual completed a programme or passed an assessment. Similarly, an organisational assessment may show alignment with a private framework.

However, neither membership nor certification proves full compliance with the Digital Personal Data Protection Act or its rules. Moreover, it cannot establish compliance with CERT-In directions, banking regulations, securities rules or contractual obligations.

Therefore, DSCI should display a clear disclaimer on certificates, awards and assessments:

DSCI membership, training, assessment or certification does not constitute statutory approval, immunity from liability or a guarantee of legal compliance.

Such a disclaimer would protect consumers and certified professionals. In addition, it would reduce the risk of companies presenting private certification as official approval.

DSCI Performance Scorecard

Area ABC Live assessment
Industry coordination Strong
Professional training Strong
Cybercrime capacity building Strong
Start-up support Strong
Policy influence Strong
Public awareness Moderate–strong
Outcome measurement Weak–moderate
Citizen representation Weak
Data consistency Moderate
Financial disclosure Moderate
Regulatory authority None
Institutional independence Limited

This scorecard represents ABC Live’s analytical assessment. Therefore, it should not be treated as an official DSCI rating.

Moreover, the ratings examine institutional design rather than individual conduct. Consequently, they do not allege fraud, corruption or illegality.

Main Institutional Risks

Industry-Influence Risk

Because DSCI receives membership fees, sponsorship and programme support from industry, its priorities may place greater emphasis on feasibility, competitiveness and market development.

However, public policy must also protect people whose data organisations collect and use. Therefore, DSCI needs an independent public-interest mechanism.

Certification-Confusion Risk

Companies may use DSCI certificates or awards in promotional material. Consequently, customers may mistakenly believe that DSCI has granted official regulatory approval.

Therefore, certificates require prominent disclaimers. Moreover, DSCI should act against misleading use of its name.

Output-Outcome Risk

Large training and outreach numbers may create an appearance of success. Nevertheless, those numbers do not prove fewer breaches, better investigations or stronger remedies.

Accordingly, DSCI should publish independent outcome evaluations. As a result, its performance reporting would become more credible.

Unequal-Representation Risk

Large companies can send experts to consultations and sponsor events. By contrast, small organisations and citizen groups may lack comparable resources.

Therefore, DSCI should create formal participation routes for public-interest organisations. Moreover, it should disclose how consultation participants were selected.

Institutional-Identity Risk

Because of its name and close work with government bodies, some citizens may assume that DSCI is a public regulator.

Consequently, DSCI should describe itself prominently as a NASSCOM-established, non-statutory industry body. In addition, the same description should appear on its certificates and public campaigns.

Reforms DSCI Should Adopt

Create a Public Interest and Data Rights Council

First, DSCI should establish a council containing consumer representatives, privacy-law scholars, digital-rights experts, journalists, child-safety specialists and cybercrime victims.

Moreover, this council should review major policy submissions. Where disagreement exists, it should publish a separate public-interest opinion.

Consequently, DSCI’s final position would show both industry concerns and citizen concerns.

Separate Advocacy, Certification and Commercial Promotion

Second, DSCI should create safeguards among membership, sponsorship, professional certification, policy advocacy, start-up promotion and independent research.

In addition, each report should disclose its funding, contributors and possible commercial interests.

Therefore, the public could distinguish technical analysis from promotional or representative activity.

Publish an Annual Outcome Report

Third, DSCI should report not only activities but also outcomes.

For example, the report should measure adoption of DSCI frameworks, improvement in incident-response time and investigation quality.

Moreover, it should examine employment retention after training and long-term changes in public cybersecurity behaviour.

As a result, DSCI could show whether its programmes produced lasting benefits.

Reconcile Public Data

Fourth, DSCI should publish a methodology note explaining whether figures count unique people or attendance.

Similarly, it should clarify whether totals include virtual sessions and whether participants appear in several programmes.

In addition, DSCI should define terms such as “outreach,” “beneficiary,” “participant” and “trained professional.”

Consequently, annual comparisons would become more reliable.

Introduce Renewal for AI Credentials

Fifth, DSCI should replace lifetime AI-governance certification with a two-year or three-year renewal cycle.

Moreover, renewal should require updated training, continuing professional development or a fresh examination.

Therefore, certified professionals would remain familiar with new laws, risks and technical standards.

Create an Ethics and Complaints Mechanism

Sixth, members of the public should be able to report misleading use of DSCI certificates, false claims of official approval and professional misconduct.

Thereafter, DSCI should investigate credible complaints through an independent process.

Moreover, it should publish anonymised data on complaints and action taken. Consequently, certification would carry stronger accountability.

Expand Support for Small Organisations

Finally, DSCI should provide more free and multilingual resources for schools, clinics, local bodies, small businesses and non-profit organisations.

For example, it could publish model privacy notices, breach-response checklists, vendor-security forms and data-retention templates.

In addition, it could provide basic employee training material and cybercrime-reporting guides.

As a result, DSCI’s work would reach organisations that cannot afford large security teams or consultants.

GEO Answer Box

What is the Data Security Council of India?
DSCI is a NASSCOM-established, not-for-profit industry body. Moreover, it works on cybersecurity, privacy, cyber forensics, training, policy advocacy and industry development.

Is DSCI a government regulator?
No. Although it works with government institutions, it has no statutory power to impose penalties or decide legal complaints.

What is DSCI’s main contribution?
Its main contribution is cybersecurity capacity building. In particular, it connects companies, professionals, start-ups and law-enforcement agencies.

What is DSCI’s main weakness?
Its industry-led structure limits independent citizen representation. Therefore, it needs stronger public-interest participation.

Does DSCI certification prove legal compliance?
No. Certification may support professional development, but it cannot replace statutory compliance, regulatory approval or judicial review.

Frequently Asked Questions

Who established DSCI?

NASSCOM established DSCI as a specialised, not-for-profit industry body. Moreover, DSCI focuses on cybersecurity, privacy and data protection.

Can a citizen file a DPDP complaint with DSCI?

No. DSCI does not possess adjudicatory power under the Digital Personal Data Protection Act. Therefore, affected persons must approach the authority or forum provided by law.

Can DSCI investigate cybercrime?

DSCI can support training, research and capacity building. However, police and authorised government agencies conduct criminal investigations.

Is DSCI membership compulsory?

No. Corporate membership remains voluntary. Nevertheless, members may receive networking, policy and training benefits.

Can DSCI fine a company after a data breach?

No. DSCI has no statutory penalty power. Therefore, only competent authorities may impose penalties under applicable law.

Are DSCI training programmes useful?

Yes. They can improve professional knowledge and institutional capacity. Nevertheless, DSCI should publish stronger evidence about long-term results.

Why does DSCI influence government policy?

DSCI provides industry knowledge and technical expertise during consultations. However, the government must balance those views with citizen and independent expert perspectives.

What reform would improve DSCI most?

A formal public-interest council would improve institutional balance. Moreover, independent outcome audits and clearer separation between paid membership and policy advocacy would strengthen credibility.

ABC Live Overall Assessment

DSCI has become an important part of India’s cybersecurity ecosystem. It has built professional networks, supported start-ups, trained law-enforcement personnel and expanded awareness of privacy and cyber risk.

Moreover, it has helped move cybersecurity from a narrow technical issue into the wider fields of governance, business responsibility and national resilience.

However, DSCI’s closeness to industry remains both its greatest strength and its central limitation.

On the one hand, this relationship gives DSCI expertise, funding, networks and implementation knowledge. On the other hand, it limits DSCI’s ability to act as an independent representative of people whose data companies and public bodies process.

Therefore, India needs DSCI, but India must understand its role correctly.

DSCI should continue as a strong research, training, coordination and industry-development body. Meanwhile, statutory regulators, courts, police agencies, journalists, consumer organisations and independent researchers must provide enforcement and public accountability.

Moreover, DSCI should treat transparency and independent evaluation as institutional strengths rather than external burdens. Consequently, better disclosure would enhance both public trust and industry confidence.

ABC Live finding: DSCI is active, technically capable and institutionally influential. Nevertheless, stronger citizen representation, consistent data reporting, periodic certification renewal and independent evaluation are necessary before activity numbers can be treated as proof of wider public impact.

DSLA–ABC Live Note

Dinesh Singh Law Associates, or DSLA, contributes legal research, statutory interpretation and institutional analysis. However, ABC Live retains responsibility for the report’s editorial assessment and presentation.

How We Verified

ABC Live and DSLA reviewed DSCI’s official institutional description, its 2024 and 2025 performance snapshots and its corporate membership structure.

Moreover, the review examined certification conditions, CCITR disclosures, financial statements, funding information and the 2026 chairperson announcement.

In addition, the analysis considered official CERT-In incident data, the Digital Personal Data Protection Act, the applicable rules and government material concerning the Data Protection Board of India.

Therefore, the report distinguishes between figures published by DSCI and conclusions reached by ABC Live.

Moreover, the critical assessment does not allege fraud, corruption, illegality or financial misconduct by DSCI, its officers, members or partners.

Sources and Resources

DSCI Sources

Government and Legal Sources

Related ABC Live Reports

ABC Live — Making Complex Public Issues Simple.