Complying with DPDP Rules 2025 in India

How Thales Helps with India’s Digital Personal Data Protection (DPDP) Rules Compliance

What are the DPDP Rules 2025 in India?

The Digital Personal Data Protection (DPDP) Rules, 2025, were announced by the Ministry of Electronics and Information Technology (MeitY) on November 13, 2025. They provide the operational framework for the DPDP Act, 2023, translating its broad legal principles into specific, actionable requirements for businesses, government bodies, and individuals.

APAC

    The core purposes of DPDP Rules are as follows:

    • Empowers Citizens: Gives "Data Principals" (individuals) granular control over their information.
    • Ensures Accountability: Mandates that "Data Fiduciaries" (entities that collect data) follow strict security and transparency protocols.
    • Digital-First Governance: Establishes a fully digital enforcement mechanism through the Data Protection Board of India.

    The DPDP Rules introduce a phased approach, allowing organizations to implement different requirements progressively:

    • Immediate (Nov 13, 2025): Launch of the Data Protection Board and key definitions.
    • 12 months (Nov 13, 2026): Consent Manager registration and rules become enforceable.
    • 18 months (May 13, 2027): Full compliance required for notice, consent, data erasure, and individual rights.

    India’s DPDP Rules impose penalties on Data Fiduciaries based on the specific type of violation.

    • Illegal data trading: Up to 10x gains or VND 3 billion.
    • Cross-border transfer violations: Up to 5% revenue or VND 3 billion.
    • Other violations: Max VND 3 billion fine; half for individuals.
    • Enforcement: Administrative sanctions, plus criminal penalties if severe.

    How Thales Helps with DPDP Rules Compliance

    Thales’ solutions can help organisations in India address the seven rules in the DPDP Rules 2025 with a unified approach to data security and identity management.

    DPDP Compliance Solutions

      Application Security

      Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market-leading product suite includes a Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious bot attacks, security for APIs, and a secure Content Delivery Network (CDN).

      Data Security

      Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption, tokenization, and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment, identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.

      Identity & Access Management

      Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.

      Address the India DPDP Rules 2025

        How Thales helps:

        • Manage all users, including the workforce, contractors, third-party users such as customers, suppliers, logistics, and B2B or B2C type users.
        • Create frictionless, secure, and privacy-protected access for your customers.

        Solutions:

        Identity & Access Management

        Thales OneWelcome Identity Platform

        How Thales helps:

        • Identify structured and unstructured sensitive data at risk on premises and in the cloud.
        • Identify the current state of compliance, document gaps, and provide a path to full compliance.
        • Transparent and continuous encryption protects against unauthorized access by users and processes in hybrid environments.
        • Provide a unified visibility of risks to critical data with a unique view of the strength of encryption for data across your entire data estate.
        • Prevent unauthorized access and alteration to its internals, including the audit logs.
        • Pseudonymize sensitive information in databases.
        • Protect data in motion with high-speed encryption.
        • Streamline key management in cloud and on-premises environments with key lifecycle management.
        • Protect the root-of-trust of a cryptographic system within a highly secure environment.
        • Enforce granular access control with transparent encryption for privileged users to prevent misuse or abuse.
        • Manage system and data access rights (access control) by supporting role-based authorization (RBAC) and conditional authorization (ABAC).
        • Control and manage privileged user accounts by supporting the enforcement of multi-factor authentication (MFA) for accessing critical systems.
        • Design authorization and approval procedures (User Journey Orchestration) for privileged user accounts, and store and display them as a privileged user activity report for detailed auditing.

        How Thales helps:

        • Alert or block database attacks and abnormal access requests in real time.
        • Monitor file activity over time to set up alerts on activity that can put your organization at risk.
        • Monitor active processes to detect ransomware, identifying activities such as excessive data access, exfiltration, unauthorized encryption, or malicious impersonation of a user, and alert or block when such activity is detected.
        • Unify key management operations with role-based access control and provide full audit log review.

        How Thales helps:

        • Ensure secure deletion by removing keys from CipherTrust Manager, digitally shredding all instances of the data.

        Solutions:

        Data Security

        Key Management

        How Thales helps:

        • Classify and assign specific sensitivity levels for data when you are defining your data stores and your classification profiles for different types of data sets.
        • Provide real-time data dashboards and reports.

        Solutions:

        Data Security

        Data Discovery & Classification

        How Thales helps:

        • Secure sensitive data and maintain complete governance and control of sensitive data and the associated encryption keys and policies with Bring-Your-Own-Encryption (BYOE), Hold-Your-Own-Key (HYOK) and Bring-Your-Own-Key (BYOK) approaches, as well as a centralized multi-cloud key management.
        • Offer transparent encryption and access control for data residing.
        • Encrypt sensitive data once it is created and make sure cleartext data will not be processed or stored by unauthorized applications and personnel.
        • Allow root users to do their job without abusing data through privileged user access controls.
        • Accelerate threat detection and ease forensics with data access audit logging.
        • Employ strong, standards-based encryption protocols, such as the Advanced Encryption Standard (AES) for data encryption and Elliptic Curve Cryptography (ECC) for key exchange.
        • Simplify key management across on-premises and multi-cloud deployments by centralizing control in a FIPS 140-2 Level 3 environment.
        • Secure data in transit with future-proof encryption technologies to counter “harvest now, decrypt later” attacks.

        Other key data protection and security regulations

        PCI HSM

        Global

        MANDATE | ACTIVE NOW

        The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.

        DORA

        Global

        REGULATION | ACTIVE NOW

        DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.

        Data Breach Notification Laws

        Global

        REGULATION | ACTIVE NOW

        Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.

        GLBA

        Americas

        REGULATION | ACTIVE NOW

        The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
