The increasing relevance of Artificial Intelligence (AI) and the polarization of global geopolitics are the two constants in 2025, which will influence business strategies going forward. With India positioning itself to become an AI leader, the question arises: What must Indian businesses do to stay ahead of the curve? The short answer is (i) identify the opportunities, (ii) understand the global and domestic regulatory framework (or lack thereof), and (iii) ensure compliance.
Identifying the opportunities
India’s focus on promoting AI and related advanced technologies is clear from this year’s Union Budget 2025-2026, with the budgetary allocation of more than 9000 crores in research and development, cyber security projects, specified government programs, and the setting up of various autonomous bodies, summarized below.
Further, there is a heightened inclusion of AI in sectors such as finance, health, agriculture, and medical sectors. India’s start-up revolution, with the creation and democratization of infrastructure, the introduction of government funding schemes, and the availability of fintech and digital payment facilities, also contributes to the growth of advanced technologies in India. Moreover, active measures to empower the Indian workforce with future skills at school and university levels are being proactively undertaken by the Government. While this will create a sandbox for Indian companies to plant and grow their AI ventures, Indian and global regulatory environment must also be understood to create ventures built to not just succeed but persevere.
Understanding the legal framework
AI regulation is a dynamic field, with regulation varying by the day. AI regulation essentially has two objectives: minimizing adverse development, deployment, and use of AI, specifically taking into consideration international and national political and cyber security; and encouraging innovation. The shape of AI regulation takes different forms in different countries based on the country’s priority on these two aspects.
For instance, the European Union has comprehensive legislation – the Artificial Intelligence Act – that targets AI regulation based on risk classification. China, on the other hand, only aims to regulate the deployment and use of AI in specific sectors such as the internet and social media, national security, healthcare, finance, education, etc. Contrary to both these approaches, the United States and United Kingdom have resisted specific legislation to ensure freedom for innovation, however, with guidelines that encourage voluntary commitments. Despite the varying approach, all countries emphasize the regulation of AI and related hardware for national security based on their foreign policy, especially by regulation of trade, albeit the regulation may focus on curbing one another.
The differences in these approaches were prominent during the Paris AI Summit, co-chaired by India, that concluded in February 2025, with broad affirmations on promoting inclusive, ethical, and sustainable AI development and deployment, along with global cooperation and equitable access. This declaration was signed by 64 countries, including India, but the United States and the United Kingdom declined to sign for different reasons. As Prime Minister Modi called for global AI governance, United States Vice President J D Vance criticized over-regulation by the European Union and warned against striking AI deals with ‘authoritarian regimes’, while the United Kingdom refused to sign the declaration as it lacked practical clarity on global governance and national security considerations.
Presently, India has no AI-specific legislation. The Information Technology Act 2000 and its Rules, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, govern the deployment of AI. Criminal violations are governed by applicable provisions of the Bharatiya Nyaya Sahita or the Indian Penal Code. Other relevant laws, such as intellectual property, export controls, sanctions, and environmental laws, have no AI-specific measures and apply on a generic basis.
The Indian Government has undertaken several measures to formulate its AI regulations. Most recently, the Ministry of Electronics and Information Technology released its Report on AI Governance Guidelines Development (Report) for comments. The Report suggests a regulatory regime largely based on self-regulation and activity-based (taxation, online safety, consumer protection, data protection, anti-trust, copyright, patent, employment, contracting, etc.) regulation. The Report also reinforces the general governance principles of transparency; accountability; safety, reliability & robustness; privacy and security; fairness & non-discrimination; human-centered values & ‘do no harm’; inclusive & sustainable innovation; digital by design governance. Public comments have been filed on this Report.
Further, sectoral regulators such as the Reserve Bank of India, Securities and Exchange Board of India, Department of Telecommunication, Ministry of Defence, and Insurance Regulatory and Development Authority have undertaken measures to ensure the safe and fair deployment of AI in the financial, securities, telecommunication, defense, and insurance sectors respectively. Finally, several regulatory frameworks that are awaiting enforcement, especially laws relating to data protection and sustainable development, will likely incorporate provisions specific to AI.
Ensuring compliance
The companies that develop, deploy, or use AI in their business must discern how the regulations impact their business. Taking into consideration the plethora of laws and their continuous advancements, the recommended solution is to create an internal compliance system within the company. Considering the number of startups operating in this space, the solution can be to take outside counsel in the case of smaller and medium-sized companies. The compliance system needs to focus on not just ensuring compliance with the existing laws but to ensure regular training and raising awareness in the organization, auditing the business of the company, ensuring the security of data and for companies engaged in cross border business and trade, to ensure reduction of the risk of violation of applicable laws and compliance with export controls and sanctions laws.
Such compliance programs must be able to identify red flags and protect unauthorized data transfers and access through not just tangible but intangible transfers as well. Intangible transfers include the exchange or dissemination of knowledge, skills, and technical expertise; digital and online transfers like uploading on the cloud, via email or teleconferencing and webinars; providing data vide open-source technologies; data and algorithm sharing; intellectual property transfer; employee exchanges; creation of joint ventures; remote technical supports, etc.
For companies engaged in international trade, especially those looking at developing and deploying AI extraterritorially or in India using foreign-made components and technologies, there is the additional consideration of international export controls and sanctions. For instance, trade with countries like Russia and Belarus, though not prohibited by Indian laws, can be damaging for businesses looking at trading with countries such as the United States, European Union, United Kingdom, Japan, etc., considering the geopolitical positions of countries. Notably, the United States, working with the European Union, Japan, and the United Kingdom, has developed the Common High Priority List, which includes items that Russia seeks to procure for its weapons programs, including electronic integrated circuits, machines for the reception, conversion and transmission or regeneration of voice, images, or other data, radar apparatus, capacitors, ball bearings, roller bearings, optical devices, transformers, connectors, diodes, transistors, semiconductor devices, etc.
Such businesses must take appropriate measures to improve their credibility, including implementing a quality Internal Compliance Program targeting compliance with not just Indian but international export control and sanctions laws. Such businesses can also opt for schemes such as the Authorized Economic Operator program and the Validated End-User program. Notably, the Validated End-User program has recently been mandated by the US Bureau of Industry and Security with respect to trade by the United States concerning AI and the export of advanced computing Integrated Circuits and related items in the recently published Interim Final Rule on January 15, 2025. The Validated End-User program allows exporters from the United States to ship designated items to pre-approved entities under a general authorization instead of under multiple individual export licenses, thereby ensuring easy, quick and reliable access to US products and technology that are governed by export controls.
Going forward, navigating AI regulations and voluntary compliance will be key for Indian businesses to mitigate risks, foster innovation, and stay relevant globally. With the regulatory landscape becoming increasingly complex and interlinked, companies must stay abreast with not just Indian but international laws and adapt their organizational structure to harness the AI revolution and stay ahead of the curve in the incoming AI revolution. What will make businesses in this space to stand apart and garner credibility will be their compliance not just with the letter of law but more importantly the spirit of law.
DISCLAIMER: The views expressed are solely of the author and ETLegalWorld does not necessarily subscribe to them. ETLegalWorld will not be responsible for any damage caused to any person or organization directly or indirectly.
