A sweeping new study by the National Cyber and AI Center (NCAIC) lays bare the vulnerabilities lurking beneath India’s digital boom — and charts a bold path forward.
The Digital Gold Rush Has a Dark Side
India is the world’s largest instant payments market. With over a billion Aadhaar-linked identities and UPI transactions running into billions every month, the country’s digital economy is the envy of the world. But the State of Cybersecurity and AI in India (2025) report, prepared by NCAIC and released on Independence Day 2025, delivers an uncomfortable verdict: India’s expansion into the digital frontier is outpacing its ability to defend it.
Adversaries are no longer faceless hackers in basements. They wield generative AI to craft deepfakes, launch polymorphic malware, and run industrial-scale social engineering scams. The so-called “digital arrest” scam — where criminals impersonate authorities using AI-generated video — is just one chilling example of what’s already happening on Indian soil.
Who Is Most at Risk?
The report identifies BFSI (banking, financial services, and insurance), healthcare, government bodies, manufacturing, and telecom as the sectors under the heaviest fire. The threat isn’t abstract — high-value UPI fraud, ransomware crippling hospital systems, and attacks on legacy power grid control systems are cited as active, ongoing dangers.
Large banks and telecom firms are relatively well-prepared. The glaring weak spots are MSMEs and tier-2/3 government bodies, which often lack basic patch management, identity controls, and incident response capabilities. Supply chain attacks — infiltrating systems through third-party vendors — remain a chronically underaddressed gap.
The Rules Are Changing, But Can Organisations Keep Up?
India’s regulatory architecture is genuinely strengthening. The Digital Personal Data Protection (DPDP) Act 2023, CERT-In’s mandatory 6-hour breach reporting rules, and tighter oversight from the RBI, SEBI, and IRDAI are pushing organisations toward better security hygiene. The report acknowledges this momentum, but flags a critical bottleneck: compliance capacity among smaller businesses and public entities is deeply uneven. Rules without implementation are just paperwork.
AI: Threat and Shield
The report is clear that AI isn’t just the enemy — it’s also India’s best weapon. Security Operations Centres are already deploying AI co-pilots to accelerate threat detection. Fraud analytics powered by machine learning are stopping UPI scams in real time. Automated malware analysis pipelines can now process threats at a scale no human team could match.
But with AI adoption comes new risk. Prompt injection attacks, compromised training data, deepfake-enabled fraud, and model supply chain vulnerabilities are emerging as the next frontier of cybercrime. The report urges organisations to treat AI systems with the same rigour as they do any critical infrastructure.
The Talent Crisis No One Is Talking About
Perhaps the most sobering finding: India faces an estimated shortfall of 3.5 million cybersecurity professionals by 2025, with 40% of existing graduates lacking practical, hands-on experience. The training infrastructure simply isn’t keeping up. The report calls for a national residency programme, university applied security labs, and a Women in Cyber-AI initiative — with an ambitious target of training 50,000 professionals over three years.
India’s 12-Month Plan
The NCAIC’s proposed action plan centres on five pillars: an AI-for-Cyber National Lab built on India’s own compute infrastructure; standardised GenAI security baselines for major sectors; a National Threat and Fraud Exchange linking banks, telcos, and payment providers with CERT-In; Cyber-AI Talent Clinics with micro-credentials; and an Annual Resilience Index to hold sectors and states publicly accountable.
The ambition is clear. India wants to stop being a consumer of global cybersecurity solutions and become a producer — exporting sovereign, AI-powered security capabilities to the world. Whether that vision becomes reality depends on execution. The clock is already ticking.
