Published Paper Details:

Abstract Corporate liability for cybercrimes in India has moved from a narrow focus on individual wrongdoers to a wider scrutiny of organisational systems, board oversight, digital supply chains, and technology partners. This shift became sharper after the "Indian Computer Emergency Response Team (CERT-In) Directions dated 28 April 2022" imposed a six-hour reporting window, uniform time synchronisation, and log retention for a large class of service providers and corporate entities, since any silence or delay now points directly to organisational default rather than to a faceless attacker. At the same time, the "Digital Personal Data Protection Act, 2023" created an administrative penalty regime of up to INR 250 crore for failure to take reasonable security safeguards, thereby converting many data compromise situations from a criminal pursuit to a regulatory and quasi-civil exposure that still sits side by side with the criminal offences in the "Information Technology Act, 2000" and allied laws. The study explores how "Section 85 of the Information Technology Act, 2000" builds vicarious liability on persons in charge, how "Section 79 of the Information Technology Act, 2000" retains conditional immunity for intermediaries, how the 2021 Intermediary Rules as updated on 6 April 2023 expand due diligence, and how the new criminal codes, mainly the "Bharatiya Nyaya Sanhita, 2023" and the "Bharatiya Sakshya Adhiniyam, 2023", supply the general criminal law backdrop for corporate cyber prosecutions after 1 July 2024. The paper reads these instruments together with leading rulings such as "Standard Chartered Bank v. Directorate of Enforcement", "Iridium India Telecom Ltd v. Motorola Inc.", and "Shreya Singhal v. Union of India" to show that Indian courts are ready to attach mens rea to juristic persons, to pierce managerial layers, and to deny safe harbour where platform conduct becomes active. The analysis culminates in governance-oriented suggestions and a harmonised view of corporate-facing duties across IT Act, CERT-In, DPDP, and BNS regimes.