CEA Invites Public Comments on Draft Cybersecurity Regulations for the Power Sector, 2025
Introduction
The digital transformation of power in India is advancing rapidly as a result of automation, smart grids, and information and operational technologies. Unfortunately, this digital transformation places the nation’s critical power infrastructure at greater risk from cybersecurity threats. In light of the recognized vulnerabilities, the Central Electricity Authority (“CEA”) has published the Draft CEA (Cyber Security in Power Sector) Regulations, 2025[1] for public consultation.
Explanation
The draft regulations apply to all entities operating in the generation, transmission, and distribution of electricity, as well as to power exchanges, load despatch centres, forecasting agencies, and vendors providing ICT or control systems. These entities, referred to as “Responsible Entities,” are required to implement prescribed cybersecurity measures.
The draft suggests that a Chief Information Security Officer (“CISO”) and an alternate CISO must be appointed in each organization. Both must be Indian nationals in the senior management tier, reporting directly to the top executive of the entity. Additionally, the regulations require each organization to establish an Information Security Division (“ISD”), which will run on a 24×7 basis and be staffed with qualified and certified cybersecurity professionals for monitoring, threat detection, and reporting. This is a shift from a reactive cybersecurity posture to a proactive one, as vigilance is to be operationalized and embedded as a norm in every power utility.
The regulations require extensive technical and procedural controls. Each responsible entity must create a Cyber Security Policy and a Cyber Crisis Management Plan (“CCMP”), both of which must be approved by the top management of the entity. Both the Cyber Security Policy and the Cyber Crisis Management Plan will set out roles and responsibilities, procedures and escalation processes, and incident management and response during a cyber event or emergency.
Technical controls will require the deployment of firewalls, intrusion detection and prevention systems, security information and event management (“SIEM”) tools, and web application firewalls. Each entity will also conduct regular vulnerability assessments, penetration tests, and risk analyses to identify and eliminate cyber risks. Remote access to critical systems is to be tightly regulated. The draft mandates multi-factor authentication, activity logging, and session monitoring for all remote operations. Regular patch management, configuration reviews, and continuous updates of antivirus and firmware are compulsory. These requirements ensure that cybersecurity is continuously maintained, not treated as a one-time compliance exercise.
Recognising the interconnected nature of the energy sector, the draft regulations impose obligations on vendors and service providers. In addition, utilities need to include cybersecurity expectations in procurement contracts and conduct security assessments of all web applications, portals and digital systems before they are put into operation. This focus on “security by design” is aimed at addressing vulnerabilities that arise from third-party components and preventing the supply chain from becoming the entry point of a cyberattack.
Entities are required to perform cybersecurity audits, both post-mortem and targeted, on a timely basis. The audits will be required to examine IT and operational technology (“OT”) environments and categorize vulnerabilities by severity. Critical and high-risk deficiencies will have to be remediated without delay, and compliance reports will be submitted to the CEA.
The draft also obligates utilities to report all major cybersecurity incidents to CSIRT-Power within a specified timeframe, so that real-time data on cyber threats can be collected on an ongoing basis to support coordinated responses and policy measures. The CEA’s implementation framework includes coordination with national agencies, such as CERT-In and the National Critical Information Infrastructure Protection Centre (“NCIIPC”), with respect to overall compliance and coordination at the national level.
The draft regulations for 2025 build upon the previously issued Cyber Security in Power Sector Guidelines, 2021. While the 2021 Guidelines were merely advisory in nature, the draft introduces standards that are intended to be enforceable as legal requirements. The draft also supplements existing national cybersecurity initiatives under the Information Technology Act, 2000, and under the direction of CERT-In. The end goal of the draft regulations is to create an integrated and harmonised cybersecurity framework that covers both information technology and operational technology in the electricity sector.
Conclusion
The draft CEA (Cyber Security in Power Sector) Regulations, 2025 represent an important milestone in establishing a secure digital foundation for the power infrastructure in India. The framework aims to embed cybersecurity into the power ecosystem through institutional responsibility, technical controls and mandatory audits. The real challenge now is the implementation of the framework, with resource constraints, securing the cooperation of stakeholders and modernising legacy systems being the areas to address.
[1] https://cea.nic.in/wp-content/uploads/notification/2025/10/Draft_Central_Electricity_Authority_Cyber_Security_in_Power_Sector_Regulations_2025__Invitation_of_Public_Comments..pdf