What Is the Penalty for Non-compliance with IT Rules, 2021? Fines, Safe-harbour Loss & Criminal Risk for Intermediaries

Every digital platform operating in India, from social-media giants and cloud-hosting providers to niche e-commerce marketplaces, must grapple with one critical compliance question: what is the penalty for failing to observe the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021? The consequences are neither theoretical nor trivial. Non-compliant intermediaries face a cascading set of risks that includes loss of statutory safe-harbour protection under Section 79 of the IT Act, 2000, exposure to civil and criminal proceedings under multiple overlapping statutes, government-issued blocking and takedown orders, and severe reputational damage that can erode user trust overnight.

With the Ministry of Electronics and Information Technology (MeitY) uploading updated intermediary guidance material on 10 February 2026, the regulatory posture has hardened, and enforcement signals indicate that the era of passive oversight is ending.

Quick Answer, What Penalties Can Apply to Intermediaries and Platforms?

Before diving into the legal mechanics, compliance officers and in-house counsel need the headline picture. The IT Rules 2021, read together with the parent IT Act, 2000, and other applicable statutes, expose non-compliant intermediaries to five distinct categories of adverse consequence:

• Loss of safe-harbour protection. Under Section 79 of the IT Act, an intermediary forfeits its immunity from liability for third-party content if it fails to observe the due diligence obligations prescribed in Rule 3 of the IT Rules 2021. Once safe harbour is lost, the platform is treated as a publisher and becomes directly liable for unlawful user-generated content.
• Administrative and financial penalties. Sections 43A, 45 and 46 of the IT Act empower the government to impose monetary penalties, up to ₹5 crore per contravention in certain categories, on bodies corporate that fail to implement reasonable security practices or comply with prescribed rules.
• Criminal prosecution of officers and entities. Sections 67, 67A, 67B and 85 of the IT Act, along with provisions of the Bharatiya Nyaya Sanhita (BNS), create criminal liability for individuals, including company directors and compliance officers, when platform non-compliance facilitates the publication or transmission of prohibited content.
• Blocking and takedown orders. Under Section 69A of the IT Act and the corresponding Blocking Rules, MeitY can direct intermediaries to block access to specific content or entire platforms. Failure to comply with a blocking order is itself a criminal offence punishable with imprisonment of up to seven years and a fine.
• Reputational and commercial sanctions. Beyond statutory penalties, non-compliance triggers contractual cascades, loss of advertising partnerships, app-store de-listing, investor concern and user attrition, that can be existentially damaging to platform businesses.

Industry observers expect enforcement activity to accelerate through 2026 as MeitY builds institutional capacity and leverages the Intermediary Guidelines 2026 materials to hold platforms accountable in real time.

Legal Framework and Scope: IT Act 2000, IT Rules 2021 and the 2026 Updates

Understanding what is the penalty for any specific breach requires mapping three layers of regulation: the parent statute, the subordinate rules, and the evolving regulatory guidance. The framework has been amended several times since its inception, and each iteration has expanded both the scope of obligations and the severity of consequences.

What Counts as an Intermediary Under the Act

Section 2(1)(w) of the IT Act, 2000 defines an “intermediary” broadly. The term covers any person who, on behalf of another, receives, stores or transmits electronic records or provides any service with respect to such records. Practical examples include social-media platforms, internet service providers (ISPs), cloud-hosting services, search engines, online marketplaces, online gaming platforms and messaging applications. The IT Rules 2021 further distinguish between ordinary intermediaries and significant social media intermediaries (SSMIs), platforms with 50 lakh or more registered users in India, which carry additional obligations.

Key Rule Citations and Legislative Timeline

The core obligations for intermediaries are set out in Part II of the IT Rules 2021, particularly Rules 3, 4 and 5. Rule 3 prescribes “due diligence” requirements, publishing terms of service, establishing a grievance redressal mechanism, and honouring government takedown orders within prescribed timelines. Rule 4 imposes additional due diligence on SSMIs, including appointing a Chief Compliance Officer, a Nodal Contact Person and a Resident Grievance Officer, all of whom must be resident in India. Rule 5 governs the Grievance Appellate Committee mechanism introduced by the 2023 amendment.

Summary of Penalties and Enforcement Routes Under IT Rules 2021

One of the most common misconceptions is that the IT Rules 2021 themselves prescribe standalone monetary fines for each breach. In reality, the Rules operate primarily through a conditional safe-harbour mechanism: compliance with prescribed due diligence is the price of immunity. When that compliance lapses, penalty exposure flows from the parent IT Act, other statutes, and court-ordered remedies. The table below maps the principal penalty categories, their legal bases, illustrative ranges and the enforcing authorities.

The critical takeaway from this penalty map is that the IT Rules 2021 do not need to prescribe standalone fines to be consequential. Their power lies in conditioning safe-harbour on compliance, and the moment safe harbour falls away, a cascade of liabilities under multiple statutes is triggered simultaneously.

How Loss of Safe Harbour Happens, Legal Mechanics and Consequences

Section 79 of the IT Act is the central safe-harbour provision for intermediaries in India. It grants immunity from liability for third-party information, data or communication links made available or hosted by the intermediary, but only if three cumulative conditions are satisfied. The intermediary must not initiate the transmission, select the receiver, or modify the information. It must observe due diligence as prescribed under the Rules. And it must act expeditiously to remove or disable access to material upon receiving actual knowledge or a government/court order. The loss of safe harbour under the IT Rules 2021 is therefore the single most consequential penalty an intermediary can face, because it converts a shielded platform into an exposed publisher.

Triggers for Loss of Intermediary Protections

An intermediary forfeits safe harbour when it fails to satisfy any of the due diligence requirements in Rule 3 (for all intermediaries) or Rule 4 (additional obligations for SSMIs). The most common triggers include:

• Failure to publish required policies. Rule 3(1)(a) requires intermediaries to prominently publish rules, regulations, privacy policy and user agreement that inform users not to host, display, upload or share prohibited content.
• Failure to act on complaints within prescribed timelines. Rule 3(1)(d) requires an intermediary to acknowledge a complaint within 24 hours and resolve it within 15 days. Non-compliance with these timelines, particularly for content relating to impersonation, nudity or morphed images of women, can strip safe harbour.
• Failure to appoint mandatory officers (SSMI). Rule 4(1)(a) requires SSMIs to appoint a Chief Compliance Officer, a Nodal Contact Person and a Resident Grievance Officer, all of whom must be residents of India. Non-appointment means the SSMI is non-compliant from day one.
• Failure to enable traceability (SSMI). Rule 4(2) requires SSMIs providing messaging services to enable identification of the first originator of information when directed by a court or government order. This remains one of the most contested obligations, but non-compliance carries the same safe-harbour consequences.
• Failure to comply with government directions. Rule 3(1)(b) requires intermediaries to inform users about and comply with government orders for information removal or access disabling within 36 hours of receipt.

Consequences of Losing Safe Harbour

Once safe harbour is lost, the intermediary is treated as a publisher or originator of the content. The practical consequences are severe and immediate:

• Unlimited civil liability. The platform becomes directly liable in defamation, intellectual property infringement, privacy violation and other tort claims filed by affected individuals. Damages are not capped.
• Injunctive relief. Courts can grant mandatory injunctions requiring the platform to remove content, alter algorithms or even suspend services, measures that would ordinarily be unavailable against a protected intermediary.
• Criminal exposure. Without safe harbour, the intermediary and its officers may be prosecuted as principals or abettors for offences committed through user-generated content, rather than being shielded as neutral conduits.
• Contractual cascading. Loss of safe harbour frequently triggers breach-of-representation clauses in advertising agreements, partnership contracts and investor covenants, compounding the financial damage well beyond regulatory fines.

Criminal Exposure, When Intermediaries or Officers Risk Criminal Prosecution

A recurring question from platform compliance teams is whether the IT Rules 2021 themselves create new criminal offences. They do not in isolation. However, non-compliance with the Rules removes the protective shield that would otherwise prevent criminal prosecution under a range of existing statutes. The practical effect is that the Rules function as a gateway: comply, and the criminal statutes remain largely inapplicable; fail to comply, and officers face personal prosecution risk.

Overlap with IT Act, BNS and Other Statutes

The primary criminal provisions applicable to intermediaries include Sections 67 (publishing obscene material), 67A (sexually explicit material), and 67B (child sexual abuse material) of the IT Act, each carrying imprisonment terms of up to five or seven years. Section 69A, read with the Blocking Rules, criminalises non-compliance with blocking orders with imprisonment up to seven years. Beyond the IT Act, the BNS provisions on abetment and criminal conspiracy can apply where a platform knowingly fails to remove content that constitutes a criminal offence. Copyright infringement under the Copyright Act, 1957 and offences under the Protection of Children from Sexual Offences (POCSO) Act, 2012 also create criminal liability that the safe-harbour shield would ordinarily deflect.

Practical Scenarios Illustrating Criminal Risk

Consider a hosting provider that receives a government order under Section 69A to block access to specified URLs and fails to comply within the stipulated timeline. That failure is itself a criminal offence, regardless of the nature of the content. Alternatively, consider an SSMI that has not appointed a Resident Grievance Officer. A user reports non-consensual intimate imagery. The platform has no mechanism to process the complaint within 24 hours as required by Rule 3(2)(b). The victim files a criminal complaint. Without safe-harbour protection, lost because of the officer-appointment failure, the platform’s executives face potential prosecution for abetment or negligence facilitating the offence.

In a third scenario, an online marketplace is aware of counterfeit goods being sold by a vendor but fails to act on takedown notices. Once safe harbour is forfeited, the marketplace faces prosecution for criminal conspiracy in trademark counterfeiting alongside the infringing vendor.

These scenarios are not hypothetical. Industry observers expect enforcement authorities to pursue test cases against non-compliant platforms to establish precedent and signal the seriousness of the regulatory framework.

Enforcement Signals Since 2024–2026, What Regulators Are Doing Now

The MeitY upload of 10 February 2026 is significant not because it introduces new legal provisions, but because it signals a consolidation of regulatory expectations and an operational readiness for enforcement. The document updates and reiterates the intermediary due diligence framework, clarifies government expectations on compliance timelines, and aligns the guidance with recent judicial developments.

Alongside this, MeitY has been issuing blocking orders under Section 69A with increasing frequency. The Government of India notified the IT Rules 2021 on 25 February 2021, and since that date, hundreds of blocking orders have been issued to platforms ranging from social-media services to VPN providers. The Ministry of Information and Broadcasting has simultaneously exercised its powers under Part III of the Rules to issue directives to digital news publishers and OTT platforms regarding content that violates the Code of Ethics.

The establishment of the Grievance Appellate Committees, three committees notified in January 2023, adds another enforcement channel. Users dissatisfied with intermediary responses to complaints can now escalate to these government-appointed bodies, which have the power to issue binding orders to platforms. Early indications suggest these committees are becoming more active and are likely to generate a body of compliance-enforcement jurisprudence that will shape platform behaviour going forward.

Mitigation and Compliance, Intermediary Due Diligence Checklist

Understanding what is the penalty is only half the equation. Platforms need a structured, actionable programme to mitigate those penalties. The following intermediary compliance checklist maps each obligation to the relevant Rule and provides a clear, prescriptive action item. Compliance officers should treat this as a baseline, legal counsel should tailor each item to the platform’s specific risk profile and sector.

Technical Measures, Content Moderation and Traceability

• Rule 3(1)(b), Automated content filtering. Deploy technology-based measures to proactively identify and remove content depicting child sexual abuse material, rape or content previously ordered to be removed by a court or government. Maintain audit logs of automated actions.
• Rule 4(2), First-originator traceability (SSMI messaging services). Implement a technical architecture that can identify the first originator of information in India when directed by a judicial or government order. Ensure the mechanism does not compromise end-to-end encryption of message content for all users, but enables originator identification for specific flagged communications.
• Rule 4(4), Grievance reporting mechanism. Build a prominent, easily accessible complaint intake system on the platform, accessible from every page or screen, that allows any user or victim to file a complaint with a unique tracking number.
• Rule 3(1)(j), 72-hour information preservation. Maintain systems to preserve information and associated records for 72 hours after receiving an order from a government agency, for investigation purposes.

Contractual Measures, Terms of Service and Indemnities

• Rule 3(1)(a), Terms of service. Publish comprehensive, India-specific terms of service that clearly inform users of the categories of prohibited content (as listed in Rule 3(1)(b)(ii)) and the consequences of violating those terms, including account termination.
• Vendor and partner contracts. Include intermediary-compliance warranties and indemnities in all contracts with content partners, advertisers and technology vendors. Ensure contractual chains do not create gaps where non-compliant content could enter the platform without oversight.
• User agreement consent flows. Ensure every user positively consents to the terms of use at registration and upon each material update, with auditable records of consent.

Operational, Grievance Redressal, Nodal Officer and Chief Compliance Officer

• Rule 4(1)(a), Appoint mandatory officers (SSMI). Appoint a Chief Compliance Officer (responsible for overall compliance), a Nodal Contact Person (24×7 liaison with law enforcement) and a Resident Grievance Officer (public-facing complaints handler). All must be residents of India and senior employees of the platform.
• Rule 3(2), Grievance redressal timelines. Acknowledge every complaint within 24 hours. Resolve complaints within 15 days. For complaints relating to content depicting nudity, sexual acts, impersonation or morphed images, remove or disable access within 24 hours of receipt.
• Rule 4(1)(d), Monthly compliance reports (SSMI). Publish a monthly compliance report detailing the number of complaints received, actions taken, and content removed, broken down by category. Ensure the report is publicly accessible and submitted to MeitY.

Documentation and Audits

• Maintain comprehensive records. Document every complaint, government order, blocking directive, and platform action taken in response. Retain records for the period prescribed by the Rules and any applicable data-retention law.
• Conduct periodic compliance audits. At minimum, conduct an annual internal audit of intermediary-compliance processes, officer appointments, and technical measures. Engage external counsel or auditors where the platform operates as an SSMI.
• Train staff. Ensure all relevant personnel, legal, trust and safety, engineering, customer support, are trained on IT Rules obligations, escalation protocols and government-liaison procedures.

Practical Drafting Examples and Templates to Preserve Safe Harbour

Compliance is not just about internal processes, it must be embedded in the platform’s legal documentation. The following templates provide starting points that counsel should adapt to each platform’s specific circumstances. These are illustrative and do not constitute legal advice.

Sample Terms-of-Service Clause, Limiting Liability and Requiring User Compliance

“Users acknowledge that [Platform Name] operates as an intermediary as defined under Section 2(1)(w) of the Information Technology Act, 2000. Users shall not host, display, upload, modify, publish, transmit, store, update or share any information that: (i) belongs to another person to which the user does not have any right; (ii) is defamatory, obscene, pornographic, invasive of privacy, or otherwise unlawful; (iii) is harmful to children; or (iv) violates any applicable law for the time being in force. [Platform Name] reserves the right to terminate user accounts and remove content that violates these terms, and to cooperate with law enforcement agencies in accordance with applicable law.

Users agree to indemnify [Platform Name] against all claims arising from content uploaded or shared by the user.

This clause should be adapted to include the full list of prohibited content categories set out in Rule 3(1)(b)(ii) and should be rendered in the local languages of the platform’s user base where practicable.

Sample Notice-and-Takedown Protocol

“Upon receipt of a complaint from a user or a direction from a court or government authority: (1) the Grievance Officer shall acknowledge the complaint within 24 hours via the platform’s complaint-tracking system; (2) for complaints relating to content depicting nudity, sexual acts, impersonation or morphed images, the trust-and-safety team shall review and, where the complaint is substantiated, remove or disable access to the content within 24 hours; (3) for all other complaints, the Grievance Officer shall investigate and dispose of the complaint within 15 days; (4) the complainant shall be informed of the action taken; (5) all actions shall be logged in the compliance-reporting system for inclusion in the monthly compliance report.”

Platforms should ensure this protocol is integrated into their operational workflows with automated alerts and escalation triggers, not merely documented as a policy.

Sector Spotlight, Online Gaming Platforms and What Is Different

Online gaming platforms face a heightened compliance burden under the IT Rules 2021, particularly following the 2023 amendments that introduced provisions specifically targeting online games. Under Rule 3(1)(b)(v), intermediaries must make reasonable efforts to prevent users from hosting or sharing content relating to online games that are not verified by a self-regulatory body recognised by MeitY. Online gaming intermediaries are required to display a verification mark and inform users whether a game involves real-money wagering and the associated financial risks.

For gaming platforms, the penalty exposure is compounded by the interaction between IT Rules compliance and state-level gambling and gaming legislation, goods and services tax (GST) requirements, and consumer-protection regulations. A gaming platform that loses safe harbour not only faces the standard cascade of civil and criminal exposure described above, but also opens itself to state-level regulatory action, including potential licence revocation, and tax-enforcement proceedings where GST treatment depends in part on the platform’s legal characterisation as an intermediary or principal.

Industry observers expect the online gaming sector to be a priority enforcement target as MeitY and state regulators coordinate their compliance-verification efforts through 2026 and beyond.

Obligations by Entity Type, Comparison Table

Conclusion, How to Mitigate IT Rules Penalties: Two Steps Every Platform Should Take Now

The question of what is the penalty for non-compliance with the IT Rules, 2021 has no single numerical answer, because the penalty framework is not a fixed fine schedule but a graduated, multi-layered system of consequences anchored in the conditional safe-harbour mechanism. Loss of safe harbour is the trigger event, and once it occurs, liability compounds across civil, criminal and regulatory dimensions simultaneously. The 2026 enforcement signals from MeitY make clear that regulatory patience is finite and that platforms operating in India without a robust compliance programme are accepting an escalating, existential risk.

Platforms should take two immediate steps. First, conduct a comprehensive compliance gap assessment against every obligation in Rules 3, 4 and 5, using the checklist above as a baseline. Second, remediate identified gaps, appoint officers, update terms of service, deploy technical safeguards, and implement documented grievance-redressal protocols, before the next enforcement cycle. How to mitigate IT Rules penalties is ultimately a question of institutional commitment: the platforms that invest in compliance infrastructure now will preserve their safe harbour, and those that do not will face the full weight of a regulatory framework designed to hold them accountable.

Sources

1. Ministry of Electronics & Information Technology (MeitY), Intermediary Guidelines (Feb 10, 2026 upload)
2. MeitY, IT Rules 2021 (consolidated, updated 06.04.2023)
3. Ministry of Information & Broadcasting (MIB), IT Rules 2021 PDF
4. PRS Legislative Research, IT Rules 2021 Tracker
5. LiveLaw, FAQs on IT Rules 2021
6. Cyril Amarchand Mangaldas, Intermediary Guidelines Analysis
7. Press Information Bureau (PIB), Government Notification (Feb 25, 2021)