Back to Blog
7 min read

India Plans Risk-Based AI Law with RBI, SEBI as Sector Regulators

India's proposed risk-based AI law, signalled 6 July 2026, places low-risk AI like chatbots under minimal rules and high-risk banking and health AI under RBI, SEBI, and IRDAI oversight.

India Plans Risk-Based AI Law with RBI, SEBI as Sector Regulators

India Proposes a Risk-Based AI Law on 6 July 2026

An Indian government official briefed The Economic Times on 6 July 2026 on a proposed AI regulatory framework that would sort artificial intelligence systems into risk tiers and apply graded rules to each — a structure that mirrors the European Union's AI Act in architecture but would be substantially lighter in legal force. The briefing represents the clearest public signal yet that India intends to regulate AI through a dedicated, tiered framework rather than relying entirely on existing statutes, sector-specific guidance from financial regulators, or the voluntary AI principles published by MeitY in 2021. No draft bill, formal consultation paper, or legislative timeline has been made public as of 6 July 2026, but the framework's shape is now on the record.

The Two Risk Tiers: Low-Risk and High-Risk

The proposed framework divides AI systems into risk categories with rules matched to each band. Low-risk AI — including chatbots, productivity tools, and content recommendation systems — would face minimal regulatory requirements. The low-risk designation is designed to avoid burdening the large majority of enterprise AI deployments, consumer applications, and developer tooling with compliance overhead that regulators consider disproportionate to the actual risk those systems present.

High-risk AI systems are defined as those operating in banking, finance, health, and critical infrastructure. The official confirmed these sectors would face stricter duties: more detailed documentation requirements, pre-deployment risk assessments, and ongoing obligations around monitoring, incident reporting, and human oversight. The naming of banking and finance as high-risk aligns with what the Reserve Bank of India has already been moving toward independently in its own guidance on AI model risk management for financial institutions, published in early 2026.

Sectoral Regulators as Front-Line Enforcers

A structurally significant element of the proposed framework is the delegation of AI oversight to existing sectoral regulators rather than the creation of a new standalone AI authority. The Reserve Bank of India, the Securities and Exchange Board of India, and the Insurance Regulatory and Development Authority of India would be empowered to prescribe their own sector-specific AI rules within the high-risk tier. This means fintech, investment management, insurtech, and banking companies would face AI compliance requirements shaped by the regulators who already oversee their core operations — bodies with existing domain expertise in financial system risk — rather than a new vertical AI regulator whose institutional knowledge of sector-specific risk would need to be built over years.

The practical implication of this structure is that Indian AI regulation in high-risk sectors will evolve unevenly. RBI is already the most active of the three in AI governance — its 2026 guidance on AI model risk management for banks and NBFCs is already in effect. SEBI's AI rules for securities and investment management are expected to follow. IRDAI's AI requirements for insurance applications are the least developed of the three as of July 2026. Companies operating across multiple regulated sectors will face a mosaic of sector-specific AI obligations rather than a single unified compliance framework.

The Emergency Disable Clause

The proposed framework includes a provision that has reportedly been under government consideration for over a year: a "disable clause" that would allow authorities to order a company to switch off a dangerous AI system or compel the disclosure of its technical details in an emergency. The clause targets AI systems operating in high-risk sectors such as financial infrastructure, health systems, and critical public utilities. The 6 July briefing did not specify which authority would hold the power to invoke the disable clause, what conditions would constitute a qualifying emergency, or the technical scope of the required disclosure. The absence of these details means the clause is currently a stated intent rather than an operationally defined regulatory power.

The National AI Security Incident Database

The framework also references a potential national database for AI-related security incidents. Modelled loosely on cybersecurity incident reporting systems, the database would aggregate information on AI system failures, unexpected outputs, and security events across regulated sectors. A centralised incident registry allows regulators to identify systemic patterns — a particular model architecture causing repeated failures across multiple institutions, or a vendor whose systems generate disproportionate incident volumes — that would be invisible if each organisation only reported to its immediate sector regulator. No technical specification for the database, reporting timelines, or responsible authority has been shared publicly.

How India's Proposed Law Compares to the EU AI Act

The government official explicitly compared India's approach to the EU AI Act: both frameworks use risk tiering and ease rules for low-risk applications. The structural difference is in legal force and mechanism. The EU AI Act is binding primary legislation with mandatory conformity assessments for high-risk systems, requirements for post-market monitoring, and direct financial penalties — up to 3 percent of annual global turnover — for non-compliance. India's proposed approach, as described on 6 July 2026, leans on existing statutes and voluntary codes rather than new primary legislation with independent enforcement powers. This makes the Indian framework lighter to enact and more adaptable as the technology evolves, but also means compliance obligations will initially resemble enforceable best-practice guidance more than hard legal duties — a common approach among non-EU countries seeking to signal AI governance intent without locking in rigid rules for a rapidly changing technology.

What This Means for Indian Tech Builders and Startups

For Indian software companies and startups building AI products, the risk-tier structure clarifies the compliance planning horizon. Teams building chatbots, productivity tools, recommendation engines, or general-purpose developer tooling are in the low-risk band: minimal near-term regulatory change is expected for them. Teams building AI systems for lending decisioning, credit scoring, insurance underwriting, clinical decision support, or management of critical infrastructure are in the high-risk band and should begin preparing now — well before a draft bill is published. The RBI and SEBI are already operating in this space and are likely to issue additional sector-specific AI guidance independently of a broader legislative framework, on timelines that will not wait for the full law to be finalised.

For early-stage fintech and healthtech startups, the 6 July briefing is the signal to begin building AI governance documentation and internal risk assessment processes. Large Indian IT services companies delivering AI systems to regulated-sector clients internationally will also need to track whether India's framework, once published, creates compliance expectations that affect contracts with clients operating in India's regulated industries.

The Bottom Line

India's government briefed The Economic Times on 6 July 2026 on a proposed risk-based AI regulatory framework. Low-risk AI — chatbots, productivity tools, recommendation systems — faces minimal rules. High-risk AI in banking, finance, health, and critical infrastructure faces stricter duties overseen by RBI, SEBI, and IRDAI as sector regulators. The proposal includes an emergency disable clause for dangerous AI systems and a national AI security incident database. No draft bill or formal timeline has been published. India's approach mirrors the EU AI Act's risk-tier architecture but is substantially lighter in legal force, relying on existing statutes and voluntary codes rather than new primary legislation. For Indian product teams, the high-risk tier definition is the key planning input: AI systems for fintech, insurtech, and health applications are in scope for meaningful compliance obligations, while general-purpose AI tools remain in the minimal-regulation low-risk band.

Frequently Asked Questions

What did India's government propose for AI regulation on 6 July 2026?+

An Indian government official told The Economic Times on 6 July 2026 that India is developing a risk-based AI regulatory framework classifying AI systems by danger level. Low-risk AI — chatbots, productivity tools, and recommendation systems — would face minimal regulation. High-risk AI in banking, finance, health, and critical infrastructure would face stricter documentation, oversight, and compliance duties enforced by sectoral regulators: the Reserve Bank of India, the Securities and Exchange Board of India, and the Insurance Regulatory and Development Authority of India. The proposal also includes an emergency disable clause for dangerous AI systems and a national AI security incident database. No draft bill, consultation paper, or legislative timeline has been published as of 6 July 2026.

What is the emergency disable clause in India's proposed AI framework?+

The disable clause is a proposed regulatory provision that would allow Indian government authorities to order a company to switch off an AI system it judges dangerous, or compel disclosure of the system's technical details in an emergency. The clause targets AI systems operating in high-risk sectors such as financial infrastructure, health systems, and critical public utilities. The 6 July 2026 briefing did not specify which authority holds the power to invoke it, what conditions constitute a qualifying emergency, or what technical disclosure would be required. The provision has reportedly been under government consideration for over a year and remains at an intent stage without operationally defined parameters.

How does India's proposed AI law compare to the EU AI Act?+

Both frameworks use risk-based tiering: low-risk AI faces minimal rules, high-risk AI faces stricter requirements. The key difference is legal force. The EU AI Act is binding primary legislation with mandatory conformity assessments for high-risk systems, post-market monitoring requirements, and direct financial penalties of up to 3 percent of annual global turnover for non-compliance. India's proposed approach, as described on 6 July 2026, relies on existing statutes and voluntary codes rather than new primary legislation, with sectoral regulators as front-line enforcers rather than a new standalone AI authority. India's framework is lighter to enact and revise but provides weaker initial enforcement guarantees than the EU model.

Which Indian tech sectors face the highest AI compliance risk under the proposed law?+

Fintech, banking technology, insurtech, and health technology companies face the highest compliance risk. AI systems used in lending decisioning, credit scoring, insurance underwriting, investment recommendations, clinical decision support, and management of critical infrastructure are explicitly named as high-risk applications. These sectors would be regulated by their existing sectoral overseers — RBI for banking and NBFCs, SEBI for securities and investment management, and IRDAI for insurance — under AI-specific rules those regulators will be empowered to prescribe. Companies in these sectors should begin building AI governance documentation, internal risk assessments, and human oversight mechanisms in advance of formal regulatory publication, given that RBI and SEBI are already active in this space.

TT

Written by

TechPillow Team

Sharing insights on technology, product development, and the Indian tech ecosystem.

Ready to Build Something Extraordinary?

From ideation to launch, we're your end-to-end technology partner.

Book a Free Strategy Call