On this page · 10 sections
Summary. India's Information Technology Amendment Rules, 2026 took effect on February 20, 2026, ten days after the Ministry of Electronics and Information Technology (MeitY) notified them on February 10. They define "synthetically generated information" (SGI) for the first time, cut the deadline for removing flagged unlawful content to 3 hours from 36, and require AI-generated media to carry a prominent label plus permanent provenance metadata. Miss the window and a platform can lose safe harbour, exposing it to liability that, alongside the Digital Personal Data Protection Act, 2023, can reach ₹250 crore per breach. Union Minister Ashwini Vaishnaw framed the intent plainly: "what is illegal ... in the physical world is also illegal online."
For founders, marketers and platform teams, this is no longer a consultation draft. It is enforceable law with a compliance clock that already started. Here is what changed, what it requires, and what to do about it.
What changed on February 20, 2026
The amendment edits the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 rather than creating a new statute. Its central move is defining SGI as information that "appears to be reasonably authentic or true but is artificially or algorithmically generated, modified, or altered using a computer resource." That definition pulls deepfakes, AI-cloned audio and synthetic video into the existing due-diligence framework that governs intermediaries.
The ten-day gap between notification on February 10 and enforcement on February 20 gave platforms almost no runway. As of February 20, 2026, the obligations below are live, and non-compliance is measured against them from day one.
| Area | Before February 2026 | After February 20, 2026 |
|---|---|---|
| Takedown deadline (flagged content) | 36 hours | 3 hours |
| AI-generated content | Undefined in the rules | Defined as SGI |
| Labelling of AI media | Not required | Prominent label required |
| Provenance | Not required | Permanent unique identifier |
| Safe harbour | Broad | Conditional on due diligence |
The 3-hour takedown rule
The headline change is speed. For flagged unlawful content acted on through a court order or an authorised government notice, intermediaries must remove or disable access within roughly three hours, down from the earlier 36-hour window. Vaishnaw has said enforcement action on social-media posts is restricted to deepfake and unlawful content, an attempt to answer over-removal concerns raised during consultation.
The stakes are structural, not just operational. Under the amended rules, a platform that fails its due-diligence duties, including the three-hour removal, risks losing safe harbour protection under Section 79 of the IT Act. Analysts describe the effect bluntly: wilful blindness, knowing about unlawful SGI and doing nothing, now functions as a statutory failure of due diligence.
Labelling and provenance: what the rules actually require
Here is the part most coverage gets wrong. The October 2025 draft proposed that a visible watermark cover 10 percent of a synthetic image's surface area. That fixed 10 percent mandate was dropped from the final rules. In its place, the Amendment Rules set a qualitative standard: visual SGI must carry a label that is prominent, easily noticeable and adequately perceivable, and audio SGI must carry a prominently prefixed audio disclosure. Platforms must also embed permanent provenance metadata with a unique identifier that traces content back to the originating service.
So the obligation is real, but it is a "clearly and prominently labelled" test, not a pixel-percentage rule. X has already rolled out "Made with AI" labels as the rules tightened. The table below maps each obligation to who carries it.
| Obligation | Requirement | Applies to |
|---|---|---|
| Rapid takedown | Remove flagged content within 3 hours | All intermediaries |
| SGI labelling | Prominent, perceivable label on synthetic media | Platforms hosting SGI |
| Provenance metadata | Permanent unique identifier on the content | Generating platforms |
| Technical measures | Deploy tools to detect and prevent unlawful SGI | Significant social media intermediaries |
| User declaration | Require users to declare synthetic uploads | All platforms |
What it means for brands and marketers
If your team ships AI-generated images, voiceovers or video in Indian campaigns, the labelling duty reaches you in practice even though the legal duty sits on the platform. Ad creative that hides its synthetic origin can be relabelled or removed by the host platform, and a takedown mid-campaign is worse than a disclosed label. The workable posture is to label AI creative at the source, keep provenance metadata intact through your production pipeline, and document which assets are synthetic. Content-authenticity tooling helps here; our note on SynthID watermarking for marketers covers the provenance side.
What it means for platforms and intermediaries
Significant social media intermediaries carry the heaviest load: deploy technical measures to detect and prevent unlawful synthetic media, label permitted SGI, embed traceable metadata, and act on lawful orders inside the three-hour window. The design problem is that these duties collide. Aggressive automated detection risks over-removal, which Vaishnaw's "deepfake content only" framing warns against, while under-detection forfeits safe harbour. Building a defensible middle path, with logged decisions, human review for edge cases, and an audit trail, is now an engineering requirement, not a policy nicety. For the wider governance picture, see our India sovereign AI and DPDP overview.
India-specific considerations
These rules do not stand alone. They sit alongside the DPDP Act, 2023 and its 2025 rules, so a synthetic asset built from a real person's likeness can trigger both content-labelling duties and data-protection consent duties at once. Vaishnaw has said India's "techno-legal" template is drawing international interest, with three countries signalling they want to model their frameworks on it. For any company operating in India, treat SGI labelling and DPDP consent as a single compliance workstream rather than two, because the same asset often falls under both. Our enterprise AI strategy guide puts this in the broader planning context.
What to do this quarter
Map every place your product or campaigns generate or host synthetic media, then attach a label and provenance metadata at the point of creation. Set an internal removal target well inside three hours for anything flagged by a lawful order, and rehearse it. Keep a log of takedown decisions and labelling actions, because the audit trail is what preserves safe harbour if a regulator asks. Treat this as live compliance, not a draft to monitor.
FAQ
How eCorpIT can help
eCorpIT is a Gurugram-based, CMMI Level 5 technology consultancy that builds content and compliance workflows aligned with India's IT Rules and DPDP requirements. Our senior engineering teams design SGI labelling and provenance pipelines, takedown and grievance tooling, and audit logging that helps platforms preserve safe harbour. We design applications aligned with these frameworks rather than claiming certification. To scope a compliance build, talk to our team.
References
- India introduces mandatory labelling for AI and 3-hour takedown for illegal content - Hogan Lovells.
- MeitY notifies the IT Amendment Rules 2026 - Khaitan & Co.
- India targets deepfakes and AI-generated content: key changes under MeitY's 2026 amendments - Lexology.
- "What is illegal offline is illegal online": Ashwini Vaishnaw on India's deepfake regulation roadmap - ANI.
- India targets deepfakes and AI-generated content: key changes under MeitY's 2026 amendments - Freshfields.
- SGI regulation under India's IT Amendment Rules 2026 - Khurana & Khurana.
_Last updated: July 10, 2026._