DPDP Rules Notification Status: What Is in Force and What Is Pending
The DPDP Rules 2025 were notified on 13 November 2025. What is in force now, what starts in November 2026, and what waits for May 2027. Status as of July 2026.
On This Page
Regulatory status questions deserve a status page, not a news archive. This page states what is notified, what is in force, and what remains pending under the DPDP Act 2023 and the DPDP Rules 2025.
Status as of July 2026. For deadline planning and the full date-by-date roadmap, see the DPDP compliance timeline.
The Status Table
| Instrument | Status | Date |
|---|---|---|
| DPDP Act 2023 | In force. Presidential assent and Gazette publication | 11 August 2023 |
| Draft DPDP Rules | Superseded by the final Rules | Published 3 January 2025 |
| DPDP Rules 2025 | Notified. Binding law | 13 November 2025 |
| Data Protection Board of India | Established under the Rules notification | From 13 November 2025 |
| Consent Manager registration | Pending. Mandatory from Phase II | 13 November 2026 |
| SDF window compression | Proposed by MeitY, not gazetted | Proposal circulated January 2026 |
| Penalty enforcement | Pending. Expected at the end of the 18-month window | Expected May 2027 |
Each row is expanded below.
What Is in Force Today
The Act itself. The DPDP Act received Presidential assent on 11 August 2023. The obligations it creates for Data Fiduciaries exist now: valid notice under Section 5, consent that meets Section 6(1), withdrawal parity under Section 6(4), and the security safeguards duty under Section 8(5).
The Rules. The Digital Personal Data Protection Rules were notified on 13 November 2025, following the draft published on 3 January 2025. The notification converted procedure from proposal into law: the procedure behind the Section 8(6) breach notification duty, the Consent Manager eligibility conditions in Rule 4 and the First Schedule, and the operational detail behind notice and consent.
The Board. The Rules notification activated the constitution of the Data Protection Board of India, the adjudicatory authority that will hear complaints and impose penalties once enforcement begins.
The draft-to-final delta was procedural, not structural. An organisation that built against the January 2025 draft lost no work.
What Changes on 13 November 2026
Consent Manager registration becomes mandatory. Phase II of the Rules implementation closes the window for unregistered operation. Any entity acting as a Consent Manager, the registered intermediary defined in Section 2(g), must hold Data Protection Board registration under Section 6(9) from this date. The Rule 4 conditions, including Indian incorporation and the Rs 2 crore net worth test, take months to clear. The registration procedure sets out the sequence.
Most businesses have no registration obligation. A company managing consent for its own customers is a Data Fiduciary, not a Consent Manager. The distinction between the two determines which obligations apply.
The SDF question, still open. MeitY circulated a proposal in January 2026 to compress the Significant Data Fiduciary compliance window from 18 months to 12. If gazetted, SDF obligations under Section 10 would bind from November 2026 instead of May 2027. As of this page’s status date the compression has not been gazetted. Organisations likely to be classified as SDFs should plan for November 2026 anyway. A proposal from the ministry that drafted the Rules signals intent.
What Waits for May 2027
The 18-month general compliance window runs from the 13 November 2025 notification to 13 May 2027. Penalty enforcement by the Data Protection Board is expected from May 2027.
Enforcement is the activation of consequences, not the activation of obligations. When adjudication begins, the penalty tiers already fixed in the Act’s Schedule apply:
₹250 crore per instance for failure to take reasonable security safeguards under Section 8(5). ₹200 crore for failure to notify a breach under Section 8(6), and the same tier for violations of children’s data obligations under Section 9. ₹150 crore for breach of Significant Data Fiduciary obligations under Section 10. Consent violations under Section 6 fall in the residual tier, up to ₹50 crore per instance.
A single incident can breach multiple obligations, and the tiers stack. The penalties guide covers how exposure compounds.
How to Read the Phases
The DPDP regime commences in stages, and each stage is triggered by government notification rather than by a date written into the Act. That design has two consequences.
First, published dates beyond 13 November 2025 carry the word “expected” for a reason. The Consent Manager date sits in the Rules implementation schedule. The May 2027 enforcement expectation follows from the 18-month window. Both depend on notifications that the government controls and can move.
Second, waiting for certainty is a losing position. The sequence so far has held: the draft in January 2025, the notification in November 2025. The pattern rewards organisations that treat expected dates as real ones.
What This Means For You
Check three boxes against this page. If you operate or plan to operate a consent intermediary, your date is 13 November 2026 and your work starts with Rule 4 eligibility. If you could plausibly be classified an SDF, plan to November 2026 and let the gazette decide whether you needed the margin. If you are any other Data Fiduciary, the obligations already bind you and the Board’s enforcement powers arrive in under a year. Q3 2026 is the practical readiness point once implementation lead time is counted. Run the Gap Assessment to find out where you stand against the obligations that are already in force.
Know where you stand on DPDP compliance
Run the free Compliance Vault Assessment for a gap report scored against your DPDP Act 2023 obligations, work through the 26-point compliance checklist, or model your penalty exposure.
Enforcement milestones, rule notifications, and deadline analysis.
One email when it matters, no more.
Resources
Continue Reading
Related DPDP Act 2023 guidance from the ConsentOS knowledge base.
DPDP Act 2023 Compliance Deadlines & Enforcement Dates (India)
Every DPDP Act date: Rules notified Nov 2025, Consent Manager registration Nov 2026, penalty enforcement May 2027. Plan your compliance timeline.
5 min read
Regulatory UpdatesWhat Is the DPDP Act 2023? Guide for Indian Business Compliance
India's Digital Personal Data Protection Act 2023 decoded: 7 obligations for every Data Fiduciary, 8 rights for Data Principals, penalties up to ₹250 crore.
6 min read
Regulatory UpdatesSDF Classification: The November 2026 DPDP Deadline in India
MeitY proposed in January 2026 to compress the Significant Data Fiduciary compliance window from 18 months to 12 months. If gazetted, large-volume data processors face a November 2026 deadline, not May 2027. Here is what SDF status means and how to know if it applies to your organisation.
9 min read
Consent ManagementDPDP Consent Manager Registration: Who Needs It and How to Apply
Most companies do not need to register. Who does, the 13 November 2026 deadline, the Rs 2 crore net worth test, and what Sections 6(7) to 6(9) require.
12 min read