Skip to main content
Regulatory Updates

DPDP Rules Notification Status: What Is in Force and What Is Pending

The DPDP Rules 2025 were notified on 13 November 2025. What is in force now, what starts in November 2026, and what waits for May 2027. Status as of July 2026.

8 min read
On This Page

Regulatory status questions deserve a status page, not a news archive. This page states what is notified, what is in force, and what remains pending under the DPDP Act 2023 and the DPDP Rules 2025.

Status as of July 2026. For deadline planning and the full date-by-date roadmap, see the DPDP compliance timeline.

The Status Table

InstrumentStatusDate
DPDP Act 2023In force. Presidential assent and Gazette publication11 August 2023
Draft DPDP RulesSuperseded by the final RulesPublished 3 January 2025
DPDP Rules 2025Notified. Binding law13 November 2025
Data Protection Board of IndiaEstablished under the Rules notificationFrom 13 November 2025
Consent Manager registrationPending. Mandatory from Phase II13 November 2026
SDF window compressionProposed by MeitY, not gazettedProposal circulated January 2026
Penalty enforcementPending. Expected at the end of the 18-month windowExpected May 2027

Each row is expanded below.

What Is in Force Today

The Act itself. The DPDP Act received Presidential assent on 11 August 2023. The obligations it creates for Data Fiduciaries exist now: valid notice under Section 5, consent that meets Section 6(1), withdrawal parity under Section 6(4), and the security safeguards duty under Section 8(5).

The Rules. The Digital Personal Data Protection Rules were notified on 13 November 2025, following the draft published on 3 January 2025. The notification converted procedure from proposal into law: the procedure behind the Section 8(6) breach notification duty, the Consent Manager eligibility conditions in Rule 4 and the First Schedule, and the operational detail behind notice and consent.

The Board. The Rules notification activated the constitution of the Data Protection Board of India, the adjudicatory authority that will hear complaints and impose penalties once enforcement begins.

The draft-to-final delta was procedural, not structural. An organisation that built against the January 2025 draft lost no work.

What Changes on 13 November 2026

Consent Manager registration becomes mandatory. Phase II of the Rules implementation closes the window for unregistered operation. Any entity acting as a Consent Manager, the registered intermediary defined in Section 2(g), must hold Data Protection Board registration under Section 6(9) from this date. The Rule 4 conditions, including Indian incorporation and the Rs 2 crore net worth test, take months to clear. The registration procedure sets out the sequence.

Most businesses have no registration obligation. A company managing consent for its own customers is a Data Fiduciary, not a Consent Manager. The distinction between the two determines which obligations apply.

The SDF question, still open. MeitY circulated a proposal in January 2026 to compress the Significant Data Fiduciary compliance window from 18 months to 12. If gazetted, SDF obligations under Section 10 would bind from November 2026 instead of May 2027. As of this page’s status date the compression has not been gazetted. Organisations likely to be classified as SDFs should plan for November 2026 anyway. A proposal from the ministry that drafted the Rules signals intent.

What Waits for May 2027

The 18-month general compliance window runs from the 13 November 2025 notification to 13 May 2027. Penalty enforcement by the Data Protection Board is expected from May 2027.

Enforcement is the activation of consequences, not the activation of obligations. When adjudication begins, the penalty tiers already fixed in the Act’s Schedule apply:

₹250 crore per instance for failure to take reasonable security safeguards under Section 8(5). ₹200 crore for failure to notify a breach under Section 8(6), and the same tier for violations of children’s data obligations under Section 9. ₹150 crore for breach of Significant Data Fiduciary obligations under Section 10. Consent violations under Section 6 fall in the residual tier, up to ₹50 crore per instance.

A single incident can breach multiple obligations, and the tiers stack. The penalties guide covers how exposure compounds.

How to Read the Phases

The DPDP regime commences in stages, and each stage is triggered by government notification rather than by a date written into the Act. That design has two consequences.

First, published dates beyond 13 November 2025 carry the word “expected” for a reason. The Consent Manager date sits in the Rules implementation schedule. The May 2027 enforcement expectation follows from the 18-month window. Both depend on notifications that the government controls and can move.

Second, waiting for certainty is a losing position. The sequence so far has held: the draft in January 2025, the notification in November 2025. The pattern rewards organisations that treat expected dates as real ones.

What This Means For You

Check three boxes against this page. If you operate or plan to operate a consent intermediary, your date is 13 November 2026 and your work starts with Rule 4 eligibility. If you could plausibly be classified an SDF, plan to November 2026 and let the gazette decide whether you needed the margin. If you are any other Data Fiduciary, the obligations already bind you and the Board’s enforcement powers arrive in under a year. Q3 2026 is the practical readiness point once implementation lead time is counted. Run the Gap Assessment to find out where you stand against the obligations that are already in force.

Know where you stand on DPDP compliance

Run the free Compliance Vault Assessment for a gap report scored against your DPDP Act 2023 obligations, work through the 26-point compliance checklist, or model your penalty exposure.

Enforcement milestones, rule notifications, and deadline analysis.

One email when it matters, no more.