The Central Electricity Authority (CEA) has notified the draft CEA (Cyber Security in Power Sector) Regulations, 2025.
As per the draft, the Computer Security Incident Response Team – Power (CSIRT–Power) will serve as the central agency for reporting, responding to, and analysing cyber incidents in the power sector. The regulations require each entity to designate a Chief Information Security Officer (CISO) and an alternate CISO from senior management, with defined roles under India’s regulatory framework. In the case of state load despatch centres that are part of larger entities, a separate CISO must be appointed. Entities must ensure physical isolation of operational technology systems from information technology networks, or justify and risk-assess any interconnection as per approved procedures. The CISO is responsible for reporting incidents within six hours to CSIRT–Power, implementing security control measures as outlined in the cyber security plan, and conducting quarterly compliance reviews. A cyber security audit must also be carried out annually, covering previous audit findings.