At present, India does not have a dedicated law or regulation that governs cryptoassets. However, the term “virtual digital assets” (VDAs) has been broadly defined under section 2 (47A) of the (Indian) Income Tax Act, 1961 (Income Tax Act; the central legislation on income tax in India), to mean “any information or code or number or token (not being Indian currency or foreign currency), generated through cryptographic means or otherwise, by whatever name called, providing a digital representation of value exchanged with or without consideration, with the promise or representation of having inherent value, or functions as a store of value or a unit of account including its use in any financial transaction or investment, but not limited to investment scheme; and which can be transferred, stored or traded electronically”. This definition also includes non-fungible tokens (NFTs) or other tokens of a similar nature, and any other digital assets that may be notified by the government in the future. Recently, the Finance Act, 2025 further expanded the above definition to include any cryptoassets being a digital representation of value that relies on a cryptographically secured distribution ledger or similar technology to validate and secure transactions. This revision will come into effect from 1 April 2026.

In India, there is no dedicated law that regulates cryptoassets. That said, there have been proposals in the past to introduce legislations (namely, the Banning of Cryptocurrency & Regulation of Official Digital Currency Bill, 2019 (2019 Crypto Bill) and the Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 (2021 Crypto Bill)) to ban all private cryptocurrencies in India and put in place a facilitative framework for creation of an official digital currency issued by the Reserve Bank of India (RBI). However, both the 2019 Crypto Bill and the 2021 Crypto Bill have not, to date, been tabled before the Indian Parliament.

Having said that, certain existing laws have been amended to regulate activities or provision of any services related to VDAs. These include:

• Prevention of Money Laundering Act, 2002 (PMLA) and Prevention of Money Laundering (Maintenance of Records Rules), 2005 (PML Rules) read with Financial Intelligence Unit – India’s (FIU-IND) Anti-Money Laundering (AML) and Countering Financing of Terrorism (CFT) Guidelines. The PMLA is the core legislative framework in India to combat money laundering activities. The PMLA, read with the PML Rules, imposes obligations on “reporting entities” to verify the identity of their clients, maintain records and furnish information to the FIU-IND, amongst other things. The Ministry of Finance issued a notification dated 7 March 2023 (PMLA Notification) pursuant to which it has categorised VDA service providers (VDASPs) as “reporting entity(ies)” under the PMLA. As a result, VDASPs are now required to fulfil the key obligations of a “reporting entity” envisaged under the PMLA and the PML Rules. See Question 7, below, for further information.
• CERT-In (Indian Computer Emergency Response Team) Guidelines. CERT-In is a national nodal agency established under the Information Technology Act, 2000 (IT Act) to deal with cyber security incidents. On 28 April 2022, CERT-In issued certain directions to service providers, intermediaries, bodies corporate, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and so on, relating to information security practices, procedures, prevention, response and reporting of cyber incidents for a “safe & trusted internet”. Apart from mandating the reporting of certain specified cyber incidents to CERT-In, these directions also mandate service providers, intermediaries and bodies corporate to maintain and retain logs of all their information and communications technology systems for a rolling period of 180 days within India. Subsequently, clarifications to these directions were issued by CERT-In by way of frequently asked questions (FAQs) on 18 May 2022. These FAQs clarified that the information and communications technology systems logs can be stored outside India as long as a copy is retained within India.
• Advertising Standards Council of India (ASCI) Advertising Guidelines (ASCI Guidelines). On 23 February 2022, the ASCI issued guidelines for the advertising and promotion of VDAs and related services, which are applicable to all VDA-related advertisements released on or after 1 April 2022. The ASCI Guidelines require advertisers and media owners to ensure that any previous advertisements that are in non-compliance with these guidelines do not appear in the public domain after 15 April 2022. The ASCI Guidelines, amongst other things, prescribe certain disclaimer-related requirements for all advertisements for VDA products and VDA exchanges, or for featuring VDAs, which vary depending on the medium of advertisement. The following disclaimer is to be used for all such advertisements: “Crypto products and NFTs are unregulated and can be highly risky. There may be no regulatory recourse for any loss from such transactions”. This disclaimer is to be made in a manner that it is prominent and unmissable by the average consumer and must also be in the dominant language of the advertisement, meeting the minimum requirements laid down under the ASCI Guidelines. Depending on the medium of the advertisement (e.g. print or static, video, audio, social media posts) the disclaimer will vary. For celebrities or prominent personalities who appear in VDA advertisements, the ASCI Guidelines prescribe the requisite due diligence to be undertaken for statements and claims made in such advertisements, to ensure that the consumer is not misled.
• Amendment to the Income Tax Act. The Government of India, through the Finance Act, 2022, amended the Income Tax Act to include the concept of VDAs (which, as highlighted in Question 1, above, includes NFTs). By virtue of this amendment, any income earned from the transfer of VDAs has been taxed at a flat rate of 30%. By way of another amendment to the Income Tax Act, the Finance Act, 2022 also introduced 1% withholding (at 1% of the consideration payable) on a person responsible for paying to any resident any sum by way of consideration for transfer of a VDA, with effect from 1 July 2022.
• Schedule III of the Companies Act, 2013. The Ministry of Corporate Affairs, through its notification dated 24 March 2021, mandated all companies to disclose details regarding their trade or investments in cryptocurrencies or virtual currencies in its financial statements from 1 April 2021. These details include disclosing any profit or loss made on transactions involving cryptocurrencies or virtual currencies, amount of cryptocurrencies or virtual currencies held, and any deposits or advances from any person for the purpose of trading or investing in cryptocurrencies or virtual currencies.

Indian law does not currently draw any distinction between different types of cryptoassets.

At present, there is no authorisation or licensing regime for cryptoasset issuers, providers or exchanges in India. That said, VDASPs are required to register themselves with the FIU-IND as “reporting entities” under the PMLA. As part of this registration process, VDASPs are required to furnish certain documents and details about their business and operations including, amongst other things, a detailed description of their corporate structure, copies of agreements entered into with service providers in relation to their crypto business, a cyber security audit certificate from a CERT-In empanelled auditor affirming its compliance with all applicable legal and regulatory frameworks, a “Partner Accreditation for Compliance and Trust” certificate from another FIU-IND-registered VDASP in all cases where the applicant VDASP has a relationship/agreement with the former (whether ongoing or intended). After submission of these documents, the FIU-IND conducts an in-person meeting with the applicant VDASP where such applicant, amongst other things, is required to make a live demonstration of their AML/CFT compliance processes to the FIU-IND.

As a registered “reporting entity”, VDASPs are required to, amongst other things, undertake enhanced due diligence prior to the commencement of any transaction, maintain records of transactions for a period of five years from the date of transaction, report suspicious transactions to the FIU-IND, and so on. See Question 7, below, for further information.

The promotion of cryptoassets to investors is not regulated in India, hence there is no requirement to publish white papers or provide other information for such financial promotion. That said, the promotion of cryptoassets (and any services provided in relation to cryptoassets) to consumers in the form of promotional advertisements and celebrity endorsements is regulated in India by the ASCI Guidelines, which prescribe, amongst other things, inclusion of a standard disclaimer in a clear, prominent and tailored manner warning consumers of the risks and lack of regulation in the crypto space in India, and additional due diligence with respect to celebrity endorsements to prevent consumers from being misled. See Question 2, above, for elaboration on this.

India does not have a specific legal or regulatory framework for cryptoasset custodians. However, under the PMLA and PML Rules, cryptoasset custodians are considered reporting entities and must comply with requirements related to the safekeeping, administration, or control of VDAs. This includes registering with the FIU-IND and adhering to AML and CFT obligations.

The PMLA Notification brought entities engaged in the following activities within the purview of the PMLA:

• exchanging VDAs with fiat currencies;
• exchanging one VDA with another VDA;
• transferring VDAs between two persons or legal entities;
• safekeeping or administrating VDAs or instruments enabling control over VDAs; and
• participating and providing financial services related to an offer and sale of a VDA.

Consequently, cryptocurrency exchanges dealing in VDAs are now likely to be categorised as a “reporting entity” under the PMLA. Under the PML Rules, a reporting entity is required to make the necessary disclosures and reporting to the authorities to aid measures designed to prevent money laundering and comply with the provisions of the PMLA. Some of the key obligations applicable to reporting entities include, amongst others:

• undertaking “Know Your Customer” (KYC) checks;
• conducting due diligence of customers;
• maintaining records of transactions undertaken by customers with or through the reporting entity; and
• monitoring customers’ transactions.

Additionally, it is also pertinent to note that the FIU-IND has issued AML & CFT Guidelines for “reporting entities” providing services related to VDAs on 8 January 2026 (FIU Guidelines). The FIU Guidelines consolidate the operational requirements earlier prescribed through multiple circulars and guidance documents issued by the FIU-IND from time to time, including the erstwhile AML & CFT Guidelines issued on 10 March 2023. These FIU Guidelines inter alia set out the steps that such regulated entities are expected to implement to discourage and identify money laundering, terrorist financing or proliferation financial activities. The FIU Guidelines are also applicable to offshore crypto exchanges providing services in the Indian market. This has been clarified by the Ministry of Finance through a press release issued on 28 December 2023. The FIU-IND has also issued compliance show cause notices to several offshore crypto exchanges that are allegedly not complying with the PMLA and has written to the Ministry of Electronics and Information Technology to block their URLs in India. Such action has been taken for alleged non-compliance with the PMLA.

As stated above, the legal and regulatory landscape in India pertaining to cryptoassets is limited. In the absence of specific legislation that delves into the nature of cryptoassets (i.e. whether a cryptoasset qualifies as a good, a service, etc.), related aspects thereto, such as ownership, assignment, securitisation and licensing requirements (if any) also remain unsettled.

India has no legal or regulatory regime that specifically governs and/or regulates DAOs.

Currently, the consolidated legislation pertaining to insolvency and bankruptcy in India (the Insolvency and Bankruptcy Code, 2016 (IBC)) captures two kinds of debt, namely, financial debts (i.e. debt disbursed against the consideration for the time value of money including money borrowed against payment of interest, any amount raised under any transaction having the commercial effect of a borrowing) and operational debts (i.e. debt/claim for payment of dues arising out of the provision of goods and services).

In the absence of any legal or regulatory clarity regarding the nature of cryptoassets, the provisions and processes for insolvency, generating recoveries and other remedies captured under the IBC may not be applicable to any transactions involving cryptoassets. That said, a specific categorisation or recognition of the nature of cryptoassets by the Indian legislature may be followed by incorporation of suitable provisions or clarifications in the IBC and its applicability to cryptoassets. For instance, in the event cryptoassets are classified or identified as “goods”, any debt or claim arising out of or relating to cryptoassets may be considered to be an “operational debt” under the IBC and, accordingly, the relevant provisions contained therein may be applicable.

Additionally, it may also be relevant to consider the lack of proper regulation over entities such as cryptocurrency exchanges in relation to the services provided by such entities, which also includes acting as a custodian for cryptoassets for their customers/users. Despite such exchanges following self-regulatory mechanisms, and having in place extensive grievance redressal mechanisms, the lack of stringent legal recognition of these exchanges and specific legal remedies puts the funds and cryptoassets of such users in a precarious position in the event such exchanges are faced with bankruptcy.

In India, the legality and enforceability of a contract is primarily governed under the Indian Contract Act, 1872 (ICA). The ICA, amongst other things, identifies the essentials of a valid and legally enforceable contract (under section 10 of the ICA), which includes a legitimate offer, proper acceptance, free consent of the contracting parties, lawful consideration and a lawful objective. Further, the IT Act, and amendments made to it have also bestowed legal validity to contracts that are formulated and expressed in electronic forms or by means of electronic records. Further, in Trimex International Fze v. Vedanta Aluminium Limited, the Hon’ble Supreme Court of India ruled on the validity of an unregistered and unsigned contract discussed by email, confirming the legal enforceability of contract via email.

Hence, it can be said that smart contracts in relation to cryptoassets executed between two freely consenting persons competent to enter into contractual relationships for a lawful object and lawful consideration are legally enforceable in India.

However, with regard to the consideration in such smart contracts, it may be pertinent to note that the ICA prescribes essentials of lawful consideration, which are: it is not forbidden by law, it does not undermine the requirements of any law if permitted, it is not fraudulent or involving injury to an individual or property, and it is not immoral or opposed to public policy. So, in the event there is any legislative intervention in the future deeming cryptoassets or certain kinds of cryptoassets to be illegal, it could consequently make smart contracts for such transactions illegal and therefore unenforceable.

The substantive and procedural criminal laws in India do not specifically carve out provisions in relation to crypto frauds. That said, victims of crypto fraud have taken recourse under existing offences that have been defined under the Bharatiya Nyaya Sanhita, 2023 (i.e. the substantive legislation in India pertaining to criminal offences), read with the relevant provisions of the IT Act.

Suitable amendments were made to the Income Tax Act, 1961 (ITA) to provide for taxability of transactions concerning cryptoassets. These amendments introduced the following:

• Flat tax on income earned on transfer of cryptoassets. Any profits/income earned from the sale/transfer of cryptoassets are taxable at a flat rate of 30%.
• Tax Deduction at Source (TDS) for sale transactions. Any person responsible for paying an Indian resident for the transfer of a VDA is required to deduct 1% of the payment as income tax and remit it to the government. However, no tax needs to be deducted in certain cases, specifically, if the payment is made by a “specified person” (as defined under the ITA based on the nature of income, certain thresholds of sales, turnover, etc. in a particular year from businesses carried on by such person) and the total value of such payments does not exceed INR 50,000 during the financial year, no tax deduction is required. Similarly, if the payment is made by someone other than a “specified person” and the total value of such payments does not exceed INR 10,000 during the financial year, the tax deduction is not applicable.
• Goods and Services Tax (GST) implications. While the extant GST laws have not carved out any specific taxation provisions in relation to cryptoassets, the fees charged by certain service providers for services related to cryptoassets (such as those offered by crypto exchanges) are subject to GST at a rate of 18%.

As the landscape of cryptocurrency and digital assets continues to evolve, businesses operating in this sector are facing heightened scrutiny regarding their obligations related to data privacy and cybersecurity. In response to the growing concerns around the security of digital financial systems, CERT-In issued a set of directives on 28 April 2022. These directives require virtual asset service providers (VASPs), including exchanges and custodian wallet providers, to adhere to a range of cybersecurity protocols. The guidelines focus on establishing robust information security practices, as well as frameworks for preventing, detecting, and responding to cyber incidents, all with the goal of ensuring a “safe and trusted internet”. Additionally, these directives mandate the preservation of essential information and records, including those obtained as a part of KYC processes, records of financial transactions, as well as the obligation to report cybersecurity incidents promptly (see Question 2, above, for further details).

On the data privacy and protection front, India has comprehensively overhauled its regulatory framework with the enactment of the Digital Personal Data Protection Act (“DPDP Act”). The DPDP Act establishes a standalone, principles-based regime governing the collection, processing and storage of digital personal data and marks a significant shift from the earlier reliance on sectoral guidance and rules under the Information Technology Act, 2000. The implementation of the DPDP Act is contemplated in a phased and staggered manner, with different provisions being brought into force in a duration of 18 months from its enforcement date (i.e. 14 November 2025).

The DPDP Act introduces obligations for lawful collection, processing and storage of personal data. As a general rule, personal data may be collected, processed and stored only on the basis of explicit consent of the individual (known as “data principal”), or where such processing falls within a statutorily recognised and identified legitimate use under the statute. The DPDP Act further codifies the principle of purpose limitation, requiring that personal data be processed only for clear, specific and lawful purposes which are communicated to the data principal, and not retained or used beyond what is necessary to achieve such purposes. These principles are operationalised through obligations relating to implementation of adequate consent mechanisms, clearly defining processing purposes, limiting collection and retention of personal data, enabling the exercise of data principal rights, putting in place adequate technical and organisational measures, and so on.

Once the DPDP Act is fully operationalised, it will require all entities, including cryptoasset businesses and other digital asset service providers, processing personal data within the territory of India, as well as outside India (where such processing is in connection with any activity related to the offering of goods or services to data principals in India), to comply with the DPDP Act.

India has no legal or regulatory regime that specifically regulates staking, yield farming or other decentralised finance (DeFi) activities.

In the current climate, the Indian government appears to be adopting a cautious and measured stance toward cryptocurrency, particularly regarding its potential integration into the formal financial system. This approach is driven by concerns that allowing cryptocurrencies to gain a more prominent foothold in India’s financial infrastructure could introduce significant systemic risks. These risks, according to experts, include the potential for increased financial instability, the undermining of traditional banking systems, and challenges in enforcing monetary policy. The decentralised nature of cryptocurrencies, which operate independently of central authorities, complicates the ability of regulators to monitor and control their use.

Furthermore, there is growing apprehension that widespread adoption of cryptocurrencies could expose the economy to volatile swings in value, given the erratic behaviour of many digital assets in global markets. Such volatility could, in turn, inadvertently undermine the stability and integrity of India’s financial sector.

In response to these concerns, the Indian government has indicated that it is actively working on a comprehensive regulatory framework for cryptoassets, although details remain in flux. Multiple consultations are underway, with key regulatory bodies like the RBI and the Securities and Exchange Board of India (SEBI) playing a central role in shaping policy. Both have raised alarms about the potential risks posed by cryptoassets, particularly with regard to financial stability, investor protection, and AML standards.

Alongside these national efforts, India is engaged in broader international discussions, such as those within the G20 and the Financial Action Task Force (FATF), that are working toward coordinated guidelines on areas such as financial stability, anti-money-laundering and counter-terror financing risks, and regulatory supervision of virtual asset service providers. These dialogues will likely influence India’s regulatory approach, especially as other major economies, including the European Union and the United States, refine their frameworks.

While no concrete national legislation has been passed yet, the ongoing consultations and discussions indicate the intent to move towards a more structured legal approach to cryptocurrency. However, the timeline for a comprehensive regulatory framework remains uncertain, as the government seeks to strike a balance between fostering innovation and safeguarding financial stability.

The authors acknowledge with thanks the contribution of Mr. Subham Das, Ms. Adishree Singh, and Ms. Ishi Rohatgi, to this chapter.