
6.chapter VI

The document outlines the regulations for certifying authorities, including the appointment of a Controller and other officers, their qualifications, and the functions they perform. It details the process for issuing and renewing licenses for electronic signature certificates, as well as the grounds for suspension or revocation of such licenses. Additionally, it specifies the disclosure requirements for certifying authorities and the procedures they must follow to ensure compliance with the Act.

Uploaded by

Aparna Mangla
Copyright © All Rights Reserved

REGULATION OF CERTIFYING AUTHORITIES
CHAPTER VI
Sections 17 to 34
Sec-17. Appointment of Controller and other officers
(1) The Central Government may, by notification in the Official Gazette,
appoint a Controller of Certifying Authorities for the purposes of this
Act and may also by the same or subsequent notification appoint such
number of Deputy Controllers [, Assistant Controllers, other officers
and employees] as it deems fit.
https://cca.gov.in/organization_structure.html
(2) The Controller shall discharge his functions under this Act subject to
the general control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the
functions assigned to them by the Controller under the general
superintendence and control of the Controller.
(4) The qualifications, experience and terms and conditions of service
of Controller, Deputy Controllers [, Assistant Controllers, other officers
and employees] shall be such as may be prescribed by the Central
Government.
Eligibility Criteria for Controller of CA
i) Bachelor’s Degree in Engineering/Technology and twenty (20) years experience out of
which five (05) years should be at senior management level in Information
Technology (IT) or related sectors; or
ii) Master’s Degree in Science/Engineering/Technology and eighteen (18) years
experience out of which five (05) years should be at senior management level in
Information Technology (IT) or related sectors; or
iii) Doctorate in Science/Engineering related sectors or equivalent and fifteen (15)
years experience out of which five (05) years should be at senior management level in
Information Technology (IT) related sectors; or
iv) Management Degree (MBA) with Bachelor’s Degree in Engineering Technology
or Bachelor’s Degree in Science and eighteen (18) years experience out of which five
(05) years should be at senior management level in Information Technology (IT) or
related sectors.
(5) The Head Office and Branch Office of the office of the Controller
shall be at such places as the Central Government may specify, and
these may be established at such places as the Central Government
may think fit.
(6) There shall be a seal of the Office of the Controller.
18. Functions of Controller
The Controller may perform all or any of the following functions, namely:–
(a) exercising supervision over the activities of the Certifying Authorities;
(b) certifying public keys of the Certifying Authorities;
(c) laying down the standards to be maintained by the Certifying Authorities;
(d) specifying the qualifications and experience which employees of the
Certifying Authority should possess;
(e) specifying the conditions subject to which the Certifying Authorities shall
conduct their business;
(f) specifying the contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of a [electronic
signature] Certificate and the public key;
(g) specifying the form and content of a [electronic signature] Certificate and the key;
(h) specifying the form and manner in which accounts shall be maintained by the Certifying
Authorities;
(i) specifying the terms and conditions subject to which auditors may be appointed and the
remuneration to be paid to them;
(j) facilitating the establishment of any electronic system by a Certifying Authority either solely
or jointly with other Certifying Authorities and regulation of such systems;
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with
the subscribers;
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers;
(m) laying down the duties of the Certifying Authorities;
(n) maintaining a data base containing the disclosure record of every Certifying Authority
containing such particulars as may be specified by regulations, which shall be accessible to
public.
19. Recognition of foreign Certifying Authorities

(1) Subject to such conditions and restrictions as may be specified by
regulations, the Controller may with the previous approval of the Central
Government, and by notification in the Official Gazette, recognise any foreign
Certifying Authority as a Certifying Authority for the purposes of this Act.
(2) Where any Certifying Authority is recognised under sub-section (1), the
[electronic signature] Certificate issued by such Certifying Authority shall be
valid for the purposes of this Act.
(3) The Controller may, if he is satisfied that any Certifying Authority has
contravened any of the conditions and restrictions subject to which it was
granted recognition under sub-section (1) he may, for reasons to be recorded
in writing, by notification in the Official Gazette, revoke such recognition.
21. Licence to issue electronic signature Certificates.—
(1) Subject to the provisions of sub-section (2), any person may make an
application, to the Controller, for a licence to issue [electronic signature]
Certificates.
(2) No licence shall be issued under sub-section (1), unless the applicant
fulfils such requirements with respect to qualification, expertise,
manpower, financial resources and other infrastructure facilities, which are
necessary to issue [electronic signature] Certificates as may be prescribed
by the Central Government.
(3) A licence granted under this section shall—
(a) be valid for such period as may be prescribed by the Central Government;
(b) not be transferable or heritable;
(c) be subject to such terms and conditions as may be specified by the
regulations.
22. Application for licence.—

(1) Every application for issue of a licence shall be in such form as may
be prescribed by the Central Government.
(2) Every application for issue of a licence shall be accompanied by—
(a) a certification practice statement;
(b) a statement including the procedures with respect to identification of
the applicant;
(c) payment of such fees, not exceeding twenty-five thousand rupees as may
be prescribed by the Central Government;
(d) such other documents, as may be prescribed by the Central Government.
23. Renewal of licence.—An application for renewal of a licence shall be—
(a) in such form;
(b) accompanied by such fees, not exceeding five thousand rupees, as
may be prescribed by the Central Government and shall be made not
less than forty-five days before the date of expiry of the period of
validity of the licence.
24. Procedure for grant or rejection of licence
The Controller may, on receipt of an application under sub-section (1)
of section 21, after considering the documents accompanying the
application and such other factors, as he deems fit, grant the licence or
reject the application:
• Provided that no application shall be rejected under this section
unless the applicant has been given a reasonable opportunity of
presenting his case.
Suspension of Licence (Section 25)

Grounds for Suspension or Revocation of Licence: The Controller (a
government official overseeing certifying authorities) can suspend or
revoke the license of a Certifying Authority (CA) if the following
conditions are met:
• False Statement: If the Certifying Authority has made a false or incorrect
statement during its application for a license or its renewal.
• Failure to Comply: If the Certifying Authority fails to follow the terms and
conditions set when the license was granted.
• Failure to Maintain Standards: If the Certifying Authority fails to maintain
required procedures and standards (as outlined in Section 30 of the Act).
• Violation of Provisions: If the Certifying Authority breaks any law, rule,
regulation, or order under the IT Act.
Opportunity to Defend:
Before the Controller revokes the license, the Certifying Authority must be
given a chance to explain itself and defend its actions. This is to ensure
fairness.
Suspension Pending Inquiry:
If the Controller believes there might be grounds for revoking the license,
he can suspend the license temporarily while an investigation or inquiry is
carried out.
Maximum Suspension Period:
A Certifying Authority's license cannot be suspended for more than ten
days unless the Certifying Authority has been given a reasonable
opportunity to show cause (i.e., to explain why the suspension should not
happen).
No Issuance of Electronic Signature Certificates During Suspension:
If a Certifying Authority's license is suspended, it is not allowed to issue
any electronic signature certificates during the period of suspension.
Notice of Suspension or Revocation of Licence (Section 26)
• Publication of Suspension or Revocation:
• When the Controller suspends or revokes the license of a Certifying Authority, the Controller
must publish a notice of the suspension or revocation.
• This notice must be published in the database maintained by the Controller.
• Publication in Multiple Repositories:
• If there are multiple repositories (places where records of digital certificates are kept), the
Controller must publish notices of the suspension or revocation in all such repositories.
• Web Accessibility:
• The database that contains the notice of suspension or revocation must be made available on
a website that is accessible 24/7 (round the clock). This ensures public access to the
information at any time.
• Publicity through Other Media:
• The Controller can also choose to publicize the notice of suspension or revocation using other
electronic or traditional media (like newspapers, social media, etc.), if he believes it is
necessary for further awareness.
27. Power to delegate.—The Controller may, in writing, authorise the
Deputy Controller, Assistant Controller or any officer to exercise any of the
powers of the Controller under this Chapter.
28. Power to investigate contraventions.—(1) The Controller or any
officer authorised by him in this behalf shall take up for investigation any
contravention of the provisions of this Act, rules or regulations made
thereunder.
(2) The Controller or any officer authorised by him in this behalf shall
exercise the like powers which are conferred on Income-tax authorities
under Chapter XIII of the Income-tax Act, 1961 (43 of 1961), and shall
exercise such powers, subject to such limitations laid down under that Act.
Access to Computers and Data (Section 29)

• Access to Computers and Data (for Investigation):
• The Controller (or anyone authorized by the Controller) can access a
computer system, apparatus, data, or any material connected to such a
system, if there is a reasonable cause to suspect that a violation of the IT Act
has occurred.
• This access is granted for the purpose of searching for information or data
related to the suspected violation.
Technical Assistance:
• The Controller or the authorized person can also order individuals
who are in charge of or are involved with operating the computer
system, data, or material, to provide any reasonable technical
assistance required to search and access the system or data.
• The assistance can include anything necessary to help the Controller
or authorized person carry out the investigation or search effectively.
30. Certifying Authority to follow certain procedures.—Every Certifying Authority shall,—
(a) make use of hardware, software and procedures that are secure from
intrusion and misuse;
(b) provide a reasonable level of reliability in its services which are
reasonably suited to the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of
the [electronic signatures] are assured;
be the repository of all electronic signature Certificates issued under this
Act;
publish information regarding its practices, electronic signature
Certificates and current status of such certificates; and
observe such other standards as may be specified by regulations.
31. Certifying Authority to ensure compliance of the Act, etc.—Every
Certifying Authority shall ensure that every person employed
or otherwise engaged by it complies, in the course of his employment
or engagement, with the provisions of this Act, rules, regulations and
orders made thereunder.

32. Display of licence.—Every Certifying Authority shall display its
licence at a conspicuous place of the premises in which it carries on its
business.
33. Surrender of licence.—
(1) Every Certifying Authority whose licence is suspended or revoked
shall immediately after such suspension or revocation, surrender
the licence to the Controller.
(2) Where any Certifying Authority fails to surrender a licence under
sub-section (1), the person in whose favour a licence is issued, shall
be guilty of an offence and shall be punished with imprisonment
which may extend up to six months or a fine which may extend up
to ten thousand rupees or with both.
Disclosure (Section 34)

• Required Disclosures by Certifying Authorities: Every Certifying
Authority (CA) is required to disclose certain information in a manner
specified by regulations. These disclosures include:
• Electronic Signature Certificate: The CA must disclose its electronic signature
certificate.
• Certification Practice Statement: The CA must disclose any relevant
certification practice statement that outlines how it operates and issues
certificates.
• Revocation or Suspension Notice: If the CA’s certificate is revoked or
suspended, it must disclose this notice of revocation or suspension.
• Adverse Events: Any other fact that could negatively impact the reliability of
an electronic signature certificate issued by the CA, or affect its ability to
perform its services, must also be disclosed.
• Disclosure in Case of Risk to System Integrity:
• If the Certifying Authority believes that any event or situation has
occurred that could damage the integrity of its computer system or
affect the conditions under which an electronic signature certificate
was issued, it must:
• Notify affected persons: The CA must make reasonable efforts to notify
anyone who may be affected by the event or situation.
• Follow Procedure: The CA must also follow the procedures specified in its
certification practice statement to handle the situation appropriately.
