Large passenger data breaches, ransomware attacks, and politically motivated Distributed Denial of Service attacks show that aviation faces cyber dangers to safety, national security, and consumer confidence. This article examines India's aviation cybersecurity governance, evaluates legal culpability in cyber incidents, and proposes worldwide best practices-based reforms. This study uses doctrinal and analytical legal methods. This study compares ICAO, EU, and US international frameworks, notably NIS2 and GDPR, to aviation and cybersecurity statutes, regulations, policy papers, and judicial interpretations. The findings reveal that India has fundamental cyber and data protection laws but no aviation-specific cybersecurity policies, unambiguous liability allocation, or strong enforcement. Institutional fragmentation and resource constraints increase these risks. Comparing India to other nations shows it violates worldwide laws, emphasising the need for accountability, supervision, and cyber risk management changes in the aviation sector. India can improve resilience, foster a proactive security culture, and assure passenger trust and operational safety in the digital age by following ICAO regulations and EU and US best practices.

Agrawal, A. (2024, December 7). Cybersecurity incidents tracked by CERT-In quadrupled in last 5 years. Hindustan Times. https://www.hindustantimes.com/india-news/cybersecurity-incidents-tracked-by-cert-in-quadrupled-in-last-4-years-101733512342858.html

Aircraft Act, 1934 (India). No. 22 of 1934, as amended. Retrieved from http://www.indiacode.nic.in/

Asian News International. (2022, May 25). SpiceJet faces ransomware attack; flights impacted. The Economic Times. https://economictimes.indiatimes.com/industry/transportation/airlines-/-aviation/spicejet-faces-ransomware-attack-flights-impacted/articleshow/91780385.cms

Asian News International. (2023, March 14). Parliamentary committee recommends separate budget for cyber security system in aviation sector. ThePrint. https://theprint.in/india/parliamentary-committee-recommends-separate-budget-for-cyber-security-system-in-aviation-sector/1442660/

CERT-In. (2022). Directions under sub-section (6) of section 70B of the IT Act, 2000 (No. 20(3)/2022-CERT-In). Ministry of Electronics and Information Technology, Government of India.

Chande, R. (2023). Cyber crime in aviation industry: The sky’s the limit? Legal Service India. https://www.legalserviceindia.com/legal/article-11873-cyber-crime-in-aviation-industry-the-sky-s-the-limit-.html

CXOtoday News Desk. (2025, March 4). CyberPeace unveils critical report on over 80,000 cyber threats in India’s aviation sector. CXOtoday. https://cxotoday.com/press-release/cyberpeace-unveils-critical-report-on-over-80000-cyber-threats-in-indias-aviation-sector/

Duggal, P. (2019). Cyber security law (2nd ed.). New Delhi: Saakshar Law Publications.

ETCISO. (2023, April 13). DDoS attacks strike Indian airports: Here’s how the threat was mitigated. ETCISO – Economic Times. https://ciso.economictimes.indiatimes.com/news/cybercrime-fraud/ddos-attacks-strike-indian-airports-heres-how-the-threat-was-mitigated/99461876

European Parliament and Council. (2016). Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems (NIS Directive). Official Journal of the European Union, L 194/1.

European Parliament and Council. (2022). Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). Official Journal of the European Union, L 333/80.

FAA Reauthorization Act of 2018 (U.S.). Pub. L. No. 115–254, §506, 132 Stat. 3186 (2018). (U.S. federal law enacted Oct. 5, 2018.) Retrieved from GovInfo: https://www.govinfo.gov/content/pkg/PLAW-115publ254/pdf/PLAW-115publ254.pdf

Ghosh, S. (2021, May 30). Air India data breach highlights concerns around third-party risk and supply-chain security. CSO Online. https://www.csoonline.com/article/570797/air-india-data-breach-highlights-concerns-around-third-party-risk-and-supply-chain-security.html

Government of India. (2023). Digital Personal Data Protection Act, 2023 (No. 22 of 2023). Gazette of India: Extraordinary, Part II, Section 1 (August 11, 2023). https://indiankanoon.org/doc/185806268/

Hummel, R. (2023, April 25). 100% increase in DDoS attacks against India. NETSCOUT Blog. https://www.netscout.com/blog/asert/100-increase-ddos-attacks-against-india

Information Technology Act, 2000 (India). Act No. 21 of 2000, as amended by Act 10 of 2009. Ministry of Law and Justice, Government of India. https://www.meity.gov.in/content/information-technology-act

International Air Transport Association. (2021). Guidance on Aviation Cybersecurity. Montreal/Geneva: IATA.

International Civil Aviation Organization. (2017). Annex 17 to the Chicago Convention: Security (16th ed., Amendment 16). Montreal: ICAO.

International Civil Aviation Organization. (2019). Assembly Resolution A40-10: Addressing cybersecurity in civil aviation. Montreal: ICAO.

International Civil Aviation Organization. (2022). Aviation cybersecurity strategy and action plan. Montreal: ICAO.

International Civil Aviation Organization. (2025). Aviation Cybersecurity. Retrieved April 30, 2025, from https://www.icao.int/aviationcybersecurity/

Kapoor, M. (2022, May 28). SpiceJet ransomware attack: Questions raised about airline’s IT security. Business Today. https://www.businesstoday.in/latest/in-focus/story/spicejet-ransomware-attack-questions-raised-about-airlines-it-security-336873-2022-05-28

Klenka, M. (2021). Aviation cybersecurity: Legal aspects of cyber threats. Journal of Transportation Security, 14(3), 177–195. https://doi.org/10.1007/s12198-021-00232-8

Ministry of Communications & IT (India). (2011). Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 (SPDI Rules) under IT Act 2000. Ministry of Communications and IT, Government of India.

Ministry of Communications (India). (2022). The Indian Telecommunication Bill, 2022 (Draft for consultation). New Delhi: Government of India.

Norton Rose Fulbright. (2020). Cybersecurity law in the aviation sector. https://www.nortonrosefulbright.com/en/knowledge/publications/fc813c25/cybersecurity-law-in-the-aviation-sector

Press Trust of India (PTI). (2025, January 2). India second most targeted nation in terms of cyber attacks: CloudSEK. The Economic Times. https://economictimes.indiatimes.com/tech/technology/india-second-most-targeted-nation-in-terms-of-cyber-attacks-cloudsek/articleshow/116890873.cms

PwC. (2018). Airline CEOs survey – Aviation perspectives. PricewaterhouseCoopers. https://www.pwc.in/assets/pdfs/publications/2018/airline-ceos-survey-aviation-perspectives.pdf

Resecurity. (2024, March 16). The aviation and aerospace sectors face skyrocketing cyber threats (Cyber Threat Intelligence Report). Resecurity Blog. https://www.resecurity.com/blog/article/the-aviation-and-aerospace-sectors-face-skyrocketing-cyber-threats

Singh, M. (2021, May 23). Air India passenger data breach reveals SITA hack worse than first thought. TechCrunch. https://techcrunch.com/2021/05/23/air-india-passenger-data-breach-reveals-sita-hack-worse-than-first-thought/

Singh, M., & Sharma, A. (2022, May 27). SpiceJet ransomware attack led to delayed flights; DGCA issues notice. The Indian Express. https://indianexpress.com/article/india/spicejet-ransomware-attack-delayed-flights-dgca-notice-7938021/

Singh, M., & Whittaker, Z. (2020, January 30). Breach at Indian airline SpiceJet affects 1.2 million passengers. TechCrunch. https://techcrunch.com/2020/01/30/spicejet-breach-millions-passengers/

Tripathi, N. L. M. (2025, July 20). Nearly half of technical posts in DGCA vacant. Hindustan Times. https://www.hindustantimes.com/india-news/nearly-half-of-technical-posts-in-dgca-vacant-101752951059224.html

U.S. Department of Homeland Security (DHS). (2022, October 19). DHS statement on TSA Security Directive Pipeline-2021-02D and aviation SDs [Press release]. Washington, DC: DHS.