The National Cyber Security Coordinator sits inside the National Security Council Secretariat. This office is the Designated Authority for India's Trusted Sources regime in telecom, the National Cyber Security Reference Framework, and the architecture on critical information infrastructure. It issues no Press Notes. Notifies through no Gazette. Runs no public consultation process. Companies mapping the regulatory landscape through DPIIT or CBIC encounter this domain only after an outcome has settled. How is sectoral national security policy actually composed inside this architecture?
The institutional apparatus that composes sectoral national security policy in India sits within the National Security Council Secretariat. The NSCS is the executive arm of the National Security Council, operating under the Prime Minister's Office and headed by the National Security Adviser. Within the NSCS, the Office of the National Cyber Security Coordinator has become the sharpest instrument for sectoral policy formation in domains where cyber security, critical information infrastructure, telecom supply chain integrity, and emerging technology security intersect. Understanding this office is no longer optional for companies operating in telecom equipment, data centres, cloud infrastructure, IT hardware, and electronics manufacturing with sectoral security exposure.
The sharpest institutional signal of the NCSC's acquired authority came on 16 December 2020, when the Cabinet Committee on Security approved the National Security Directive on Telecommunication Sector. The "National Security Directive" is a new instrument class, distinct from Cabinet decisions, ministry notifications, or statutory rules; the naming itself institutionalises the standing channel for future directives on critical infrastructure, data policy, and emerging technology security.
Under the 2020 Directive, the NCSC is the Designated Authority for determining whether a vendor qualifies as a Trusted Source and a telecom product as a Trusted Product. Designations are approved by the National Security Committee on Telecom, chaired by the Deputy National Security Adviser, with two industry members and an independent expert. The Directive came into operation 180 days after approval; the Trusted Telecom Portal launched on 15 June 2021. From that date, Indian telecom service providers may connect only new devices designated as Trusted Products from Trusted Sources. Those Trusted Sources that meet the Department of Telecommunications' Preferential Market Access criteria are further certified as "Indian Trusted Sources," the designation that creates positive procurement incentives for indigenous manufacturing.
The operational register of this office is where it becomes most invisible to companies mapping the regulatory landscape through economic ministries. Its policy outputs take the form of national security directives approved by the Cabinet Committee on Security, Designated Authority determinations on the Trusted Telecom Portal, cyber security reference frameworks, and advisories routed through sectoral regulators and CERT-In. The architecture does not operate through the instruments companies typically search for; a company looking for its cyber security policy in the DPIIT Press Note archive or for Trusted Sources decisions in the Gazette is looking in the wrong archive.
How, then, are inputs received? Three channels.
The Strategic Policy Group, chaired by the Cabinet Secretary, coordinates inter-ministerial inputs on sectoral security questions. Companies do not engage the SPG directly; they ensure that their position is reflected in the submissions of the relevant line ministry or sectoral regulator that participates in SPG deliberations. The institutional work is to understand which ministry's note will carry the question upward, and to engage that ministry months before the policy instrument is finalised.
The National Security Advisory Board's expert group apparatus, through its subordinate bodies, commissions and debates technical and policy inputs on telecom, IT, and emerging technology. Access is structured; it is neither a public consultation nor a direct industry lobby channel. Companies reach this apparatus through industry associations, think-tank partnerships, and the periodic submissions NSAB commissions from recognised domain experts.
Direct engagement with the NCSC's office and the NSCT through structured sectoral interactions is the channel most operationally invisible from outside. The NCSC attends or routes representatives to sectoral roundtables, technical committees, and cyber drills convened by industry associations. The NSCT itself carries two industry seats at any given time, rotated periodically; these seats are institutional representations, not individual-company seats, and the sectoral associations are where the nominations are composed.
A company that engages only the line ministries is engaging half the architecture; by the time a national security directive surfaces in standard regulatory channels, the question has already been settled. The sharpest operators treat NCSC engagement as a standing workstream, built over years rather than activated in response to an emerging directive; they participate in cyber drills and sectoral reviews, make substantive technical submissions when forthcoming frameworks are signalled, and recognise that the timeline for this engagement is institutional, not project-linked.