REGULATORY

FRAMEWORK FOR
STARTUPS IN
INDIA

•Alok Kashyap  
•Madhur Raj N
•Naresh Reddy
•Vishnupriya Hymavathi B 
 Startups and MSME are vital economic drivers, delivering efficiency and productivity.
They are the primary source of job creation and vehicle for entrepreneurship giving
employment and social stability.

Governments’ craft effective regulatory and policy frameworks to support the start-ups.
These frameworks are in the form of special assistance: tax exemptions and incentives,
specific laws and regulations providing government support, training and information to
start-ups, initial grants, research grants, financial support and adopt policies for promoting
their establishment.

R EG U LATI O N S A N D
P O L I CI ES Governments with the aim of increasing the number of start-ups, provide knowledge
centres and training on how startups’ can proceed with regulatory process in order to obtain
S U P P O RT I N G initial registration for their businesses.
S TA RTU PS

In India, a start-up can choose from five different types of legal entities to conduct business.
These include Sole Proprietorship, Partnership Firm, Limited Liability Partnership (LLP),
Private Limited Company and Public Limited Company. 

The choice of the business entity is dependent on various factors such as taxation, owner
liability, compliance burden, investment and funding and exit strategy.
 DEFINITION OF
“STARTUP”

• According to notification that the Government of India (GOI) issued

on (Feb-2019), when an enterprise meets the following conditions, it
will be treated as “startup”.

• It has been incorporated/registered for not more than 10 years in

any of the following forms

• A private limited company under the Companies Act,2013

(including one person companies)

• A partnership firm under the Partnership Act, 1932

• A Limited Liability Partnership (LLP) under the LLP Act,

2008.

• Its turnover has not exceeded INR 100 crore for any of the
financial years since incorporation/registration.

• It is working towards the innovation, development, or

improvement of products or processes or services or it is
scalable business  model with high potential for employment
generation and wealth creation.

• An entity will cease to be treated as startup on completion of 10 years

from its date of incorporation/registration or if its turnover for any
previous year exceeds INR 100 crore. 

• Also, an entity which is formed by splitting of an existing business

shall not be considered as “startup”

Vision
Potential scalable Product
Consideration of big enough
market.
Market Analysis and revenue
target
Research on Production
creation.
Seeding
1. Identifying Potential
Trademarks, patents design
rights, copyrights, database
rights
2.Decision on whether be
LLP, Partnership, Private
Limited Company, Sole
Proprietor?
3. What kind of Funding
required?
4. Any Potential requirement
of inhouse maintenance
activities?
1 2
L E G A L C H A L L E N G E S AT VA R I O U S S TA R T U P S TA G E S
Postulate
Clear Target Selection post 1,
2, 3 years of starting the
company.
Founding member
identification and balanced
ownership
1.Concepting rights
pertaining to naming, trading
etc
2.Registering the new entity
with local governing bodies
and global for international
transactions.
3.Building the Financial
Structure, Shareholder
scheme, etc
Dawn
Commitment to the Product
by founding members
Able to develop the
Product/Service with
committed members.
Having consensus within the
founding members about
share holder agreement.
Startup
1. Seed Funding Agreement
2. Initial Signing
Agreements
3. Shareholders agreement
signed
4. Processing the
agreements on IP rights
and Patents.
5. Consideration of right
Insurance Policies, Eg
Covering Omissions,
Employer liability, etc
6. Employee and consultant
Contracts
7. Corporate formalities
3 4
Market Fit
First signs of Market Fit
Able to Capture and attract.
Initial Product/Service out in
the market
1.Regulations fors
Manufacturing, Agents, Sales,
Distribution, Joint Venture,etc
2. Legal needs for resolving
disputes which arises during
initial phase.
3. Regulations around
creation of advisory boards.
4. Compliance with
local/global and applicable
regulatory authority
Growth Value and Establish
Showing clear growth. Achieved great growth that
Measurable growth in the can be expected to continue
market. strong.
Attract significant funding. Continue to grow and
culturally grow.
Founders may exit with out
business impact
1. Scaling
1. Strengthening trade
regulations with
Purchase or aquisition of
other entities as company
manufacturing, agents, grows.
sales, distribution, etc IP Renewals
2. Compliance with International IP filing
regulatory issues, Eg: Exit agreements for the
Data Protection, founders through share or
Consumer Legislation, asset sale.
Industry regulation. Warranties and Due diligence.
3. Agreements for
enhancing next series of
funding.
4. International
development, establishing
local entities overseas,
franchising,
5 6
 • There are several rules and regulations framed by government agencies
that create obstacles for business.1
• Licenses in India can be categorized into three categories:
• General licenses, which are applicable to all business nation wide 
• Sector business licenses, which are applicable to businesses operating
in a specific sector 
COMPLIANCE • District/municipal licenses which are applicable to
BASED ON SELF- businesses/operating activities
REGULATION • In order to make compliance for Start-ups friendly and flexible,
simplifications are required in the regulatory regime. 
• Accordingly, the process of conducting inspections shall be made more
meaningful and simpler. Start-ups shall be allowed to self-certify
compliance with labour laws2 and environment laws.3
• This reduces the regulatory burden on Start-ups thereby allowing them
to focus on their core business and keep compliance cost low. 4
 • Complex and tedious winding-up formalities is yet another deterrent for start-up
founders. Fear of failure and associated problems with insolvency operate as a
dampener for new-age entrepreneurs. Among the major problems are the lock-in of
capital, unusual delays in resolution, and ultimate erosion of capital.
• From the legal standpoint, there are basically three ways to shut down a startup:
• Fast Track Exit Mode
• Court or Tribunal Route
• Voluntary Closure
• The Fast Track Exit Mode is the best suited for startups as it allows companies to
FASTER EXIT expedite shutdown at a lower cost and a shorter time period. In order to apply for a
fast-track exit, a company should (a) not have any assets and liabilities (b) not have
FOR STARTUPS had any business operation for the past year. If these two conditions are met, the
company can be struck off the registrar of the Registrar of Companies (RoC).
• Another quick way for a company to shut down is through Voluntary Closure;
however, this requires the shareholders and/or creditors of the company to be on the
same page with regards to the details of the closure.
• The traditional mode of closure via courts or tribunals is not the best suited for
startups as it involves several meetings with various stakeholders leading to
prolonged court proceedings.
• In addition to the above stated means, The Insolvency and Bankruptcy Bill, 2015 is a
new closure tool that entrepreneurs can use. Leveraging this bill requires startups to
have simple debt structures, where an insolvency professional is hired to liquidate the
assets of the company.
 • A pivotal component for growth of Startups is regular communication and collaboration within
the Startup community, both national as well international. An effective Startup ecosystem
can’t be created by the Startups alone. It is dependent on active participation of academia,
investors, industry and other stakeholders.
• To bolster the Start-up ecosystem in India, the Government is going the following to galvanize
the Startup ecosystem and to provide national and international visibility to the Startup
ecosystem in India:
• Organizing startup fests for showcasing innovation and providing a collaboration
platform 
• Launch of the Atal innovation mission (AIM) with the self-employment and talent
utilization (SETU) program 

MARKETING FOR •
•
Harnessing private sector expertise for incubator setup 
Building innovation centers at national institutes 
STARTUPS • Setting up research parks 
• Launching innovation-focused programs for students 
•  Annual incubator grand challenge 
• There are several complementary frameworks that are promoted by the GOI to accelerate
the startups revolution. To name a few are the "Make In India", "Digital India", and "Skill
India Program". 
• Various Ministeries and departments of are also complementing the startup revolution by
launching schemes of their own. SIP-EIT launched by Ministry of Electronics and
Information Technology, The Khadi and Village Industries commission under the ministry
of MSME are few among the hundreds of schemes.
 FISCAL TRANSPARENCY AND SIMPLIFIED ACCOUNTING
Beating the “valley of death” has been a pertinent issue that startups have faced. The GOI
has undertaken several initiatives in this regard by providing support through initial seed
funding, incubation support, and various subsidies; however, this support has not been
sufficient to bail out the startups. There is a need for startups to secure funding from private
players and maybe even from the public at large.​

In order to provide funding support to Startups, GOI has set up a fund. The Fund will be in
the nature of "Fund of Funds", which means that it will not invest directly into Startups but
shall participate in the capital of SEBI registered Venture Funds.​
The Fund of Funds for Startups (FFS) is being operated and managed by Small
Industries Development Bank of India (SIDBI). FFS funds the Alternative Investment
Funds (AIFs) which in turn invest twice the amount contributed by the FFS, into recognized
startups. 
Due to their high-risk nature, startups are not able to attract investment. It is therefore
important that suitable incentives are provided to investors for investing in the startup
ecosystem. With this objective, exemption shall be given to persons who have capital gains
during the year, if they have invested such capital gains in the Fund of Funds. This will
augment the funds available to various AIFs for investment in startups.

 With a view to stimulate the development of Startups in India and provide them a

competitive platform, the profits of eligible recognized startups are exempt from income-
tax for a block of 3 years out of 10 years since incorporation under Section 80IAC of the
Income Tax Act. To avail these benefits, a Startup must get a Certificate of Eligibility from
the Inter-Ministerial Board (IMB). 
 IPR Awareness: Outreach and Promotion

• Making IPR an integral part of the curriculum in all legal, technical, medical and management
educational institutions, NIFTs, NIDs, AYUSH Educational Institutes, Agricultural Universities,
centres of skill development and the like

Generation of IPRs

• Introduce multi-disciplinary IP courses/ modules in all major training institutes such as Judicial
Academies, National Academy of Administration, Police and Customs Academies, Institute for
Foreign Service Training, Forest Training Institutes.
• Facilitate Industry Associations, Inventor and Creators Associations and IP Support Institutions to
raise awareness of IP issues and for Teaching, Training and Skill Building. 
• IPR generation for ICT technologies, including those relating to cyber security for India, will be
encouraged.
• Provide special incentives for creation of IPRs in green technologies and manufacture of energy
efficient equipment.
STRENGTHENING Strong Legal and Legislative Framework
INTELLECTUAL • Assistance to smaller firms for protection of their IPRs internationally will be enhanced, such as
PROPERTY RIGHTS DeitY’s Support for International Patent Protection in Electronics and IT (SIPEIT

Administration and Management of IPR

• Facilitate Industry Associations, Inventor and Creators Associations and IP Support Institutions to
raise awareness of IP issues and for Teaching, Training and Skill Building.
• Utilizing Technology Acquisition and Development Fund under the Manufacturing Policy for
licensing or procuring patented technologies;
• Examine availability of Standard Essential Patents (SEPs) on fair, reasonable and non-discriminatory
(FRAND) terms

Commercialization of IPR

• Creating mechanisms to help MSMEs and research institutions to validate pilots and scale up
through market testing
• Providing seed funding for marketing activities such as participating in trade fairs, industry standards
bodies and other forums;; 

S T R E N G T H E N I N G S TA R T U P
FRAMEWORK :
C O M PA N I E S / E N T R E P R E N E U R
Simplification and Handholding: There is a greater need for established
businesses to handhold the startups and encourage them through
mentorship, incubation, and financial support, crafting their role in the
existing ecosystem of business.
Ease of Doing Business: The major reason for migration of startups is
because of better enabling environment such as tax concessions, well
developed infrastructure, ease of doing business, exit policy, etc. Hence,
financial incentives and excellent infrastructure facilities must be deployed
to retain startups and to lure the best talent from across the world to start
businesses in India.
Building a Startup Culture: There is a need to focus on developing a
culture of entrepreneurship. The mindset of youths is still toward fixed-
tenure employment rather than venturing out in startups. Business failures
should act as lessons for new entrepreneurs, and thus it is important to
bring forward failure case studies of startups as a reference point to avoid
known potholes.
Reforms at State level: Regulatory reforms especially at the state level,
remains poor. There is need to implement reforms that adopt best practices
around the world and thus enable the state to attract investors to the
maximum possible extent.
 DATA PROTECTION AND PRIVACY

IN Current Data Protection Law: IT Act 2008, Section 43 : Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation,
to the person so affected.
EU model provides a comprehensive data protection law for processing of personal data.
US, privacy protection is essentially a “liberty protection” i.e. protection of the personal space from government.
India must find the right balance by factor out the pitfalls of other global approaches to take advantage of a data driven ecosystem but with all
reasonable restrictions.
Data protection framework in India must be based on the following seven principles.
1. Technology agnostics: The law must be technology agnostic. Must be flexible to take into account changing technologies and standards of compliance
2. Holistic application: The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for
certain legitimate state aims
3. Informed consent: Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful.
4. Data minimization: Data that is processed ought to be minimal and necessary for the purposes such data is sought and other compatible purpose.
5. Controller accountability: The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may
have shared the data
6. Structured enforcement: Enforcement must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately
decentralized enforcement mechanisms
7. Deterrent penalties: Penalties on wrongful processing must be adequate to ensure deterrence

Refer Appendix for more details.

 DATA PROTECTION AND PRIVACY

• For effective implementation of the data protection regime, It is required that Govt and all
the stakeholders
• Align their polices with the requirements of Data Protection
• Encourage adoption of Privacy by design principles
• Explore the possible Consent requirements at time of data collection.
• Government to provide Supervisory Authorities/Partners to provide more proactive support
on following.
• Protecting against the insider threat; Lessons learned from recent data breaches; How to nurture a Data
security culture; Drivers and compelling reasons to implement data classification; How to overcome Protection
common challenges and pitfalls with data classification; Selecting the right data classification
approach getting the perfect blend; Examples of organisations who have successful implemented data
classification; Overcoming challenges to implement data classification
• Attractive Financial Aid to Cybersecurity Startups
• Tax Holiday for 10 years for Cybersecurity Startups.
• Govt Designated data privacy officers, privacy attorneys or legal counsel dedicated to data privacy
issues.
• Providing Automated Software Framework which evaluate compliance score based on sample inputs.
• Bring awareness in public with required training/programs.
 • All startups require both business law and startup law for
streamlining their function
• While both laws may sound similar, business law and startup
law are quite different, and they don’t have the same path:
startup law is broader, more specialized, and more hands-on
with the business.
• Build awareness among the entrepreneur regarding the startup
laws from Tier-II and Tier-III cities. States and Centre needs
to be aligned regarding startup policy, Incubation support,
CONCLUSION financial support, tax incentives, simplification of rules etc.
• Most of the startup focus is in the domain of IT. The startup
spectrum needs to broaden to include healtcare, agriculture,
etc. Build Startup collaboration program with countries which
have strong startup ecosystem like Singapore, Malaysia, Israel
etc.
• Promote entrepreneurship for women and other diverse
groups. Strengthen the Laws to include diversity.
THANK YOU!
 D A T A P R O T E C T I O N A N D P R I VA C Y

Since GDPR came into force in 2018 across EMEA, India, is taking steps to enact a data protection framework which incorporates many elements of the GDPR. Additionally, COVID-19 introduced home
working on a scale that we’ve never experienced before. This has created new opportunities which cybercriminals are now exploiting, and new threats are emerging – both inside and external to the
organization. India is no different from other countries and has certainly seen an increasing level of threat as cybercriminals have taken advantage of the speed that organizations are digitizing their
businesses and the expanded threat surface that a distributed workforce creates.

Today, India is a vibrant economic powerhouse, an attractive country for outsourcing and it has many well-educated technology workers which attracts US technology vendors and global call centers to
the country. Likewise, it has a huge domestic economy and a thriving financial services sector. Already familiar with, and adhering to, regulations such as GDPR and CCPA when servicing overseas
customers in the US and Europe, India is now starting to look seriously at privacy and data protection frameworks and ensuring that such frameworks are enforced, not just because it enables the nation to
trade with overseas customers but because it is good business practice to protect data and have the customers’ best interests at heart. However, today India doesn’t have any dedicated laws on
cybersecurity, so the detailed nuances around legal cybersecurity.

Breaches are driving regulatory change across India:

To date India has experienced its fair share of incidents as a) Facebook hack, whereby more than 500 million Facebook users were found available on a website for hackers including those of Indian
consumers b) to a massive database breach that occurred in MobiKwik servers, whereby Indian card holder data was leaked and hundreds of thousands of its users’ details surfaced on the dark web. c)
Indian telecommunications company, Tata Communications, suffered a data breach and the cybercriminals claimed they had sold access to Tata’s servers to hackers. d) BigBasket, the popular Indian
online grocery vendor, which faced a data breach that affected the data of over 20 million customers. e) India's national airline Air India announced a cyber-attack on its data processor’s data servers has
affected about 4.5 million customers around the world.

The internal threat environment: Insider data breaches are catching organizations out

It is worth noting that not all breaches are a result of external malicious activity; one area that is still causing considerable concern from a compliance perspective is the threat of an insider data breach. In
fact, according to a recent Forrester report by analyst Heidi Shey entitled: “The State of Data Security and Privacy, 2020”, among breaches in the past 12 months, 46% involved insiders like employees
and third-party partners - the majority of which were simple errors. This is consistent with what Forrester witnessed in 2018: “News headlines of insiders stealing trade secrets from companies like
Hershey, Philips, and Tesla lead us to assume that insider threats are based on malicious intent, but the reality is that inadvertent misuse of data and lost devices cause a concerning proportion of incidents
and breaches. From a compliance perspective, insider breaches are perhaps even more damaging, as organizations have more control here than with external threats.”

Personal information such as email, IDs, full names, and IP addresses were compromised and offered for sale on the dark web. In fact, according to India publication, THE WEEK, India saw a 37%
increase in cyber-attacks in the first quarter of 2020 compared to 2019 which is consistent in 2021. India has also been featuring in the top countries that have been falling prey to data breaches over
the years with no substantial action being taken to effect major change. Additionally, Indian companies allowing employees to work from home have not sufficiently prepared them to deal with protecting
themselves from unauthorized access or usage. These companies have become an easy target for cybercriminals, causing cybersecurity breaches to massively increase. So, as you can see, data breaches in
India are happening frequently, but often these are not reported, which can lead to a sense of complacency. However, organizations who don’t act and act fast, could face the huge financial and
reputational damages that a breach can cause and the longtail ramifications such as a loss in customer trust. It is therefore timely that the India Personal Data Protection Bill(PDP) is being introduced,
which will supersede the Information Technology Act, 2000 and this Bill is currently being ratified by Parliament 2021 Winter Session. The draft has gone through many changes since it was first
submitted in July 2018.

The PDP Bill proposes the concepts of a ‘data fiduciary’ and a ‘data processor’. A ‘data fiduciary’ and a ‘data processor’ are equivalent to the concept of controller and processor under the GDPR. The
PDP Bill will not only apply to persons in India but also to persons outside India in relation to business conducted in India, the offering of goods or services to individuals in India, or the profiling of
individuals in India.

The compliance costs for companies (especially startups) are high and achieving data protection with innovation has its own challenges.

This study has explored the data protection issues and concerns being faced by startups working with emerging technologies. We found a series of common themes, which indicate that there are
opportunities for startups to do more regarding their Data Protection(PDP) obligations. This includes being more proactive and recognising the existing mechanisms which might assist them in undertaking
these tasks. It also appears there is a role for the Supervisory Authorities to provide more support, in terms of raising awareness, providing guidance, and in exploring the possibilities for other, more
innovative support mechanisms; regulatory sandboxes representing a recent example. Moreover, and often less-discussed in a startup context, there appears the need for more scrutiny: Monitoring,
intervening and taking actions to both prevent harm and deter. Timely interactions and intervention are required to ensure that startups are given the best opportunities to innovate within the boundaries of
data protection regulations. We argue that such actions will assist in a more responsible use of personal data.

A summary of themes from on Data Protection for startups. 

 LEGAL CONTRACTS – MANDATES IN STARTUPS

Non-Disclosure Agreement Privacy & Policy

Agreement

Service Agreement
Lease Agreement

Shareholders Agreement
Investor Agreement
Contracts & Agreements

Consultant Agreement
Employment Contract

Memorandum of Understanding
 LEGAL CONTRACTS – MANDATES IN STARTUPS

SHAREHOLDER TYPES OF AGREEMENTS / CONTRACTS

Non-Disclosure Agreement , Shareholders Agreement

INTERNAL
STAKEHOLDERS Employment Contract, Investor Agreement

Privacy & Policy Agreement, Memorandum of Understanding

EXTERNAL
STAKEHOLDERS
Consultant Agreement, Service Agreement, Lease Agreement
 COMPANY PARTNERSHIP LLP

Compulsory Not compulsory. Compulsory registration

Registration registration required required with the ROC.
with the ROC.

Is a separate legal Not a separate legal entity. Is a separate legal entity.

Legal Status entity.

Limited to the extent of Unlimited. Can be Limited. To the extent of

Liability unpaid capital. extended to the personal the contribution to the
assets LLP.
CHOICE OF ENTITY
No. of shareholder, Minimum:2, 2-20 partners Minimum: 2,
F O R S TA RT U P : partners Maximum: 50 Maximum: no upper limit.
C O M PA N Y, Can be shareholder Cannot be shareholder Can be partner.
Foreign nationals as
PA RT N E R S H I P O R shareholder/partner
LLP Annual Return To be filed with ROC No returns to be filed. To be filed with ROC.
Own fund in case of Public fund cannot be Public fund cannot be
Pvt ltd company. raised. raised.
Source of funding Public ltd company can
raise funds from IPO.

Very procedural. By agreement of the Less procedural compared

Voluntary or by order partners, insolvency or by to company. Voluntary or
Dissolution of NCLT court order. by order of NCLT.
DATA PROTECTION AND PRIVACY

• Breaches are driving regulatory change across India:

• Facebook hack 500 million Facebook users were found available on a website for hackers
• Data of 10 crore MobiKwik users for sale on dark web
• Tata Communications, suffered a data breach and the cybercriminals sold access to hackers
• BigBasket, the popular Indian online grocery vendor data breach affected 20 million customers
• India's national airline Air India announced a cyber-attack affected about 4.5 million customers
• Insider Threats : 46% involved insiders like employees and third-party partners
• THE WEEK, India saw a 37% increase in cyber-attacks in the first quarter of 2020 compared to
2019 which is consistent in 2021.
• India Personal Data Protection Bill(PDP) is being introduced, which will supersede the Information
Technology Act, 2000 and this Bill is currently being ratified by Parliament 2021 Winter Session.
• The compliance costs for companies (especially startups) are high and achieving data protection
with innovation has many challenges. Refer Appendix for research.
 APPENDIX: DATA PROTECTION AND PRIVACY

• Heidi is a principal analyst at Forrester serving security and risk

professionals. Q&A guide delve deeper into today’s most critical
security risks and how to keep data protection and privacy top-of-
mind.
• Uncertainty. Financial distress, fear of layoffs, and disgruntlement toward
employers create a perfect environment for insider threats. 
• Know your data, mainly what it is that you have and its location. 
• Empower individuals with guidance about cybersecurity awareness, privacy,
and appropriate data handling that is relevant to their current situation and
environment.
• Protect your data regardless of where and how your employees need to
access that data
• Protect your data wherever it needs to go
• No one gives us that guide to say ‘actually, you need to do this, this, and this.