Navigating Digital Signature Rules for Software in India (2026)

If you’re building or distributing software in India, the regulatory landscape for digital authentication just underwent a massive architectural shift. Between the IT Amendment Rules 2026 and the new global mandates for code signing validity, the "set it and forget it" approach to Digital Signature Certificates (DSC) is officially dead.
For the tech wizards and compliance leads managing SaaS platforms or shipping binaries, here is the technical breakdown of the rules you need to navigate this year.
The 460-Day Code Signing Ceiling
The most significant technical change for software developers in 2026 isn't just a local rule—it’s a global synchronization that the Controller of Certifying Authorities (CCA) in India has aligned with. As of March 1, 2026, the maximum validity for any new Code Signing Certificate (EV or OV) has been slashed from 39 months to exactly 460 days (approx. 15 months).
Why the aggressive reduction? Security researchers identified a 15-month window as the average "dwell time" for supply chain attacks. By forcing a rotation every 15 months, the window of exposure for a compromised private key is significantly narrowed. For your CI/CD pipelines, this means "automated certificate rotation" is no longer a luxury—it's a requirement to avoid build failures and "Unknown Publisher" warnings mid-release cycle.
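As an added example (not code from the article or from any CA), here is a pipeline check that turns the 460-day cap and the pre-March-2026 grandfathering into a policy gate: it parses the date lines printed by `openssl x509 -noout -dates`, flags certificates whose validity exceeds the applicable limit, and warns when rotation is due before an expiry would break a release. The sample dates are constructed, not taken from a real certificate.

```python
from calendar import monthrange
from datetime import datetime, timedelta, timezone
# Policy as the article states it: the 460-day cap applies to certificates issued
# on or after 1 March 2026; earlier ones keep their original term of up to 39 months.
CAP_EFFECTIVE = datetime(2026, 3, 1, tzinfo=timezone.utc)
MAX_VALIDITY_NEW = timedelta(days=460)
LEGACY_MONTHS = 39

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def parse_openssl_dates(text):
    """Parse the two lines printed by `openssl x509 -noout -dates` into UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    def to_dt(s):  # e.g. "Mar  2 00:00:00 2026 GMT" (openssl pads the day with spaces)
        return datetime.strptime(s.replace(" GMT", ""), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def add_months(d, months):
    """Calendar-month addition, clamping the day to the target month's length."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return d.replace(year=year, month=month, day=min(d.day, monthrange(year, month)[1]))

def policy_violations(not_before, not_after):
    """Return the policy problems with a validity period; an empty list means compliant."""
    if not_after <= not_before:
        return ["notAfter is not later than notBefore"]
    if not_before >= CAP_EFFECTIVE:
        if not_after - not_before > MAX_VALIDITY_NEW:
            return [f"validity of {(not_after - not_before).days} days exceeds the 460-day cap"]
    elif not_after > add_months(not_before, LEGACY_MONTHS):
        return ["pre-March-2026 certificate exceeds its grandfathered 39-month term"]
    return []

def rotation_due(not_after, now, lead=timedelta(days=30)):
    """True when the certificate expires within `lead` of `now`, or already has."""
    return not_after - now <= lead

def covers_release(not_before, not_after, release_time):
    """True when a build signed at `release_time` falls inside the validity window."""
    return not_before <= release_time <= not_after

# Constructed sample in the shape of `openssl x509 -noout -dates` output (not a real certificate).
SAMPLE_DATES = """notBefore=Mar  2 00:00:00 2026 GMT
notAfter=Jun  5 00:00:00 2027 GMT"""

if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    print((na - nb).days, policy_violations(nb, na), rotation_due(na, utc(2027, 5, 20)))
```

Wire `policy_violations` and `rotation_due` into the signing stage so a non-empty result fails the build early instead of surfacing as an "Unknown Publisher" warning after release.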
IT Amendment Rules 2026: The AI & SGI Factor
On February 10, 2026, MeitY notified the latest amendments to the IT Rules. While much of the buzz is about social media, there is a specific hook for software providers: Synthetically Generated Information (SGI).
If your software uses AI to generate or modify media (audio, video, or images), you are now legally mandated to embed provenance metadata and digital watermarks. These are not just visual overlays; they must be tamper-resistant digital identifiers that trace the content back to your tool’s system. Rule 3(3) requires "reasonable and appropriate technical measures" to prevent the dissemination of unlawful SGI. If you're a SaaS founder, your backend must now support these digital fingerprints to maintain "Safe Harbour" protection.
The India-EU Digital Bridge
In a landmark move on January 27, 2026, India (MeitY) and the EU (DG CONNECT) signed an arrangement for the mutual recognition of Advanced Electronic Signatures and Seals. For Indian software exporters, this is a game-changer.
Previously, Indian DSCs often faced friction in European courts or procurement portals. The 2026 framework links the "Trusted Lists" of both regions. If you are signing software contracts or invoices for EU clients, a Class 3 DSC issued by an Indian CA (like eMudhra or Safescrypt) is now moving toward seamless legal equivalence in the EU, drastically reducing the need for localized signing infrastructure.
Class 3 or Bust: The Unified Standard
As of early 2026, the complexity of choosing between DSC classes has been eliminated. Class 3 is the only active class of certificate in India. Class 1 (email-only) and Class 2 (database-verified) have been fully phased out and merged into the Class 3 standard.
Verification: Video-KYC is now the mandatory baseline for all Class 3 issuances.
Storage: Private keys must be stored in FIPS 140-2 Level 2+ hardware modules (USB tokens) or compliant Cloud-HSMs for remote signing.
Algorithms: All signatures must use RSA with SHA-256 or ECDSA (NIST Curve P-256) as per the latest CCA Interoperability Guidelines v4.0.
Software Documentation and Section 3A
For B2B SaaS companies, the legal validity of electronic records is governed by Sections 3 and 3A of the IT Act. In 2026, the "reliability" of a signature is judged by five criteria:
1. Unique link to the signatory.
2. Signatory control over the private key.
3. Detection of any alteration to the signature.
4. Detection of any alteration to the document.
5. Compliance with the Second Schedule.
Whether you are using Aadhaar eSign (via OTP) or a hardware-based DSC, ensure your software's audit logs capture the X.509 certificate metadata and the timestamp from a trusted Time Stamping Authority (TSA). Without a TSA-certified timestamp, a signature's validity can be challenged once the certificate expires, because nothing independent of the signer proves that the document was signed while the certificate was still valid.
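As an added example (not the article's code and not tied to any particular eSign or TSA provider), the check below runs over constructed JSON-lines audit records carrying the fields just described and classifies each signature for a verification performed at a given time: a TSA time inside the certificate's validity window keeps the signature provable after expiry, while a record with no TSA time becomes challengeable as soon as the certificate expires. Hashes, serials and subject names are placeholders.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass
class SignatureRecord:
    """One audit-log entry with the fields the article says to capture."""
    document_sha256: str
    signer_subject: str
    cert_serial: str
    cert_not_before: datetime
    cert_not_after: datetime
    tsa_time: Optional[datetime]  # None when no TSA token was attached to the signature

def parse_record(line):
    """Build a record from one JSON audit-log line; timestamps are ISO 8601 in UTC."""
    d = json.loads(line)
    def iso(s):
        return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None
    return SignatureRecord(d["doc_sha256"], d["subject"], d["serial"],
                           iso(d["not_before"]), iso(d["not_after"]), iso(d.get("tsa_time")))

def assess(rec, now):
    """Classify how well the record supports the signature when verified at `now`."""
    if rec.tsa_time is not None:
        if rec.cert_not_before <= rec.tsa_time <= rec.cert_not_after:
            return "VALID"           # TSA proves signing happened inside the validity window
        return "INVALID"             # signed outside the window, whenever it is verified
    if now <= rec.cert_not_after:
        return "VALID_UNTIL_EXPIRY"  # holds only while the certificate is unexpired
    return "CHALLENGEABLE"           # expired, and no trusted proof of the signing time

def assess_log(text, now):
    """Map each document hash in a JSON-lines audit log to its verdict."""
    return {r.document_sha256: assess(r, now) for r in map(parse_record, text.strip().splitlines())}

# Constructed sample log: placeholder hashes, serials and names, all issued under one certificate.
SAMPLE_LOG = """
{"doc_sha256": "placeholder-sha256-1", "subject": "CN=Example Pvt Ltd", "serial": "01", "not_before": "2026-03-02T00:00:00Z", "not_after": "2027-06-05T00:00:00Z", "tsa_time": "2026-09-10T12:00:00Z"}
{"doc_sha256": "placeholder-sha256-2", "subject": "CN=Example Pvt Ltd", "serial": "01", "not_before": "2026-03-02T00:00:00Z", "not_after": "2027-06-05T00:00:00Z", "tsa_time": null}
{"doc_sha256": "placeholder-sha256-3", "subject": "CN=Example Pvt Ltd", "serial": "01", "not_before": "2026-03-02T00:00:00Z", "not_after": "2027-06-05T00:00:00Z", "tsa_time": "2027-07-01T09:00:00Z"}
"""

if __name__ == "__main__":
    print(assess_log(SAMPLE_LOG, utc(2028, 1, 15)))
```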
Frequently Asked Questions (FAQs)
1. Is Aadhaar-based eSign valid for software licensing agreements?
Yes. Under Section 3A of the IT Act, Aadhaar eSign is a legally recognized electronic signature in India. It is highly scalable for user-facing agreements, though for high-value corporate filings (MCA/GST), a Class 3 DSC is typically required.
2. What happens to my existing 3-year code signing certificate issued before 2026?
Certificates issued before March 1, 2026, remain valid for their original term (up to 39 months). However, any renewal or new issuance after this date will be capped at the new 460-day limit.
3. Do I need a digital signature for GST e-invoicing in software sales?
Absolutely. For the 2026 fiscal year, all e-invoices must be digitally signed by the IRP (Invoice Registration Portal). However, for your internal records and vendor management, e-signing your own outgoing invoices ensures non-repudiation and audit-readiness during GST scrutiny.