Networks

Your Network Diagram Is Now a Compliance Document

Updated: June 19, 2026


DPDP Act and Network Segmentation: Why Switching Architecture Is Now a Compliance Topic

Compliance used to stop at the firewall and the policy binder. The switches underneath, the VLANs, the routing, and the question of which system could reach which were treated as an engineering concern, not a legal one. India's Digital Personal Data Protection Rules have quietly moved that line. Rule 6 of the 2025 Rules requires every organisation handling personal data to apply specific security safeguards, and two of them, control of access to computer resources and the monitoring to detect unauthorised access, are delivered in your switching architecture, not in a document. 

For a CISO, this is an uncomfortable shift, because the network layer is the one most security programmes treat as settled. You bought switches once, you segmented loosely if at all, and you moved your attention to endpoints and identity. Rule 6 reopens that decision. A flat network, where any device can reach any system, is now hard to reconcile with a law that demands access be restricted to the authorised. The diagram on your wall has become evidence. Here is what the law actually asks of the network, and how segmentation answers it. 

Is Network Architecture Really a Compliance Issue Now? 

Yes, directly. Rule 6 of the DPDP Rules 2025 sets out a minimum set of reasonable security safeguards that organisations must apply to personal data, and failure to maintain them carries a penalty of up to ₹250 crore per incident (DPDP Rule 6). Among those safeguards are access controls that restrict access to authorised personnel, monitoring through logs of access and processing, retention of those logs, and measures to detect, investigate and remediate unauthorised access.

Read those requirements as a network engineer, and they describe segmentation and visibility, not paperwork. Restricting which systems and users can reach data is what segmentation does. Logging who accessed what is what your network and identity infrastructure produce. Detecting and containing unauthorised access depends on whether your architecture confines an intruder or lets them roam. The law does not name VLANs or group tags, but it asks for exactly what they deliver. That is why switching architecture has become a compliance topic, whether or not your network team has noticed. 

What Does the DPDP Act Require of Your Network? 

Rule 6 lists safeguards, and several land squarely on the network layer. It helps to see which obligation each part of your infrastructure satisfies:

DPDP Rule 6 safeguard | What it requires | How the network and switching layer delivers it
Access control to computer resources | Restrict access to authorised users and systems | Segmentation: VLANs, VRFs and group-based policy that stop systems reaching data they should not
Monitoring and logging | Logs of access and processing activity | Flow telemetry, access logs and authentication records from switches and ISE
Log retention (one year) | Keep access and activity logs | Centralised collection of network and identity logs
Detection and remediation | Detect, investigate and contain unauthorised access | Segmentation limits scope; visibility speeds investigation
Encryption in transit | Protect data as it moves | MACsec on switch links between sites and floors
Periodic testing and audit | Test and document safeguards | Reviewing segmentation policy and access posture

The pattern is plain. The network is not a bystander to DPDP compliance; it is where a third of Rule 6 is actually implemented (DPDP Rule 6). A compliance programme that hardens applications and identity but leaves the network flat has met the law in part and skipped the layer that controls reach. 

How Does Segmentation Map to "Reasonable Security Safeguards"? 

Segmentation is the network expression of access control, which is the safeguard Rule 6 names first. A segmented network divides systems into zones and permits only the traffic that should flow between them, so a payroll database, a customer record store and a guest Wi-Fi network are not reachable from one another by default. That is precisely "restrict access to authorised personnel" rendered in switching, rather than in a policy nobody enforces. 

The second mapping is containment. Rule 6 expects you to detect and limit unauthorised access, and segmentation is what decides how far an intrusion spreads. On a flat network, a single compromised laptop can reach every system, so one breach is a breach of everything. On a segmented network, the same intrusion hits a boundary and stops, so the incident is confined to one zone. The law rewards the architecture that contains, because containment is the difference between an incident and a catastrophe. Could you argue, today, that access to your personal-data systems is genuinely restricted at the network level, or only at the login screen? 

Why Is a Flat Network Now a Liability? 

Because it is the opposite of what the law asks, and it makes every breach worse on the two axes that matter to a regulator. A flat network provides no access control between systems, so it fails the first safeguard at the architectural level, however good your passwords are. And it offers no containment, so when a breach happens, it reaches everything, which turns a small incident into a large reportable one. 

That second point has teeth. The DPDP regime requires you to notify breaches, and the penalty attaches to failures of safeguards up to ₹250 crore per incident. A breach that a flat network lets spread across your whole estate is a bigger breach to disclose, harder to argue you had reasonable safeguards against, and more exposed to penalty. Segmentation shrinks the blast radius, and a smaller blast radius is a smaller disclosure, a stronger compliance position and a lower penalty risk. The flat network you tolerated as a convenience has become a measurable liability with a number attached to it.

What Does Compliant Network Segmentation Look Like? 

It runs deeper than the handful of VLANs most networks already have. Basic VLAN separation is a start, but it is coarse and tied to network location, which is why modern segmentation moves to identity. Cisco TrustSec and SD-Access let you assign access based on what a device or user is, not where it plugs in, so a finance system is reachable only by finance roles regardless of the port, and the policy follows the user across the network (Cisco SD-Access segmentation). 

Two layers matter for compliance. Macro-segmentation separates whole environments, keeping guest, corporate and sensitive systems in distinct virtual networks. Micro-segmentation works inside a zone, controlling which specific roles may communicate, so a compromised device cannot move sideways even within its own segment. The switching layer also produces the logs Rule 6 wants, recording who authenticated and what they reached. Built this way, the network does not merely permit compliance; it generates the access control and the evidence the law asks you to demonstrate. 

Does Segmentation Reduce Penalty and Breach-Notification Exposure? 

It improves your position on both, though no architecture is a guarantee. A regulator assessing whether you maintained reasonable safeguards will look at what you actually had in place, and a documented, identity-based segmentation scheme with logging is a concrete answer rather than a promise. It shows access was controlled at the network level and that you could detect and trace it, which is the language Rule 6 uses. 

Containment then limits the incident itself. A breach confined to one segment affects fewer data principals, which means a smaller notification, a narrower investigation and a more defensible account of the damage. The organisation that segmented can say the intrusion reached one zone and was contained; the organisation that did not must explain why a single foothold exposed everything. Faced with the same attacker, those two organisations face very different conversations with the Data Protection Board. Which conversation would you rather have prepared for? 

Where Should a CISO Start? 

With a map, not a redesign. You cannot segment around personal data until you know where it lives and how it flows, so the first step is to identify which systems hold or process personal data and what currently talks to them. That data-flow map is the foundation of both the compliance case and the segmentation design, and most organisations find the reality differs sharply from the documentation. 

From there, the work is incremental: define zones around your sensitive systems, move from location-based VLANs toward identity-based policy, switch on the logging the law requires, and tighten the boundaries in priority order rather than all at once. The network you already own can usually deliver much of this through its existing capabilities once they are turned on and configured to a plan. The deadline gives you a clock: the DPDP Rules carry an eighteen-month runway to May 2027, which is enough time to do this deliberately and not enough to leave it to the end. Start with the systems that would hurt most if exposed. 
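The macro/micro policy described under "What Does Compliant Network Segmentation Look Like?" and the data-flow map this section starts from can be checked against each other before any switch is reconfigured. The following is an added illustration, not code from the article or from any vendor product: the zone names, roles, systems and observed flows are constructed, and the policy is a hypothetical default-deny matrix. It classifies each observed flow as permitted evidence or a remediation item, and compares how many sources can reach each personal-data system on the flat network versus after the policy is enforced.

```python
from collections import defaultdict

# Constructed macro layer: which virtual network may initiate traffic to which.
MACRO_POLICY = {
    "guest": {"guest"},
    "corporate": {"corporate", "sensitive"},
    "sensitive": {"sensitive"},
}
# Constructed micro layer: inside the sensitive VN, only these (role, system)
# pairs may reach a personal-data system; anything else is denied by default.
MICRO_POLICY = {
    ("finance_user", "payroll_db"), ("crm_user", "customer_db"),
    ("backup_service", "payroll_db"), ("backup_service", "customer_db"),
}
PERSONAL_DATA_SYSTEMS = {"payroll_db", "customer_db"}

# Constructed sample from a hypothetical flat network's data-flow map.
OBSERVED_FLOWS = [  # (source VN, source role, destination VN, destination system)
    ("corporate", "finance_user", "sensitive", "payroll_db"),
    ("corporate", "crm_user", "sensitive", "payroll_db"),
    ("corporate", "crm_user", "sensitive", "customer_db"),
    ("guest", "guest_device", "sensitive", "customer_db"),
    ("corporate", "backup_service", "sensitive", "customer_db"),
    ("corporate", "intern_laptop", "corporate", "file_share"),
]

def evaluate_flow(src_vn, src_role, dst_vn, dst_sys):
    """Return (permitted, reason) for one flow: macro boundary first, then role."""
    if dst_vn not in MACRO_POLICY.get(src_vn, set()):
        return False, f"macro boundary blocks {src_vn} -> {dst_vn}"
    if dst_sys in PERSONAL_DATA_SYSTEMS and (src_role, dst_sys) not in MICRO_POLICY:
        return False, f"role {src_role} not authorised for {dst_sys}"
    return True, "permitted by policy"

def audit(flows):
    """Permitted flows are the evidence of restricted access; violations are the worklist."""
    report = {"permitted": [], "violations": []}
    for flow in flows:
        ok, reason = evaluate_flow(*flow)
        report["permitted" if ok else "violations"].append((flow, reason))
    return report

def blast_radius(flows):
    """Per personal-data system: (sources reaching it when flat, sources after policy)."""
    flat, segmented = defaultdict(set), defaultdict(set)
    for flow in flows:
        src_role, dst_sys = flow[1], flow[3]
        if dst_sys in PERSONAL_DATA_SYSTEMS:
            flat[dst_sys].add(src_role)
            if evaluate_flow(*flow)[0]:
                segmented[dst_sys].add(src_role)
    return {s: (len(flat[s]), len(segmented[s])) for s in flat}
```

On the constructed map the guest device and the CRM role's reach into payroll are the two violations; the remaining permitted flows are the list an auditor would expect to see alongside the authentication logs.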

Turning Architecture Into Evidence 

The gap most organisations face is not knowing that segmentation matters, but translating a legal requirement into a network design and then into something they can show an auditor. That translation, from Rule 6 to a working, logged, identity-based segmentation scheme, is where security and networking expertise have to meet, and few teams hold both in depth. 

Proactive Data Systems has spent 35 years building and running networks for Indian enterprises across more than 1,500 customers, as a Cisco Preferred Partner in Networking, Security, Collaboration, Cloud and AI, and Services. We map where your personal data lives, design segmentation around it with TrustSec and SD-Access, turn on the logging and monitoring Rule 6 expects, and document the controls so your architecture becomes evidence rather than exposure. Networking and security sit in the same team, with CCIE-led design and a 24x7 NOC in India, so the compliance control and the network that enforces it are built as one thing. 

Unsure whether your network would satisfy a DPDP access-control question? Ask Proactive for a segmentation and compliance assessment. It produces the data-flow map, the gaps and the plan, and it is where a defensible network architecture begins.

Disclaimer: This article is general information, not legal advice. DPDP obligations depend on your organisation's facts and processing activities. Confirm current requirements against the official DPDP Rules and consult your legal and compliance advisers before acting.

Frequently Asked Questions

Does the DPDP Act require network segmentation?
Not by name, but Rule 6 of the DPDP Rules 2025 requires access controls to computer resources, monitoring and the ability to detect and contain unauthorised access. Network segmentation is the primary way to deliver those safeguards, which makes it central to compliance in practice.

Why is a flat network a compliance liability?
A flat network provides no access control between systems and no containment, so a single breach can reach all personal data. That is hard to reconcile with the requirement for reasonable safeguards, and it produces larger, more damaging and more penalisable breaches to disclose.

How does segmentation reduce breach and penalty exposure?
Segmentation confines an intrusion to one zone instead of letting it spread across the estate. A contained breach affects fewer data principals, requires a narrower notification, and gives a stronger account of the safeguards you maintained, lowering both harm and penalty exposure.

What is the penalty for failing to maintain reasonable security safeguards?
Failure to maintain reasonable security safeguards can attract a penalty of up to ₹250 crore per incident. The safeguards include access control, monitoring, log retention and breach detection, several of which are implemented in the network and switching layer.

Where should an organisation start?
Map where personal data lives and what connects to it, then design segmentation around those systems, move toward identity-based access control, and enable the required logging. The Rules allow until May 2027, so begin with the most sensitive systems and work outward.
