Filing a complaint at cybercrime.gov.in — what the portal is, and what it is not
The National Cyber Crime Reporting Portal (cybercrime.gov.in) is the front office of the Indian Cybercrime Coordination Centre (I4C) scheme under the Ministry of Home Affairs. A complaint lodged on the portal is not, in itself, a First Information Report under Section 173 of the BNSS [Section 154 CrPC] — it is an intake instrument that routes the matter to the State police having territorial jurisdiction. The legal weight of the eventual prosecution rests on the IT Act offences (Sections 65, 66, 66B–F, 67–67B, 72, 72A) read with the Bharatiya Nyaya Sanhita overlay (Sections 318, 319, 336), the extraterritorial reach of Section 75 of the IT Act, and the FIR-registration jurisprudence laid down in Lalita Kumari and Shreya Singhal.
The portal at cybercrime.gov.in is administratively important and doctrinally modest. It was operationalised in 2019 under the Indian Cybercrime Coordination Centre scheme of the Ministry of Home Affairs to create a single intake channel for cybercrime complaints that, until then, had to be filed at the nearest police station — a forum mismatch the IT Act, 2000 itself had foreseen when it observed, in its own terms, that the Code of Criminal Procedure provisions on territorial jurisdiction "do not offer much help given the intrinsic nature of cybercrimes, which are committed over a network and which are basically technical in character." The portal is the State's procedural answer to that mismatch. It is not, however, a statutory substitute for the FIR-registration regime under Section 173 of the Bharatiya Nagarik Suraksha Sanhita, 2023 [Section 154 of the CrPC, 1973]. A complainant who treats portal-registration as the end of the legal process — and many do — will discover the gap when the matter goes cold and the question becomes which police station's FIR the trial court will eventually try.
The statutory architecture — IT Act offences and the BNS overlay
The substantive offences that the portal channels into the criminal-justice system are spread across Chapter XI of the Information Technology Act, 2000. Section 65 of the IT Act, 2000 punishes tampering with computer source code where the code is required by law to be kept or maintained — a cognizable, non-bailable offence under Section 77B of the amended Act. Section 66, in its post-2008 form, attaches criminal liability to any of the ten acts listed in Section 43 of the IT Act (unauthorised access, downloads, virus introduction, denial of service, data theft and so on) when committed "dishonestly or fraudulently" within the meanings borrowed from Sections 24 and 25 of the Indian Penal Code [now Sections 2(7) and 2(11) of the Bharatiya Nyaya Sanhita, 2023].
The 66-series of provisions — inserted by the Information Technology (Amendment) Act, 2008 — addresses the most commonly invoked cyber-offences. Section 66B punishes dishonest receiving or retaining of stolen computer resources or communication devices; Section 66C punishes identity theft through the fraudulent use of an electronic signature, password, or unique identification feature; Section 66D punishes cheating by personation through a computer resource or communication device; Section 66E punishes the capture, publication or transmission of images of a person's private area in violation of privacy; Section 66F punishes cyber terrorism and is the only IT Act offence carrying a life sentence. Section 66A, which once criminalised "grossly offensive" online communication, was struck down as unconstitutional in Shreya Singhal v Union of India, AIR 2015 SC 1523, on grounds of overbreadth and chilling effect on speech protected under Article 19(1)(a) of the Constitution.
Sections 67, 67A and 67B of the IT Act regulate obscene, sexually explicit and child-sexual-abuse material in electronic form, with escalating punishments on first and subsequent conviction; Section 72 punishes breach of confidentiality by a person who has secured access to electronic records in pursuance of any power under the Act; and Section 72A penalises disclosure of personal information in breach of a lawful contract by an intermediary or service provider (a provision now read alongside the Digital Personal Data Protection Act, 2023, which has superseded much of the Section 43A body-corporate data-protection regime).
Cyber-fraud complaints almost invariably attract a Bharatiya Nyaya Sanhita overlay. Section 318 of the Bharatiya Nyaya Sanhita, 2023 [Section 420 of the IPC] punishes cheating; Section 319 BNS [Section 416 IPC] punishes cheating by personation; Section 336 BNS [Sections 463, 465 IPC] punishes forgery. The 2017 ruling in Sharat Babu Digumarti v Govt of NCT of Delhi, (2017) 2 SCC 18, settled an important question on the IT-Act/IPC interface — the Supreme Court held that where an offence is specifically dealt with by the IT Act, the IT Act's special-law character governs and the general IPC provisions cannot be added as a parallel head of prosecution on the same set of facts. The doctrine has migrated to the BNS in 2026 without textual change. The practical effect at intake is that the investigating officer must triangulate carefully — IT Act offences for the electronic-medium element, BNS offences for the cheating, personation or forgery underlying it, and the Sharat Babu Digumarti caution against piling on duplicative IPC heads where an IT Act provision squarely covers the act.
What the portal is — I4C, the Ministry of Home Affairs scheme
The Indian Cybercrime Coordination Centre is a Ministry of Home Affairs scheme, not a statutory authority. Its mandate is coordination among State police forces, capacity building, threat analysis and the operation of two integrated platforms — the National Cyber Crime Reporting Portal (cybercrime.gov.in) for substantive cyber-offence intake, and the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) — its 1930 helpline — for the narrower category of financial-fraud reporting where the golden-hour rule applies (treated separately in the companion piece). The portal accepts two categories of complaint: complaints reportable to the police anonymously concerning crimes against women and children, where the complainant's identity is shielded under the portal's design; and the broader category of cybercrime complaints which require basic identity disclosure.
The portal is, in legal taxonomy, an electronic intake-and-routing system. A complaint that satisfies the system's content and evidence requirements is acknowledged, given a unique reference number, and routed to the State police having territorial jurisdiction — typically the State of the complainant's residence, although the IT Act's Section 75 extraterritoriality (discussed below) permits the routing to take fact-sensitive turns. The State police are then expected to consider the complaint for FIR registration under Section 173 BNSS. This routing function is the portal's principal legal contribution; it is not itself a registration of a cognizable offence.
Portal complaint is not an FIR — the Section 173 BNSS distinction
The doctrinal point most often missed by complainants is that the act of filing a complaint on cybercrime.gov.in does not, in law, amount to the registration of a First Information Report under Section 173 of the Bharatiya Nagarik Suraksha Sanhita, 2023 [Section 154 of the Code of Criminal Procedure, 1973]. The FIR is the statutory document — recorded in the General Diary of the police station and signed by the informant — that triggers cognizable-offence investigation under Sections 175 and 176 BNSS [Sections 156 and 157 CrPC]. The portal complaint is the antecedent intake. The Supreme Court in Lalita Kumari v Govt of UP, (2014) 2 SCC 1, held that registration of an FIR under Section 154 CrPC is mandatory if the information discloses commission of a cognizable offence, and no preliminary inquiry is permissible in such a case (subject to a narrow set of carve-outs the Court enumerated — matrimonial disputes, commercial offences, medical negligence cases, corruption matters and cases with an inordinate delay in reporting). The same mandate now operates under Section 173 BNSS, with the addition of Section 173(3) BNSS which expressly permits a preliminary inquiry by an officer not below the rank of Deputy Superintendent of Police in cases punishable with 3 to 7 years' imprisonment.
The practical sequence is therefore — portal complaint files at cybercrime.gov.in, routed to the jurisdictional State police, the State police evaluate whether the information discloses a cognizable IT Act or BNS offence, and if so the police are bound by Lalita Kumari and Section 173 BNSS to register the FIR. The portal acknowledgement is not the FIR; the FIR copy obtained from the police station is. A complainant whose portal complaint has been pending without FIR registration for an unreasonable period has two parallel remedies — an application under Section 175(3) BNSS [Section 156(3) CrPC] to the jurisdictional Magistrate directing the police to register and investigate, or a writ petition under Article 226 of the Constitution before the High Court invoking the supervisory jurisdiction recognised in Lalita Kumari. The portal does not displace either remedy; it sits alongside them.
A separate but related point concerns the standing of the portal complaint as evidence. The portal-generated reference number and acknowledgement are admissible as electronic records under the Bharatiya Sakshya Adhiniyam, 2023 [Sections 65A and 65B of the Indian Evidence Act, 1872] subject to the Section 63 BSA [Section 65B IEA] certification regime. The complainant's narrative on the portal is, however, not a statement under Section 161 BNSS [Section 161 CrPC] — that recording happens after the FIR, before the investigating officer.
Jurisdiction — Section 75 IT Act and the BNSS scheme
Territorial jurisdiction is the source of the most litigation in cybercrime matters, precisely because the underlying acts are committed over a network and can be initiated, executed and consummated in three different States or three different countries. The IT Act, 2000, in Section 75, provides for extraterritorial application — the Act "shall apply to any offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India." The provision is drafted broadly and, on its face, asserts personal jurisdiction over non-Indian nationals committing acts abroad that touch Indian infrastructure. Section 1(2) of the IT Act echoes the same reach.
The Bharatiya Nagarik Suraksha Sanhita, 2023 supplies the procedural overlay. Section 197 BNSS [Section 178 CrPC] permits trial at any place where the consequence of the offence has ensued, where the offence was committed or where the property forming the subject-matter of the offence is found — a flexible test that has accommodated cybercrime's network character better than the rigid Section 177 CrPC [Section 196 BNSS] residual rule. The Supreme Court's reading of these provisions in cyber-financial-fraud matters has consistently leaned toward the place where the victim received the deceptive electronic communication or suffered the loss, which is usually the State of the complainant's residence — a reading that places the FIR-registration burden squarely on the local police and prevents the network-character of the offence from becoming a jurisdictional escape route for the accused.
The portal's routing engine reflects this jurisprudence. A complaint filed by a Delhi resident defrauded by a remote actor operating servers in West Bengal will, in the ordinary course, be routed to a Delhi police district for FIR consideration. Where the matter has an interstate or cross-border dimension that exceeds a single State's investigative capacity, the I4C operates the Joint Cyber Coordination Teams (JCCTs) — a coordination overlay that does not replace the State police's primary jurisdiction but assists with technical investigation, data preservation requests and inter-State liaison.
Evidence and the Section 63 BSA certification regime
The single largest evidentiary issue in IT Act prosecutions is the admissibility of electronic records — server logs, transaction records, chat histories, IP-address trails, mobile data, intermediary records preserved on lawful request. Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 [Section 65B of the Indian Evidence Act, 1872] requires a certificate from the person in charge of the device producing the electronic record, attesting to the conditions of production, the device's regular operation and the integrity of the output. The Supreme Court in Anvar P V v P K Basheer, (2014) 10 SCC 473, held the certificate to be a mandatory pre-condition to admissibility of secondary electronic evidence; Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal, (2020) 7 SCC 1, settled the residual questions and confirmed the mandatory character of the certification in unequivocal terms.
The portal's intake design does some, but not all, of the certification work. The portal's own logs of complaint filing are produced under the I4C's certification chain. The complainant's underlying evidence — bank statements, screenshots, transaction SMSes, intermediary takedown notices — must be produced with a Section 63 BSA certificate at the trial stage by the person in charge of the originating device or the institutional custodian. The complainant who anticipates trial would do well, at the intake stage itself, to preserve original devices, retain mobile-network records via the police's preservation request to the intermediary under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and identify the eventual certifying officer.
Intermediary liability and takedown — Section 79 read with the 2021 Rules
The substantive cybercrime offence is committed by the actor — the fraudster, the impersonator, the publisher of obscene material. The platform on which the offence is consummated is, in most cases, an intermediary protected by the safe-harbour regime of Section 79 of the IT Act, 2000, as read down in Shreya Singhal. The Supreme Court held that an intermediary's safe harbour falls only on receipt of "actual knowledge" through a court order or a government notification under Section 79(3)(b) — not on a private complaint or a complainant's own takedown notice. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, supply the operational framework, requiring intermediaries to designate a grievance officer, respond within prescribed timelines, and act on takedown demands routed through the appropriate channels.
A complainant whose portal complaint involves content hosted on an intermediary — a defamatory post, a non-consensual intimate image, an impersonating account — will find the takedown remedy more responsive than the criminal-prosecution remedy in the short term. The intermediary grievance mechanism is independent of the FIR process; both can be pursued in parallel. The criminal investigation, however, will frequently require the intermediary to retain logs and disclose subscriber information, which the investigating officer secures by a Section 91 BNSS [Section 91 CrPC] notice or, in transnational cases, through the Ministry of Home Affairs' Mutual Legal Assistance Treaty (MLAT) channel.
Where the doctrine sits today — open questions, persistent tensions
Three doctrinal tensions persist in the post-2019 portal-centric architecture. The first is the gap between portal-acknowledgement and FIR-registration. The portal's intake design encourages complainants to treat the unique reference number as the end of the legal road; the law treats it as the beginning. A complainant who has not followed up with the routed police station, or who has not pursued the Section 175(3) BNSS remedy when the police have failed to register an FIR despite cognizable allegations, will often find — months later — that the limitation clock under Section 514 BNSS [Section 468 CrPC] has consumed the case. The IT Act, 2000 itself does not prescribe a limitation period; Section 81 of the IT Act gives the Act overriding effect, but the Section 514 BNSS limitation is not inconsistent with the Act and therefore continues to apply to IT Act offences that fall within its bands.
The second tension is jurisdictional. Section 75 IT Act's extraterritorial reach is doctrinally wide on paper but enforceability-light in practice. A complaint involving servers and actors abroad routes through the MLAT system, which is slow and discretionary. The portal's existence has not solved this; what it has solved is the intra-India coordination problem. The cross-border problem remains a treaty-and-comity problem, and the IT Act's broad jurisdictional claim cannot, on its own, deliver an extradition.
The third tension is the IT Act / BNS overlap clarified by Sharat Babu Digumarti. The post-Sharat Babu Digumarti trend in High Courts has been to scrutinise FIRs that pile on IPC cheating and forgery sections where an IT Act provision squarely covers the act, and to insist that the special-law character of the IT Act be respected. The BNS-era FIRs replicate the IPC structure with renumbered sections, and the High Courts are still working out how aggressively to apply Sharat Babu Digumarti at the FIR-quashing stage under Section 528 BNSS [Section 482 CrPC]. Complainants and investigating officers should expect, in the coming years, a steady stream of Sharat Babu Digumarti-based quashing petitions in cases where the BNS overlay has been mechanically added without doctrinal justification.
The portal is, on balance, a procedural advance. It reduces friction at intake, builds a national dataset on cyber-offence patterns, and provides a routing engine that has solved the most acute version of the territorial-jurisdiction problem. What it does not do — and was never designed to do — is replace the statutory FIR-registration regime under Section 173 BNSS, the Lalita Kumari mandate, the Shreya Singhal Section 79 read-down, the Sharat Babu Digumarti special-law principle, or the Section 63 BSA evidence regime. The complainant who understands the portal as an intake-and-routing instrument situated within this larger architecture will use it correctly; the complainant who treats it as a one-stop legal remedy will be disappointed by the gap between the acknowledgement screen and the trial court.