By Dev Rao | Updated March 2026
What Is India's Digital Identity Stack for Business?
India operates one of the world's most advanced digital identity ecosystems, collectively known as India Stack. For businesses — and particularly foreign companies setting up or operating in India — three components are essential: Aadhaar (biometric identity for 1.31 billion Indians, used for KYC verification), DigiLocker (government-backed digital document repository), and e-Sign/DSC (electronic and digital signature infrastructure for regulatory filings). These systems are not optional conveniences — they are deeply embedded into India's regulatory and commercial infrastructure.
Every interaction with Indian regulators — from MCA company filings to GST registration to income tax returns — requires some form of digital identity verification. Foreign companies registering in India will encounter Digital Signature Certificates (DSCs) on Day 1, as DIN applications and SPICe+ incorporation forms require DSC authentication. Understanding which identity tools apply to foreign nationals versus Indian residents, and how they interact, is critical for smooth regulatory compliance.
The legal framework spans multiple statutes: the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the Information Technology Act, 2000 (Sections 3A and 5 for electronic signatures), and the Information Technology (Certifying Authorities) Rules, 2000 for DSC issuance.
Legal Basis
The digital identity framework for business rests on these legislative foundations:
- Aadhaar Act, 2016 (as amended 2019) — Section 8 governs authentication (consent-based, for KYC). Section 4 establishes Aadhaar issuance to every resident (not citizens only). The 2019 amendment (Aadhaar and Other Laws (Amendment) Act) permits offline verification and voluntary use by private entities for KYC, with written consent.
- Information Technology Act, 2000 — Section 3A — Defines electronic signatures and their legal validity. An e-signature must uniquely identify the signatory, indicate approval, and ensure reliability and integrity of the signed document.
- IT Act, 2000 — Section 5 — Grants legal recognition to electronic signatures, equating them to handwritten signatures for all purposes except those specifically excluded under Section 1(4) (negotiable instruments, powers of attorney, trusts, wills).
- Gazette Notification No. GSR 61(E), January 28, 2015 — Inserted Aadhaar e-Sign into Schedule II of the IT Act as a valid electronic signature technique.
- Information Technology (Certifying Authorities) Rules, 2000 — Governs issuance of Digital Signature Certificates (Class 2 and Class 3, now consolidated to Class 3) by licensed Certifying Authorities under the Controller of Certifying Authorities (CCA).
- RBI Master Direction on KYC, 2016 (updated 2023) — Permits Aadhaar-based e-KYC and offline verification for bank account opening, NBFC onboarding, and payment system access.
- DigiLocker Framework — Established under the Digital India initiative by MeitY. Documents stored in DigiLocker are legally valid under the IT Act and treated equivalent to original documents under Rule 9A of the Information Technology (Preservation and Retention of Information by Intermediaries) Rules.
Aadhaar for Business KYC
Aadhaar is India's 12-digit unique identity number issued by the Unique Identification Authority of India (UIDAI) to every resident. Over 1.31 billion Indians (95% of the population) possess an Aadhaar. For businesses, Aadhaar's relevance is primarily in Know Your Customer (KYC) verification of Indian employees, directors, customers, and vendors.
e-KYC vs. Offline Verification
| Feature | Aadhaar e-KYC | Aadhaar Offline Verification |
|---|---|---|
| Authentication method | OTP or biometric via UIDAI servers | XML file or QR code (no UIDAI server call) |
| Data received | Name, address, photo, date of birth (real-time from UIDAI) | Same data, but from a digitally signed XML downloaded by the Aadhaar holder |
| Consent requirement | Explicit consent of Aadhaar holder (Section 8, Aadhaar Act) | Voluntary sharing by Aadhaar holder |
| Who can use it | Government agencies, regulated entities (banks, telecom, insurance) with UIDAI agreement | Any entity — no UIDAI agreement required (post-2019 amendment) |
| Data storage rules | No storage of Aadhaar number or biometrics beyond the transaction. Must use Aadhaar Data Vault for reference | No storage of core biometric data. Masked Aadhaar number permitted |
| Legal basis | Section 8, Aadhaar Act + RBI/SEBI/IRDAI regulations | Aadhaar (Authentication and Offline Verification) Regulations, 2021 |
Limitations on Aadhaar Use by Businesses
Following the Supreme Court judgment in K.S. Puttaswamy v. Union of India (2018), private companies cannot mandate Aadhaar for service delivery. The 2019 amendment permits voluntary Aadhaar use for KYC by private entities, but only with:
- Written, informed consent of the Aadhaar holder
- An alternative KYC method for those who choose not to share Aadhaar
- Compliance with data storage restrictions (no retention of Aadhaar number or biometrics beyond the transaction; use of Aadhaar Data Vault for tokenized reference)
Penalties for unauthorized Aadhaar data use: imprisonment up to 3 years and fine up to INR 10 lakh under Sections 37-40 of the Aadhaar Act.
DigiLocker: Digital Document Verification
DigiLocker is a government-run cloud platform that allows Indian citizens and businesses to store, access, and share digital documents. It serves as a bridge between document issuers (government departments, universities, regulatory bodies) and document verifiers (banks, employers, regulators).
Two Types of DigiLocker Documents
| Document Type | Source | Legal Status | Examples |
|---|---|---|---|
| Issued Documents | Pulled directly from the issuing authority's database via API | Legally equivalent to originals under IT Act | PAN card, driving license, vehicle registration, CBSE marksheet, Aadhaar, Class 10/12 certificates |
| Uploaded Documents | Scanned and uploaded by the user | Self-attested copies (not equivalent to originals) | Rental agreements, utility bills, custom documents |
DigiLocker for Business Verification
Through DigiLocker and its business counterpart EntityLocker, companies can access and verify:
- GSTIN certificate — Verified GST registration directly from the GSTN database
- Udyam Registration — MSME registration certificate from the Udyam portal
- Company Master Data — MCA-verified company information (CIN, directors, registered address)
- PAN verification — Real-time PAN status check via NSDL/Protean integration
DigiLocker API integration allows businesses to automate KYC and onboarding workflows. Over 280 issuer organizations are connected to DigiLocker, and documents fetched via API are digitally signed by the issuing authority, making them tamper-proof and legally admissible.
e-Sign vs. Digital Signature Certificate (DSC)
India recognizes two distinct categories of electronic signatures for business and regulatory purposes. Understanding the difference is critical because regulatory filings require specific signature types:
| Feature | Aadhaar e-Sign | Digital Signature Certificate (DSC) |
|---|---|---|
| Legal basis | IT Act Section 3A + Gazette Notification GSR 61(E) 2015 | IT Act Section 3 + IT (Certifying Authorities) Rules, 2000 |
| Authentication | Aadhaar OTP or biometric (via UIDAI) | USB token with private key (hardware-based) |
| Who can use | Any Aadhaar holder (Indian residents only) | Anyone — Indian citizens, NRIs, foreign nationals |
| Validity period | Transaction-specific (one-time use per signing) | 1-3 years (renewable) |
| Cost | INR 5-15 per signature (API-based pricing) | INR 2,000-4,000 for 2-year Class 3 certificate |
| Accepted for MCA filing | No (not accepted on MCA V3 portal) | Yes — mandatory for all MCA/ROC filings |
| Accepted for GST filing | Yes (Aadhaar e-Sign supported) | Yes |
| Accepted for income tax filing | Yes (for individuals; companies must use DSC) | Yes — mandatory for companies and tax audit cases |
| Court admissibility | Same presumptive value as wet-ink signature under IT Act + Indian Evidence Act | Same presumptive value as wet-ink signature |
| Foreign national eligibility | No — requires Aadhaar (available only to Indian residents) | Yes — Class 3 DSC available to foreign nationals with passport |
Class 2 vs. Class 3 DSC (Now Unified)
Historically, India issued two classes of DSC: Class 2 (identity verified against a pre-verified database) and Class 3 (identity verified through physical or video presence before a Registration Authority). Since 2023, all DSCs are now issued as Class 3 under unified norms, providing the highest level of identity assurance. Class 3 DSCs are universally accepted across MCA, DGFT, GST, e-procurement, and all other government portals.
DSC for Foreign Directors and Shareholders
Foreign nationals acting as directors, shareholders, or authorized signatories in Indian companies must obtain a Class 3 DSC. The process:
- Select a licensed Certifying Authority (CA): eMudhra, Capricorn CA, Vsign, NSDL, or Sify (all supervised by the Controller of Certifying Authorities under the IT Act)
- Submit documents: Valid passport (mandatory), overseas address proof (utility bill/bank statement), Indian visa or residence permit (if applicable), board resolution or authorization letter
- Identity verification: Video KYC or online verification — physical presence in India is not required
- Receive DSC: Typically 1-2 working days. The certificate is loaded on a USB crypto token shipped to the foreign address
Cost: INR 2,000-4,000 for a 2-year validity Class 3 DSC. Documents must be notarized or apostilled per the Hague Convention or attested by the Indian Embassy/Consulate.
PAN-Aadhaar Linking
The PAN-Aadhaar linking requirement affects Indian employees and Indian-resident directors of foreign companies:
- Deadline: December 31, 2025. PANs not linked to Aadhaar become inoperative from January 1, 2026
- Late linking fee: INR 1,000
- Consequences of inoperative PAN: Cannot file ITRs, receive tax refunds, or complete PAN-required transactions (bank account opening, securities trading, property registration above INR 10 lakh)
- Exemptions: Foreign nationals (non-residents who are not Indian citizens) are exempt from PAN-Aadhaar linking, even if they hold a PAN. NRIs holding Indian passports are also exempt. The exemption applies because Aadhaar is issued only to residents, not to all PAN holders
How This Affects Foreign Companies in India
The digital identity ecosystem creates specific implications at each stage of a foreign company's India operations:
Company Registration Stage
- Every director (including foreign directors) must obtain a Class 3 DSC before filing SPICe+ incorporation forms or DIN applications with the MCA
- Aadhaar is not required for foreign directors (it is issued only to Indian residents). However, the Indian resident director must provide Aadhaar as part of KYC for MCA registration
- The resident director requirement means at least one director will need Aadhaar-linked identity verification
Ongoing Compliance Stage
- All annual returns (MGT-7) and financial statements (AOC-4) filed with MCA require DSC authentication — the foreign director's DSC must be valid and registered on the MCA V3 portal
- GST registration supports both DSC and Aadhaar e-Sign for Indian authorized signatories
- Company tax returns must be signed with DSC (Aadhaar e-Sign is not accepted for company filings)
Employee Onboarding
- Indian employees will present Aadhaar for KYC during onboarding. Your HR system must handle Aadhaar data in compliance with the Aadhaar Act (no storage of Aadhaar number or biometrics; use Aadhaar Data Vault for tokenized reference)
- DigiLocker integration can streamline document verification — employees can share verified education certificates, PAN, and address proof directly from DigiLocker
Common Mistakes
- Assuming foreign directors need Aadhaar. Aadhaar is issued only to Indian residents (anyone who has resided in India for 182+ days in the preceding 12 months). Foreign directors based outside India cannot get Aadhaar and do not need it. They need a DSC, not Aadhaar. Confusing the two delays company registration by weeks.
- Letting the DSC expire without renewal. A Class 3 DSC is valid for 1-3 years. If a foreign director's DSC expires, all MCA filings requiring that director's signature are blocked until renewal. This has caused missed filing deadlines and late fees of INR 100 per day for several foreign-owned companies. Set calendar reminders 60 days before expiry.
- Storing Aadhaar numbers in employee databases. The Aadhaar Act prohibits storage of Aadhaar numbers beyond the specific transaction. Companies that store raw Aadhaar numbers in HRMS systems (SAP, Workday, Oracle HCM) violate Section 29 of the Aadhaar Act. Use Aadhaar Data Vault for tokenized reference. Penalty: imprisonment up to 3 years + INR 10 lakh fine.
- Using Aadhaar e-Sign for MCA filings. The MCA V3 portal does not accept Aadhaar e-Sign — only DSC. Companies that set up e-Sign workflows for all regulatory filings discover this when SPICe+ or AOC-4 filings are rejected. Use DSC for MCA, DSC or e-Sign for GST, and DSC for company tax returns.
- Not apostilling DSC application documents. Foreign nationals applying for DSC must submit notarized or apostilled copies of their passport and address proof. Documents attested by a local notary public (without apostille) are rejected by Indian Certifying Authorities. Use the apostille process for Hague Convention countries or Indian Embassy attestation for non-Hague countries.
Practical Example
Luminos Pte Ltd, a Singapore-based fintech company, is incorporating a wholly-owned subsidiary in India (Luminos India Pvt Ltd). The company has two Singapore-based directors (Ms. Chen and Mr. Tanaka) and one Indian resident director (Mr. Sharma).
Digital identity requirements:
- Ms. Chen and Mr. Tanaka: Each needs a Class 3 DSC from a licensed CA. They submit apostilled passports and Singapore address proof via eMudhra, complete video KYC, and receive USB tokens shipped to Singapore within 5 business days. Cost: INR 3,500 each (2-year validity). Total: INR 7,000
- Mr. Sharma: Provides Aadhaar for MCA KYC verification and obtains a Class 3 DSC. His Aadhaar is linked to PAN (completed before the December 2025 deadline). Cost: INR 2,500 for DSC
- SPICe+ filing: All three directors sign the incorporation form using DSC. Ms. Chen and Mr. Tanaka's DSCs are registered on the MCA V3 portal using their passport numbers as the identifier
- Post-incorporation: Luminos India opens a bank account, submitting Mr. Sharma's Aadhaar e-KYC (with OTP consent) and DigiLocker-fetched Certificate of Incorporation and PAN card. The bank verifies these digitally signed documents in real-time
- Employee onboarding: Luminos India hires 15 Indian employees. HR verifies identity via Aadhaar offline XML (with employee consent), fetches education certificates from DigiLocker API, and stores only tokenized Aadhaar references in the HRMS — never the 12-digit Aadhaar number
Total digital identity setup cost: INR 12,000. Time: 7 business days (DSC procurement + MCA registration). Without understanding these requirements upfront, companies typically lose 3-4 weeks troubleshooting rejected filings and incorrect document formats.
Key Takeaways
- India's digital identity stack (Aadhaar, DigiLocker, e-Sign/DSC) is embedded into every regulatory interaction — from company incorporation to tax filing to employee onboarding
- Foreign directors need a Class 3 DSC (INR 2,000-4,000, 2-year validity) with apostilled documents — not Aadhaar, which is available only to Indian residents
- Aadhaar-based e-KYC is permitted for business use with written consent, but storage of Aadhaar numbers is prohibited (penalty: 3 years imprisonment + INR 10 lakh fine)
- DigiLocker provides legally valid, digitally signed government documents for instant KYC and compliance verification via API
- DSC is mandatory for all MCA filings; Aadhaar e-Sign is accepted for GST but not for MCA or company tax returns
- PAN-Aadhaar linking is mandatory for Indian residents (deadline: December 31, 2025) but foreign nationals are exempt
Setting up digital identity infrastructure for your India operations? Beacon Filing provides India entry strategy services including DSC procurement coordination, MCA portal registration, and regulatory filing support for foreign companies.