Legal & Regulatory Alert (Late 2025 - January 2026)

24 February 2026

Skrine’s India Desk has been established to support Indian companies doing business in Malaysia and Malaysian companies investing into India, at a time when commercial ties between the two countries are growing rapidly. As part of this initiative, we will be issuing regular legal and regulatory alerts to keep clients informed of key developments in Indian law that affect cross-border investments, operations and risk management. These alerts are intended to give companies a clear and practical view of what is changing and why it matters.
 
Here are the latest key developments affecting Indian companies and Malaysian companies doing business in India:
 
A.  TAX AND INVESTMENT STRUCTURING
 
The Supreme Court of India has ruled that capital gains from Tiger Global’s sale of its Flipkart shares through Mauritius-based companies were taxable in India because those entities lacked real commercial substance and were used mainly to obtain tax treaty benefits.
 
The Court confirmed that India’s tax authorities are entitled to look beyond the legal structure of a transaction and examine whether a foreign holding company is a genuine operating business or merely a conduit created for tax savings.
 
The Supreme Court found that having a so-called Tax Residency Certificate is not enough proof of having a legitimate business in Mauritius and inspectors could challenge the deal by proving funds were routed via Mauritius only to avoid tax.
 
The ruling significantly changes the risk profile of investments structured through the tax haven of Mauritius and increases the importance of substance, commercial purpose and proper tax structuring for foreign investors exiting Indian assets.
 
B.  SECTOR-SPECIFIC AND FINANCIAL REGULATION
 
India’s Parliament has approved a major bill to raise the foreign direct investment (FDI) limit in the insurance sector from 74% to 100%, marking one of the most significant liberalisation steps for the country’s financial services industry in recent years.
 
The reform is intended to bring more capital, technology and international expertise into a sector that remains under-penetrated relative to India’s economy. Greater foreign participation is expected to support product innovation, digital distribution and wider insurance coverage across India’s population.
 
For foreign financial groups, this creates a clearer path to full control acquisitions and greenfield entry into India’s insurance market. It also increases exit and restructuring options for existing joint ventures, as foreign partners are no longer capped below full ownership.
 
At the same time, insurance remains a regulated industry, and investors must continue to comply with capital, solvency, governance and licensing rules set by the Insurance Regulatory and Development Authority of India. Any transaction will therefore still require regulatory approval and careful structuring.
 
C.  DATA PROTECTION AND TECHNOLOGY
 
India has brought into effect the Digital Personal Data Protection Rules, 2025 (DPDP Rules). The DPDP Rules enforce the Digital Personal Data Protection Act, 2023 (DPDP Act) and regulate how companies may collect, use, store and transfer personal data.
 
Companies will be required to give clear notices to individuals, obtain valid consent for data processing, implement appropriate security safeguards and delete personal data once it is no longer needed. The rules also introduce structured processes for handling complaints, managing consent and reporting data breaches.
 
These obligations apply not only to Indian companies but also to foreign companies that handle personal data relating to people in India, including customer data, employee records and online user information. This means many Malaysian and regional businesses with Indian operations or digital platforms will fall within the scope of the regime.
 
The data protection framework will be implemented in phases to ensure that the companies have adequate time and can plan accordingly to ensure compliance.
 
Non-compliance can expose companies to regulatory enforcement and financial penalties, making data governance, cybersecurity and contractual protections with IT vendors and cloud providers a growing legal and commercial risk in India.
 
D.  NEW LABOUR CODES
 
India has implemented its four consolidated Labour Codes, which came into effect on 21 November 2025, replacing 29 separate labour laws with a unified legal framework covering wages, industrial relations, social security and workplace safety. These codes aim to modernise India’s employment rules and provide a more predictable regulatory regime for employers.
 
Under the new framework, standardised definitions of wages and expanded social security coverage — including for gig and platform workers — have widened the scope of statutory obligations. This increases the importance of labour cost analysis and workforce liabilities, as contributions to provident fund, gratuity and other benefits are now driven by uniform definitions rather than fragmented historic standards.
 
The reforms are particularly significant for mergers and acquisitions. Labour diligence is no longer a narrow compliance exercise but a core driver of valuation and deal structuring. Buyers must now model future labour costs under the codes, including expanded workforce coverage and higher exit costs, and may need to adjust purchase price mechanisms, indemnities and escrows to reflect forward-looking liabilities that could not be ignored under the legacy regime.
 
From an operational perspective, many of the codes’ provisions are still being phased in and are subject to state-level rule notifications, creating a dual regulatory environment in the interim. Meanwhile, broader employer impacts include tighter penalties for safety and workplace violations, widened worker classifications, and a recalibration of labour costs that may influence workforce structuring, integration planning and post-transaction workforce strategies.
 
E.   DIRECTOR KYC FILING REQUIREMENT SIMPLIFIED
 
From 31 March 2026, every individual holding a Director Identification Number (DIN) need only carry out the Know Your Customer (KYC) filing once-every-three-years, moving away from the present annual filing requirement. Routine KYC filings will now be made through a single web-based form, reducing paperwork and administrative burden.
 
Directors must still update their details within 30 days if there is any change to their contact information, and failure to comply can result in DIN deactivation. Companies should update their compliance calendars to reflect the new filing cycle.
 
F.   HOW CAN THE INDIA DESK ASSIST YOU? 
 
Skrine’s India Desk aims to support Indian companies in Malaysia and Malaysian companies in India. We advise on investments, contracts, regulatory compliance and disputes. We work closely with leading Indian law firms and consultants to give clients clear and practical advice. Please contact us if you would like to discuss how these developments affect your business.
 
This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact Skrine’s India Desk (indiadesk@skrine.com).
This article/alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.