The Enforcement Gap in India’s Draft National Electricity Data Sharing Framework, 2026
A Clause-by-Clause Read of India’s Draft National Electricity Data Sharing Framework, 2026
09.07.2026
Authored by: Mr. Kunal Veer Chopra (Senior Associate)
The Ministry of Power circulated the draft on 22 June 2026 and has asked for comments by 21 July 2026. Twenty-four stakeholder categories were on the distribution list, from Ministry of Electronics and Information Technology (MeitY) and the Central Electricity Authority (CEA) to Federation of Indian Chambers of Commerce and Industry (FICCI), Confederation of Indian Industry (CII), and Promoting Regular & Assisted Migration for Youth and Skilled Professionals (PRAYAS) Energy Group.
India’s power sector produces enormous volumes of data every day, on generation, transmission, distribution, outages, tariffs, and markets. It sits in silos across generating companies, Load Despatch Centres, transmission and distribution licensees, and electricity regulators, in inconsistent formats, with no common rule for who can access what. The draft names this problem directly, fragmented datasets, inconsistent formats, no unified access standard. The document turns out to be a well-built answer to a problem it has also chosen, in its own drafting, not to fully solve.
What the draft gets right
The architecture is sound. Section 1 makes the National Electricity Data Centre (NEDC) and National Electricity Data Portal mandatory infrastructure, required to be established, even though using them is not. Section 6.1 sorts data into two tiers, Public and Access Controlled, replacing what would otherwise be a maze of ad hoc categories. Section 7.3 requires every data issuer to maintain five fields of metadata for each dataset, description, schema, source, update cycle, and classification. Section 6.3 names seven specific de-identification techniques, anonymisation, pseudonymisation, tokenisation, aggregation, value banding, spatial displacement, and suppression, each defined with enough precision to survive the Digital Personal Data Protection Act, 2023 (DPDP Act).compliance review. Section 3 carves cyber defence protocols, real-time strategic telemetry, and power exchange bids ahead of market clearing out of scope entirely. Annexure D lists 66 recommended public datasets, from daily coal stock positions at thermal stations to state-wise AT&C losses to Distribution Company (DISCOM) wise smart metering rollout, and is the most useful thing in the document, it tells every utility, in writing, what the government thinks belongs in the public domain.
None of that is the problem. The problem sits in how the draft moves from stating a duty to enforcing one.
A duty with no deadline attached to it
Section 7.3 is unambiguous, every data issuer is required to discover and publish metadata for each dataset. That is a real obligation, not a suggestion. Section 7.6 then sets out how compliance is supposed to happen, and every operative verb changes, every Data Issuer “may publish” a complete metadata catalogue within 12 months, and “may ensure” NEDC discoverability within 18 months. New datasets created afterward “may be added” to the inventory within 90 working days. The obligation in Section 7.3 exists. The only clause that gives it a timeline makes meeting that timeline optional. A data issuer can satisfy the letter of Section 7.3 by holding metadata privately and never publishing it on the schedule Section 7.6 lays out, because Section 7.6 never actually requires that schedule to be met.
The same pattern runs through the rest of the operative framework. Section 5.1.1, a data issuer “may appoint” a Data Governance Officer (DGO), though once appointed, the DGO’s own duties are written as mandatory. Section 5.1.2, a data issuer “may” review its own classifications annually. Section 5.1.3, it “may levy reasonable access fees,” and the entire list of access-friendly concessions, free public viewing, reduced academic rates, government fee waivers, sits under a clause that introduces all of them as things that “may be factored in.” Even Section 5.3’s grievance mechanism opens by stating that a two-level redressal process “may be established,” meaning the existence of a complaints process, not just its independence, is itself discretionary.
Compare that to the sections where the Ministry did write unhedged obligations. Section 11, cybersecurity, uses mandatory language throughout with no exceptions, the NEDC and all data issuers must comply with government cybersecurity guidance, testing must be conducted before any hosting infrastructure goes live, and that infrastructure cannot be made live until vulnerabilities are remediated. Section 9 on inter-sector coordination is similarly firm where it binds the NEDC to other government bodies, cross-sector requests are subject to the same classification rules as domestic ones, and the NEDC must coordinate with sectoral data bodies and adopt India Energy Stack standards where they exist. The pattern is consistent, where a clause protects infrastructure security or binds one government body to another, it is written to bind. Where a clause would put something in front of the public, a researcher, or a competitor’s product team, it is written to invite.
The classification loophole
Section 6 states that the classification framework applies only to data that a data issuer has itself chosen to designate as shareable. Before any tier, fee rule, or grievance process applies, the utility decides whether a given dataset is shareable at all. A DISCOM that does not want its outage data scrutinised simply never designates it, and no clause in the draft lets a requester challenge that non-designation. Annexure A, the classification matrix that would otherwise anchor these decisions, is explicitly labelled indicative in Section 6.2 and in its own heading. For the 66 datasets the Ministry itself recommends in Annexure D, the fix is straightforward, build in a presumption that these specific datasets are shareable, with the burden on the issuer to justify withholding one, rather than a burden on the requester to prove it should exist.
Grievances heard by the accused
Section 5.3 sets a genuine timeline once a grievance mechanism exists, Level 1, the DGO, decides within 14 working days, Level 2, one level above the DGO, decides within a further 14 working days on escalation. Both levels sit inside the same organisation whose decision is being challenged. An officer one rank above the DGO is not a natural check on that DGO’s own refusal to designate a dataset, particularly where the refusal reflects institutional preference rather than individual error. The right to approach a court or statutory authority survives the mechanism, but litigation is not a realistic remedy for a university researcher denied a feeder-level dataset for a single paper. An independent appellate layer, at the NEDC, the CEA, or the relevant Electricity Regulatory Commission, would give this process actual teeth, starting with making the mechanism itself mandatory rather than something that may be established.
Fees, access, and who actually pays
Section 5.1.3 permits reasonable access fees with no definition of reasonable, no cap, and no named body to check one. Every concession that would keep fees from becoming a barrier, free public viewing, reduced academic rates, waivers for government and statutory bodies, sits inside the same discretionary list. A utility could comply with the letter of the framework while pricing every serious researcher or startup out of the data Annexure D says should be public.
Access itself, per Section 5.2 and Annexure C, is restricted to registered Indian entities completing KYC verification through a PAN, CIN, or DIN. That is defensible for infrastructure-sensitive datasets, and there is precedent for it in adjacent digital public infrastructure. It sits awkwardly, though, next to a framework whose own Section 4(e) states an objective of interoperability with the India Datasets platform at data.gov.in, an explicitly open, non-jurisdiction-limited standard. A tiered exception giving foreign academic institutions access to Tier 2 data through the Secure Data Environments the framework already contemplates in Section 7.2(g) would close that gap without touching the KYC requirement for anything genuinely sensitive.
On cost, Section 10 says Electricity Regulatory Commissions should enable passthrough of implementation costs into the Annual Revenue Requirement, after prudence checks. That is a real regulatory gate, not an automatic pass-through, and it is worth stating precisely, consumers may end up funding this infrastructure, but ERCs retain the authority to disallow costs they find imprudent. The sharper question for comments is not whether consumers might pay, but what they get in return if a utility builds a portal it is never obligated to populate on any enforceable timeline.
What the final version needs
The architecture, the privacy safeguards, and the ambition to interoperate with transport, climate, and financial-sector data are genuinely well built. The enforcement is not, and the gap between the two is not vague drafting, it is a specific, locatable pattern, Section 7.3 states a duty, Section 7.6 removes its deadline, and the only clauses written to bind without exception are the ones protecting infrastructure security and inter-government coordination, not public access. Four changes would close that gap, convert Section 7.6’s timeline from discretionary to binding, at minimum for government-owned utilities and regulated licensees, so that Section 7.3’s duty finally has an enforceable date attached to it, a presumption of shareability for the datasets already named in Annexure D, with the burden on the issuer to justify withholding one, a mandatory, independent appellate layer outside the data issuer’s own organisation, since even the grievance mechanism’s existence is currently optional under Section 5.3, and a named regulatory body with authority to define and review what counts as a reasonable fee under Section 5.1.3.
Without those four changes, this becomes a well-drafted document describing a data ecosystem nobody is required to build on any date that matters.

