Our Expert in India
No results available
Understanding what is the CERT‑In breach reporting in India is now a baseline compliance requirement for every organisation that operates digital infrastructure on Indian soil. The Indian Computer Emergency Response Team (CERT‑In), functioning under the Ministry of Electronics and Information Technology, mandates that any entity that notices or becomes aware of a qualifying cybersecurity incident must report it within six hours, one of the shortest mandatory notification windows anywhere in the world. With the CERT‑In Directions of 2022 now fully embedded in enforcement practice, and the Digital Personal Data Protection (DPDP) Act adding a parallel layer of data‑breach notification duties, CISOs and general counsel face a multi‑regulator reporting landscape that demands documented, rehearsed response procedures.
This guide sets out the legal basis, the reportable incidents list, the operational six‑hour checklist and the cross‑regulator mapping that in‑house teams need to build a defensible compliance posture.
CERT‑In breach reporting is the mandatory obligation on service providers, intermediaries, data centres, body corporates and government organisations to notify CERT‑In whenever they detect, or are made aware of, a cybersecurity incident that falls within a defined list of reportable events. The obligation is rooted in the Directions issued by CERT‑In under section 70B of the Information Technology Act, 2000, published in the Gazette of India as G.S.R. 20(E). Those Directions require that the report be filed within six hours of the entity first noticing the incident, not within six hours of completing an investigation.
The practical effect is that the clock starts the moment a Security Operations Centre analyst, a managed‑service provider alert, or an automated detection tool flags an anomaly that could constitute a reportable event. Industry observers expect that as enforcement matures through 2026, regulators will scrutinise the gap between initial alert timestamps and actual filing with increasing precision.
The six‑hour reporting rule India imposes is aggressive by international standards. The European Union’s NIS 2 Directive allows an initial “early warning” within 24 hours; the United States SEC cyber‑incident disclosure rule gives registrants four business days. India’s six‑hour window demands a pre‑rehearsed, near‑automatic response. The following hour‑by‑hour checklist maps the operational steps to the CERT‑In incident reporting form fields that must be completed.
The CERT‑In Directions require every entity to designate a Point of Contact who shall interface with CERT‑In. This PoC must be an employee of the organisation (not an outsourced vendor) and must be available around the clock. For cyber security incident reporting India purposes, the PoC is typically the CISO, Head of IT Security, or a person of equivalent seniority. The PoC’s name, phone number and e‑mail address must be communicated to CERT‑In proactively as part of standing compliance.
The official CERT‑In incident reporting form (certinirform.pdf) asks for the following core data points. Preparing a pre‑populated template with standing organisational details reduces drafting time during an incident:
Cyber security incident reporting India obligations rest on three interlocking statutory pillars. Understanding which instrument applies, and when more than one applies simultaneously, is critical to building a legally defensible response.
The Information Technology Act, 2000 provides the foundational mandate. Section 70B establishes CERT‑In as the national agency for incident response and empowers it to issue directions relating to information security practices, procedures, prevention, response and reporting of cyber incidents. Failure to comply with directions issued under section 70B is an offence under section 70B(7), which provides for imprisonment of up to one year, a fine of up to one lakh rupees, or both.
CERT‑In Directions (G.S.R. 20(E), 2022) operationalise section 70B. They prescribe the six‑hour reporting window, enumerate the categories of reportable incidents, require mandatory log retention for 180 days, mandate NTP synchronisation of all ICT systems, and impose VPN‑provider record‑keeping obligations. These Directions apply to service providers, intermediaries, data centres, body corporates and government organisations.
The Digital Personal Data Protection Act, 2023 adds a data‑breach‑specific notification layer. Where a cybersecurity incident involves personal data, the Data Fiduciary (controller) is required to notify both the Data Protection Board and each affected Data Principal “without delay.” The DPDP Act applies alongside, not instead of, CERT‑In obligations, meaning a single ransomware attack that exfiltrates personal data can trigger both a CERT‑In report and a DPDP breach notification.
The CERT‑In Directions cast a wide net: any entity that notices a reportable incident must report. The DPDP Act, by contrast, places notification duties specifically on the Data Fiduciary (controller). A Data Processor (processor) that detects a breach involving personal data must inform its Data Fiduciary, who then carries the statutory obligation to notify the Data Protection Board and affected Data Principals. The conservative compliance approach is to contractually require processors to alert the fiduciary immediately, ideally within one to two hours, so the fiduciary has enough runway to meet the CERT‑In six‑hour deadline as well.
The CERT‑In Directions enumerate specific categories of reportable cyber incidents. The table below annotates each category with a practical example and the primary evidence an organisation should collect before filing. This annotated list of reportable cyber incidents (CERT‑In list) is not exhaustive, the Directions include a residual category allowing CERT‑In to call for reports on any incident it considers necessary.
| Incident Category | Example | Key Evidence to Collect |
|---|---|---|
| Targeted scanning or probing of critical networks or systems | Sustained port‑scanning of a power‑grid SCADA network | Firewall logs, source IPs, scan frequency data |
| Compromise of critical systems or information | Attacker gains administrative access to a banking core system | Access logs, privilege‑escalation artefacts, affected asset inventory |
| Unauthorised access to IT systems or data | Credential‑stuffing attack succeeds on a SaaS platform | Authentication logs, compromised credential list, session data |
| Defacement of websites or intrusion into servers | Government portal homepage replaced with attacker message | Web‑server logs, cached page snapshots, malware samples |
| Malicious code attacks (e.g., spreading of virus, worm, trojan, ransomware) | Ransomware encrypts file servers across multiple office locations | Malware samples, file hashes, ransom notes, lateral‑movement logs |
| Attacks on servers, databases or infrastructure | SQL injection exfiltrates customer database | WAF logs, query logs, extracted data volume estimate |
| Identity theft, spoofing and phishing attacks | Spear‑phishing campaign targeting C‑suite with spoofed domain | Phishing e‑mails (headers and body), spoofed domain records |
| Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks | Volumetric DDoS takes an e‑commerce platform offline | Traffic flow data, source‑IP distribution, mitigation logs |
| Attacks on critical infrastructure, SCADA and operational technology systems | Malware targets an oil refinery’s OT network | OT network logs, firmware integrity checks, ICS alert data |
| Data breaches and data leaks | Misconfigured cloud bucket exposes millions of records | Access logs, data classification, volume of exposed records |
| Attacks on Internet of Things devices and associated systems | Botnet compromises smart‑city sensor network | Device logs, C2 server IPs, firmware versions |
| Unauthorised access to social media accounts | Corporate Twitter account hijacked for crypto scam | Login activity logs, IP addresses, platform support tickets |
| Attacks or incidents affecting cloud computing systems, servers, software or applications | Supply‑chain attack via compromised SaaS plugin | Vendor patch notes, affected tenant list, API call logs |
If an incident does not neatly fit one of the enumerated categories but could have a material impact on Indian users or infrastructure, the recommended conservative approach is to report it. CERT‑In has indicated that under‑reporting carries greater enforcement risk than over‑reporting.
The mandatory reporting requirement to CERT‑In applies broadly. The Directions specifically name the following categories of obligated entities:
In practice, this coverage is near‑universal: any entity running networked digital operations in India is likely captured. Early indications suggest that CERT‑In views the obligation as applying to all organisations with an Indian nexus, including foreign entities whose systems process Indian user data or are integrated with Indian infrastructure.
If a managed‑service provider or cloud vendor detects a reportable incident on infrastructure it manages for an Indian client, both the vendor and the client may have independent reporting obligations. The CERT‑In Directions do not excuse the service provider from reporting merely because the client is also filing. Organisations should update vendor contracts and SLAs to require immediate mutual notification, ideally within one to two hours, so both parties can meet the six‑hour window. This contractual discipline also supports compliance with the RBI’s new banking rules in India, which impose additional vendor‑management requirements on regulated financial entities.
A single cybersecurity incident can trigger notifications to multiple regulators. The table below maps each regulator, the event that triggers its notification requirement and the practical action to take. Coordination of these parallel obligations is essential to avoid both duplicated effort and missed deadlines.
| Regulator | When Notification Is Required | Action to Take |
|---|---|---|
| CERT‑In | Any reportable cybersecurity incident (see list above) | File incident report within 6 hours via certinirform.pdf / online portal |
| Data Protection Board (DPDP Act) | Personal data breach affecting Data Principals | Notify the Board and each affected Data Principal “without delay”; prepare a separate breach notification with personal‑data‑specific details |
| Reserve Bank of India (RBI) | Cyber incidents affecting banks, NBFCs, payment system operators or intermediaries | Report to RBI (CSITE portal or designated e‑mail) within timelines specified in RBI’s cyber security framework circulars; coordinate with CERT‑In report |
| Securities and Exchange Board of India (SEBI) | Cyber incidents at stock exchanges, depositories, listed entities or registered intermediaries | Notify SEBI per SEBI’s Cyber Security and Cyber Resilience framework; may also trigger stock‑exchange disclosure obligations |
| Insurance Regulatory and Development Authority of India (IRDAI) | Cyber incidents affecting insurers or insurance intermediaries | Report per IRDAI’s Information and Cyber Security Guidelines; provide incident summary and remediation plan |
The recommended sequence is: file with CERT‑In first (it has the shortest deadline), then immediately prepare the DPDP notification if personal data is affected, and file with sector regulators in parallel. Where an entity is regulated by both CERT‑In and the RBI (for example, a payments bank), maintaining a unified incident log that serves both reporting formats reduces duplication. For banks navigating the overlap, a detailed analysis of the RBI new banking rules 2026 is essential.
Non‑compliance with CERT‑In Directions carries statutory consequences under section 70B(7) of the Information Technology Act: imprisonment of up to one year, a fine of up to one lakh rupees, or both. While these headline penalties may appear modest, the real risk is compounding: a single incident can attract enforcement actions from CERT‑In, the Data Protection Board (which can impose penalties of up to ₹250 crore under the DPDP Act for breaches of its provisions), and sector regulators whose sanctions include licence conditions, monetary penalties and public censure.
Industry observers note that CERT‑In’s enforcement posture has matured considerably since the Directions first took effect. Early indications suggest a shift from advisory notices to formal non‑compliance proceedings, particularly where an entity knew of an incident and failed to report it, or where log‑retention failures frustrated post‑incident analysis. The likely practical effect is that organisations without a documented, rehearsed six‑hour response plan face significantly greater enforcement exposure in 2026 than in prior years.
Organisations facing severe incidents, particularly those that could trigger insolvency proceedings or force the closure of a company, should engage board‑level oversight and notify cyber‑insurance carriers immediately.
Below is a ready‑reference template mapping the key CERT‑In incident reporting form fields to the internal information sources that should feed them. Use this as a pre‑incident preparation tool: fill in all standing fields now and store the template where the incident response team can access it within minutes.
| CERT‑In Form Field | Internal Source / Pre‑Populated Data | Collected During Incident |
|---|---|---|
| Organisation name, sector, address | Pre‑populated from company records | , |
| PoC name, designation, phone, e‑mail | Pre‑populated; update quarterly | , |
| Incident type / classification | Reference the reportable events table above | Classify during Hour 0–1 |
| Date and time of occurrence | , | From first detection alert or log entry |
| Date and time of detection / notice | , | SOC alert timestamp (anchors 6‑hour clock) |
| Affected systems (IPs, hostnames, OS) | Asset inventory (pre‑maintained) | Narrow to affected subset during triage |
| Description of incident | , | Draft narrative during Hour 3–6 |
| Impact assessment | , | Preliminary scope from triage (Hour 1–3) |
| Indicators of compromise | , | Malicious IPs, domains, hashes from analysis |
| Remedial actions taken | , | Containment steps executed in Hour 0–1 |
The official CERT‑In incident reporting form (certinirform.pdf) can be accessed directly from the CERT‑In website. Organisations should also prepare a parallel internal legal memo template that records the decision‑making rationale for classifying an event as reportable, the legal basis for any notifications triggered and any privilege‑related instructions issued to the response team.
For organisations that also need to protect intellectual property assets as part of post‑breach remediation, understanding the cost and process of trademark registration in India can be relevant where brand impersonation or domain spoofing is involved.
The question of what is the CERT‑In breach reporting in India is no longer academic, it is an operational imperative with criminal‑law consequences. Every CISO and general counsel should take three immediate steps. First, run a tabletop exercise simulating the full six‑hour reporting timeline, testing whether your team can contain, triage, draft and file within the window. Second, update all vendor contracts and SLAs to require immediate mutual notification of cybersecurity incidents, giving your organisation enough lead time to meet its own filing obligations. Third, brief the board and notify your cyber‑insurance carrier proactively, so that when an incident occurs, escalation paths are clear and coverage is not jeopardised by late reporting.
Organisations seeking tailored guidance on CERT‑In readiness, DPDP compliance and cross‑regulator coordination can connect with specialist TMT counsel through the Global Law Experts lawyer directory.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Siddharth Mahajan at Athena Legal Advocates & Solicitors, a member of the Global Law Experts network.
posted 1 hour ago
posted 2 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
posted 3 hours ago
posted 4 hours ago
posted 4 hours ago
posted 5 hours ago
posted 5 hours ago
posted 5 hours ago
posted 6 hours ago
No results available
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message