India's Dual Reporting Regime: Why It Confuses Everyone

When a security incident strikes, the instinct is to focus on containment. But within hours, a second clock is ticking — the regulatory notification clock. In India, two distinct legal frameworks impose breach notification obligations, and they do not always fire together. Understanding which one applies — and when — is a core competency for any CISO, DPO, or compliance team operating in the Indian regulatory landscape.

Regime 1: CERT-In — The IT Infrastructure Angle

The CERT-In Direction of April 2022 (issued under Section 70B(6) of the Information Technology Act, 2000) mandates that any body corporate, intermediary, government organisation, or data centre operator in India must report 20 categories of cyber incidents to the Computer Emergency Response Team within six hours of becoming aware. This is one of the strictest mandatory incident reporting windows globally.

The 20 specified incident types include ransomware attacks, data breaches, unauthorised access to IT systems, targeted scanning, compromised critical systems, DDoS attacks, attacks on critical infrastructure, malicious code propagation, phishing, identity theft, and attacks exploiting vulnerabilities. If your incident falls into any of these categories, the 6-hour clock starts from the moment your team becomes aware — not when the breach is confirmed or contained.

Regime 2: Data Protection Board — The Personal Data Angle

The Digital Personal Data Protection Act 2023 (DPDP Act), Section 8(6) places a separate obligation on Data Fiduciaries — entities that determine the purpose and means of processing personal data. When a personal data breach is "likely to adversely affect the rights or interests" of Data Principals (the individuals whose data was breached), the Data Fiduciary must notify the Data Protection Board and the affected Data Principals within such time as may be prescribed by the DPB.

Unlike CERT-In, the DPDP Act does not specify a fixed notification hour in the statute itself — the exact window is to be set by the Data Protection Board through Rules. Additionally, Section 8(3) requires Data Fiduciaries to maintain internal breach records regardless of whether notification is mandated. Data Processors who experience a breach must notify their Data Fiduciary immediately; the regulatory obligation then sits with the Fiduciary.

Why Both Can Apply — The Ransomware Example

Consider a ransomware attack on a bank's customer database. This incident simultaneously triggers both regimes: CERT-In is triggered because ransomware is an explicitly named incident type (Regime 1), and the DPB is triggered because the encrypted/exfiltrated database contains customer personal data whose breach adversely affects Data Principals' interests (Regime 2). The CISO must file the CERT-In report within 6 hours of awareness while the DPO initiates the DPB notification process — and both are parallel, not sequential, obligations.

Multi-Regulator Dimension: Regulated entities may face additional sector-specific obligations on top of CERT-In and DPB. IRDAI requires insurers/intermediaries to report cyber incidents within 6 hours (IRDAI Cybersecurity Framework 2023). SEBI under the CSCRF 2024 requires Market Infrastructure Institutions (MIIs) to report critical incidents within 6 hours, and Registered Entities (REs) within 24 hours. RBI mandates immediate reporting for critical payment system incidents. The decision tree below addresses the foundational CERT-In + DPB layer — always check your sector regulator's overlay obligations in addition.

| Dimension | CERT-In Direction 2022 | DPDP Act 2023 §8(6) |
|---|---|---|
| Legal basis | IT Act §70B(6) | DPDP Act 2023 §8(6) |
| Who must notify | Body corporate, intermediary, government entity, data centre operator | Data Fiduciary (anyone determining purpose & means of processing personal data) |
| Timeline | 6 hours from awareness | As prescribed by DPB (Rules pending) |
| Notified to | CERT-In (incident.cert-in.org.in) | Data Protection Board + affected Data Principals |
| Trigger | 20 specified incident types (infrastructure angle) | Breach "likely to adversely affect" DP rights (personal data angle) |
| Covered by | Any organisation with Indian IT presence | Only entities processing personal data of Indian residents |