CERT-In Six-Hour Cyber Incident Reporting Rules: Mandatory Breach Notification Framework for Indian Businesses

  • Writer: Kaustav Chowdhury
  • 14 hours ago

India's cybersecurity reporting framework has undergone a fundamental transformation with the enforcement of the Indian Computer Emergency Response Team (CERT-In) Directions of April 2022, as further strengthened by the Digital Personal Data Protection Act, 2023 (DPDP Act) and its Rules notified in 2025. The centrepiece of the current framework is the mandatory six-hour reporting window: organisations that experience specified categories of cyber security incidents must report the incident to CERT-In within six hours of becoming aware of it. This timeline is among the strictest globally, significantly shorter than the 72-hour window mandated by the European Union's General Data Protection Regulation (GDPR) and the 72-hour requirement under India's own DPDP Act for notifying the Data Protection Board. Understanding how these overlapping obligations interact is essential for every organisation that handles digital infrastructure or personal data in India.

Which Incidents Must Be Reported Within Six Hours

The CERT-In Directions specify 20 categories of cyber security incidents that trigger the mandatory six-hour reporting obligation. These include:

  • targeted scanning and probing of critical networks or systems;
  • compromise of critical systems or information;
  • unauthorised access to IT systems or data;
  • website defacement;
  • malicious code attacks such as spreading of virus, worm, trojan, bots, spyware, ransomware, and cryptominers;
  • attacks on servers including database, mail, and DNS servers and network devices such as routers;
  • attacks on critical infrastructure and cloud computing systems;
  • attacks or suspicious activities affecting systems related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, and additive manufacturing;
  • data breaches or data leaks;
  • attacks on Internet of Things devices and associated systems;
  • attacks or malicious activity affecting digital payment systems; and
  • fake mobile apps.

The six-hour clock begins from the moment the organisation becomes aware of the incident, not from the time the incident actually occurred. This distinction is important because many cyber attacks go undetected for days or weeks before discovery.

Who Must Report: Scope of Covered Entities

The reporting obligation applies broadly to all service providers, intermediaries, data centres, body corporates, and government organisations. This includes companies of all sizes, cloud service providers, managed security service providers, virtual private server (VPS) providers, virtual private network (VPN) service providers, and any entity that provides digital infrastructure or services. There is no small business exemption: even startups and small enterprises that experience a covered incident must report within six hours. VPN service providers, VPS providers, and cloud service providers face additional obligations beyond incident reporting. They must maintain logs of all subscribers and customers for a rolling period of five years, even after the cancellation of the subscription or the account. These logs must include validated customer names, period of subscription, IP addresses assigned, email addresses and IP addresses used at the time of registration, purpose of using the services, validated addresses and contact numbers, and the ownership pattern of the subscribing entity. This log retention requirement has been controversial, with privacy advocates arguing that it undermines the purpose of VPN services.

Interaction with the DPDP Act Breach Notification Requirements

The DPDP Act, 2023 introduces a separate breach notification obligation for data fiduciaries (entities that determine the purpose and means of processing personal data). Under the DPDP Act, a data fiduciary must notify the Data Protection Board of India of any personal data breach without unreasonable delay, followed by a detailed report within 72 hours. The data fiduciary must also notify the affected data principals (individuals whose data was breached). The DPDP Act's penalties for non-compliance are substantial: up to 250 crore rupees for breaches caused by inadequate security safeguards and up to 200 crore rupees for failure to notify the Data Protection Board. For organisations that experience a cyber incident involving personal data, both the CERT-In six-hour reporting and the DPDP Act breach notification obligations are triggered simultaneously. The practical implication is that the incident response team must prepare two separate notifications within different timeframes and to different authorities: a CERT-In report within six hours and a Data Protection Board notification within 72 hours. The content requirements for the two notifications differ, with the CERT-In report focusing on technical details of the incident and the DPDP notification focusing on the impact on personal data and affected individuals.

Penalties for Non-Compliance

Non-compliance with the CERT-In Directions can attract penalties under Section 70B of the Information Technology Act, 2000, which empowers CERT-In to issue directives and take action against non-compliant entities. CERT-In may issue formal directives to affected entities requiring specific remedial actions, and continued non-compliance can result in fines and imprisonment of up to one year for responsible officers. For data breaches specifically, the DPDP Act penalties of up to 250 crore rupees represent the most significant financial exposure. The combination of CERT-In's operational enforcement powers and the DPDP Act's financial penalties creates a dual compliance framework that organisations must navigate carefully. Law enforcement agencies, including state cyber crime cells and the National Cyber Crime Reporting Portal, may also initiate separate investigations into the underlying criminal offences associated with the breach, such as hacking, data theft, and identity fraud under the Bharatiya Nyaya Sanhita and the Information Technology Act.

Building an Effective Incident Response Framework

Every organisation operating in India should have a documented cyber incident response plan that accounts for both the CERT-In and DPDP Act notification requirements. The plan should designate a nodal officer responsible for CERT-In communications, maintain pre-drafted notification templates that can be quickly populated with incident-specific details, establish an internal escalation protocol that triggers the six-hour clock from the moment any employee or system detects a potential incident, and include a communication plan for notifying affected data principals. Organisations should also ensure that their systems maintain the log retention required by the CERT-In Directions, including synchronising all ICT system clocks to the Network Time Protocol (NTP) server of the National Informatics Centre or the National Physical Laboratory, as mandated by the Directions. Regular tabletop exercises simulating a cyber incident can help identify gaps in the response plan and ensure that the organisation can meet the six-hour reporting deadline under realistic conditions. Given the severity of the penalties and the compressed timelines, investing in incident response preparedness is no longer optional for any organisation with a digital footprint in India.
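As an added illustration of the dual-deadline logic described above (this is example code written for this page, not a tool from CERT-In or the author), the snippet below models an incident with separate "occurred" and "aware" timestamps, starts the six-hour CERT-In clock from awareness, and adds the 72-hour Data Protection Board report deadline only when personal data is involved. The category labels are a constructed subset of the incident types the Directions name, not official identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed labels for a subset of the CERT-In incident categories
# discussed in the article; they are not official CERT-In codes.
CERT_IN_CATEGORIES = {
    "targeted_scanning", "system_compromise", "unauthorised_access",
    "website_defacement", "malicious_code", "server_attack",
    "data_breach", "iot_attack", "payment_system_attack", "fake_mobile_app",
}
CERT_IN_WINDOW = timedelta(hours=6)      # six hours from awareness
DPDP_REPORT_WINDOW = timedelta(hours=72)  # detailed report to the Data Protection Board


@dataclass
class Incident:
    category: str
    occurred_at: datetime          # when the attack actually happened (often earlier)
    aware_at: datetime             # when the organisation became aware: clocks start here
    personal_data_affected: bool   # triggers the DPDP Act breach notification as well


def notification_deadlines(inc: Incident) -> dict:
    """Return each triggered notification with its deadline, keyed by authority."""
    if inc.category not in CERT_IN_CATEGORIES:
        raise ValueError(f"not a covered incident category: {inc.category}")
    if inc.aware_at.tzinfo is None or inc.occurred_at.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware (take them from NTP-synced clocks)")
    if inc.aware_at < inc.occurred_at:
        raise ValueError("awareness cannot precede the incident itself")
    due = {"CERT-In": inc.aware_at + CERT_IN_WINDOW}
    if inc.personal_data_affected:
        due["Data Protection Board"] = inc.aware_at + DPDP_REPORT_WINDOW
    return due


def overdue(inc: Incident, now: datetime) -> list:
    """Authorities whose deadline has already passed at time `now`."""
    return [name for name, dl in notification_deadlines(inc).items() if now > dl]


# Constructed sample: ransomware discovered eight days after initial compromise.
sample = Incident(
    category="malicious_code",
    occurred_at=datetime(2025, 1, 2, 3, 0, tzinfo=timezone.utc),
    aware_at=datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc),
    personal_data_affected=True,
)
```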
