Introduction
India now operates one of the most demanding breach notification regimes in the world — and it is split across two distinct regulatory frameworks with dramatically different timelines. CERT-In's April 2022 directive requires organisations to report cybersecurity incidents within 6 hours of detection, while the DPDPA mandates notification to the Data Protection Board of India (DPBI) and affected Data Principals within 72 hours of becoming aware of a personal data breach. As the IAPP has noted, this dual regime creates significant operational complexity. Yet according to EY India's 2026 survey, only 4% of Indian firms have proactive breach notification systems in place — meaning the vast majority are unprepared to meet either deadline, let alone both.
Understanding CERT-In's 6-Hour Rule
CERT-In's Directions under Section 70B of the IT Act, issued in April 2022, fundamentally changed India's cybersecurity incident reporting landscape. The 6-hour window is measured from the time the organisation becomes aware of the incident — not from the time the breach actually occurred. This timeline is among the strictest globally, far tighter than the EU GDPR's 72-hour notification requirement or the US SEC's 4-business-day rule for material cybersecurity incidents. Our comprehensive CERT-In compliance guide covers the full scope of these requirements.
- Reportable incidents — targeted scanning, unauthorised access, website defacement, malware deployment, data breaches, DDoS attacks, attacks on critical infrastructure, identity theft, and spoofing
- Reporting channel — incidents must be reported via email, phone, or fax to CERT-In using prescribed formats
- Log retention — organisations must maintain logs of all ICT systems for a rolling 180-day period and provide them to CERT-In upon request
- Synchronisation requirement — all ICT system clocks must be synchronised with NTP servers of NIC or NPL to ensure accurate incident timestamping
- VPN provider obligations — VPN service providers must maintain subscriber records, including validated names, addresses, and IP assignments, for at least 5 years
Understanding DPDPA's 72-Hour Window
The DPDPA's breach notification requirement serves a fundamentally different purpose from CERT-In's directive. While CERT-In focuses on the cybersecurity incident itself, the DPDPA is concerned with the impact of the breach on Data Principals — the individuals whose personal data has been compromised. The DPDP Rules specify that notification must be made to both the DPBI and the affected Data Principals, creating a dual notification obligation within the 72-hour window.
- Trigger event — the obligation is triggered when the Data Fiduciary becomes aware of a personal data breach, defined as any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of personal data
- Notification to DPBI — the Data Fiduciary must notify the Data Protection Board with details of the breach, categories and approximate number of Data Principals affected, likely consequences, and remedial measures taken
- Notification to Data Principals — affected individuals must be informed of the breach and its potential impact on them in clear, plain language, along with steps they can take to protect themselves
- Data Processor obligations — if the breach occurs at a Data Processor, the Processor must notify the Data Fiduciary without undue delay, and that notification starts the Fiduciary's 72-hour clock
- Ongoing obligations — if additional information becomes available after the initial notification, supplementary notifications must be provided to both the DPBI and affected Data Principals
CERT-In vs. DPDPA: A Side-by-Side Comparison
Understanding the differences between the two regimes is essential for building a compliance strategy that satisfies both. While they share the common goal of ensuring timely incident response, they differ in scope, timeline, recipients, and penalties. As Baker McKenzie has noted, the overlapping nature of these requirements is unprecedented among major economies.
- Timeline — CERT-In requires 6 hours from awareness; DPDPA allows 72 hours from awareness. The 6-hour clock starts first and forces organisations to have detection and classification capabilities ready at all times
- Scope — CERT-In covers all cybersecurity incidents, including those that do not involve personal data. DPDPA covers only personal data breaches, but that includes breaches that are not cybersecurity incidents at all (e.g., accidental email disclosure)
- Recipients — CERT-In notification goes to the government's cybersecurity agency. DPDPA notification goes to the DPBI and the affected Data Principals
- Content requirements — CERT-In requires technical incident details. DPDPA requires impact assessment on Data Principals, categories of data affected, and remedial measures in plain language
- Penalties — CERT-In non-compliance can attract penalties under the IT Act and potential criminal liability. DPDPA breach notification failure carries penalties up to ₹150 crore under Section 33
- Applicability — CERT-In applies to all entities with computer systems in India. DPDPA applies to all Data Fiduciaries processing digital personal data of Indian residents
The Penalty Landscape: What Is at Stake
The financial consequences of failing to meet either notification requirement are severe, and the penalties are cumulative — an organisation that fails on both fronts faces exposure under two separate statutory frameworks. According to DPO India, the ₹250 crore penalty for inadequate security safeguards can be triggered even without an actual data breach — meaning the mere absence of an automated notification system could constitute a violation. Combined with the DPDPA's ₹150 crore penalty for notification failure, a single incident could expose an organisation to over ₹400 crore in aggregate penalties, as detailed in our penalty risk framework analysis.
- CERT-In penalties — failure to report within 6 hours can result in imprisonment up to one year and/or fines under the IT Act, 2000. CERT-In can also issue binding directions requiring specific remedial actions
- DPDPA notification penalty — ₹150 crore for failure to notify the DPBI and affected Data Principals within the prescribed timeframe
- DPDPA security penalty — ₹250 crore for failure to implement reasonable security safeguards, which includes having inadequate breach detection and response mechanisms
- Reputational damage — the DPBI has the power to publicise its findings, meaning non-compliant organisations face public exposure in addition to financial penalties
- Regulatory cascade — for regulated industries, breach notification failures can trigger additional actions from sectoral regulators such as RBI, IRDAI, or SEBI
Building a Unified Breach Response Workflow
The only practical way to navigate India's dual breach notification regime is to build a unified workflow that triggers both notification streams from a single detection event. Trying to manage CERT-In and DPDPA compliance as separate processes will inevitably lead to missed deadlines, inconsistent reporting, and compliance gaps. Our comprehensive breach response plan guide provides a detailed framework, but the core principles are outlined below.
- Detection (Hour 0) — automated monitoring systems detect a potential security incident or data breach. Classification begins immediately to determine whether the incident involves personal data and what CERT-In reporting category applies
- Classification (Hour 0-2) — the incident response team classifies the event: is it a CERT-In reportable cybersecurity incident, a DPDPA-reportable personal data breach, or both? Most significant incidents will be both
- CERT-In notification (Hour 2-6) — using pre-formatted templates, the technical team submits the CERT-In incident report with available details. Initial reports can be supplemented later
- Impact assessment (Hour 6-24) — the data protection team assesses the impact on Data Principals: what categories of personal data were affected, how many individuals, and what are the likely consequences
- DPDPA notification preparation (Hour 24-48) — draft notifications to the DPBI and affected Data Principals, including remedial measures and plain-language explanations
- DPDPA notification submission (Hour 48-72) — submit the formal breach notification to the DPBI and issue notifications to affected Data Principals through appropriate channels
- Post-incident documentation (Week 1-2) — compile comprehensive incident records for both CERT-In and the DPBI, including root cause analysis, remedial actions, and preventive measures
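The scope and timeline rules above can be encoded so that the classification step at Hour 0-2 mechanically yields every stream that is due and its deadline. The following Python is an added example, not code from the original article or from any vendor; the category labels, the incident record layout and the sample timestamps are constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Incident types that CERT-In's April 2022 Directions list as reportable (as given on the page).
CERT_IN_CATEGORIES = {
    "targeted scanning", "unauthorised access", "website defacement", "malware deployment",
    "data breach", "ddos", "critical infrastructure attack", "identity theft", "spoofing",
}
CERT_IN_WINDOW = timedelta(hours=6)    # measured from awareness, not from occurrence
DPDPA_WINDOW = timedelta(hours=72)     # from awareness, owed to both the DPBI and Data Principals


def hours(h: float) -> timedelta:
    return timedelta(hours=h)


@dataclass(frozen=True)
class Incident:
    category: str                 # lower-case label, e.g. "unauthorised access" (constructed vocabulary)
    involves_personal_data: bool  # outcome of the Hour 0-2 classification step
    aware_at: datetime            # when the organisation became aware of the incident


def required_notifications(inc: Incident) -> dict[str, datetime]:
    """Map every notification stream this incident triggers to its statutory deadline."""
    due: dict[str, datetime] = {}
    if inc.category in CERT_IN_CATEGORIES:
        # CERT-In scope: every cybersecurity incident, whether or not personal data is involved.
        due["CERT-In"] = inc.aware_at + CERT_IN_WINDOW
    if inc.involves_personal_data:
        # DPDPA scope: every personal data breach, including non-cyber ones such as a misdirected email.
        due["DPBI"] = inc.aware_at + DPDPA_WINDOW
        due["Data Principals"] = inc.aware_at + DPDPA_WINDOW
    return due


def overdue(inc: Incident, submitted: dict[str, datetime], now: datetime) -> dict[str, timedelta]:
    """Streams submitted after their deadline, or still unsent past it, with how late they are."""
    late: dict[str, timedelta] = {}
    for stream, deadline in required_notifications(inc).items():
        sent = submitted.get(stream, now)   # an unsent stream is judged as of 'now'
        if sent > deadline:
            late[stream] = sent - deadline
    return late


# Constructed sample: a Data Fiduciary becomes aware of unauthorised access at 09:00 IST.
IST = timezone(timedelta(hours=5, minutes=30))
SAMPLE_AWARE_AT = datetime(2025, 6, 1, 9, 0, tzinfo=IST)

if __name__ == "__main__":
    inc = Incident("unauthorised access", involves_personal_data=True, aware_at=SAMPLE_AWARE_AT)
    for stream, deadline in sorted(required_notifications(inc).items(), key=lambda kv: kv[1]):
        print(f"{stream:16} due {deadline:%Y-%m-%d %H:%M %Z}")
    print("late:", overdue(inc, {"CERT-In": SAMPLE_AWARE_AT + hours(7)}, SAMPLE_AWARE_AT + hours(8)))
```

Run against a personal-data-affecting intrusion it lists all three streams with the CERT-In deadline first; a misdirected email yields only the DPDPA streams, and a scan of non-personal systems only CERT-In.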
Why Only 4% of Firms Are Ready
The EY India 2026 DPDP readiness survey finding that only 4% of Indian firms have proactive breach notification systems reveals a systemic preparedness gap. This statistic is particularly alarming given that CERT-In's 6-hour rule has been in effect since mid-2022 — meaning most organisations have had over three years to implement automated notification capabilities and have not done so. The reasons for this gap are structural: most Indian enterprises lack integrated security operations centres (SOCs) capable of real-time breach detection, few have pre-built notification templates and workflows, and even fewer have automated systems that can classify an incident as personal-data-affecting within the first hours.
- Detection gap — the average time to detect a data breach globally is 204 days (IBM Cost of a Data Breach Report 2025), making the 6-hour notification window from detection a challenging but achievable target — if detection itself happens at all
- Classification gap — most organisations cannot quickly determine whether a cybersecurity incident involves personal data, making it impossible to trigger the correct notification workflow within the required timeframe
- Template and process gap — without pre-approved notification templates and clear escalation paths, each breach becomes an ad-hoc crisis rather than a managed process
- Technology gap — manual breach detection and notification processes are fundamentally incompatible with 6-hour timelines. Automation is not optional — it is a prerequisite
Technology Requirements for Dual Compliance
Meeting both notification deadlines requires a technology stack that integrates security monitoring, data classification, incident management, and automated notification into a cohesive platform. Bolting together point solutions creates integration gaps that lead to delays. Organisations should evaluate their existing cybersecurity compliance infrastructure against these requirements and prioritise investments that close the most critical gaps. Achieving ISO 27001 compliance provides a strong foundation for building these capabilities.
- SIEM integration — Security Information and Event Management systems must be configured to detect data breach indicators and automatically trigger the incident response workflow
- Data classification engine — real-time data classification is essential to determine whether an incident involves personal data and what categories are affected
- Automated notification system — pre-built templates for both CERT-In and DPBI notifications that auto-populate with incident details and can be dispatched with minimal manual intervention
- Data Principal notification platform — scalable communication infrastructure to notify potentially millions of affected individuals via email, SMS, and in-app notifications within the 72-hour window
- Audit trail and evidence management — every action taken during the incident response must be logged with timestamps to demonstrate compliance with both timelines during subsequent audits
Practical Steps to Prepare Now
Organisations do not need to wait for a breach to start preparing. The DPDPA compliance checklist includes breach notification readiness, but organisations should take specific additional steps to address the dual-regime challenge. A gap assessment focused specifically on breach response capabilities will reveal the most critical areas for investment and help prioritise remediation efforts.
- Conduct a breach simulation — run tabletop exercises that test your ability to detect, classify, and report a breach within both the 6-hour CERT-In window and the 72-hour DPDPA window simultaneously
- Pre-approve notification templates — have legal, compliance, and communications teams pre-approve templates for both CERT-In and DPBI notifications so that drafting does not become a bottleneck during an actual incident
- Establish clear escalation paths — document who needs to be notified within the organisation at each stage of the response, including board-level notification for Significant Data Fiduciaries
- Deploy automated detection tools — invest in DLP solutions and SIEM platforms that can detect personal data exposure in real time
- Map your data landscape — use data discovery and mapping to know exactly where personal data resides, so you can quickly assess the scope of any breach
- Train your incident response team — ensure the team understands both frameworks, can classify incidents correctly, and knows the notification procedures for each regulator
How Kraver.ai Automates Dual Breach Compliance
Kraver.ai's breach notification automation is specifically designed to handle India's dual notification regime. Our platform integrates with your existing SIEM and security tools to detect breaches in real time, automatically classifies whether personal data is involved using our AI-powered data classification engine, and triggers parallel notification workflows for both CERT-In and the DPBI. Pre-approved templates auto-populate with incident details, enabling your team to submit the CERT-In report within the 6-hour window while simultaneously preparing the more detailed DPDPA notification. For Data Principal notifications, our platform supports scalable multi-channel communication that can reach millions of affected individuals within hours. Every action is logged with cryptographic timestamps, creating an immutable audit trail that demonstrates compliance with both deadlines — giving you the evidence you need if your response is ever scrutinised by regulators.