
India's CERT-In demands breach reports in 6 hours, 12x faster than the EU, and DPDP now adds a second 72-hour clock, making it the world's strictest regime.
When a company is breached in India, the clock that starts ticking is the most unforgiving in the world. India's national cyber agency, CERT-In, demands that incidents be reported within six hours of detection, twelve times faster than Europe's 72-hour standard, and a newly operational data-protection law is now stacking a second reporting clock on top. Together they make India's breach-disclosure regime the strictest, and most demanding, on the planet.
The six-hour rule: the world's tightest clock
Since CERT-In's April 2022 Directions took effect, every organisation operating in India, whether service provider, intermediary, data centre, company or government body, must report a cybersecurity incident within six hours of detecting it or being notified of it. The clock starts at detection, not at the end of an investigation. The list of reportable events is broad, running to roughly twenty categories: unauthorised access, data breaches, ransomware, DDoS attacks, website defacement and more. Non-compliance can mean up to a year's imprisonment and a fine under the Information Technology Act.
No other major jurisdiction comes close on speed. The EU's GDPR allows 72 hours to notify a supervisory authority. The United States, under CIRCIA, sets 72 hours for covered cyber incidents and 24 hours for ransomware payments. India's six-hour window is so far ahead that many multinationals now adopt it as their global default, the logic being that if you can report within six hours in India, you can report anywhere.
DPDP adds a second clock
Until recently, CERT-In's rule stood alone. That changed with the Digital Personal Data Protection (DPDP) Rules, notified on 13 November 2025, which operationalise India's first comprehensive privacy law. Under the DPDP framework, a company that suffers a personal-data breach must also notify the Data Protection Board of India and every affected individual. The duty is two-staged: an initial intimation to the Board "without delay," followed by a detailed report, covering root cause, the scope of data affected, remediation and steps to prevent recurrence, within 72 hours.
Crucially, the two regimes are parallel, not alternative. A single breach of personal data can now trigger both obligations at once: a six-hour CERT-In report focused on the cyber incident, and a DPDP report to the Board and to users focused on the personal data. India has, in effect, doubled its breach-reporting burden.
India versus the world
The contrast with other regimes is stark, not only on timing, but on philosophy and penalties:
- Timing. India: 6 hours (CERT-In) plus a 72-hour DPDP report. EU (GDPR): 72 hours. US (CIRCIA): 72 hours, or 24 hours for ransom payments.
- Scope. GDPR and the US rules centre on personal-data breaches or critical-infrastructure incidents; CERT-In casts a far wider net across roughly twenty categories and every type of entity.
- Penalties. DPDP fines reach ₹250 crore per violation for inadequate safeguards, a fixed figure that lands on a small startup as hard as on a large corporation. GDPR, by contrast, caps at 4% of global turnover, scaling with a company's size.
That fixed-penalty model is a divergence in itself: where Europe ties the punishment to a firm's revenue, India sets an absolute ceiling, which falls disproportionately on smaller players.
Why India went this way
India's approach reflects a more interventionist, state-forward posture on cyber governance, the same instinct visible in its fast-moving deepfake rules and its courts' aggressive personality-rights orders. With one of the world's largest and fastest-growing digital populations, and cyber-fraud losses mounting into tens of thousands of crores, the government has opted for speed and breadth over the slower, more calibrated timelines favoured in the West. For defenders, the upside is rapid national visibility into attacks; for businesses, the cost is a compliance burden that begins six hours after the worst moment of their year.
What it means for companies
For any organisation handling Indian users' data, whether domestic or foreign (both laws apply extraterritorially), the practical reality is that incident-response plans must now be built around the six-hour clock, with a parallel DPDP track ready to run. The DPDP Rules phase in through to 2027, but the structure is set. Treating India's timeline as the global baseline, as many multinationals already do, is fast becoming the path of least resistance.
Frequently Asked Questions
How fast must a breach be reported in India?
CERT-In requires cybersecurity incidents to be reported within six hours of detection. Separately, the DPDP framework requires personal-data breaches to be intimated to the Data Protection Board without delay, with a detailed report within 72 hours.
How does that compare globally?
It is the strictest in the world. The EU's GDPR allows 72 hours, and the US generally 72 hours (24 for ransom payments). India's six-hour CERT-In window is roughly twelve times faster than the GDPR standard.
Do CERT-In and DPDP both apply to the same breach?
Yes. They are parallel obligations. A personal-data breach can trigger both a six-hour CERT-In report and a DPDP notification to the Board and affected individuals.