An Article by Jayjit Biswas – Head IT Control BCM Tata Motors Digital. AI Labs.
India’s regulatory landscape for cybersecurity and personal data protection has entered a new era—one where speed, transparency and accountability are no longer optional but mandatory. Organisations today face a dual-compliance reality: cyber incidents must be reported to CERT-In within 6 hours, and personal data breaches must be notified under the Digital Personal Data Protection (DPDP) Act within 72 hours. On paper, the intent is clear: faster detection, quicker containment and stronger protection for individuals and national digital infrastructure.
Yet, for industries across India—large enterprises, mid-sized organisations and MSMEs—this dual reporting regime is anything but simple. What appears straightforward on the surface is, in practice, a complex operational, legal and technical challenge. The tempo of CERT-In’s 6-hour reporting requirement collides with the analytical depth expected in DPDP’s 72-hour notification, creating pressure on incident response teams who must balance urgency with accuracy.
The two regimes operate on different planes. CERT-In focuses on cybersecurity incidents: malware infections, DDoS attacks, unauthorised access, system breaches, server compromises, or critical service disruptions. DPDP focuses on personal data breaches: any unauthorised processing, accidental exposure, or compromise of personal data. A CERT-In incident may not always be a DPDP breach, and a DPDP breach may not meet CERT-In criteria. In the early hours of an incident, this distinction is rarely clear, creating confusion and hesitation.
For large enterprises, digital sprawl is a primary challenge. Multi-cloud deployments, outsourced IT, global delivery models, software supply chains and massive user bases create a vast and dynamic attack surface. While they may have SOCs, XDR platforms and incident response teams, the difficulty lies in correlating logs across complex ecosystems, identifying whether personal data is involved and coordinating with cross-functional teams—legal, cybersecurity, data protection, business continuity and operations. Six hours is brutally short for such coordination. Even determining “what happened” is often difficult within the window.
DPDP complicates matters further. While organisations get 72 hours, the DPDP Act expects more than just an alert—it requires clarity on the type of personal data affected, number of individuals impacted, assessed harm, mitigation measures and communication strategy. This requires mature data governance: data discovery, lineage, classification, DLP, privacy logs, vendor visibility and structured assessments. Many enterprises, even large ones, are still building these capabilities.
Mid-sized organisations experience a different challenge. They often depend on outsourced SOC services and managed service providers whose SLAs may not align with CERT-In’s 6-hour rule. They may detect a breach late, sometimes only after several hours, leaving minimal time for analysis, approval and reporting. Additionally, many mid-sized companies lack experienced cybersecurity legal advisors who can interpret whether a specific incident meets CERT-In’s thresholds. The DPDP 72-hour requirement also demands data understanding, impact analysis and communication planning, capabilities that mid-sized organisations typically have not institutionalised.
For MSMEs, the situation is even more difficult. CERT-In’s 6-hour requirement applies uniformly, regardless of size. Yet, most MSMEs do not have SOCs, SIEMs, forensic skills, cyber teams or even dedicated IT staff. Breach detection itself might take days. Log retention and synchronisation—mandatory for CERT-In compliance—are often absent. For DPDP, MSMEs rarely maintain structured records of what personal data they store, where it resides and how it flows through the organisation. As a result, even identifying whether the incident involves personal data may be challenging.
Across all segments, India’s industry faces several common pain points.
- The first is the absence of integrated breach response frameworks. Organisations often treat cybersecurity and privacy breaches separately, leading to duplicated effort, conflicting decisions and delays. A unified “Cyber + Privacy” incident response playbook is essential for meeting both CERT-In and DPDP timelines.
- The second challenge is vendor dependence. Cloud providers, SaaS tools, outsourced IT providers and managed security services are frequently the first to detect anomalies. If third-party partners do not share logs or confirm incidents quickly, organisations cannot meet regulatory deadlines. Unfortunately, many contracts lack CERT-In/DPDP-aligned breach notification SLAs.
- The third is lack of forensic readiness. CERT-In mandates system logs, application logs, firewall logs, IDS/IPS logs, VPN logs, time-synchronised records and long-term log retention. During incidents, many organisations find themselves unable to produce logs quickly. Without forensic readiness, CERT-In compliance is nearly impossible.
- Fourth is operational and psychological pressure. Teams feel torn between reporting early (risking incomplete or inaccurate details) and delaying reporting (risking regulatory non-compliance). Striking the right balance requires preparedness, not improvisation.
- Fifth, organisations fear reputational harm. Reporting a breach—even if contained—triggers internal escalations, potential board scrutiny and external regulatory communication. Many fear being judged harshly for incidents they are still investigating.
- Sixth, there is a significant skills gap. DPDP requires privacy officers, data protection specialists, legal experts and breach analysts. CERT-In compliance requires cyber forensic talent. India faces a shortage in both domains.
Despite these challenges, practical solutions exist.
Organisations, big and small, must develop an integrated breach notification playbook that consolidates CERT-In, DPDP and sectoral regulations (RBI, IRDAI, SEBI, TRAI). This ensures that a single workflow, a single decision tree and a single escalation matrix govern all breach responses.
Forensic readiness must be prioritised: log retention, SIEM integration, XDR telemetry, time synchronisation, automated incident correlation and documented evidence collection processes. Data governance must be strengthened through data discovery, classification, data flow mapping and privacy logs—so that organisations can rapidly determine whether an incident involves personal data.
Incident response teams must be cross-functional, incorporating cybersecurity, legal, privacy, business and communication officers. Organisations should prepare pre-approved templates for CERT-In and DPDP reporting, enabling teams to respond quickly without legal bottlenecks.
For small organisations and MSMEs, the way forward lies in shared SOC models, affordable managed detection services, simplified response frameworks and awareness programmes coordinated through industry associations.
India’s dual compliance regime is not a burden but an opportunity—a push towards maturity. CERT-In enforces urgency. DPDP enforces accountability. Together, they elevate India’s cyber resilience. The future will belong to organisations that embrace integrated preparedness, not reactive firefighting.
