India’s CERT-In Mandates 6-Hour Breach Reporting Window — And Global Tech Firms Are Scrambling
When a cyberattack hits, the average enterprise security team spends the first hour simply confirming that something is wrong. India’s CERT-In is now demanding a full incident report within six. That gap — between the reality of breach response and the speed of regulatory obligation — is where a $2.1 billion compliance crisis is taking shape.

India’s Computer Emergency Response Team began enforcing its landmark cybersecurity directive in 2022, but the full weight of that enforcement is now landing on multinational technology companies operating across the subcontinent. For firms like Google, Meta, and Amazon, the message from New Delhi is unambiguous: report fast, retain everything, or face consequences that extend well beyond a fine.
What the Rule Actually Requires
Issued under Section 70B of the Information Technology Act, the CERT-In directive compels all entities operating in India — including foreign companies with Indian users, infrastructure, or employees — to report a defined list of cybersecurity incidents within six hours of detection. The scope is deliberately broad. Covered incidents include data breaches, unauthorized system access, ransomware attacks, identity theft, and distributed denial-of-service events, among others.
Beyond the reporting window itself, the directive mandates 180 days of log retention, requires organizations to synchronize system clocks with government-designated time servers, and prohibits VPN providers from offering anonymous services without maintaining subscriber records. That last provision triggered significant controversy: several providers — including NordVPN and ExpressVPN — withdrew their Indian server infrastructure entirely rather than comply.
The penalty for non-compliance is ₹1 crore per violation, approximately $120,000 USD at current exchange rates. More consequentially, CERT-In retains the authority to recommend service suspension for persistent violators — a threat that carries far greater financial weight than any fixed fine for companies generating billions in Indian market revenue.
Why Six Hours Is Harder Than It Sounds

For cybersecurity professionals who have managed breach response, the six-hour window is not a bureaucratic inconvenience — it is an operational transformation. Industry-standard incident response frameworks typically allocate the first several hours to triage, containment, and internal escalation before any external notification is considered. Most regulators have historically reflected that reality.
CERT-In does not. The directive requires notification to begin while many organizations are still determining the nature and scope of what has occurred. This creates immediate pressure on detection infrastructure, on-call staffing models, and the internal communication chains connecting security operations centers to legal and compliance teams.
For multinational firms, the complexity compounds further. A breach affecting Indian user data may originate in infrastructure hosted in Singapore, managed by a team in Dublin, and governed by a legal entity incorporated in Delaware. Mapping that incident to India’s reporting obligations — and doing so within 360 minutes — requires pre-built workflows that most organizations have not yet constructed.
The $2.1 Billion Compliance Burden
Industry analysts tracking the cost of India cybersecurity compliance have placed the aggregate infrastructure investment required across the global tech sector at $2.1 billion. That figure encompasses real-time monitoring system upgrades, dedicated incident response personnel for the Indian regulatory context, legal and compliance advisory costs, and the technical work of integrating CERT-In’s reporting portal into existing security operations pipelines.
For large enterprises, the investment is substantial but absorbable. For mid-sized technology firms with meaningful Indian operations — SaaS providers, fintech platforms, cloud infrastructure vendors — the per-company cost of building compliant reporting infrastructure can represent a significant share of their regional operating budget. Compliance at this speed and specificity is not a policy checkbox; it is an engineering project.
The VPN sector offers the starkest illustration of what non-compliance looks like in practice. Rather than invest in the subscriber logging infrastructure the directive demands, multiple providers chose market exit. That decision, while commercially rational for smaller operators, is simply not available to companies whose Indian operations are central to their global business model.
How India’s Rule Compares Globally
India’s six-hour window is among the most aggressive breach reporting timelines of any major regulatory regime. The European Union’s General Data Protection Regulation sets a 72-hour notification standard. The U.S. Securities and Exchange Commission requires public companies to disclose material cybersecurity incidents within four business days of determining materiality — a threshold that can itself take weeks to establish.
CERT-In’s approach reflects a deliberate policy choice: prioritize speed of government awareness over organizational readiness. The rationale, articulated by Indian officials during the directive’s rollout, centers on national security and the government’s ability to coordinate responses to large-scale cyber incidents before they propagate. Whether that rationale justifies the operational burden it imposes remains a live debate among compliance officers and cyber regulation analysts in policy forums worldwide.
What is not in dispute is that India’s 1.4 billion-person market, its rapidly expanding digital economy, and its growing strategic importance to global technology supply chains make regulatory exit an untenable option for most major players.
What Compliance Teams Should Be Building Now
Organizations operating in India that have not yet operationalized CERT-In compliance should treat the following as immediate priorities.
**Detection-to-notification pipelines.** The six-hour clock starts at detection, not at confirmation. Security operations centers need automated alerting that initiates the reporting workflow the moment a qualifying incident is identified — not after internal review is complete.
**Pre-approved incident report templates.** CERT-In’s reporting portal requires structured submissions. Pre-built templates that compliance teams can populate under time pressure reduce the risk of incomplete filings, which carry their own regulatory exposure.
**Cross-jurisdictional escalation protocols.** For multinationals, the chain from a security engineer identifying an anomaly to a compliance officer filing with CERT-In must be documented, tested, and fast. Six hours does not accommodate improvisation.
**Legal entity mapping.** Organizations should confirm which Indian legal entities, subsidiaries, or operational presences fall within the directive’s scope, and ensure each has a designated point of contact for CERT-In communications.
The Regulatory Trajectory Is One-Way
India’s CERT-In directive is not an outlier — it is a leading indicator. As governments worldwide conclude that voluntary cybersecurity standards have failed to produce adequate resilience, mandatory breach reporting with short timelines and meaningful penalties is becoming the default regulatory posture. India moved faster and more aggressively than most, but the direction of travel is consistent with what compliance officers are seeing from regulators in the EU, the UK, Australia, and the United States.
For multinational technology firms, the strategic question is no longer whether to invest in real-time breach reporting infrastructure. It is whether to build that infrastructure jurisdiction by jurisdiction — at escalating cost and complexity — or to architect a global compliance capability capable of satisfying the most demanding standard in any market where the company operates.
India has set that standard. The clock, quite literally, is already running.
Send free SMS worldwide
Reach any mobile number in 200+ countries from your browser. No signup, no app.
Send a free SMS →


