Intersection with CERT-In Rules and Cybersecurity Breach Notifications under the DPDP Act, 2023

Posted on 16 October 2025 by Jidesh Kumar

Executive Summary

The Digital Personal Data Protection Act, 2023 (the DPDP Act) introduces mandatory personal data breach notification requirements, compelling Data Fiduciaries to inform both the Data Protection Board of India (DPB) and affected individuals. In parallel, the Indian Computer Emergency Response Team (CERT-In), under its Directions of April 2022, requires entities to report cybersecurity incidents within 6 hours of detection.

This dual framework creates overlapping but distinct obligations: CERT-In focuses on national cybersecurity and incident response, while DPDP focuses on individual rights and accountability. Together, they impose stringent timelines, detailed reporting duties, and operational challenges for businesses across all sectors.

Introduction: Two Regulatory Regimes, One Incident

In the digital economy, data breaches are inevitable. How regulators handle them determines both consumer trust and national security resilience.

India’s dual framework divides responsibilities:

  • CERT-In: National incident coordinator ensuring cyber resilience, technical support, and centralised reporting.
  • DPDP Board: Adjudicatory authority ensuring individuals are informed and fiduciaries are penalised if negligent.

For businesses, this means a single incident may trigger multiple mandatory notifications, requiring rapid, coordinated responses.

CERT-In Rules: The Cybersecurity Lens

Statutory Basis

  • CERT-In operates under the Information Technology Act, 2000.
  • In April 2022, CERT-In issued binding Directions for all entities.

Key Obligations

  1. Breach Reporting Timeline: Incidents must be reported within 6 hours of detection.
  2. Scope of Reportable Incidents: Includes unauthorised access, identity theft, malware attacks, data breaches, DDoS, and more.
  3. Logs and Records: Entities must maintain logs for 180 days and share them when directed.
  4. KYC Data Storage: VPNs, cloud providers, and data centres must retain subscriber data for 5 years.

Enforcement Focus

  • National security, cybersecurity readiness, and coordinated response.
  • Less emphasis on individual rights, more on systemic resilience.

DPDP Act: The Privacy Lens

Statutory Basis

  • DPDP Act, 2023, section on personal data breach notification.

Key Obligations

  1. Breach Notification to DPB: Fiduciaries must inform the Board promptly of personal data breaches.
  2. Notification to Data Principals: Fiduciaries must inform affected individuals to enable harm mitigation.
  3. Content of Notification:
    • Nature of data breached.
    • Likely harm caused.
    • Remedial steps taken.
    • Rights and grievance mechanisms available.

Enforcement Focus

  • Accountability of fiduciaries.
  • Protection of Data Principal rights.
  • Monetary penalties for failure to notify (up to ₹200 crore).

Overlaps and Conflicts

1. Timelines

  • CERT-In: 6 hours from detection.
  • DPDP: “Promptly” (likely to be defined in rules, expected to be 24–72 hours).
  • Conflict: CERT-In’s stringent 6-hour window vs. DPDP’s pragmatic but less defined timeline.

2. Recipients

  • CERT-In: Government cybersecurity authority.
  • DPDP: Independent Board + affected individuals.
  • Overlap: Businesses must notify both regulators plus consumers.

3. Content of Notification

  • CERT-In: Technical incident details, system logs, forensic reports.
  • DPDP: Consumer-facing details, rights, and remedies.
  • Overlap: Two very different notification styles required for the same event.

4. Consequences of Non-Compliance

  • CERT-In: Potential criminal liability under the IT Act.
  • DPDP: Monetary penalties up to ₹200 crore.

Practical Breach Workflow

To manage dual obligations, businesses should follow a structured response plan:

Step 1: Detection

  • Security systems detect suspicious activity.
  • Incident response team activated.

Step 2: Internal Escalation

  • Inform the CISO, the DPO (if the entity is a Significant Data Fiduciary, or SDF), and senior management.
  • Begin forensic investigation.

Step 3: CERT-In Notification (within 6 hours)

  • File report with CERT-In.
  • Provide technical details (IP logs, attack vector, malware samples).

Step 4: Containment and Assessment

  • Identify scope of personal data affected.
  • Assess risks to Data Principals.

Step 5: DPB Notification

  • Notify the Data Protection Board.
  • Provide details of breach, risks, and remedial measures.

Step 6: Data Principal Notification

  • Inform affected individuals with plain-language notices.
  • Provide guidance on remedial steps (e.g., password resets, fraud monitoring).

Step 7: Remediation and Audit

  • Patch vulnerabilities.
  • Update security policies.
  • Document response for audits and potential DPB inquiry.

Illustrative Case Studies

Case 1: Healthcare Ransomware Attack

  • Incident: Hospital records encrypted by ransomware.
  • CERT-In: Notified within 6 hours with forensic logs.
  • DPDP: Patients informed that health records may be exposed; DPB notified.
  • Outcome: DPB imposes ₹100 crore penalty for inadequate safeguards.

Case 2: Fintech Data Leak

  • Incident: Cloud misconfiguration exposes KYC data.
  • CERT-In: Alerted with technical logs.
  • DPDP: Customers notified to monitor bank accounts; DPB informed.
  • Outcome: ₹150 crore penalty for failure to encrypt KYC records.

Case 3: E-Commerce Platform Hack

  • Incident: Hacker steals payment data of 1 million users.
  • CERT-In: Receives report within 6 hours.
  • DPDP: Users notified of fraud risk; DPB investigation launched.
  • Outcome: ₹75 crore penalty + corrective orders.

Sectoral Implications

Banking and Fintech

  • Dual reporting burdens (RBI + CERT-In + DPB).
  • Breaches involving KYC and payments are high-risk.

Healthcare and Health-Tech

  • Sensitive health data triggers heavy penalties under DPDP.
  • Hospitals often lack CERT-In compliant IT teams.

E-Commerce and Retail

  • Frequent phishing and credential stuffing attacks.
  • High consumer grievance volumes expected post-breach.

IT/ITES and Cloud Providers

  • Must comply with CERT-In’s subscriber KYC retention plus DPDP obligations.
  • Outsourced processors may still trigger fiduciary liability.

Telecom and ISPs

  • Breaches of subscriber records affect millions.
  • CERT-In + TRAI + DPB create a three-layer compliance regime.

Global Comparisons

GDPR (EU): Breach notification within 72 hours. Notification to Supervisory Authority + affected individuals.

Singapore PDPA: Notify regulator and individuals if breach affects >500 people or involves sensitive data.

U.S. State Breach Laws: Timeline varies (30–90 days). State Attorneys General and affected individuals notified.

India’s CERT-In 6-hour deadline is one of the strictest globally, making compliance especially challenging.

Compliance Strategies

  1. Integrated Incident Response Plan: Single playbook covering CERT-In and DPDP obligations.
  2. Escalation Matrix: Define roles of CISO, DPO, compliance, and legal teams.
  3. Notification Templates: Pre-drafted CERT-In reports and consumer notices.
  4. Forensic Readiness: Maintain system logs as required by CERT-In.
  5. Regular Drills: Conduct breach simulations involving CERT-In + DPB reporting.
  6. Vendor Management: Ensure cloud providers, processors, and partners comply with CERT-In and DPDP.

Risks of Non-Compliance

  • Regulatory Penalties: Up to ₹200 crore under DPDP; criminal liability under IT Act.
  • Reputational Damage: Publicised breaches erode consumer trust.
  • Operational Disruption: Failure to notify may result in processing restrictions.
  • Contractual Liability: Breaches may trigger indemnity claims from business partners.

Conclusion & Key Takeaways

The intersection of CERT-In’s cybersecurity regime and DPDP’s privacy obligations creates one of the world’s most demanding breach notification frameworks.

Key takeaways:

  • CERT-In requires technical breach reports within 6 hours.
  • DPDP requires Board + Data Principal notification in clear, consumer-friendly terms.
  • Businesses must build integrated, regulator-ready incident response systems.
  • High-risk sectors (banking, healthcare, e-commerce, telecom) must prepare for dual reporting burdens.

In practice, compliance with CERT-In and DPDP is not just about avoiding penalties; it is about demonstrating resilience and building trust in India’s digital economy.

Co-authored by Aurelia Menezes