Legal Chronicle

December 2025

Data Breach Compliance CERT-In Directions & DPDP Act

Index

Data Breach Response in India: Proceedings under CERT-IN Directions

Dear Reader,

The Legal Department at UJA is delighted to share, through the Legal Chronicle, legal knowledge that keeps readers aware of recent updates and developments across various areas of the law. Our goal is to help our readers become familiar with the complexities of Indian as well as international law.

In this edition of Legal Chronicle, we focus on Data Breach Response in India, providing an insight into the CERT-IN Directions under the IT Act and the Digital Personal Data Protection (DPDP) Act, 2023. With the rising frequency of cyber incidents and data breaches, it is crucial for organizations to understand their legal obligations. While the DPDP Act establishes comprehensive personal data protection rules, its operational mechanisms for breach reporting are still new. Until they are fully in place, the CERT-IN Directions remain the go-to framework, mandating immediate reporting, preservation of logs and technical cooperation. This edition also highlights practical compliance steps, including incident detection, forensic investigation and preparation for future DPDP requirements, so that organizations are both legally compliant today and prepared for tomorrow.

We hope that this edition creates a sense of enthusiasm for our readers and successfully delivers the plethora of legal knowledge as intended. In case you have any feedback or need us to include any information to make this issue more informative, please feel free to write to us at legal@uja.in.

Introduction

In today’s digital era, data has emerged as one of the most valuable assets for businesses and individuals alike. With the rapid adoption of digital technologies, organizations in India are generating, processing and storing massive volumes of personal and sensitive data. While this digital transformation has enabled efficiency and innovation, it has also brought significant risks in the form of cyber threats, data breaches and unauthorized access.

Recent years have witnessed a surge in cybersecurity incidents across various sectors, ranging from ransomware attacks on critical infrastructure to breaches of customer databases in corporate organizations. These incidents not only compromise sensitive information but also erode trust, damage reputations and expose organizations to regulatory scrutiny.

Against this backdrop, regulatory frameworks in India are evolving to strengthen data protection and cybersecurity. On one hand, CERT-IN (Indian Computer Emergency Response Team) Directions, issued under the IT Act, provide operational guidelines for reporting and responding to cybersecurity incidents. On the other hand, the Digital Personal Data Protection (DPDP) Act, 2023, establishes statutory obligations for the protection of personal data and notification of breaches.

  • CERT-IN Directions under the IT Act

CERT-IN Directions under the IT Act provide the primary framework for responding to cybersecurity incidents in India. Issued under Section 70B of the Information Technology Act, 2000, these directions grant CERT-IN the authority to require organizations to report, investigate and mitigate cyber incidents. The guidelines apply broadly to service providers, intermediaries, data centres, corporates and individuals, ensuring a wide net of coverage across the digital ecosystem. They focus on incidents such as malware attacks, ransomware, unauthorized access and other security breaches, outlining immediate reporting obligations and technical cooperation requirements to protect critical information infrastructure and maintain national cyber resilience.

  • Digital Personal Data Protection (DPDP) Act, 2023

The Digital Personal Data Protection (DPDP) Act, 2023 is India’s landmark legislation aimed at protecting the privacy and rights of individuals’ digital personal data. It applies to data fiduciaries and processors who collect, store or process personal data, establishing clear obligations for responsible data handling. Key provisions include breach notification requirements, accountability measures and penalties for non-compliance.

However, while the Act is in force, the detailed rules and operational mechanisms for breach reporting will take time to be implemented, meaning that for now organizations primarily rely on the CERT-IN Directions for practical compliance with cybersecurity incident reporting.

  • Practical Compliance Implications

From a practical standpoint, CERT-IN Directions are currently the primary compliance requirement for organizations in India. Entities must detect and report cybersecurity incidents promptly, typically within six hours of becoming aware of the incident, preserve logs, provide technical details and cooperate fully with CERT-IN.

While the DPDP Act, 2023, establishes personal data protection obligations, its compliance framework is still prospective and at a nascent stage. Organizations should use this period to prepare internal processes for DPDP compliance, but in the meantime, CERT-IN reporting remains mandatory.

Insights: CERT-IN vs DPDP Act

  • A comparative look at the CERT-IN Directions and the DPDP Act, 2023, highlights the distinct purposes, scope and current applicability of these frameworks. The CERT-IN Directions, issued under the IT Act, focus on operational cybersecurity incident reporting and are legally binding today, requiring organizations to report incidents promptly, preserve logs and provide technical details to the national cyber authority. In contrast, the DPDP Act is designed to protect personal data and uphold the rights of data principals, establishing breach notification obligations and penalties. However, the DPDP Act’s operational mechanisms, including timelines, forms and thresholds for reporting breaches, are new, making its compliance largely preparatory at this stage. In practice, this means that while organizations should develop processes aligned with the DPDP Act, CERT-IN compliance is what must be followed now.

How CERT-IN Directions Govern Even Foreign Entities Amid the Evolving DPDP Framework

  • The CERT-IN Directions have an extensive scope that goes beyond India’s geographical boundaries. They apply to foreign entities that provide digital services, cloud infrastructure or any IT-enabled solutions to users in India or whose systems and operations have a direct impact on Indian data or networks. This extraterritorial reach reflects India’s firm stance on safeguarding its digital ecosystem and ensuring that global service providers handling Indian data are held to the same standards of accountability and compliance as domestic organizations.

Step-by-Step Data Breach Response for Current Scenario

In the current Indian regulatory landscape, an effective data breach response begins with immediate detection and containment of affected systems to prevent further compromise. Organizations must then report the incident to CERT-IN within the mandated timeframe, preserving all relevant logs and technical evidence for investigation. Concurrently, a forensic analysis and remediation plan should be initiated to identify the root cause and implement corrective measures. While the DPDP Act obligations are not yet fully operational, organizations are advised to proactively assess whether personal data is involved, document affected data categories and prepare for eventual notifications once the rules are enforced. Clear internal and external communication is essential, including updates to management, stakeholders and potentially affected individuals, followed by thorough documentation and post-incident review to strengthen future preparedness and compliance readiness.

FREQUENTLY ASKED QUESTIONS

  1. What is CERT-In?

The Indian Computer Emergency Response Team (CERT-In) is the national nodal agency established under Section 70B of the Information Technology Act, 2000. It is responsible for responding to cybersecurity incidents, issuing guidelines and ensuring the safety of India’s internet infrastructure.

  2. Who can report incidents to CERT-In?

Any individual, organization, government department or critical infrastructure operator can report cybersecurity incidents to CERT-In.

  3. Does CERT-In issue mandatory compliance directions?

Yes. CERT-In has the authority to issue mandatory directions to service providers, intermediaries, data centers and government bodies. These include requirements for incident reporting within six hours, maintaining logs and ensuring compliance with prescribed cybersecurity practices.

  4. How can incidents be reported to CERT-In?

To report a cybersecurity incident, fill out the incident reporting format using CERT-In’s Incident Reporting Template and send it to incident@cert-in.org.in (primary) and info@cert-in.org.in (CC). It must include details such as organization name, type of incident, date/time of detection, systems/data affected, impact, actions taken, logs preserved, and the contact person’s name, phone and email.

Conclusion

In conclusion, India’s data protection and cybersecurity landscape is in a transitional phase. While the Digital Personal Data Protection (DPDP) Act, 2023 has laid the foundation for a comprehensive personal data protection regime, its operational provisions for breach reporting are still awaited. Until those rules are notified and enforced, the CERT-IN Directions under the IT Act remain the binding framework governing how organizations must detect, report and respond to data breaches.

Organizations should therefore continue to prioritize CERT-IN compliance while simultaneously building internal mechanisms and governance structures that align with the upcoming DPDP requirements. Adopting this dual approach not only ensures current legal compliance but also prepares businesses for a seamless transition into the evolving regulatory environment. Ultimately, proactive planning, timely reporting and a culture of cybersecurity awareness will be key to maintaining compliance and protecting both organizational integrity and individual data rights in the digital age.

Disclaimer

This document is intended to provide general information and is not intended to be substituted for any legal or professional advice. This document is meant exclusively for informational purposes and not for advertising or solicitation. UJA has made significant efforts to ensure that the information contained in this document is accurate and reliable. However, the information herein is provided “as is” without warranty of any kind. UJA hereby disclaims all responsibility and liability, whether stated or implied, for the accuracy, validity, adequacy, reliability or completeness of any information provided under this document. In no event shall UJA be held liable for any losses or damages whatsoever incurred as a result of using this document.

About UJA

UJA’s team specializes in offering a wide range of legal solutions, ensuring comprehensive support for both businesses and individuals.

Our Comprehensive Services Include:

  • Legal Advisory
  • Contract Negotiation & Management
  • Financial & Legal Due Diligence
  • Immigration-related Services
  • Drafting & Reviewing of Legal Documents, Policies & Notices
  • Labour Law
  • Dispute Resolution & Arbitration
  • Business & Operational Restructuring for M&A
  • Trademark Filing & IP-related advisory
  • Legal Metrology & Related Services

UJA supports businesses in navigating complex regulations, global markets, and GI laws. Operating across France, Germany, Japan, Spain, and more, we specialize in market entry, expansion, and tailored solutions for growth. With over 29 years of experience and a team of 170+ experts, we have helped more than 1000 clients, from SMEs to MNCs, achieve their goals. Headquartered in Pune, we have offices across India (Bengaluru, Gurugram, Mumbai) and international offices in Japan, Italy and France, with representation in Germany, Spain and the UAE.
