Key Takeaways
  • Since 2022, CERT-In's Directions require any cyber security incident to be reported within 6 hours of detection — a strict, size-blind rule with no severity threshold.
  • Failure to report can attract penalties under Section 70B of the IT Act, including imprisonment of up to one year for a first offence.
  • The Digital Personal Data Protection Act, 2023 adds a separate, parallel obligation to notify the Data Protection Board and affected individuals about personal data breaches, with penalties reaching into hundreds of crores.
  • India's reported cybersecurity incidents more than doubled between 2022 and 2024 — this isn't a rare, abstract scenario for most digitally-operating businesses.

Here's a question worth asking your own business right now, before it becomes urgent: if you noticed a cyber security incident tomorrow morning, would you know you had exactly six hours to report it?

Most business owners in India don't know this rule exists. It has been law since 2022.

The rule itself

Under directions issued by the Indian Computer Emergency Response Team (CERT-In) in 2022, under Section 70B of the Information Technology Act, 2000, a wide range of entities — service providers, intermediaries, data centres, body corporates, and government organisations — are required to report cyber security incidents to CERT-In within six hours of noticing them. There is no severity threshold. A data breach, a ransomware attack, unauthorised access, a defaced website — all of it is mandatorily reportable within the same six-hour window, regardless of how serious it turns out to be.

6 hours The reporting window under CERT-In's 2022 Directions — starting from the moment you notice the incident, not from when it actually occurred.
22.68 lakh Cybersecurity incidents reported in India in 2024, up from 10.29 lakh in 2022 — more than double in two years.

What happens if you miss it

Failure to report within the window can attract penalties under Section 70B of the IT Act — for a first-time offence, this can include imprisonment of up to one year, a fine of up to one lakh rupees, or both. For most small and medium business owners, the more immediate cost is simpler: not knowing the rule exists means not having a process ready when an incident actually happens, which is precisely when a clear head and a fast decision matter most.

"We found out about the six-hour rule from our lawyer, after the incident, not before it. By the time we understood what we were supposed to have done, we'd already missed the window."

A second clock, running in parallel

The Digital Personal Data Protection Act, 2023 adds a separate obligation on top of CERT-In's. If the incident involves personal data — customer records, employee information, payment details — you're also required to notify the Data Protection Board of India and, in many cases, the affected individuals directly. This runs on its own timeline, distinct from CERT-In's six hours, and carries its own, much larger financial penalties for failure to notify. The two obligations are not alternatives to each other; a single incident involving personal data can trigger both at once.

Why this isn't a "big company" problem

CERT-In's directions don't carve out an exemption for small businesses. A founder running a lean team, a consultant handling client data, a small e-commerce operation — all fall within scope if they operate as a body corporate handling digital systems, which describes most businesses with any online presence at all today.

What to actually put in place now, before an incident

  1. Know who in your business — even if it's just you — is responsible for noticing and acting on an incident, and how quickly that person would actually find out.
  2. Have a simple, written incident response step list ready — who to contact, what to document — so the six-hour clock isn't spent figuring out the process itself.
  3. Separately check whether your incident could involve personal data, which would also trigger the DPDP Act's notification requirements alongside CERT-In's.
  4. Ask whether your cyber insurance, if you have any, includes support for regulatory notification — this is a specific service some cyber policies provide and others don't.

None of this requires an enterprise-grade security team. It requires knowing the rule exists, and having a plan simple enough that six hours is actually enough time to use it.

This is general information about current regulatory reporting timelines, not legal advice for a specific incident — consult a qualified professional for guidance on your business's specific obligations.