Navigating Compliance Challenges in India: CERT-In vs. DPDP Act

Navigating India’s New Cybersecurity Compliance Landscape

An Article by Jayjit Biswas – Head IT Control BCM Tata Motors Digital. AI Labs.

India’s digital regulatory environment is shifting quickly, particularly in cybersecurity and personal data protection. Organizations of every size, from large enterprises to micro, small, and medium enterprises (MSMEs), now operate under expectations of speed, transparency, and accountability. Two clocks run in parallel: cyber incidents must be reported to CERT-In within six hours of being noticed, and personal data breaches must be notified under the Digital Personal Data Protection (DPDP) Act within 72 hours. The intent is clear: faster detection, prompt containment, and stronger protection for individuals and national digital infrastructure.

The Complexity of Dual Reporting

While the intentions are straightforward, implementation is not. CERT-In’s six-hour clock starts before most teams know the scope of an incident, while DPDP expects an analysed picture of which personal data was affected and how. Incident response teams are caught between urgency and accuracy, and the two requirements pull in opposite directions.

The CERT-In framework covers cybersecurity incidents such as malware infections and server compromises; the DPDP framework covers breaches of personal data, including unauthorized processing and accidental exposure. A single event can fall under both: malware on a server that holds customer records is a CERT-In incident the moment it is noticed, and becomes a DPDP breach as soon as personal data is confirmed to be affected. In the heat of the moment that second determination is rarely clear, and the uncertainty can stall incident management.

Challenges Faced by Large Enterprises

For large enterprises, the digital landscape often resembles a sprawling labyrinth. With multi-cloud deployments, a plethora of outsourced IT services, and extensive software supply chains, they face a vastly complex attack surface. Even though many of these organizations have sophisticated Security Operations Centers (SOCs) and extended detection and response (XDR) platforms, correlating logs and identifying whether personal data is involved can become a Herculean task.

Given the six-hour CERT-In window, coordinating the legal, cybersecurity, data protection, and operations teams becomes a race against time. Often, simply establishing what happened takes longer than the reporting period allows, so the initial report has to be filed on partial information and updated as facts emerge.

Mid-Sized Organizations: A Different Set of Challenges

Mid-sized organizations often rely on outsourced Security Operations Center (SOC) services and managed service providers. These arrangements do not always align with CERT-In’s six-hour requirement: a provider’s contractual escalation time may consume most of the window before the customer even learns of the incident. Many such organizations discover breaches after the fact, which leaves little time for analysis and reporting. Few have experienced cybersecurity legal advisors on call, which complicates the process further.

The 72-hour requirement of the DPDP Act necessitates not only an alert but a comprehensive understanding of how personal data is affected, what harm may have occurred, and how the situation will be communicated. This level of preparedness is often not fully established in mid-sized companies.

The Struggles of MSMEs

The situation is even more precarious for MSMEs. They are subject to the same CERT-In reporting requirement, yet they often lack the foundational resources—such as dedicated IT staff, cybersecurity measures, or even a basic incident detection capability. By the time a breach is detected, days may have passed, making compliance with the six-hour rule virtually impossible.

Additionally, MSMEs may not maintain adequate records regarding the personal data they store or process, which can complicate compliance with DPDP. Essentially, identifying whether the incident involves personal data may remain an elusive challenge.

Common Pain Points Across All Segments

The pain points experienced by organizations, regardless of size, reveal several systemic weaknesses:

  1. Lack of Integrated Breach Response Frameworks: Many organizations separate cybersecurity from privacy breaches, leading to duplicated efforts and conflicting decisions. An integrated “Cyber + Privacy” incident response playbook can streamline efforts.

  2. Vendor Dependence: Organizations often rely on cloud providers or managed services to detect anomalies. If these third parties do not promptly share information, regulatory timelines may be missed.

  3. Forensic Preparedness: Compliance with CERT-In requires the ability to produce logs swiftly. Yet many organizations cannot locate, retrieve, or trust their logs quickly, which makes timely and accurate reporting nearly impossible.

  4. Operational and Psychological Pressure: Teams face a dual fear: underreporting, which risks missing the deadline or omitting material facts, and overreporting, which commits unverified detail to the regulatory record that later has to be corrected.

  5. Fear of Reputational Damage: Reporting breaches can trigger scrutiny from management and regulators, instilling fear that may deter timely disclosures.

  6. Skills Shortage: The talent pool for both cybersecurity and privacy expertise is shallow in India, exacerbating the compliance challenges posed by DPDP and CERT-In.

Practical Solutions for Effective Compliance

Amid these challenges, organizations can implement several practical strategies:

  • Unified Breach Notification Playbook: Developing a comprehensive breach notification playbook that aligns with CERT-In, DPDP, and relevant sectoral regulations is imperative. This streamlined approach ensures clarity and cohesiveness in incident responses.

  • Prioritizing Forensic Readiness: Retain logs long enough to cover the period an intrusion may have gone unnoticed, forward them to a SIEM so they can be correlated rather than collected by hand during the incident, and keep every system’s clock synchronized to a trusted time source so that events from different systems can be placed on one timeline. Documented evidence-collection procedures make it possible to produce logs within the reporting window rather than discover gaps during it.

  • Cross-Functional Incident Response Teams: Assemble teams that encompass legal, cybersecurity, data protection, and communication experts to facilitate swift and informed responses.

  • Pre-Approved Templates: Establishing templates for reporting can ease the burden of compliance, helping teams avoid legal bottlenecks during emergencies.

  • Shared SOC Models for Small Organizations: For SMEs and MSMEs, leveraging shared SOC services can prove beneficial. Simplified response frameworks and industry association-led awareness programs can also offer robust support.
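As an added example (not the author’s code), the following Python script shows what forensic readiness looks like in practice for the two clocks described above. It normalises constructed log lines from three sources with different timestamp conventions to UTC, flags lines whose year or time zone had to be assumed, measures clock skew between two sources that recorded the same transfer, and derives the CERT-In and DPDP deadlines from the moment the SIEM alert was noticed. The source names, log lines, the five-second skew tolerance, the pairing of sources, and the choice to start both clocks at the moment of notice are all assumptions of this example.

```python
"""Forensic-readiness check for dual-clock breach reporting.

Added example, not the article author's code. Normalises multi-source log
timestamps to UTC, flags ambiguous clocks, measures cross-source skew, and
derives the CERT-In (6 h) and DPDP (72 h) deadlines the article describes.
"""
import re
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
CERT_IN_WINDOW = timedelta(hours=6)   # reporting window stated in the article
DPDP_WINDOW = timedelta(hours=72)     # notification window stated in the article

# Constructed sample lines (not real data). Three sources, three conventions:
# ISO-8601 in UTC, ISO-8601 in IST, and syslog with neither year nor zone.
SAMPLE_LOGS = [
    ("cloud-audit", "2025-01-10T03:12:45+00:00 event=ObjectRead bucket=customer-exports principal=svc-backup"),
    ("siem",        "2025-01-10T08:43:02+05:30 alert=AnomalousDownload bucket=customer-exports severity=high"),
    ("firewall",    "Jan 10 08:42:31 fw01 allow src=10.0.5.12 dst=203.0.113.7 bytes=918273645"),
]

_ISO = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}))\s+(.*)$")
_SYSLOG = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+(.*)$")


def parse_line(source, line, assumed_year, assumed_tz):
    """Return a record with a tz-aware UTC timestamp.

    Syslog lines carry no year and no zone, so the caller's assumptions are
    applied and the record is flagged; that flag is itself a readiness finding.
    """
    m = _ISO.match(line)
    if m:
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        return {"source": source, "ts_utc": ts.astimezone(timezone.utc),
                "assumed": False, "msg": m.group(2)}
    m = _SYSLOG.match(line)
    if m:
        local = datetime.strptime(f"{assumed_year} {m.group(1)} {m.group(2)} {m.group(3)}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=assumed_tz)
        return {"source": source, "ts_utc": local.astimezone(timezone.utc),
                "assumed": True, "msg": m.group(4)}
    raise ValueError(f"{source}: unrecognised timestamp format: {line!r}")


def build_timeline(logs, assumed_year=2025, assumed_tz=IST):
    """Parse (source, line) pairs and return records sorted on the UTC clock."""
    records = [parse_line(src, line, assumed_year, assumed_tz) for src, line in logs]
    return sorted(records, key=lambda r: r["ts_utc"])


def first_from(timeline, source):
    """Earliest record from one source (e.g. the SIEM alert that started the clock)."""
    return next(r for r in timeline if r["source"] == source)


def clock_skew(timeline, source_a, source_b):
    """Absolute gap between two sources' records of what should be the same event."""
    return abs(first_from(timeline, source_a)["ts_utc"] - first_from(timeline, source_b)["ts_utc"])


def readiness_findings(timeline, correlated_pairs, max_skew=timedelta(seconds=5)):
    """Problems that would slow an incident report: assumed clocks and skewed clocks.

    correlated_pairs lists source pairs known to log the same events; the
    five-second tolerance is an assumption of this example, not a regulatory figure.
    """
    findings = [f"{r['source']}: year and time zone were assumed, not logged"
                for r in timeline if r["assumed"]]
    for a, b in correlated_pairs:
        skew = clock_skew(timeline, a, b)
        if skew > max_skew:
            findings.append(f"{a} vs {b}: clocks differ by {int(skew.total_seconds())}s; synchronise NTP")
    return findings


def notification_deadlines(noticed_at, personal_data_involved):
    """Deadlines for both regimes, modelled as starting when the incident is noticed.

    Starting both clocks at the moment of notice is an assumption of this example.
    The DPDP clock only applies once personal data is confirmed to be involved,
    which is exactly the determination the article says is hard to make in time.
    """
    if noticed_at.tzinfo is None:
        raise ValueError("noticed_at must be timezone-aware")
    deadlines = {"CERT-In": noticed_at + CERT_IN_WINDOW}
    if personal_data_involved:
        deadlines["DPDP"] = noticed_at + DPDP_WINDOW
    return deadlines


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    for r in timeline:
        print(f"{r['ts_utc'].isoformat()}  {r['source']:<11} {r['msg']}")
    for finding in readiness_findings(timeline, [("cloud-audit", "firewall")]):
        print("finding:", finding)
    noticed = first_from(timeline, "siem")["ts_utc"]
    for regime, due in notification_deadlines(noticed, personal_data_involved=True).items():
        print(f"{regime}: notify by {due.astimezone(IST).isoformat()}")
```

Run against the constructed lines, the firewall record sorts first once converted to UTC, the 14-second gap between the firewall and the cloud audit log is reported as skew, and the syslog line is flagged because its year and zone came from assumptions rather than from the log. Those are the findings a team wants to surface in a readiness exercise, not at hour five of a six-hour window.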

In this new era of dual compliance, India faces an opportunity for maturity rather than mere burden. CERT-In sparks urgency, and DPDP demands accountability. By embracing integrated preparedness, organizations can not only comply but thrive in an increasingly regulated digital landscape.
