Spice Route Legal
| CYBER SECURITY LAW IN INDIA: SUMMARY OF REPORTING OBLIGATIONS | ||||
| Reporting Entity | Type of Security Incident | Entity to Report to | Mode of Reporting | Timeline for Reporting |
| GENERAL REPORTING | ||||
| All companies (Note: A general obligation is imposed on all companies to report incidents to the Indian Computer Emergency Response Team (“CERT-In“) in the manner provided in this table. Additional reporting obligations may apply, depending how an entity is regulated.) |
Certain cyber security incidents of severe nature to be mandatorily reported, such as denial of service, distributed denial of service attacks, intrusion, spread of computer contaminant including: ransomware on any part of the public information infrastructure including backbone network infrastructure;data breaches or data leaks; large-scale or most frequent incidents such as intrusion into computer resource, websites, etc.;cyber incidents impacting safety of human beings (collectively, “Prescribed Security Incidents“). All other security incidents. |
CERT-In | Email (incident@cert-in.org.in) Phone (1800-11-4949) Fax (1800-11-6969) Incident response form: https://www.cert-in.org.in/PDF/certinirform.pdf |
6 hours upon receipt of knowledge of Prescribed Security Incident. Without undue delay for all other security incidents (however no specific prescribed timeline). |
| All organisations that have “protected systems”, as designated by the government under Section 70 of the Information Technology Act, 2000 | Security incidents that impact protected systems. | National Critical Information Infrastructure Protection Centre (“NCIIPC“) | Email (ir@nciipc.gov.in) Phone (1800114430) Incident report form: https://nciipc.gov.in/documents/Incidence_Report_Form.pdf | No prescribed timeline |
