Navigating Cyber Incident Reporting: India's Stance Amidst Global Standards
Cybersecurity incident reporting has become a critical battleground for regulators worldwide, who use it to enhance resilience and accountability. As of April 2026, Indian entities face a multi-layered reporting regime, which merits a close comparison with the structured approaches seen in the European Union’s NIS2 Directive and the United States’ SEC cyber rules. For Indian businesses, understanding these divergent yet interconnected frameworks is paramount for compliance and risk management.
India’s Multi-Faceted Reporting Mandate
India’s incident reporting framework is anchored by the Indian Computer Emergency Response Team (CERT-In) Directions, issued under sub-section (6) of Section 70B of the Information Technology Act, 2000. These directions, particularly the April 2022 update, mandate that service providers, data centres, corporate bodies, and government organisations report specific types of cybersecurity incidents to CERT-In within six hours of noticing or being brought to notice. This swift timeline is one of the most stringent globally and applies broadly across various incident types, from data breaches to denial-of-service attacks.
Complementing CERT-In, the Digital Personal Data Protection Act, 2023 (DPDPA) introduces a general obligation for Data Fiduciaries. Section 8(6) of the DPDPA requires Data Fiduciaries to notify the Data Protection Board of India and affected Data Principals in the event of a personal data breach, “in such form and manner as may be prescribed.” While the specific timelines and thresholds for all personal data breaches are still being fully elaborated through subsequent rules, the overarching duty is clear. For regulated sectors, the Reserve Bank of India (RBI) Master Directions on IT Governance, Risk, Controls, and Assurance Practices (most recently updated in 2023-24) impose even more granular and often stricter reporting requirements on financial entities, sometimes demanding reports within two hours for critical incidents, directly to the RBI. This layered approach means many Indian entities must navigate multiple reporting obligations depending on their sector and the nature of the incident.
EU’s NIS2 Directive: A Structured Approach
The European Union’s NIS2 Directive (Directive (EU) 2022/2555), which became effective in October 2024, significantly expanded the scope and stringency of cybersecurity reporting for “essential” and “important” entities. Article 23 of NIS2 establishes a multi-stage reporting process for “significant incidents.” Entities must submit an initial “early warning” notification to their national CSIRT or competent authority within 24 hours of becoming aware of a significant incident. This must be followed by an updated notification within 72 hours, detailing the incident’s assessment and severity. A final report is then required within one month.
NIS2’s scope is broad, covering sectors from energy and transport to digital infrastructure, health, and even certain manufacturing and food production entities. Unlike India’s CERT-In Directions, which focus on a single, rapid initial report, NIS2 prioritises a structured, evolving understanding of the incident, allowing for more comprehensive information gathering over time.
US SEC Rules: Materiality for Public Companies
In the United States, the Securities and Exchange Commission (SEC) adopted new rules in July 2023 (Regulation S-K Item 106 and Form 8-K) specifically targeting publicly traded companies. These rules mandate disclosure of “material” cybersecurity incidents. A company must determine the materiality of an incident and, if deemed material, disclose it on Form 8-K within four business days of that determination.
The key differentiator here is the “materiality” threshold. Companies are given time to assess the impact of an incident on their financial condition or operations before the reporting clock starts. This approach reflects the SEC’s mandate to protect investors by ensuring timely and accurate information about risks that could affect stock prices. The scope is limited to publicly traded companies, contrasting with the broader applicability of CERT-In and NIS2.
Comparative Analysis: Timelines, Scope, and Triggers
Comparing these frameworks reveals distinct regulatory philosophies. India’s CERT-In Directions stand out for their exceptionally tight six-hour initial reporting timeline, arguably the strictest among the general frameworks, pushing entities towards immediate, albeit potentially incomplete, notification. The RBI’s even shorter timelines for financial entities further exemplify this emphasis on speed. This makes India stricter on initial reporting speed for a broad range of entities.
In contrast, NIS2’s 24-hour initial notification followed by a 72-hour update and one-month final report offers a more structured, phased approach to incident reporting, allowing for better information quality over time. The SEC rules, with their four-business-day window after a materiality determination, offer the most flexibility in terms of initial reporting, but place a significant burden on companies to make a timely and accurate materiality assessment. Here, India is stricter on the initial reporting timeline, while the SEC is more flexible, contingent on materiality.
Regarding scope, CERT-In’s directions apply to a wide array of “corporate bodies,” making it broadly applicable. NIS2 targets “essential” and “important” entities across critical sectors, which is also broad but sector-specific. The SEC rules are narrower, focused exclusively on publicly traded companies. India’s DPDPA, while general, applies to all Data Fiduciaries processing personal data, thereby encompassing a vast number of entities for personal data breaches.
On triggers, CERT-In mandates reporting upon “noticing or being brought to notice” of any specified incident. NIS2 requires reporting of “significant incidents.” The SEC rules are triggered by “material” incidents. The DPDPA is triggered by a “personal data breach.” India’s CERT-In is arguably the broadest in its trigger, requiring reporting for a wide range of incidents without an explicit materiality or significance threshold in the initial phase.
Indian law is currently silent on a direct equivalent to the SEC’s explicit public disclosure requirements for material incidents by private companies, beyond the DPDPA’s mandate to notify affected Data Principals. While CERT-In may issue advisories, a formal, regular public disclosure mechanism for non-financial private entities, similar to the SEC’s Form 8-K, is not present.
Practical Takeaway
For Indian businesses, DPOs, and GCs, the takeaway is clear: develop and maintain robust, agile internal incident response plans that can meet multiple, often overlapping, and sometimes conflicting, reporting obligations. CERT-In’s six-hour window demands immediate internal triage and notification capabilities. Entities operating internationally must also align with NIS2’s structured reporting and the SEC’s materiality-driven disclosures if they fall under those jurisdictions. This necessitates a sophisticated understanding of incident severity, potential impact, and jurisdictional applicability, ensuring that the right information reaches the right regulator within the prescribed (and often tight) timelines, while also preparing for potential Data Principal notifications under the DPDPA. Proactive legal and technical readiness is no longer an option but a necessity.