Cross-regulator · India Deep Dive
Multi-Regulator Breach Playbook
The CERT-In 6-hour clock is the fastest breach deadline in the world — it sets the pace for every other notification. Keep your internal detection-to-notification pipeline under 4 hours for a safety margin.
Last verified: 2026-06-17
Breach notification timeline — all regulators
| Regulator / Body | Deadline from Detection | Report Trigger | What to Include | Applies To |
|---|---|---|---|---|
| CERT-In | 6 hours | Any reportable cyber incident (26 types) | Incident type, affected systems, impact estimate, initial remediation steps; preliminary report accepted | All intermediaries, data centres, body corporate |
| RBI (CSITE) | 6 hours | Cyber incident affecting bank systems, customer data, or payment services | Parallel to CERT-In; use RBI CSITE portal; preliminary report + final RCA within 21 days | Banks, NBFCs, Payment Aggregators |
| SEBI (Cybercell) | 6 hours | Cyber incident affecting market systems, investor data, or trading platforms | SEBI incident report format; simultaneous with CERT-In | Stock exchanges, brokers, depositories, MIIs |
| IRDAI | 6 hours (sector) | Cyber incident affecting insurer systems, policyholder data, or claims processing | IRDAI notification + CERT-In simultaneously; SAR update required | Insurers, reinsurers, insurance brokers |
| Data Protection Board (DPBI) | 72 hours | Personal data breach affecting Data Principals | Notify DPB + affected Data Principals; breach description, categories of data, remediation steps | All Data Fiduciaries under DPDP Act (enforceable ~May 2027) |
| Board / Internal | Immediately | Any material cyber incident | CEO and Board notified immediately; crisis response team activated; legal counsel engaged | All regulated entities |