Skip to Main Content.
  • Podcast Logo: "Data Privacy Detective"

    Data Privacy Detective Podcast – Episode 88: India’s Six-Hour Deadline to Report Cyberattacks to Government

Through a new cybersecurity regulation, businesses in India will have six hours to report cyberattacks to the government, pursuant to a regulation that comes into force at the end of June 2022. On April 28, 2022, the Indian Computer Emergency Response Team – CERT – part of the Ministry of Electronics and Information Technology, announced regulations that include the world’s most time-sensitive deadline for reporting cyber incidents to the government.

Stephen Mathias, head of the Technology Law Practice at the premier Indian law firm Kochhar & Co., presents the substance, challenges, and ambiguities of this pioneering effort. The regulation covers cyberattacks regardless of whether personal data is involved. In comparison to other global reporting requirements (such as GDPR’s 72-hour deadline for reporting breaches of personal data), the six-hour deadline is daunting and perhaps unworkable. Wording covers attacks even if not successful, in effect requiring Indian businesses to report in real-time the stream of all cyber-attacks that occur daily.

Global businesses rely on India’s strong tech industry for data processing. The regulation will challenge all Indian legal entities and any business with Indian connections to act quickly to assess the regulation’s impact before July 2022. Both civil and criminal enforcement can result from failing to report a broad array of cyber incidents. This podcast will help you understand the impact of the new Indian regulation and what it means to global business and data protection.


If you have ideas for more interviews or stories, please email