[This article has been co-authored by Aayushman Verma and Amal Singh Patel, who hold an MS in Cyber Law & Information Security from the National Law Institute University, Bhopal. It examines India’s cyber incident reporting regime under CERT-In’s 2022 Directions, arguing that while it imposes strict six-hour reporting deadlines on companies, it fails to create any corresponding rights for breach victims to be notified. The authors contend that this framework, built on delegated legislation without parliamentary oversight, violates constitutional principles established in Puttaswamy by denying citizens their right to informational self-determination and lacks the transparency and victim protections found in global standards like the EU’s NIS2 Directive and GDPR.]
Introduction: Breached, But Uninformed
In 2023, India recorded more than 1.3 million cybersecurity incidents. These numbers were officially reported to the Indian Computer Emergency Response Team (CERT-In), yet many breaches never reached the public eye and victims remained unaware. Government servers, private corporations, fintech platforms, and even health databases were compromised. The victims of these breaches were neither notified nor given any legal remedy. No formal process exists that compels authorities or companies to inform affected users of data loss or exploitation.
CERT-In’s April 2022 Directions introduced a six-hour deadline for companies to report cyber incidents. But these rules impose duties only on entities. They do not create any rights for individuals whose data may have been breached. In contrast, under the European Union’s General Data Protection Regulation, companies must report personal data breaches to supervisory authorities and affected individuals within 72 hours if there is a likely risk to rights or freedoms. The United States, under its Cyber Incident Reporting for Critical Infrastructure Act, also mandates timely notifications and ensures legislative oversight.
India’s framework lacks statutory support. CERT-In’s powers originate from delegated legislation under the Information Technology Act, 2000, but the resulting rules do not undergo parliamentary review or public consultation. The Digital Personal Data Protection Act, 2023, includes provisions on data breach reporting but does not clearly align with the CERT-In rules. There is no uniform obligation to inform victims or to publish breach reports. These inconsistencies create legal uncertainty and deny citizens their right to know when their data is compromised.
The Supreme Court recognised the right to privacy as a fundamental right under Article 21 of the Constitution in “Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1”. This right includes control over one’s personal data and the right to be alerted when that data is misused. This constitutional protection is ineffective in practice if the legal requirements governing breach notification are opaque.
India’s Cyber Incident Reporting Mandate
CERT-In functions under Section 70B of the Information Technology Act, 2000. It has the statutory responsibility to collect, analyse and respond to cybersecurity threats and incidents. In April 2022, CERT-In issued legally binding Directions requiring service providers, intermediaries, data centres, and corporate bodies to report specified cyber incidents within six hours of detection. These include data breaches, system compromises, unauthorised access, DDoS attacks, and more.
The six-hour mandate applies irrespective of the magnitude of the breach. The Directions also impose data retention duties, including maintaining ICT system logs for 180 days and requiring VPN and cloud service providers to retain customer information. However, these obligations are issued through delegated legislation and have not received detailed legislative scrutiny or consultation. They do not clarify how the timeline applies during weekends, national holidays, or across global operations, which makes compliance uncertain for international entities.
Additionally, the Directions require that system clocks be synchronised with Indian servers. They do not, however, provide a grievance redressal mechanism or impose a duty of transparency regarding the consequences of breaches. The Directions remain silent on the rights of affected individuals, including their right to be notified. Although breach notifications are mentioned in the Digital Personal Data Protection Act of 2023, there is no procedural link between that law and the CERT-In system.
The existing reporting system in India is heavily focused on compliance but silent on victims. It does not specify which incidents are eligible for publication or what “significant harm” entails. CERT-In publishes no breach summaries and no enforcement actions taken under these Directions. This undermines public awareness, industry trust, and the constitutional values under Articles 14 and 21. In “Shreya Singhal v. Union of India, (2015) 5 SCC 1”, the Supreme Court struck down vague provisions of the IT Act for failing the test of legality. The CERT-In Directions raise similar constitutional concerns because of their opacity.
Legal Gaps and Constitutional Concerns
The CERT-In Directions of 2022 do not originate from standalone legislation. They are issued under the delegated powers of Section 70B of the IT Act, 2000. This creates a regulatory framework without statutory checks or parliamentary oversight. There is no enabling Act that defines due process, purpose limitation, or victim redress. The scheme imposes duties on intermediaries but creates no enforceable rights for breach victims. This violates the doctrine of proportionality laid down in “Modern Dental College and Research Centre v. State of Madhya Pradesh, (2016) 7 SCC 353”, which requires every restriction on rights to be backed by law, to be necessary, and to be the least restrictive means available.
CERT-In’s Directions do not contain any provision mandating notice to individuals affected by reported incidents. Breach victims remain unaware. This omission runs contrary to the right to informational self-determination under Article 21. In “Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1”, the Supreme Court held that the right to privacy includes control over dissemination of personal data. Without breach disclosures, that control is illusory.
There is no clarity on the scope of penalties, no appeal process, and no time-bound response mechanism from CERT-In. Affected entities are subject to directions but cannot challenge them through independent review. In “Bennett Coleman & Co. v. Union of India, (1973) 2 SCC 788”, the Court held that excessive executive discretion is unconstitutional when it stifles individual freedoms. CERT-In’s wide powers, vague classifications, and lack of procedural safeguards invite the same risk. Moreover, the public has no access to compliance statistics or enforcement records.
Additionally, India’s data protection laws remain fragmented. The Digital Personal Data Protection Act of 2023 is not consistent with CERT-In’s mandate. No shared thresholds, timelines, or jurisdictional boundaries are defined. This legal dualism adds confusion for companies and makes outcomes less predictable for data principals. It also creates potential for overreach and arbitrary enforcement, contrary to Article 14’s guarantee of equal protection and non-arbitrariness.
Global Best Practices v. India’s Approach
The European Union’s NIS2 Directive requires entities to report cybersecurity incidents within 24 hours. It also requires follow-up reports and public notifications where necessary, and it includes penalties for non-compliance. The Directive promotes coordination between public authorities and operators. It defines clear thresholds for reportable incidents and respects the principle of proportionality. The General Data Protection Regulation (GDPR) complements this by compelling breach notifications to both regulators and affected individuals where personal data is at risk.
The United States passed the Cyber Incident Reporting for Critical Infrastructure Act, 2022. It requires entities to report substantial incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The law also ensures whistle-blower protections, prohibits public disclosure without consent, and imposes criminal liability for non-compliance. Singapore’s Cybersecurity Act, 2018 establishes licensing requirements, sectoral regulators, and empowers authorities to investigate without overstepping privacy rights.
These protections are absent from India’s CERT-In structure. There is no public breach registry. No layered thresholds. No individual rights. No clarity on enforcement. It operates through executive circulars, not primary legislation. The Digital Personal Data Protection Act of 2023 has no procedural connection to it. Global regimes, in contrast, guarantee democratic scrutiny, victim protection, and transparency. All three are absent from India’s structure.
Conclusion: Bridging The Trust Deficit
The current cyber incident reporting regime in India lacks constitutional safeguards. It fails to inform breach victims. It excludes public oversight. It burdens intermediaries but denies them procedural fairness. No legislative checks exist on CERT-In’s expanding powers. This framework stands on delegated directions, not parliamentary debate. In “Anuradha Bhasin v. Union of India, (2020) 3 SCC 637”, the Supreme Court stressed proportionality, transparency, and necessity as conditions for restricting fundamental rights. The CERT-In framework does not satisfy that standard.
No statutory right to breach notification exists for citizens. Neither under the IT Act nor under the Digital Personal Data Protection Act, 2023. This omission weakens data protection. It also creates asymmetry between State power and citizen rights. “PUCL v. Union of India, (1997) 1 SCC 301” recognized the right to privacy as essential for dignity. Silence after a cyber breach defies this dignity. India must harmonize its cybersecurity rules with democratic accountability. Mandatory individual notifications. Tiered reporting thresholds. Independent appellate review. Public breach registries. Legal clarity on timelines. These are not idealistic solutions. They are minimal standards in global frameworks. India must recognize that trust in digital systems grows only when individuals are empowered with information.