All insights
Regulatory updateIncident readiness

CERT-In directions and incident readiness

A concise operational view of incident reporting and log retention obligations relevant to security and privacy teams.

Data>Nuance

The CERT-In directions under the Information Technology Act sit alongside privacy governance responsibilities. An incident may require fast technical reporting while also triggering internal personal-data assessment.

Build a joined response path

Security and privacy teams should agree how an event is detected, escalated, assessed and recorded. The response design should cover the six-hour CERT-In reporting requirement where applicable and the logs needed to establish what happened.

Practical outputs

  • an incident classification and escalation playbook;
  • contact and reporting responsibilities;
  • log-retention and access controls; and
  • a post-event evidence record.

This briefing is general information. Organisations should obtain advice for their specific incident and applicable reporting duties.

This publication is general information and is not legal advice for a specific organisation or matter.

Continue reading

Children's data

Children's data checks for edtech products in India

A practical DPDP readiness guide for edtech products handling children's data across student accounts, schools, parents, vendors and support flows.

Read insight

Children's data

Age gating design under the DPDP Act

A practical guide to age gating design under the DPDP Act, covering age signals, product triggers, parent flows, feature controls and evidence records.

Read insight

Start with context

Book a focused DPDP Act consultation.

Bring an upcoming launch, notice review, data mapping question, incident readiness issue or implementation deadline. We will help identify the right next step.