An Indian organisation hit by a breach faces a thicket of overlapping notification rules: CERT-In wants cyber-incident notice within 6 hours, the DPDP Act gives 72 hours for personal-data breaches, and RBI, SEBI, and IRDAI each impose their own (often 6-hour) reporting on regulated entities. The answer is not five playbooks — it is one decision tree.
The clocks you are racing
- CERT-In — 6 hours of noticing a reportable cyber incident.
- DPDP — ~72 hours to notify the Board and affected Data Principals of a personal-data breach.
- RBI / SEBI / IRDAI — typically within hours for regulated entities, per their frameworks.
The 6-hour CERT-In clock is the tightest, so it sets the pace: your detection-to-decision pipeline must produce a notification-grade summary in well under six hours.
One integrated playbook
- Single intake + severity triage. Every suspected incident enters one workflow with a decision tree that flags which regulators are in scope.
- Pre-drafted templates for CERT-In, the DPDP Board, and your sector regulator — fill in the variables, do not write from scratch at 3 a.m.
- Escalation matrix with named owners and out-of-hours contacts; the 6-hour clock does not pause for a weekend.
- Evidence capture from minute one — timeline, scope, data categories — because every regulator asks “what data, how many people.”
- Legal + DPO in the loop from the first hour, not after the technical dust settles.
Test it before you need it
A playbook you have never rehearsed fails under pressure. Run a tabletop with the clocks running. RingSafe builds and exercises integrated breach playbooks for Indian regulated entities. Book a tabletop.
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.