Regulators & Obligations
Authorities and reporting timelines that apply to your engagements
Regulators covered
| Regulator | Full name | Scope |
|---|---|---|
| DPB | Data Protection Board of India | DPDP Act enforcement, breach notifications, penalties. |
| MeitY | Ministry of Electronics & IT | DPDP Rules, notified countries, exemptions. |
| CERT-In | Indian Computer Emergency Response Team | Cyber incident reporting (6-hour rule). |
| RBI | Reserve Bank of India | BFSI data localisation, IT directions, payments. |
| SEBI | Securities and Exchange Board of India | CSCRF, market intermediary cybersecurity. |
| IRDAI | Insurance Regulatory & Development Authority | Insurer information security guidelines. |
| TRAI | Telecom Regulatory Authority | Subscriber data, UCC, telecom privacy. |
| NHA | National Health Authority | ABDM, health data management policy. |
Reporting obligations
| ID | Obligation | Trigger | SLA | Regulator |
|---|---|---|---|---|
| OB-01 | Personal data breach notification | On detection of breach | Without delay; per Rules | DPB |
| OB-02 | Cyber incident report | On detection of incident | 6 hours | CERT-In |
| OB-03 | DSAR fulfilment | Verified principal request | Within prescribed period | DPB |
| OB-04 | Grievance redressal | Grievance raised | Reasonable period | DPB |
| OB-05 | Annual DPIA / audit (SDF) | SDF designation | Annual | DPB |
| OB-06 | Cross-border transfer attestation | Transfer to non-notified country | On transfer | MeitY / DPB |
| OB-07 | BFSI breach reporting | Material cyber incident | 2-6 hours per circular | RBI |