India ransomware and cyber extortion policy

India's 72-Hour Rule Meets CERT-In's 6-Hour Clock: Why Quietly Paying Ransomware Just Got Riskier

DPDP Rules layer a personal-data breach notification duty on top of CERT-In's incident reporting mandate, narrowing the room for silent ransom payments in India.

[Figure: India's New Ransomware Reporting Stack (People of Internet Research, peopleofinternet.com). Panels: 6 hrs, CERT-In incident reporting window (April 2022); 72 hrs, DPDP personal data breach notification; 24 hrs, EU NIS2 early warning, shown for comparison; 50+ CRI member states, approximate membership of the Counter Ransomware Initiative.]

Key Takeaways

For years, the open secret of India's ransomware economy has been that many victims quietly pay, restore operations, and hope the incident never surfaces. That calculus is being reshaped in 2026 as the Digital Personal Data Protection (DPDP) Rules — notified in early 2025 and now moving through phased implementation — begin to operate alongside the Indian Computer Emergency Response Team's (CERT-In) long-standing six-hour cyber incident reporting mandate. The combined effect is not a ransomware ban, but a sharper legal spotlight on the increasingly untenable practice of paying attackers in silence.

Two clocks, one incident

Under the CERT-In Directions issued in April 2022 under Section 70B(6) of the Information Technology Act, 2000, organisations operating in India must report a defined set of cyber incidents — including ransomware attacks, data breaches, and unauthorised access to IT systems — within six hours of noticing them. That window has always been aggressive by global standards. The EU's NIS2 framework allows 24 hours for an early warning; the US SEC's disclosure rule for public companies operates on a four-business-day cycle once materiality is determined.

Layered on top of CERT-In's rules, the DPDP Rules operationalise Section 8(6) of the Digital Personal Data Protection Act, 2023, by requiring Data Fiduciaries to notify both affected individuals and the Data Protection Board of India (DPBI) of any personal data breach — reportedly within 72 hours of becoming aware of it, subject to the conditions in the notified Rules. Crucially, “personal data breach” under the DPDP Act covers unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data — language that captures the typical ransomware fact pattern of exfiltration and encryption.

For a company hit with a double-extortion ransomware attack involving customer or employee data, the practical timeline now looks like this: a six-hour clock to CERT-In on the incident itself, and a separate 72-hour clock to the DPBI and affected individuals on the personal data dimension. Paying the ransom in week one and pretending the event never happened becomes a regulatory exposure on two distinct fronts.

India in the Counter Ransomware Initiative posture

India is a participant in the US-led International Counter Ransomware Initiative (CRI), whose joint statements have consistently urged members to strongly discourage anyone within their jurisdiction from paying ransomware demands, and to promote a “don’t pay, do report” norm. India has not gone as far as some CRI partners that have explored statutory payment bans for public-sector entities, but the direction of policy travel is clear: payments are increasingly framed as a problem to be measured, reported, and discouraged — not quietly insured against.

That reflects an emerging international consensus that the ransomware ecosystem is partly demand-driven. When victims pay, they fund the next campaign, normalise the criminal business model, and obscure the data needed for coordinated disruption. Reporting obligations are the upstream policy lever that makes a “don’t pay” norm tractable.

A proportionate read — and where it can go wrong

From a pro-innovation, proportionate-regulation perspective, the architecture India is assembling is broadly defensible. Breach notification to affected individuals is consumer protection 101: people whose personal data has been stolen deserve a timely chance to defend themselves against identity theft and fraud. And a regulator that can see incident patterns can issue better guidance, sector advisories, and threat intelligence. Voluntary, silent settlement with criminals does none of that.

But the design risks are real and worth flagging:

What good implementation looks like

The DPBI’s early enforcement choices will set the tone. A regulator that distinguishes between a competent incident response that meets reporting timelines and a cover-up will reinforce the norm the CRI is trying to build. A regulator that treats every breach notification as prima facie evidence of failure will quietly push companies back toward silent payments and offshore disclosures.

The smarter path — consistent with India’s digital-economy ambitions — is to pair the new reporting clocks with three things: clear written guidance on what a “reasonable security safeguard” under Section 8(5) of the DPDP Act looks like in practice; a structured safe harbour for victims who report promptly and cooperate with CERT-In and law enforcement; and active discouragement, but not yet criminalisation, of ransom payments, so that the underlying market signal shifts without forcing victims into impossible choices.

The CERT-In six-hour rule and the DPDP 72-hour rule are not, in themselves, a ransomware policy. Together, though, they are the scaffolding on which one can finally be built — and the era of paying quietly and moving on is, on the legal terms India has now chosen, coming to an end.

Sources & Citations

  1. Digital Personal Data Protection Act, 2023 (MeitY)
  2. CERT-In Directions under Section 70B(6) of the IT Act (April 2022)
  3. International Counter Ransomware Initiative — Joint Statement (White House)
  4. Information Technology Act, 2000 (MeitY)