
Lagos's Voluntary, Tiered Cyber Playbook Is the Proportionality India's Mandatory Cyber Rules Skipped

A Nigerian state's non-binding, SME-aware cybersecurity guide is a quiet rebuke to India's penalty-first CERT-In and DPDP regime.

[Infographic: "India's One-Size Cyber Clock vs. a Tiered Alternativ…" (People of Internet Research, peopleofinternet.com). Figures shown: 6 hours, CERT-In incident reporting window under India's 2022 rule; 180 days, mandatory in-country log retention; 72 hours, DPDP detailed breach report deadline after immediate intimation; ~May 2027, DPDP full compliance date for Data Fiduciary obligations.]

Key Takeaways

On April 19, 2026, the Lagos State Government released the Lagos State Cybersecurity Guidelines 2026 — a voluntary, tiered framework that recommends baseline controls (multi-factor authentication, backups, patching, quarterly phishing drills, incident reporting) scaled separately for SMEs, large corporations, and government agencies. It carries no fines and no audits, and it explicitly reinforces — rather than replaces — Nigeria's federal Data Protection Act (2023) and Cybercrime Act (2024). It is a modest document from a sub-national government. It is also, unintentionally, the clearest illustration of a design choice India's own cyber rulebook never made.

India built the opposite instrument

India's flagship cybersecurity instrument is the set of CERT-In Directions dated April 28, 2022, issued under Section 70B(6) of the IT Act, 2000 and in force since June 27, 2022. The headline requirement is a mandatory six-hour window, counted from when an entity notices an incident or is told of one, to report a broad list of cyber incidents to CERT-In: far tighter than the GDPR's 72 hours to the supervisory authority or the 72-hour standard in the United States' CIRCIA. The Directions also compel synchronised system clocks (to NTP servers of NIC or NPL, or servers traceable to them), 180 days of rolling ICT logs maintained within Indian jurisdiction, and information or assistance to CERT-In in the format and within the timeframe CERT-In specifies. Non-compliance is punishable under Section 70B(7) with imprisonment of up to one year, a fine of up to one lakh rupees, or both.

Layered on top is the data-protection track. The Digital Personal Data Protection Rules, 2025, notified by MeitY in November 2025 with Data Fiduciary obligations phased in over 18 months to roughly May 2027, require a Data Fiduciary to intimate affected individuals and the Data Protection Board of a personal-data breach without delay, then file a detailed report with the Board within 72 hours (or a longer period the Board allows). The parent DPDP Act, 2023 sets penalties of up to ₹250 crore for failure to maintain reasonable security safeguards, and up to ₹200 crore for failure to notify a breach. The architecture is uniform, prescriptive, and penalty-anchored. The same six-hour clock applies to a payments giant and a two-person logistics startup alike.

The case for the strict version — taken seriously

The strongest argument for India's approach is real. A country running a $1.25-billion national AI program and absorbing tens of billions of dollars in cloud commitments is a vast attack surface, and breach under-reporting is a genuine problem: a soft, voluntary nudge can be ignored precisely by the actors who most need to act. A hard six-hour rule with statutory teeth forces breach visibility into a single national clearinghouse and gives CERT-In situational awareness it would otherwise lack. Uniformity also means no entity can litigate its way into a lower tier. For a regulator worried about systemic blind spots, prescription is a feature.

But the evidence on this specific design is not flattering. The Internet Society's impact brief warned that an indiscriminate, all-entities mandate raises compliance costs that fall hardest on SMEs, deters new entrants, and risks burying CERT-In under a deluge of low-signal reports, degrading the very emergency-response function the rule exists to serve. A six-hour deadline that starts the moment an organisation notices an incident rewards reporting noise over triage: there is no time to confirm whether an alert is a real compromise before the clock forces a filing. And mandatory, India-resident 180-day log troves concentrate sensitive telemetry in a predictable place, turning a security rule into a high-value target for attackers and, as the EFF's analysis of the Directions warned, a standing resource for mass surveillance.

What Lagos got right that India can still borrow

The Lagos document's insight is not that rules are bad — it is that one rule for everyone is the wrong rule for most. By writing three tiers, it acknowledges that a corner retailer and a multinational bank have different threat models, different budgets, and different reasonable expectations. By staying voluntary and free to download, it lowers the adoption barrier instead of raising the litigation one. And by anchoring itself to existing federal statutes rather than inventing fresh obligations, it adds capacity without adding contradiction.

None of that requires India to abandon mandatory reporting. A proportionate redesign would keep the binding core for genuinely critical infrastructure and large data fiduciaries while right-sizing the rest: a longer, GDPR-aligned reporting window for smaller entities; materiality thresholds so that minor, contained events do not trigger the same six-hour scramble as a national-scale compromise; and a published, tiered baseline of recommended controls — exactly Lagos's MFA-backups-patching-drills list — that SMEs can adopt without a compliance team. The DPDP Rules' phased, runway-style rollout already shows MeitY can think in graduated terms; the CERT-In Directions simply predate that instinct.

The competitiveness stakes

This is not abstract. Indian-origin AI researchers are increasingly weighing a return home, and India is actively building sovereign compute — including a G42–Cerebras supercomputer deal signed May 15, 2026 to host machines "on its own soil, under its own rules." Owning the stack is the easy part. Governing it proportionately — so that a founder can ship without fearing a six-hour tripwire — is what determines whether that talent and capital actually stay. A regulator that wants a thriving domestic tech base should treat cybersecurity the way Lagos did: as a capability to be built across the ecosystem, scaled to who you are, not a uniform liability to be feared. The smaller jurisdiction wrote the more sophisticated rule.

Sources & Citations

  1. CERT-In Directions, 28 April 2022 (official PDF)
  2. MeitY / DPDP Rules 2025 notification (PIB)
  3. EFF — analysis of India's CERT-In 2022 Directions and mass surveillance risk
  4. EY India — DPDP Rules 2025 analysis
  5. Nairametrics — Lagos cybersecurity guidelines unveiled