If your business suffers a cyber incident in India, CERT-In is not always the only body you must notify — which one depends on your sector. Banks and NBFCs report to the Reserve Bank of India, securities-market entities report to SEBI, telecom licensees report to the Department of Telecommunications, and every other organisation reports to CERT-In — while CSIRT-Fin, a nodal CSIRT under CERT-In, coordinates incident response across the wider financial sector (banking, securities, insurance, and pension). Knowing which regulator applies to you — and reporting to CERT-In in every case regardless of sector — is a compliance obligation, not an optional courtesy.
CERT-In: the national nodal agency
The Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY), is designated under the Information Technology Act, 2000 as the national agency for responding to cybersecurity incidents. CERT-In's mandate covers collecting, analysing, and disseminating information on cyber incidents; issuing alerts and advisories; and — most relevant to businesses — receiving mandatory incident reports from a wide range of entities under its 2022 cybersecurity directions.
CERT-In's role is deliberately broad: it is the default reporting destination for any Indian organisation experiencing a significant cyber incident, and it also functions as the coordinating hub that sectoral CERTs and CSIRTs plug into. Full details of what must be reported, and how, are published at cert-in.org.in.
Why sectoral bodies exist at all
A single national CERT cannot realistically hold the domain expertise needed to assess incident severity across every sector — a fraudulent NEFT transaction pattern at a bank looks nothing like a manipulated order-flow anomaly at a stock exchange, and neither resembles a SIM-swap wave at a telecom operator. India's regulatory response has been to let domain regulators — RBI for banking, SEBI for securities, DoT for telecom — build sector-specific incident-reporting and response capability, while CERT-In retains the national coordinating role and the authority under the IT Act to require reporting from any entity.
This is a common pattern internationally: national CERTs paired with sector-specific CSIRTs is how many mature cyber-incident ecosystems are structured, because sector regulators already have the supervisory relationship, the domain context, and in some cases the enforcement teeth to act on what they learn from an incident report.
CSIRT-Fin: the financial sector's nodal CSIRT
CSIRT-Fin (Computer Security Incident Response Team for the Financial Sector) is a nodal sectoral CSIRT that sits under CERT-In and MeitY, set up with the Department of Economic Affairs and Department of Financial Services, Ministry of Finance. It is not a SEBI body and it is not limited to the securities market — its mandate spans the whole financial sector (banking, securities, insurance, and pension), and it coordinates incident prevention and response with all four financial regulators: RBI, SEBI, IRDAI, and PFRDA.
For a securities-market entity specifically, SEBI remains the direct sector regulator with supervisory authority, and it publishes its own cybersecurity and cyber-resilience framework circulars setting out incident-reporting expectations for regulated market entities — stock exchanges, depositories, clearing corporations, stockbrokers, mutual funds, and other SEBI-regulated intermediaries. CSIRT-Fin sits alongside that relationship as a coordinating layer feeding into CERT-In, rather than as a body SEBI runs itself. In practice, a securities-market entity reports incident details to SEBI as its direct regulator, with the same incident also reportable to CERT-In under the IT Act — CSIRT-Fin coordinates in the background. SEBI publishes its cybersecurity and cyber-resilience framework requirements at sebi.gov.in.
RBI: banking and NBFC incident reporting
The Reserve Bank of India requires regulated entities — scheduled commercial banks, cooperative banks, and non-banking financial companies (NBFCs) above applicable thresholds — to report cybersecurity incidents through its supervisory and cyber-security frameworks. RBI has, over successive circulars and master directions, built out expectations around board-level cybersecurity oversight, incident reporting timelines, and cyber-resilience frameworks specific to the banking and NBFC sector. Full current requirements are published at rbi.org.in.
As with SEBI-regulated securities-market entities, RBI reporting for a bank or NBFC does not remove the separate obligation to report significant incidents to CERT-In under the IT Act framework — the two run in parallel, addressed to different regulators with different statutory bases.
DoT: telecom sector incident reporting
Telecom licensees — internet service providers, telecom operators, and related licensed entities — have incident-reporting obligations to the Department of Telecommunications (DoT) as their sector regulator, tied to their telecom licence conditions and security requirements. This sits alongside, not instead of, CERT-In reporting for the same incident where CERT-In's economy-wide mandate applies.
Which body applies to you — a practical breakdown
Most Indian businesses fall into one of a small number of buckets. This table is a starting orientation, not a substitute for checking the current circular that applies to your specific registration or licence category.
| Your business type | Primary sector regulator | Also report to |
|---|---|---|
| Bank or NBFC | RBI | CERT-In |
| Stock exchange, depository, clearing corporation, broker, mutual fund, other SEBI-registered intermediary | SEBI | CERT-In |
| Telecom licensee, ISP | DoT | CERT-In |
| E-commerce, SaaS, IT services, healthtech, and most other unregulated-sector businesses | CERT-In | — |
| Government / critical information infrastructure entity | Sector-specific CII authority where designated | CERT-In (and NCIIPC where applicable) |
Sectoral coverage across India's incident-reporting ecosystem
The chart below is a qualitative illustration of how sector-specific reporting authority is distributed across CERT-In's economy-wide mandate and the sector regulators layered on top of it — not a precise measure of incident volume or entity count, which is not publicly published in a directly comparable form across these bodies. CSIRT-Fin cuts across the RBI and SEBI slices below rather than being its own segment.
Building this into your incident-response process
For most Indian businesses, the practical takeaway is not "know the entire regulatory map" — it's knowing your own sector's obligation cold, before an incident happens, so a stressful moment doesn't turn into a missed statutory deadline. A workable process looks like:
- Identify your applicable regulator(s) at onboarding or annual compliance review — don't leave this discovery to incident day.
- Document the reporting channel and expected timeline for each applicable body (CERT-In, and RBI, SEBI, or DoT if relevant) inside your incident-response plan.
- Assign an owner — usually your CISO, compliance lead, or, for smaller businesses, the founder or designated IT lead — responsible for triggering both the sector-regulator and CERT-In reports.
- Rehearse it. A tabletop exercise that walks through "who do we call" for a plausible incident scenario surfaces gaps in contact details and ownership long before a real breach does.
- Keep the technical and reporting workstreams separate but parallel — forensic containment should not wait on reporting-obligation research, and vice versa.
Where technical readiness fits in
Regulatory reporting obligations only get invoked once an incident is detected — and detection depends on having enough visibility into your own attack surface to notice something has gone wrong. A structured vulnerability assessment surfaces the exposed services, misconfigurations, and weak points that are most likely to be exploited in the first place, which is a prerequisite for reducing how often you need to exercise any of this reporting machinery at all. If your organisation hasn't had its external attack surface independently reviewed, a free VAPT scan is a practical starting point, and for regulated entities that need a formal, empanelled sign-off, that work can be delivered with a CERT-In empanelled partner.
Businesses that also process personal data as part of their operations should review their separate obligations under India's data protection law — see our DPDP compliance guide for what applies. Dhisattva AI Pvt Ltd built Bachao.AI to make the technical half of cyber-risk readiness accessible to Indian businesses that don't have a dedicated security team to track every regulator's requirements alone.