The Indian government’s new policy requires organizations in the country to report cybersecurity incidents within six hours, including incidents involving vulnerability scans of computer systems.

The measure, along with other measures, was announced by the Indian Computer Emergency Response Team (CERT-In).

They were incorporated into Section 70B of the Information Technology (IT) Act, 2000 and are now part of the Indian law and will come into effect in 60 days.

The types of cybersecurity incidents that need to be reported to CERT-In include targeted scanning /probing of critical networks / systems, critical systems / information, unauthorized access to IT systems/data, defacement of website or intrusion into a website, malicious code attacks, attacks on servers, identity theft spoofing and phishing attacks, DoS and DDoS attacks, and attacks on critical infrastructure.

Others include attacks on applications, data breaches, data leaks, attacks on IoT devices and related devices, attacks or incidents involving digital payment systems, attacks through malicious mobile apps, counterfeit mobile apps, unauthorized access to social media accounts, and attacks or malicious/suspicious activities involving cloud computing systems and applications related to Big Data, Blockchain, virtual assets, and others.