Security • 12 min read
DPDP Compliance for CERT-In Aligned Companies
CERT-In readiness improves incident handling—but DPDP still requires lawful processing, notices, consent design, and rights/grievance workflows.
DPDP Compliance for CERT-In Aligned Companies: Why CERT-In Readiness Is Not the Same as DPDP Compliance
Many Indian companies assume that if they are already aligned with CERT-In requirements, they are mostly covered for India’s privacy law as well. That is a mistake. CERT-In compliance and DPDP compliance overlap in cybersecurity, incident handling, logging, and accountability, but they are not the same thing. CERT-In is India’s national nodal agency for responding to computer security incidents, and its April 28, 2022 directions focus on cyber incident reporting, log retention, time synchronization, subscriber information retention for certain service providers, and related cybersecurity practices. The Digital Personal Data Protection Act, 2023 (DPDP Act) is a separate legal framework for the lawful processing of digital personal data.
That distinction matters for SaaS companies, cloud platforms, fintechs, healthtech firms, marketplaces, telecom-linked services, and any business serving Indian users. A company may be strong on CERT-In incident reporting and still fall short on DPDP notice requirements, consent architecture, grievance handling, and Data Principal rights. In simple terms, CERT-In tells you a lot about how to handle cyber incidents; DPDP tells you how to lawfully handle digital personal data. Those are related, but not interchangeable, obligations.
Why CERT-In Readiness Is a Strong Starting Point
If your company is already aligned with the CERT-In Directions of 28 April 2022, you are not starting from zero. The directions require covered entities (service providers, intermediaries, data centres, body corporates, and government organisations) to report specified cyber incidents to CERT-In within six hours of noticing them or being notified of them. The six-hour clock runs from notice, not from when the incident actually occurred, so an old intrusion discovered today is still reportable within six hours of today's detection. The directions also require entities to enable logs of all their ICT systems, keep them securely for a rolling period of 180 days within Indian jurisdiction, and synchronize system clocks with the NTP servers of NPL or NIC, or with NTP servers traceable to them.
CERT-In's FAQ clarifies that if all incident details are not available within the six-hour window, entities should still report what they know and send updates as the investigation progresses. The directions also require covered entities to designate a point of contact to liaise with CERT-In, and the FAQ reiterates this. In practice, companies that take CERT-In seriously usually have better security operations, escalation chains, evidence preservation, and response discipline than companies that do not.
That is valuable for DPDP compliance. Companies with mature CERT-In processes usually already have:
incident response workflows
escalation paths
log retention discipline
security monitoring
investigation records
internal points of contact
All of those help when building an India-focused privacy program. But they are still only part of the picture.
Why CERT-In Compliance Does Not Equal DPDP Compliance
The first reason is scope. CERT-In is a cybersecurity and incident-response regime under the Information Technology Act framework. The DPDP Act 2023 is a personal-data law that governs how digital personal data is processed for lawful purposes and how individuals’ rights are protected. A company can comply with cyber incident reporting rules and still have weak privacy notices, poor consent flows, or inadequate user-rights handling.
The second reason is that CERT-In is mainly triggered by cybersecurity events and operational security duties, while DPDP covers the broader lifecycle of personal data. Under the DPDP Act, the focus is not just on breaches. It is also on lawful processing, notice, consent where applicable, grievance redressal, and duties linked to personal-data governance. So even a company with excellent SOC monitoring and incident reporting cannot assume that it is automatically DPDP compliant.
The third reason is breach handling itself. CERT-In requires prompt reporting of certain cyber incidents, but the Digital Personal Data Protection Rules, 2025 add a privacy-law layer on top of breach response. According to MeitY's November 2025 overview, the Rules give full effect to the DPDP Act and focus on operational implementation. Public summaries and coverage of the notified Rules indicate that personal data breaches require notification to affected individuals and to the Data Protection Board, which follows a different logic from cyber-incident reporting under CERT-In: the CERT-In trigger is the category of incident, while the DPDP trigger is whether digital personal data was affected. Filing a CERT-In report does not discharge the DPDP notification duty, and a DPDP notice does not satisfy CERT-In reporting. Security reporting and privacy-breach response are parallel obligations, not a single checklist.
What CERT-In Aligned Companies Still Need to Do for DPDP Compliance
The first step is to stop treating cybersecurity compliance and privacy compliance as the same project. They are connected, but they answer different legal questions. CERT-In asks whether you can detect, preserve, and report cyber incidents properly. DPDP asks whether your collection and use of digital personal data is lawful and transparent in the first place.
The second step is a DPDP-specific gap assessment. If your company already has a CERT-In playbook, compare it against the DPDP Act and the notified Digital Personal Data Protection Rules, 2025. Review privacy notices, onboarding forms, customer and employee data flows, consent capture, rights workflows, complaint handling, retention logic, and vendor access. Companies often discover that they are strong on logging and forensic readiness but weak on privacy notices and purpose mapping.
The third step is to build a privacy layer on top of your incident layer. CERT-In readiness usually means your company can detect and escalate incidents. DPDP readiness means your company must also know whether a particular event involves digital personal data, whether affected individuals need to be informed, whether the Data Protection Board needs to be notified under the Rules, and what internal records must be preserved for accountability. This is an inference from the different reporting functions described in the CERT-In directions and the DPDP implementation materials.
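The two-track decisioning described above can be encoded so that an on-call engineer cannot close the CERT-In track and forget the DPDP one. The following is an added example written for this article, not code from CERT-In, MeitY, or any product. It encodes only what the article states (CERT-In reporting within six hours of notice, 180-day rolling log retention, DPDP notification to affected Data Principals and the Data Protection Board); DPDP notification timelines are deliberately not encoded, and the incident fields, record names, and three sample incidents are constructed assumptions. Whether an event falls in a CERT-In reportable category is an input supplied by the security team, not something the code decides.

```python
"""Dual-track incident triage: CERT-In cyber-incident reporting alongside
DPDP personal-data-breach decisioning (added example, not regulator code).

Encoded from the article: CERT-In reporting within 6 hours of *noticing*,
180-day rolling log retention, and DPDP notification to affected Data
Principals and the Data Protection Board. DPDP timelines are NOT encoded:
the DPDP flags mean "open this track now", not "deadline is X".
Field names and sample incidents are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))
CERT_IN_REPORT_WINDOW = timedelta(hours=6)   # CERT-In Directions, 28 Apr 2022
LOG_RETENTION = timedelta(days=180)          # rolling retention, same directions


@dataclass
class Incident:
    incident_id: str
    noticed_at: datetime                 # when the entity noticed / was notified
    occurred_at: Optional[datetime]      # may be unknown at triage time
    cert_in_reportable: bool             # team's mapping to CERT-In categories (input)
    involves_digital_personal_data: bool
    affected_principals: int             # 0 if unknown or none
    details_complete: bool               # root cause and scope already known?
    oldest_log_available: datetime       # earliest retained log for affected systems


@dataclass
class TriagePlan:
    cert_in_deadline: Optional[datetime] = None
    cert_in_partial_initial_report: bool = False
    dpdp_breach: bool = False
    notify_data_principals: bool = False
    notify_data_protection_board: bool = False
    log_retention_gap: bool = False
    actions: list = field(default_factory=list)


def triage(inc: Incident) -> TriagePlan:
    plan = TriagePlan()

    # Track 1: CERT-In. The clock runs from noticing, not from occurrence,
    # so occurred_at plays no part in the deadline.
    if inc.cert_in_reportable:
        plan.cert_in_deadline = inc.noticed_at + CERT_IN_REPORT_WINDOW
        plan.actions.append(f"Report to CERT-In by {plan.cert_in_deadline.isoformat()}")
        if not inc.details_complete:
            # Per the CERT-In FAQ: report what is known, update later.
            plan.cert_in_partial_initial_report = True
            plan.actions.append("File initial report with available facts; schedule follow-up update")

    # Track 2: DPDP. Evaluated independently of track 1: a personal data
    # breach needs privacy decisioning even when no CERT-In track is open.
    if inc.involves_digital_personal_data:
        plan.dpdp_breach = True
        plan.notify_data_principals = True
        plan.notify_data_protection_board = True
        count = inc.affected_principals or "count TBD"
        plan.actions.append(f"Open DPDP breach track: notices to affected Data Principals ({count}) "
                            "and to the Data Protection Board")
        plan.actions.append("Record purpose, lawful basis and consent status for the affected data")

    # Evidence: do the affected systems have the full 180-day rolling window?
    # Less than 180 days may be a new system or a retention gap; flag it so
    # the incident record states which.
    if inc.noticed_at - inc.oldest_log_available < LOG_RETENTION:
        plan.log_retention_gap = True
        plan.actions.append("Fewer than 180 days of logs available; document the reason in the record")
    plan.actions.append("Preserve logs and investigation records for both tracks")
    return plan


def constructed_scenarios() -> dict:
    """Three constructed incidents showing the two tracks are independent."""
    t = datetime(2025, 12, 1, 9, 15, tzinfo=IST)
    logs_ok = t - timedelta(days=200)
    return {
        # Customer database compromise found 12 days after the fact: both tracks,
        # scope not yet known at hour zero.
        "db-compromise": triage(Incident("INC-1", t, t - timedelta(days=12),
                                         True, True, 48000, False, logs_ok)),
        # Volumetric DDoS on a public endpoint, no personal data: CERT-In only.
        "ddos": triage(Incident("INC-2", t, t, True, False, 0, True, logs_ok)),
        # Personal data exposure the team classified as outside CERT-In's
        # reportable categories: DPDP only, and only 40 days of logs on hand.
        "dpdp-only": triage(Incident("INC-3", t, t, False, True, 3, True,
                                     t - timedelta(days=40))),
    }


if __name__ == "__main__":
    for name, plan in constructed_scenarios().items():
        print(name, plan.actions)
```

The point of the three scenarios is the one the article makes: the CERT-In deadline is driven by incident category and time of notice, while the DPDP track is driven by whether digital personal data is involved, and either can apply without the other. Mapping an event to CERT-In's reportable categories is left as an input because that classification is a judgement the security team makes against the directions, not something a script should assert.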
The fourth step is to strengthen notices and consent design. Many engineering-led companies that are serious about CERT-In are still weak in legal UX. Their systems are secure, but their product flows do not clearly explain what data is collected, why it is collected, and how individuals can exercise choices or raise concerns. That is where DPDP compliance starts to differ sharply from pure cyber readiness.
The fifth step is to build a grievance and rights process. The CERT-In directions require prompt operational coordination with CERT-In on cyber incidents; DPDP requires a user-facing governance layer as well. MeitY's 2025 DPDP materials set out how the Data Protection Board and the compliance structure operate, and public summaries of the Rules point to a more formal framework for communicating with users and notifying breaches. A company that has only a security escalation mailbox, and no visible path for a user to raise a privacy grievance or exercise rights, is likely underprepared.
Where CERT-In and DPDP Actually Complement Each Other
This is where the opportunity is. A company that is already disciplined about CERT-In compliance often has exactly the kind of operational maturity that makes DPDP compliance easier: clear ownership, documented procedures, logs, incident playbooks, and audit trails. CERT-In gives you the muscles for cybersecurity response. DPDP gives you the legal framework for personal-data governance. Together, they form a stronger trust posture for Indian enterprises, procurement teams, and regulators. This is an inference based on the complementary roles of the two frameworks.
Why This Matters Now
This is no longer just a theoretical distinction. CERT-In’s directions have been in force since 2022, and India’s DPDP framework moved significantly in 2025 with publication of the Digital Personal Data Protection Rules, 2025 and the establishment of the Data Protection Board of India. The regulatory expectation for Indian businesses is now moving toward both stronger cyber discipline and stronger personal-data governance.
Final Thoughts
If your company is already aligned with CERT-In, you have a meaningful advantage. You likely already have incident response, evidence preservation, security logging, and escalation discipline. That is a strong operational base. But CERT-In compliance is not DPDP compliance. To become DPDP compliant, your company must add the legal and operational privacy layer required by the DPDP Act 2023 and the Digital Personal Data Protection Rules, 2025: clear notices, lawful data handling, consent architecture where applicable, user-rights and grievance workflows, and privacy-breach decisioning on top of cyber-incident response.
The strongest market message is not “we are CERT-In aligned.” The stronger message is: we are CERT-In aligned and DPDP ready for India. That is what builds trust in a market where cybersecurity and privacy are increasingly being evaluated together. This last point is an inference from how the two frameworks operate in parallel.