Question map
In India, it is legally mandatory for which of the following to report on cyber security incidents ? 1. Service providers 2. Data centres 3. Body corporate Select the correct answer using the code given below :
Explanation
The correct answer is option D (1, 2 and 3) because service providers, intermediaries, data centers and body corporate shall report the cyber security incidents to CERT-In within a reasonable[1] time frame. This reporting requirement is established under the provisions of section 70B of Information Technology (IT) Act, 2000[2], which mandates CERT-In to handle response and reporting of cyber incidents[2].
All three entities mentioned in the question—service providers (statement 1), data centres (statement 2), and body corporate (statement 3)—are explicitly included in the list of entities that must mandatorily report cyber security incidents to CERT-In. Therefore, all three statements are correct, making option D the right answer.
This comprehensive reporting framework ensures that CERT-In, as India's national agency for cyber security, can effectively perform its function of collection, analysis and dissemination of information on cyber incidents[3].
Sources- [1] https://naavi.org/importantlaws/itrules/jan4_2017_incident_report.pdf
- [2] https://www.cert-in.org.in/PDF/guidelinesgovtentities.pdf
- [3] https://prsindia.org/files/bills_acts/bills_parliament/2021/IT%20Act,%202000.pdf
PROVENANCE & STUDY PATTERN
Full viewThis question bridges Current Affairs and Statutory Law. While standard books cover the IT Act broadly, the specific 'mandatory reporting' list comes from the 2013 CERT-In Rules, highlighted by 2017-era cyber threats (WannaCry). If a sector (Cyber Security) is in the news, you must know the *obligations* of private players, not just government bodies.
This question can be broken into the following sub-statements. Tap a statement sentence to jump into its detailed analysis.
- Statement 1: As of 2017, are service providers in India legally required to report cyber security incidents?
- Statement 2: As of 2017, are data centres in India legally required to report cyber security incidents?
- Statement 3: As of 2017, are body corporates in India legally required to report cyber security incidents?
- Explicitly states the duty of service providers and similar entities to report incidents to CERT-In.
- The phrasing 'shall report' indicates a legal/mandatory obligation rather than a recommendation.
- Links reporting of cyber security incidents to the statutory provisions of section 70B of the IT Act, 2000, establishing CERT-In's legal role.
- Describes CERT-In functions including 'collection, analysis and dissemination of information on cyber incidents' and 'reporting of cyber incidents', supporting a legal reporting framework.
Describes a licensing regime for Internet Service Providers (400 licences, 128 signed) indicating an existing regulatory framework governing ISPs.
A student could check typical ISP licence conditions (reporting/notification clauses) or compare licence-era regulations around 2017 to see if incident-reporting was mandated.
Reports high counts of cybercrime cases (city-level FIRs) and notes technology makes detection challenging, implying government and police engagement with cyber incidents.
One could infer that high incident levels might motivate legal obligations for providers; verify by looking up 2017 policies or advisories from law enforcement/Ministry of Home Affairs on mandatory reporting.
Shows the government imposed specific rules on digital service providers (equalisation levy withheld by Indian companies), demonstrating precedent for targeted regulation of service providers.
Use this as a pattern that India enacted service-specific regulatory duties; search for contemporaneous cyber/security-specific rules applying analogous obligations (e.g., reporting) to service providers in 2017.
States absence of an enacted Act to regulate cryptocurrencies even after major regulatory steps, illustrating that in some digital domains India lacked formal legislation as of the dates referenced.
As a cautionary counter-pattern, a student could use this to argue that absence of an Act in one tech area means specific legal obligations (like mandatory incident reporting) are not automatic—so they should look for explicit rules or advisories from 2017.
Describes RBI directives ('Storage of Payment System Data') imposing specific data‑storage and audit submission obligations on payment system providers — an example of sectoral legal requirements placed on entities that host or process sensitive data.
A student could check whether similar sectoral regulators (RBI) or central rules (e.g., CERT‑In/IT Act) around 2017 included mandatory incident‑reporting clauses for data centres or payment system operators.
Notes extensive reporting of cybercrime (FIRs) to police and large connectivity of police infrastructure, indicating an active legal/criminal reporting environment for cyber incidents.
One could infer that criminal cyber incidents are reportable to law enforcement and so investigate whether data centres were required to notify police or authorities when incidents affecting data or services occurred in 2017.
Mentions many cases registered under the IT Act and quantifies cybercrime reporting, showing the IT Act was used in practice to address cyber incidents.
A student could look into provisions of the IT Act or its Rules in force by 2017 to see if those provisions created mandatory reporting duties for data centre operators.
States that certain digital policy measures (equalisation levy) were introduced as part of the IT Act, illustrating that the IT Act served as a vehicle for digital regulation.
This supports checking the IT Act (and subordinate rules) circa 2017 for regulatory requirements—such as incident notification—applying to data centres.
Shows that Indian companies have statutory reporting obligations to regulators (example: companies receiving FDI must report to RBI).
A student could infer that similar statutory reporting duties could be imposed for cyber incidents by a competent regulator (e.g., RBI for banks, or a central cyber authority) and then check relevant sectoral rules from 2017.
Identifies the Companies Act, 2013 and the National Company Law Tribunal as the legal framework and adjudicatory body governing company law in India.
A student could use this to look for amendments, rules, or notifications under the Companies Act or related rules (circa 2017) that might impose cyber-incident reporting on body corporates.
Notes that corporate entities are expected to meet transparency and governance standards, suggesting an existing norm of disclosure/ compliance expectations for companies.
A student could reason that cyber-incident reporting might be framed as a transparency/governance requirement and therefore search corporate governance rules or stock exchange disclosure norms from 2017.
Describes police connectivity and that cybercrime incidents are recorded as FIRs, indicating law-enforcement mechanisms for cyber incidents.
A student might extend this to check whether reporting to police (FIR filing) was the de facto or legally required route for corporates in 2017 versus any separate statutory corporate reporting channel.
Provides an example of a regulator (RBI) issuing a nationwide prohibition (on crypto trading) and the Supreme Court later reviewing it, showing regulators can and do issue binding directives affecting industry practices.
A student could infer that sectoral regulators (like RBI, SEBI, or a cyber authority) could similarly issue incident-reporting mandates and then check regulator orders/policies in 2017 for such mandates.
- [THE VERDICT]: **Doable Current Affairs**. Derived from the *CERT-In Rules, 2013*, often cited in 2017 news due to ransomware attacks.
- [THE CONCEPTUAL TRIGGER]: **Cyber Security Governance**. The post-demonetization digital push made 'incident reporting' a critical governance mechanism.
- [THE HORIZONTAL EXPANSION]: Memorize the **CERT-In mandate**: 1. Entities (ISPs, Data Centres, Body Corporate), 2. Timeframe (Reasonable time/early detection), 3. Penalty (Section 44C/70B), 4. Difference between **CERT-In** (General) vs **NCIIPC** (Critical Infrastructure).
- [THE STRATEGIC METACOGNITION]: When studying a regulatory body (like CERT-In, SEBI, RBI), always ask: **'Who is regulated?'** and **'What is their primary mandatory duty?'**. The question tests the *scope* of the law.
Service providers (ISPs) are the regulated entities that underpin internet access in India; understanding their licensing/coverage is relevant when assessing any legal duties placed on them.
High-yield for UPSC: ISP licensing and scope connect to questions on digital infrastructure, regulation and responsibilities of private actors. Mastering this helps answer policy/regulatory questions about who might be required to comply with cyber rules. Useful linkage across telecom policy, cyber law and governance topics.
- Geography of India ,Majid Husain, (McGrawHill 9th ed.) > Chapter 12: Transport, Communications and Trade > Internet > p. 43
Data on police connectivity and cybercrime FIRs is directly relevant to the ecosystem for reporting and responding to cyber incidents.
Important for UPSC internal security and governance topics: shows law enforcement capacity and trends in cybercrime which shape policy on mandatory reporting and incident response. Helps frame questions on state preparedness and inter-agency response.
- Geography of India ,Majid Husain, (McGrawHill 9th ed.) > Chapter 17: Contemporary Issues > Cyber Crime > p. 93
Regulatory obligations imposed on service providers (here in fiscal context) illustrate how non-resident and digital service providers can face legal duties, a conceptually adjacent area to obligations like incident reporting.
Relevant for UPSC economics and public policy: digital taxation/regulation examples show how the state exerts obligations on service providers—useful when analysing legal duties in the digital domain. Connects to questions on digital economy governance and international tax/regulatory coordination.
- Indian Economy, Nitin Singhania .(ed 2nd 2021-22) > Chapter 5: Indian Tax Structure and Public Finance > GOOGLE TAX OR EQUALISATION LEVY > p. 89
Reference [2] describes RBI directives requiring payment system data to be stored in India, which is directly relevant to legal rules governing where sensitive data (held by data centres) must reside.
High-yield for UPSC because questions often probe India's regulatory approach to digital data and fintech: understand what regulators (RBI) can mandate (storage locality) vs. other incident-reporting obligations. Links to topics on financial regulation, cyber law and data governance; useful for essay/GS3 and policy-analysis questions.
- Indian Economy, Nitin Singhania .(ed 2nd 2021-22) > Chapter 8: Financial Market > 2020 > p. 247
References [4] and [1] report numbers of cybercrime cases and note cases registered under the IT Act, highlighting the IT Act as the statutory framework for cyber offences and enforcement.
Important for UPSC aspirants to connect cybercrime trends with the legal framework: helps answer questions on law-and-order in cyberspace, effectiveness of the IT Act, and institutional responses. Enables analysis-type questions on legal adequacy and crime statistics.
- Geography of India ,Majid Husain, (McGrawHill 9th ed.) > Chapter 14: Settlements > 9. Increase in Crimes > p. 49
- Geography of India ,Majid Husain, (McGrawHill 9th ed.) > Chapter 17: Contemporary Issues > Cyber Crime > p. 93
Reference [2] requires submission of consolidated system audit reports to the Comptroller and Auditor General; reference [3] shows RBI has statutory reporting obligations — both indicate forms of mandated reporting/audit by regulators.
Useful for distinguishing types of legal obligations (data storage, audit submission, public reporting) when evaluating whether 'incident reporting' is mandated. Helps with GS3 questions on institutional accountability, regulatory compliance and differences between audit/reporting vs. incident disclosure.
- Indian Economy, Nitin Singhania .(ed 2nd 2021-22) > Chapter 8: Financial Market > 2020 > p. 247
- Indian Economy, Vivek Singh (7th ed. 2023-24) > Chapter 2: Money and Banking- Part I > 12.Policy Research and Data Dissemination > p. 75
Reference [2] shows that Indian companies have statutory reporting duties (FDI must be reported to RBI), illustrating that companies can be subject to specific legal reporting obligations.
High-yield: helps aspirants recognise the distinction between sector-specific statutory reporting duties and broader compliance obligations. Connects company law, economic regulation and administrative agencies (e.g., RBI). Useful for questions on corporate compliance, regulatory architecture and differences in reporting regimes; learn by mapping responsibilities to specific regulators.
- Indian Economy, Nitin Singhania .(ed 2nd 2021-22) > Chapter 16: Balance of Payments > 16.8 Indian Economy > p. 476
Critical Information Infrastructure (CII): Under Section 70A of the IT Act, CII is protected by NCIIPC, not just CERT-In. A future question might swap CERT-In with NCIIPC or ask which sectors (Power, Banking, Transport) are designated as CII.
The 'Weakest Link' Logic: In network security, a vulnerability in a Data Centre or a Corporate server affects the whole country. A law designed to *protect the nation* would be toothless if it exempted the very entities holding the data (Data Centres) or the pipes carrying it (Service Providers). Thus, the mandate *must* be universal (All of the above).
GS3 Internal Security & Economy: Mandatory reporting creates a 'Data Lake' for the state but raises 'Ease of Doing Business' costs for firms. Use this tension in Mains answers regarding the Digital Personal Data Protection Act or Cyber Security Policy.