Change set
Pick exam & year, then Go.
Question map
In India, it is legally mandatory for which of the following to report on cyber security incidents ? 1. Service providers 2. Data centres 3. Body corporate Select the correct answer using the code given below :
Explanation
The correct answer is option D (1, 2 and 3) because service providers, intermediaries, data centers and body corporate shall report the cyber security incidents to CERT-In within a reasonable[1] time frame. This reporting requirement is established under the provisions of section 70B of Information Technology (IT) Act, 2000[2], which mandates CERT-In to handle response and reporting of cyber incidents[2].
All three entities mentioned in the question—service providers (statement 1), data centres (statement 2), and body corporate (statement 3)—are explicitly included in the list of entities that must mandatorily report cyber security incidents to CERT-In. Therefore, all three statements are correct, making option D the right answer.
This comprehensive reporting framework ensures that CERT-In, as India's national agency for cyber security, can effectively perform its function of collection, analysis and dissemination of information on cyber incidents[3].
Sources- [1] https://naavi.org/importantlaws/itrules/jan4_2017_incident_report.pdf
- [2] https://www.cert-in.org.in/PDF/guidelinesgovtentities.pdf
- [3] https://prsindia.org/files/bills_acts/bills_parliament/2021/IT%20Act,%202000.pdf
PROVENANCE & STUDY PATTERN
Guest previewThis question bridges Current Affairs and Statutory Law. While standard books cover the IT Act broadly, the specific 'mandatory reporting' list comes from the 2013 CERT-In Rules, highlighted by 2017-era cyber threats (WannaCry). If a sector (Cyber Security) is in the news, you must know the *obligations* of private players, not just government bodies.
This question can be broken into the following sub-statements. Tap a statement sentence to jump into its detailed analysis.
Web source
Presence: 5/5
"Service providers, intermediaries, data centers and body corporate shall report the cyber security incidents to CERT-In within a reasonable ..."
Why this source?
- Explicitly states the duty of service providers and similar entities to report incidents to CERT-In.
- The phrasing 'shall report' indicates a legal/mandatory obligation rather than a recommendation.
Web source
Presence: 4/5
"and cyber security incidents in terms of the provisions of section 70B of Information Technology (IT) Act, 2000 (IT Act, 2000) ... issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;"
Why this source?
- Links reporting of cyber security incidents to the statutory provisions of section 70B of the IT Act, 2000, establishing CERT-In's legal role.
- Describes CERT-In functions including 'collection, analysis and dissemination of information on cyber incidents' and 'reporting of cyber incidents', supporting a legal reporting framework.
- Explicitly states the duty of service providers and similar entities to report incidents to CERT-In.
- The phrasing 'shall report' indicates a legal/mandatory obligation rather than a recommendation.
- Links reporting of cyber security incidents to the statutory provisions of section 70B of the IT Act, 2000, establishing CERT-In's legal role.
- Describes CERT-In functions including 'collection, analysis and dissemination of information on cyber incidents' and 'reporting of cyber incidents', supporting a legal reporting framework.
Geography of India ,Majid Husain, (McGrawHill 9th ed.) > Chapter 12: Transport, Communications and Trade > Internet > p. 43
Strength: 4/5
“As on December 31, 2006, there are 400 licenses for provision of Internet Services out of which 128 have signed Licenses for Provisions of Internet Services (including Internet Telephony). Based on reports received from Internet Service Providers till March 2006, there are approximately 12.00 million Internet subscribers in India (India 2010).”
Why relevant
Describes a licensing regime for Internet Service Providers (400 licences, 128 signed) indicating an existing regulatory framework governing ISPs.
How to extend
A student could check typical ISP licence conditions (reporting/notification clauses) or compare licence-era regulations around 2017 to see if incident-reporting was mandated.
Geography of India ,Majid Husain, (McGrawHill 9th ed.) > Chapter 17: Contemporary Issues > Cyber Crime > p. 93
Strength: 3/5
“15,000 police stations and 6000 higher offices of the police are connected in the country.• (v) Bengaluru city (Silicon Valley) recorded the most number of cyber cases in 2018 with 5035 FIRs. Delhi registered 84 cases as in 2017. Other metro cities with high record of cybercrime cases are Hyderabad, Kolkata and Chennai. The increasing use of laptops and mobile phones have caused a negative impact on the youth. The cyber crimes against the children and the women account for about 30%.• (vi) Technology evolution and innovations make it challenging to detect the cyber crimes. CAA”
Why relevant
Reports high counts of cybercrime cases (city-level FIRs) and notes technology makes detection challenging, implying government and police engagement with cyber incidents.
How to extend
One could infer that high incident levels might motivate legal obligations for providers; verify by looking up 2017 policies or advisories from law enforcement/Ministry of Home Affairs on mandatory reporting.
Indian Economy, Nitin Singhania .(ed 2nd 2021-22) > Chapter 5: Indian Tax Structure and Public Finance > GOOGLE TAX OR EQUALISATION LEVY > p. 89
Strength: 3/5
“• This direct tax is applicable on payment exceeding ₹1 lakh during a financial year.• It is withheld by recipient Indian companies at the time of payment to service providers (non-resident companies) for digital service rendered.• Non-resident service providers cannot claim tax credit against it in their home country under the Double Taxation Avoidance Agreements.• From 2016-17 to 2018-19, the Central Government has earned just ₹1800 crore from equalisation levy”
Why relevant
Shows the government imposed specific rules on digital service providers (equalisation levy withheld by Indian companies), demonstrating precedent for targeted regulation of service providers.
How to extend
Use this as a pattern that India enacted service-specific regulatory duties; search for contemporaneous cyber/security-specific rules applying analogous obligations (e.g., reporting) to service providers in 2017.
Indian Economy, Nitin Singhania .(ed 2nd 2021-22) > Chapter 7: Money and Banking > CRYPTOCURRENCIES > p. 160
Strength: 2/5
“In April 2018, RBI banned the trading of virtual currencies or cryptocurrencies in India. However, in 2020, the Supreme Court (SC) lifted the ban on cryptocurrencies which was imposed by the RBI. The SC held that the complete ban on trading was excessive. There is no such Act enacted yet to regulate cryptocurrencies in India.”
Why relevant
States absence of an enacted Act to regulate cryptocurrencies even after major regulatory steps, illustrating that in some digital domains India lacked formal legislation as of the dates referenced.
How to extend
As a cautionary counter-pattern, a student could use this to argue that absence of an Act in one tech area means specific legal obligations (like mandatory incident reporting) are not automatic—so they should look for explicit rules or advisories from 2017.
Describes a licensing regime for Internet Service Providers (400 licences, 128 signed) indicating an existing regulatory framework governing ISPs.
A student could check typical ISP licence conditions (reporting/notification clauses) or compare licence-era regulations around 2017 to see if incident-reporting was mandated.
Reports high counts of cybercrime cases (city-level FIRs) and notes technology makes detection challenging, implying government and police engagement with cyber incidents.
One could infer that high incident levels might motivate legal obligations for providers; verify by looking up 2017 policies or advisories from law enforcement/Ministry of Home Affairs on mandatory reporting.
Shows the government imposed specific rules on digital service providers (equalisation levy withheld by Indian companies), demonstrating precedent for targeted regulation of service providers.
Use this as a pattern that India enacted service-specific regulatory duties; search for contemporaneous cyber/security-specific rules applying analogous obligations (e.g., reporting) to service providers in 2017.
States absence of an enacted Act to regulate cryptocurrencies even after major regulatory steps, illustrating that in some digital domains India lacked formal legislation as of the dates referenced.
As a cautionary counter-pattern, a student could use this to argue that absence of an Act in one tech area means specific legal obligations (like mandatory incident reporting) are not automatic—so they should look for explicit rules or advisories from 2017.
This tab shows concrete study steps: what to underline in books, how to map current affairs, and how to prepare for similar questions.
Login with Google to unlock study guidance.
Discover the small, exam-centric ideas hidden in this question and where they appear in your books and notes.
Login with Google to unlock micro-concepts.
Access hidden traps, elimination shortcuts, and Mains connections that give you an edge on every question.
Login with Google to unlock The Vault.