When a cyber incident occurs, the clock starts immediately. Every jurisdiction sets its own mandatory reporting deadline, and when you operate across multiple markets the strictest applicable deadline governs. This reference page summarises the mandatory notification obligations of the major jurisdictions.
Multi-jurisdiction rule: the shortest applicable deadline sets your internal response timeline, but it does not replace the other filings; each regulator whose scope you fall under still gets its own report in its own format. A company with operations in India and the EU must be ready to notify CERT-In within 6 hours, not just the supervisory authority within the GDPR's 72 hours. Note also that the clocks start on different triggers: GDPR and UK GDPR run from becoming aware of the breach, the SEC rule from the determination that the incident is material, and Singapore's PDPA from the assessment that the breach is notifiable. Your incident response plan should record each trigger timestamp separately and compute every deadline from the correct one.
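The rule above is easy to get wrong by hand once business-day deadlines, local time zones and different trigger clocks are mixed. The following is an added example (my code, not part of the original page or of any product it mentions) that computes every applicable deadline from the right trigger and returns the binding one. It assumes an illustrative subset of the obligations on this page, that business days are Monday to Friday with no public-holiday calendar, that a business-day deadline falls at 23:59:59 local time on the Nth business day, and that the sample trigger timestamps are constructed for the demonstration.

```python
"""Added example: compute every applicable notification deadline for an
incident and find the binding one. Assumptions (not from the page): a
partial set of obligations, Mon-Fri business days with no holiday calendar,
business-day deadlines at 23:59:59 local time, and per-obligation trigger
clocks because the SEC clock starts at the materiality determination rather
than at awareness."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo


@dataclass(frozen=True)
class Obligation:
    name: str
    trigger: str      # which clock starts it: "awareness" or "materiality"
    amount: int
    unit: str         # "hours", "calendar_days" or "business_days"
    tz: str = "UTC"   # zone in which business days are counted


# Illustrative subset of the table on this page (amounts as stated there).
OBLIGATIONS = [
    Obligation("India CERT-In", "awareness", 6, "hours"),
    Obligation("EU NIS2 early warning", "awareness", 24, "hours"),
    Obligation("EU GDPR Art. 33", "awareness", 72, "hours"),
    Obligation("Singapore PDPA", "awareness", 3, "calendar_days"),
    Obligation("Brazil LGPD", "awareness", 3, "business_days", "America/Sao_Paulo"),
    Obligation("US SEC Form 8-K", "materiality", 4, "business_days", "America/New_York"),
]

# Constructed sample: awareness on a Friday morning (UTC), materiality
# determined the following Monday.
EXAMPLE_TRIGGERS = {
    "awareness": datetime(2024, 3, 8, 10, 0, tzinfo=timezone.utc),
    "materiality": datetime(2024, 3, 11, 15, 0, tzinfo=timezone.utc),
}


def business_day_deadline(start: datetime, days: int, tz: str) -> datetime:
    """End (23:59:59 local) of the Nth business day after `start`, counted in `tz`,
    returned as an aware UTC datetime so it compares with the hour-based deadlines."""
    zone = ZoneInfo(tz)
    day: date = start.astimezone(zone).date()
    counted = 0
    while counted < days:
        day += timedelta(days=1)
        if day.weekday() < 5:        # Monday=0 .. Friday=4
            counted += 1
    return datetime.combine(day, time(23, 59, 59), tzinfo=zone).astimezone(timezone.utc)


def deadline(ob: Obligation, start: datetime) -> datetime:
    """Absolute UTC deadline for one obligation given its trigger timestamp."""
    if start.tzinfo is None:
        raise ValueError("trigger timestamps must be timezone-aware")
    if ob.unit == "hours":
        return start + timedelta(hours=ob.amount)
    if ob.unit == "calendar_days":
        return start + timedelta(days=ob.amount)
    if ob.unit == "business_days":
        return business_day_deadline(start, ob.amount, ob.tz)
    raise ValueError(f"unknown unit {ob.unit!r}")


def plan(obligations, triggers: dict[str, datetime]):
    """Return (due, pending). `due` is a list of (name, utc_deadline) sorted
    earliest first; `pending` names obligations whose trigger clock has not
    started yet (e.g. materiality not determined). Pending items are not
    dropped: they become due the moment their trigger is recorded."""
    due, pending = [], []
    for ob in obligations:
        start = triggers.get(ob.trigger)
        if start is None:
            pending.append(ob.name)
        else:
            due.append((ob.name, deadline(ob, start)))
    due.sort(key=lambda item: item[1])
    return due, pending


def binding_deadline(obligations, triggers):
    """The single earliest (name, deadline) that drives the response timeline."""
    due, _ = plan(obligations, triggers)
    return due[0] if due else None


if __name__ == "__main__":
    due, pending = plan(OBLIGATIONS, EXAMPLE_TRIGGERS)
    for name, when in due:
        print(f"{when.isoformat()}  {name}")
    print("pending:", pending)
    print("binding:", binding_deadline(OBLIGATIONS, EXAMPLE_TRIGGERS))
```

With the constructed timestamps the binding deadline is CERT-In at 16:00 UTC on the day of awareness; the Brazilian and SEC deadlines land on the Wednesday and Friday of the following week because weekend days are skipped and the Friday awareness date itself does not count. Call `plan` again whenever a new trigger is recorded, since a pending obligation such as the SEC filing can become the binding one later in the incident.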
| Jurisdiction | Law / Regulation | Deadline | Report To | Scope | Max Penalty |
|---|---|---|---|---|---|
| 🇮🇳 India | CERT-In Directions (April 2022) under IT Act 2000 s.70B | 6 hours from noticing or being notified of the incident | CERT-In | All organisations operating in India (service providers, intermediaries, data centres, corporates, government bodies) | Imprisonment up to 1 year and/or fine under IT Act 2000 s.70B(7) |
| 🇨🇳 China | CSL 2017 / DSL 2021 / PIPL 2021 | 24 hours (PIPL: notify "immediately") | MIIT / CAC | All organisations processing Chinese data or operating in China | PIPL: up to RMB 50m or 5% of prior-year turnover; business suspension |
| 🇪🇺 EU (NIS2) | NIS2 Directive (EU) 2022/2555, transposed from October 2024 | 24h early warning / 72h incident notification / 1 month final report | National CSIRT or competent authority | 18 sectors (Annex I high-criticality plus Annex II other critical) and their supply chains | Essential entities: up to €10m or 2% of global turnover; important entities: up to €7m or 1.4% |
| 🇪🇺 EU (GDPR) | GDPR Article 33 | 72 hours from becoming aware | National (lead) supervisory authority | All organisations processing EU personal data, wherever based | Up to €20m or 4% of global turnover |
| 🇬🇧 UK | UK GDPR / Data Protection Act 2018 | 72 hours from becoming aware | ICO | All organisations processing UK personal data | Up to £17.5m or 4% of global turnover |
| 🇺🇸 USA (CIRCIA) | CIRCIA 2022 (final rule pending) | 72h substantial cyber incidents / 24h ransomware payments | CISA | 16 critical infrastructure sectors | Subpoena and civil enforcement; detail set by the final rule |
| 🇺🇸 USA (SEC) | SEC Cybersecurity Disclosure Rules 2023 | 4 business days from determining materiality | SEC (Form 8-K Item 1.05; Form 6-K for foreign private issuers) | US-listed public companies | SEC enforcement action |
| 🇰🇷 South Korea | PIPA (amended 2023) | 72 hours | PIPC (and affected individuals) | All organisations processing South Korean personal data | Up to 3% of related revenue |
| 🇦🇪 UAE | PDPL (Federal Decree-Law 45/2021) | 72 hours | UAE Data Office | All organisations processing UAE personal data | Up to AED 5m |
| 🇸🇦 Saudi Arabia | PDPL (in force September 2023) | 72 hours | SDAIA | All organisations processing Saudi personal data | Up to SAR 5m |
| 🇧🇷 Brazil | LGPD (2020); ANPD Resolution 15/2024 | 3 working days from awareness | ANPD | All organisations processing Brazilian personal data | Up to 2% of Brazilian revenue, capped at R$50m per violation |
| 🇸🇬 Singapore | PDPA (amended 2021) | 3 calendar days after assessing the breach as notifiable (assessment itself within 30 days) | PDPC | All organisations processing Singapore personal data | Up to SGD 1m or 10% of annual Singapore turnover, whichever is higher |
| 🇯🇵 Japan | APPI (amended 2022) | Preliminary report promptly (3 to 5 days); final report within 30 days, or 60 days for intentional acts such as cyberattacks | PPC | All organisations processing Japanese personal data | Up to JPY 100m (corporate) |
| 🇨🇦 Canada | PIPEDA / Quebec Law 25 | As soon as feasible (QC: 72h) | OPC / CAI (Quebec) | All organisations processing Canadian personal data | PIPEDA: up to CAD 100,000 per offence; Law 25: up to CAD 25m or 4% of worldwide turnover |
| 🇦🇺 Australia (NDB) | NDB Scheme (Privacy Act 1988) | 30 days to assess, then notify as soon as practicable | OAIC | Organisations covered by the Privacy Act | Greater of AUD 50m, 3× the benefit obtained, or 30% of adjusted turnover (since December 2022) |
| 🇦🇺 Australia (SOCI) | SOCI Act (amended 2022) | 12h significant impact / 72h relevant impact | ASD (ACSC) | 11 critical infrastructure sectors | Civil penalties |
Notes by jurisdiction:

- India (CERT-In): strictest deadline globally. Also mandates 180-day retention of ICT system logs within India. Reportable incident types include ransomware, data breaches, DDoS, malware and unauthorised access.
- China: strict data localisation requirements and cross-border transfer restrictions. CAC security assessments are required for certain transfers of important data and personal information.
- EU (NIS2): supply chain security obligations; covered entities must assess the security of their suppliers and service providers (Art. 21). The 72-hour notification must be followed by a final report within one month.
- EU (GDPR): also notify affected individuals without undue delay if the breach is likely to result in a high risk (Article 34). Information may be provided in phases where it is not all available within 72 hours (Art. 33(4)). Applies regardless of where the organisation is based.
- UK: post-Brexit retained UK GDPR. The NIS Regulations 2018 also impose incident reporting on operators of essential services and relevant digital service providers. The Cyber Security and Resilience Bill (introduced 2025) will expand that scope.
- USA (CIRCIA): 72 hours for substantial cyber incidents; 24 hours after a ransomware payment. The requirements take effect only once CISA's final rule is in force (proposed rule published April 2024; final rule pending).
- USA (SEC): 4 business days from determining materiality, not from discovery; the materiality determination itself must be made without unreasonable delay. Annual disclosure of cyber risk management, strategy and governance in Form 10-K (Item 1C). Creates supply chain pressure, as listed customers need incident information from their vendors to make timely determinations.
- South Korea: the 2023 amendments significantly strengthened requirements and extraterritorial reach. The Information and Communications Network Act (ICNA) separately requires service providers to report intrusion incidents to MSIT/KISA (within 24 hours since the 2024 amendment).
- UAE: the UAE Cybersecurity Council also mandates incident reporting for critical infrastructure. The DIFC and ADGM free zones have separate data protection regimes with their own 72-hour breach notification rules.
- Saudi Arabia: the National Cybersecurity Authority (NCA) mandates incident reporting for critical national infrastructure under its Essential Cybersecurity Controls. Vision 2030 is driving rapid regulatory expansion.
- Brazil: ANPD Resolution 15/2024 fixes the deadline at 3 working days from awareness of the incident. LGPD applies regardless of where the organisation is based.
- Singapore: a breach is notifiable if it is likely to result in significant harm to individuals or affects 500 or more individuals. MAS separately requires financial institutions to notify it of relevant technology incidents within 1 hour of discovery.
- Japan: the Cybersecurity Basic Act and the Economic Security Promotion Act 2022 add supply chain security requirements for critical infrastructure operators.
- Canada: Quebec Law 25 (in force September 2023) requires notification to the CAI and affected persons for breaches presenting a risk of serious injury. Bill C-26, which would have added mandatory cyber incident reporting for federally regulated critical infrastructure, lapsed in 2025 and was reintroduced as Bill C-8.
- Australia (NDB): an eligible data breach is one likely to result in serious harm to affected individuals. The Privacy Act Review (2023) proposals may tighten the assessment timeline.
- Australia (SOCI): 12 hours for incidents with a significant impact; 72 hours for incidents with a relevant impact. Supply chain (critical infrastructure risk management program) obligations apply to operators of critical infrastructure assets. Separately, the Cyber Security Act 2024 requires ransomware payments to be reported to the Department of Home Affairs within 72 hours (from May 2025).
ESG Stress Free's Cyber AI Analyst helps SMEs understand their reporting obligations across all the jurisdictions they operate in, and build an incident response plan that meets the strictest applicable deadline.