Raksha News
Security intel for Indian businesses.
The regulation you have to follow and the threats you have to watch — in one place, in plain English, framed for what it means to a business like yours.
DPDP penalties go up to ₹250 crore — and there's no cure period
The DPDP Act sets maximum penalties as high as ₹250 crore for security failures. They're ceilings the Board assesses case-by-case, not automatic fines — but there's no grace period to fix things after a breach.
- you want to size the financial risk of non-compliance
- you handle sensitive or large volumes of personal data
DPDP Rules 2025 are notified — the compliance clock has started
India's Digital Personal Data Protection Rules, 2025 were notified on 14 November 2025, putting the 2023 Act into motion. The core obligations are phased in over 18 months, with the hard deadline for most businesses on 14 May 2027.
- you collect customer personal data
- you run a website or app with sign-ups
- you hold data on customers or employees
The DPDP timeline: what's due on 14 Nov 2025, 14 Nov 2026 and 14 May 2027
DPDP obligations don't all start at once. Some provisions began on notification, Consent Manager registration opens at the one-year mark, and the substantive obligations most businesses care about bite on 14 May 2027.
- you process personal data of people in India
- you need a compliance roadmap and dates
DPDP applies to you even if you're a small business or startup
There is no blanket small-business or startup exemption in the DPDP Act. If you decide how and why personal data is processed, you're a 'data fiduciary' regardless of your size or revenue.
- you're a small business, solo founder or startup
- you assumed data-protection law doesn't apply at your size
- you're a DPIIT-recognised startup
CERT-In already requires cyber-incident reporting within 6 hours
Separate from DPDP, CERT-In's 2022 directions require you to report specified cyber incidents within 6 hours of noticing them. This has been enforceable since June 2022 — it's a present-day obligation, not a future one.
- you run any internet-facing service in India
- you operate servers, websites or apps
The Data Protection Board isn't operational yet — use the runway
The Data Protection Board of India exists in law but isn't functioning yet — no chairperson or members are in office. MeitY only invited applications in May 2026. This is a window to prepare, not an excuse to delay.
- you're wondering whether anyone is enforcing DPDP yet
- you want to prepare ahead of active enforcement
There's no '50 lakh users' rule for Significant Data Fiduciaries
Despite what many blogs claim, neither the DPDP Act nor the 2025 Rules sets a numeric threshold (like '50 lakh users' or '₹250 crore turnover') for becoming a Significant Data Fiduciary. Only a government notification can designate you one.
- you've seen '50 lakh users / ₹250 crore' SDF claims online
- you're unsure whether extra SDF duties apply to you
Log4Shell is years old and still one of the most-exploited flaws
CVE-2021-44228 ("Log4Shell") in Apache Log4j lets an attacker run arbitrary code with a single crafted string. Years after disclosure it is still heavily exploited, because unpatched Log4j stays buried deep inside production Java stacks.
India's SaaS and enterprise estates are Java-heavy, and Log4j often hides inside dependencies nobody remembers shipping. If you run Java anywhere internet-facing, confirm you're on Log4j 2.17+ — a Kavach scan flags services that still respond to the exploit string.
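Finding the copies of log4j-core buried in a Java estate is mostly an inventory problem. The script below is an added illustration written for this digest, not code from Raksha, Kavach or the Log4j project: it walks a directory, opens every .jar/.war/.ear, recurses into archives nested inside them (fat jars, WEB-INF/lib) and flags any log4j-core older than the 2.17 floor mentioned above. The sample estate it scans is constructed in a temp directory; point `find_log4j` at a real path such as an application server's install directory to use it for real.

```python
import io, re, zipfile, tempfile, pathlib

LOG4J_FIXED = (2, 17, 0)  # floor the item above recommends; anything below is flagged
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '2.17.0-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def find_log4j(root):
    """Walk root, open every .jar/.war/.ear, recurse into archives nested inside
    them (fat jars, WEB-INF/lib) and return [(location, version, is_vulnerable)]."""
    findings = []
    def scan(data, label):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return  # not a zip container; nothing to inspect
        if POM in zf.namelist():  # log4j-core ships its Maven metadata here
            props = dict(l.split("=", 1) for l in zf.read(POM).decode().splitlines() if "=" in l)
            ver = props.get("version", "").strip()  # unknown version -> () -> flagged
            findings.append((label, ver, version_tuple(ver) < LOG4J_FIXED))
        for name in zf.namelist():
            if name.endswith((".jar", ".war", ".ear")):  # nested archive: scan it too
                scan(zf.read(name), f"{label}!{name}")
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file() and p.suffix in (".jar", ".war", ".ear"):
            scan(p.read_bytes(), str(p))
    return findings

def _jar(version=None, nested=()):
    """Build a minimal jar in memory (constructed test data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM, f"version={version}\nartifactId=log4j-core\n")
        for name, data in nested:
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_estate():
    """Constructed sample: a patched jar on disk and an old log4j-core buried in a WAR."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "log4j-core-2.17.1.jar").write_bytes(_jar("2.17.1"))
    (root / "app.war").write_bytes(_jar(nested=[("WEB-INF/lib/log4j-core-2.14.1.jar", _jar("2.14.1"))]))
    return str(root)
```

The WAR in the sample reports no log4j-core at its top level; only the recursion into WEB-INF/lib surfaces the 2.14.1 copy, which is exactly the "dependency nobody remembers shipping" case.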
regreSSHion: a critical OpenSSH flaw reopened a years-old hole
CVE-2024-6387 ("regreSSHion") is an unauthenticated remote-code-execution race condition in OpenSSH's server on glibc Linux — a regression that re-introduced a previously fixed bug, affecting a huge population of internet-facing SSH servers.
Most Indian startups run on Linux VPS and cloud instances with SSH exposed to the world. Patch OpenSSH, and better still put SSH behind a bastion or IP allowlist so a future server-side RCE isn't reachable from anywhere on the internet.
The MOVEit breach wave shows the cost of one file-transfer bug
A SQL-injection flaw in Progress MOVEit Transfer (CVE-2023-34362) was mass-exploited by the Cl0p group to steal data from thousands of organisations through their managed file-transfer servers — one of the largest breach campaigns on record.
Indian fintech, BPO and logistics firms lean on managed file-transfer tools to move bulk data with partners. A single internet-exposed transfer appliance is a high-value target — inventory yours, patch on disclosure, and don't leave them reachable from the open internet.
Phishing kits impersonating Indian banks and UPI apps keep evolving
Threat actors keep running high-volume phishing and fake-app campaigns that impersonate Indian banks, UPI handles and payment apps to harvest credentials and OTPs. CERT-In repeatedly flags new lures aimed at Indian consumers and businesses.
UPI's ubiquity makes Indian users and merchants a constant phishing target. Train staff to distrust payment-related links and OTP requests, prefer 2FA that isn't OTP-over-SMS where you can, and make sure your own domain is hard to spoof (set SPF, DKIM and DMARC).
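Checking that your own domain is hard to spoof comes down to reading two TXT records. The checker below is an added example written for this digest, not Raksha's tooling: it grades a domain's SPF record (does it end in a real `-all`/`~all`?) and its `_dmarc` record (is the policy `quarantine` or `reject`, and is an `rua=` reporting address set?). DKIM is deliberately left out because it can only be verified per selector. The zone it reads is constructed, with a weak and a hardened configuration side by side; `lookup` is a stand-in for a DNS TXT resolver.

```python
def check_spf(txt_records):
    """Return issues with a domain's SPF, given its TXT strings (empty list = fine)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any server can send mail claiming your domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    tail = spf[0].split()[-1].lower()  # the final 'all' mechanism decides the default
    if tail in ("+all", "all"):
        return ["SPF ends in +all: every sender on the internet passes"]
    if tail == "?all":
        return ["SPF ends in ?all (neutral): offers no protection"]
    if tail not in ("-all", "~all"):
        return ["SPF has no explicit all mechanism at the end"]
    return []

def check_dmarc(txt_records):
    """Return issues with the _dmarc TXT record; DKIM itself needs a selector to check."""
    rec = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return ["no DMARC record: SPF/DKIM failures are not acted on"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (kv.split("=", 1) for kv in rec[0].split(";") if "=" in kv)}
    issues = []
    if tags.get("p", "").lower() == "none":
        issues.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif tags.get("p", "").lower() not in ("quarantine", "reject"):
        issues.append("DMARC p= tag missing or invalid")
    if "rua" not in tags:
        issues.append("no rua= address: you will not receive aggregate reports")
    return issues

def assess_domain(domain, lookup):
    """lookup(name) -> list of TXT strings (plug in a real DNS resolver here)."""
    return check_spf(lookup(domain)) + check_dmarc(lookup(f"_dmarc.{domain}"))

# Constructed sample zone, not any real domain's records: a weak and a hardened setup.
SAMPLE_ZONE = {
    "weak.example": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "hard.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.hard.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hard.example"],
}
```

`assess_domain("weak.example", SAMPLE_ZONE.get)` returns three findings while the hardened domain returns none; a `p=none` record is the common half-finished state where reports arrive but spoofed mail still lands.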
Don't just read it — find out where you stand.
A free scan shows what your live site is exposing today. When you're ready to be audit-ready, our Compliance Sprint gets you DPDPA-ready in 30 days.
Raksha News is general information, not legal or security advice. We link primary sources on every item so you can verify — confirm specifics with a qualified advisor before acting.