India's Computer Emergency Response Team has extended its six-hour incident reporting mandate to cover AI systems that process personal data of Indian citizens, closing a gap that had left model-serving infrastructure outside the compliance net.

The directions require covered entities to maintain security event logs for 180 days on infrastructure located within India, and to designate a point of contact for CERT-In coordination.

Security leaders broadly welcomed the clarity but flagged the operational burden for startups running inference on third-party clouds.