Morning Overview

India’s national cyber agency just ordered companies to patch internet-facing security flaws within 12 hours — the tightest deadline in the world as AI speeds up attacks

Every company running internet-facing systems in India now has half a day to fix known security flaws or risk regulatory consequences. In a directive published in early 2025 and drawing increased attention as of June 2026, India’s national cyber coordination body has set what appears to be the world’s tightest mandatory patching deadline: 12 hours from the moment a vulnerability is publicly disclosed and confirmed to be under active exploitation.

The rule is part of a document titled the Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure, published on India’s official cyber security portal. It applies to organizations under the oversight of CERT-In, the Indian Computer Emergency Response Team, and it targets a specific category of threat: software flaws in publicly reachable systems that attackers are already exploiting in the wild.

The mandate is not India’s first aggressive cybersecurity timeline. In 2022, CERT-In issued directions requiring organizations to report cyber incidents within six hours of detection, a rule that triggered significant pushback from industry groups and global technology firms. The new 12-hour patching requirement goes further, moving from notification to remediation and compressing the expected response into a single shift cycle.

Why 12 hours, and why now

The blueprint frames AI-assisted exploitation as the core reason for the compressed timeline. Its argument: the gap between public disclosure of a vulnerability and its weaponization by attackers has shrunk from weeks to hours as AI tools accelerate reconnaissance, exploit code generation, and automated targeting of vulnerable systems.

Published research supports the general trend, even if the blueprint itself does not cite specific studies. Google’s Threat Analysis Group and Mandiant reported that the median time-to-exploit for newly disclosed vulnerabilities dropped from 63 days in 2018 to just five days by 2023. Rapid7’s annual vulnerability intelligence reports have documented a similar compression. Academic research from the University of Illinois in 2024 demonstrated that large language models could autonomously exploit known vulnerabilities in test environments, reinforcing concerns that AI lowers the skill barrier for attackers.

None of these studies prove that AI-driven exploitation has already hit Indian infrastructure specifically. CERT-In has not published incident data tying a particular attack to AI-accelerated methods. But the directional evidence is strong enough that policymakers in New Delhi appear to have decided the risk justifies preemptive action rather than waiting for a domestic case study.

How the patching clock works

The blueprint borrows its prioritization framework directly from the U.S. Cybersecurity and Infrastructure Security Agency. CISA maintains a public Known Exploited Vulnerabilities (KEV) catalog that lists software flaws confirmed to have been used in real-world attacks. The Indian directive treats any KEV-listed flaw affecting an internet-facing asset as an emergency requiring remediation within 12 hours of public disclosure.

In practical terms, this means organizations must maintain a continuously updated inventory of their publicly reachable systems and cross-reference that inventory against the KEV catalog as new entries appear. The moment a match is found, the clock starts.
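The cross-referencing step described above can be sketched as follows. This is an added example, not code from the blueprint or from CISA. It assumes exact vendor and product name matching with no version checks, a hypothetical inventory format, placeholder CVE IDs, and a clock-start timestamp supplied by the organization that falls back to the moment the match is found.

```python
from datetime import datetime, timedelta, timezone

PATCH_WINDOW = timedelta(hours=12)  # remediation window stated in the blueprint

# Constructed sample using field names from CISA's KEV JSON feed; the CVE IDs
# are placeholders, not real catalog entries.
KEV_ENTRIES = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway"},
    {"cveID": "CVE-0000-0002", "vendorProject": "OtherVendor", "product": "Mail Server"},
]
# Constructed inventory; these field names are hypothetical.
INVENTORY = [
    {"host": "vpn.example.in", "vendor": "examplevendor", "product": "edge gateway ", "internet_facing": True},
    {"host": "gw.internal.example.in", "vendor": "ExampleVendor", "product": "Edge Gateway", "internet_facing": False},
    {"host": "www.example.in", "vendor": "ThirdVendor", "product": "Web Server", "internet_facing": True},
]

def _key(vendor, product):
    # Normalise case and whitespace so inventory spelling drift still matches.
    return (vendor.strip().lower(), product.strip().lower())

def open_findings(inventory, kev_entries, clock_starts, now):
    """Match internet-facing assets to KEV entries and compute each deadline.

    clock_starts maps CVE ID -> the timestamp the organisation records as the
    trigger (an assumption: the blueprint's trigger definition is unclear).
    A CVE with no recorded trigger starts its clock at match time (now).
    """
    by_product = {}
    for entry in kev_entries:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry["cveID"])
    findings = []
    for asset in inventory:
        if not asset["internet_facing"]:
            continue  # the 12-hour rule targets publicly reachable systems
        for cve in by_product.get(_key(asset["vendor"], asset["product"]), []):
            deadline = clock_starts.get(cve, now) + PATCH_WINDOW
            findings.append({"host": asset["host"], "cve": cve, "deadline": deadline,
                             "hours_left": (deadline - now).total_seconds() / 3600,
                             "overdue": now > deadline})
    return sorted(findings, key=lambda f: f["hours_left"])  # most urgent first

if __name__ == "__main__":
    starts = {"CVE-0000-0001": datetime(2026, 6, 1, 8, 0, tzinfo=timezone.utc)}
    for f in open_findings(INVENTORY, KEV_ENTRIES, starts, datetime(2026, 6, 1, 15, 30, tzinfo=timezone.utc)):
        print(f"{f['host']} {f['cve']} due {f['deadline']:%Y-%m-%d %H:%MZ} ({f['hours_left']:.1f}h left)")
```

Name-only matching over-reports when an asset already runs a fixed version, so a production check would also compare installed versions against the vendor advisory.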

The blueprint makes clear that waiting for a scheduled maintenance window is not acceptable. Organizations are expected to have pre-authorized emergency change procedures that allow rapid deployment of vendor patches or, when patches are not yet available, compensating controls such as temporary service isolation, configuration hardening, or web application firewall rules.

No other country has gone this far

Among publicly documented national mandates, no government has imposed a patching deadline this aggressive. CISA’s Binding Operational Directive 22-01, which covers U.S. federal civilian agencies, typically allows 14 to 21 days for remediation of KEV-listed vulnerabilities. Australia’s Essential Eight maturity model recommends patching critical vulnerabilities within 48 hours. The European Union’s NIS2 directive establishes incident-reporting timelines and broad risk-management obligations but does not prescribe a fixed patching clock measured in hours.

The gap between a 12-hour mandate and the operational reality of enterprise IT is substantial. Large organizations typically test patches in staging environments before deploying them to production, a process that can take days even under pressure. The Indian timeline effectively forces companies to choose between two uncomfortable options: invest heavily in automated vulnerability management that can compress testing and deployment into hours, or accept the risk of pushing untested patches to production to avoid a compliance violation.

The directive also challenges a common practice in corporate IT: risk acceptance. In many organizations, a business owner can sign off on deferred patching if the operational cost of disruption outweighs the perceived security risk. Under a hard 12-hour mandate for actively exploited flaws, that calculation changes sharply. The blueprint treats failure to patch in time not as a discretionary business decision but as a potential regulatory lapse.

Significant gaps remain

For all its ambition, the directive leaves several critical questions unanswered.

Enforcement: No public data from CERT-In shows which catalog entries have triggered the 12-hour rule, how many organizations have received compliance notices, or what penalties apply for missing the deadline. Without enforcement statistics, it is difficult to judge whether the mandate has already changed patching behavior across Indian networks or remains largely aspirational.

Scope: CERT-In’s authority extends across sectors, but the blueprint does not specify whether critical infrastructure operators, banks, telecom providers, and smaller enterprises all face the same 12-hour clock. India’s banking regulator (RBI) and telecom authority (TRAI) enforce their own cybersecurity standards, and the blueprint does not address how overlapping or conflicting requirements should be resolved.

Trigger definitions: The document does not spell out whether “public disclosure” means a vendor advisory, a global vulnerability database entry, or a formal CERT-In notice. It is also unclear whether exploitation must be confirmed by Indian authorities, observed on domestic networks, or can be inferred from international threat intelligence feeds. These definitional gaps could become contentious if an organization disputes when its 12-hour window actually began.

Why this matters beyond India

India is home to one of the world’s largest IT services industries. Companies like TCS, Infosys, and Wipro manage infrastructure and applications for clients across dozens of countries. A domestic mandate that forces these firms to overhaul their patching processes will ripple outward, potentially raising the baseline for vulnerability response times in organizations that rely on Indian-managed services.

The directive also sets a policy precedent. If India demonstrates that a 12-hour patching mandate is enforceable and effective, other governments facing the same AI-accelerated threat landscape may follow with similarly compressed timelines. Conversely, if the mandate proves unworkable and leads to rushed patches causing service outages, it could become a cautionary example of regulation outpacing operational capacity.

For now, the strongest evidence comes from two primary, government-maintained sources: the blueprint itself on India’s national cyber security knowledge portal and CISA’s KEV catalog. What neither source provides is outcome data. There is no published measurement of how quickly Indian organizations are actually patching, no before-and-after comparison of exploitation rates, and no enforcement record showing real consequences for noncompliance.

Companies operating internet-facing systems under CERT-In jurisdiction should treat the blueprint as an active compliance requirement regardless. The most immediate steps: build an accurate, continuously updated asset inventory of publicly reachable systems, cross-reference it against the KEV catalog, establish emergency change procedures with clear internal ownership (who decides, who approves, who executes), and budget for the automated tooling and around-the-clock monitoring coverage that a 12-hour window demands. Until CERT-In publishes enforcement data or clarifying guidance, assuming the mandate carries real consequences is the safer bet.


*This article was researched with the help of AI, with human editors creating the final content.

