
CERT-In Compliance Guide

6-Hour Incident Reporting & Mandatory Directions

Overview

CERT-In (the Indian Computer Emergency Response Team) issued mandatory Directions on April 28, 2022 under Section 70B(6) of the Information Technology Act, 2000, fundamentally changing cybersecurity compliance for organizations operating in India. The Directions require service providers, intermediaries, data centers, body corporates and government organizations to report cyber incidents to CERT-In within 6 hours of noticing them or being notified of them, and to implement a set of security measures. Non-compliance is punishable under Section 70B(7) of the IT Act with imprisonment for up to one year, a fine, or both. These are not guidelines; they carry the force of law.

Reportable Cyber Incidents

Incident Type                           | Examples                                                            | Reporting Window
Targeted scanning/probing               | Port scanning of critical systems, vulnerability probing            | 6 hours
Compromise of systems                   | Unauthorized access, defacement, malware infections                 | 6 hours
Data breaches                           | Unauthorized access to or exfiltration of personal or sensitive data| 6 hours
Identity theft and spoofing             | Phishing attacks, DNS spoofing, credential theft                    | 6 hours
Denial of Service attacks               | DDoS, application-layer attacks                                     | 6 hours
Malicious code attacks                  | Ransomware, wiper malware, trojans                                  | 6 hours
Attacks on servers and applications     | SQL injection, XSS, API attacks                                     | 6 hours
Attacks on critical infrastructure      | SCADA/ICS attacks, supply chain compromise                          | 6 hours
Unauthorized access to social media     | Compromise of official social media accounts                        | 6 hours

Mandatory Compliance Requirements

  • Report all cyber incidents to CERT-In within 6 hours of noticing them or being notified of them
  • Synchronize all ICT system clocks to NTP servers of NIC or NPL, or to NTP servers traceable to these
  • Maintain logs of all ICT systems for a rolling period of 180 days within Indian jurisdiction
  • Data centers, VPS providers, cloud service providers and VPN service providers must maintain accurate subscriber and customer registration data for 5 years or longer after cancellation or withdrawal of the registration
  • Virtual private server providers must maintain validated KYC records of all subscribers for 5 years
  • Cloud service providers must maintain KYC data and records of resource allocation for 5 years
  • Virtual asset service providers and exchanges must maintain KYC and transaction records for 5 years
  • Designate a Point of Contact (PoC) and communicate details to CERT-In

Log Retention and Synchronization

The 180-day log retention requirement is the most operationally significant mandate. The Directions require logs of all ICT systems to be maintained securely for a rolling period of 180 days within Indian jurisdiction, and to be provided to CERT-In along with any incident report or when CERT-In asks for them. In practice that means firewall logs, IDS/IPS logs, web and proxy logs, mail server logs, DNS logs, application logs, database logs, and endpoint detection logs at a minimum. Every system generating these logs must be synchronized to the NTP servers of NIC (National Informatics Centre) or NPL (National Physical Laboratory), or to NTP servers traceable to them. Synchronization matters because an incident report and its supporting logs are only useful if timestamps can be correlated across systems and will stand up as forensic evidence.

Implementation Action Plan

  • Designate a Point of Contact and submit details to CERT-In using the prescribed format
  • Configure all ICT systems to sync with NIC or NPL NTP servers
  • Deploy centralized log collection covering all in-scope systems
  • Configure 180-day log retention with storage within Indian jurisdiction
  • Establish an incident detection and reporting process that meets the 6-hour window
  • Build a pre-formatted incident report template aligned with CERT-In reporting requirements
  • Conduct tabletop exercises to test your 6-hour reporting capability
  • Review and update KYC processes for applicable service categories
  • Train SOC and IT teams on what constitutes a reportable incident
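The retention, time-synchronization and 6-hour-window items above are measurable, so they can be checked continuously rather than once a year. The following is an added example, not code from this guide or from CERT-In: a small self-assessment that runs three of those checks over an inventory you would export from your SIEM, CMDB and ticketing system. The sample inventory, the NTP allow-list (`TRACEABLE_NTP`), and every host, log source and incident name in it are constructed assumptions for illustration; replace them with your own exports.

```python
"""Self-assessment for the measurable CERT-In controls: 6-hour reporting,
180-day in-India log retention, NIC/NPL-traceable NTP. Added example; the
inventory below is constructed and the allow-list is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

IST = timezone(timedelta(hours=5, minutes=30))
REPORT_WINDOW = timedelta(hours=6)      # report within 6 hours of noticing
LOG_RETENTION_DAYS = 180                # rolling 180-day retention
LOG_JURISDICTION = "IN"                 # logs kept within Indian jurisdiction
# Assumption: your own NTP servers that are NIC/NPL or traceable to them.
TRACEABLE_NTP = {"ntp-nic-1.example.internal", "ntp-npl-1.example.internal"}

@dataclass
class Incident:
    ident: str
    noticed_at: datetime             # tz-aware; the clock starts here, not at occurrence
    reported_at: Optional[datetime]  # None = report not yet sent

@dataclass
class LogSource:
    name: str
    retention_days: int
    storage_region: str

@dataclass
class Host:
    name: str
    ntp_source: str
    synced: bool

def reporting_deadline(noticed_at: datetime) -> datetime:
    """Deadline = noticed + 6h, rendered in IST as CERT-In will read it."""
    if noticed_at.tzinfo is None:
        raise ValueError("noticed_at must be timezone-aware")
    return (noticed_at + REPORT_WINDOW).astimezone(IST)

def check_incident(inc: Incident, now: datetime) -> List[str]:
    deadline = reporting_deadline(inc.noticed_at)
    if inc.reported_at is None:
        if now > deadline:
            return [f"{inc.ident}: unreported, deadline {deadline.isoformat()} has passed"]
        return []
    if inc.reported_at > deadline:
        return [f"{inc.ident}: reported {inc.reported_at - deadline} after the deadline"]
    return []

def check_log_source(src: LogSource) -> List[str]:
    findings = []
    if src.retention_days < LOG_RETENTION_DAYS:
        findings.append(f"{src.name}: retention {src.retention_days}d < {LOG_RETENTION_DAYS}d")
    if src.storage_region != LOG_JURISDICTION:
        findings.append(f"{src.name}: stored in {src.storage_region}, not {LOG_JURISDICTION}")
    return findings

def check_host_clock(host: Host) -> List[str]:
    findings = []
    if host.ntp_source not in TRACEABLE_NTP:
        findings.append(f"{host.name}: NTP source {host.ntp_source} not traceable to NIC/NPL")
    if not host.synced:
        findings.append(f"{host.name}: clock not synchronized")
    return findings

def assess(incidents, log_sources, hosts, now) -> List[str]:
    """Run every check and return the list of findings (empty = compliant)."""
    findings: List[str] = []
    for inc in incidents:
        findings += check_incident(inc, now)
    for src in log_sources:
        findings += check_log_source(src)
    for host in hosts:
        findings += check_host_clock(host)
    return findings

# Constructed sample inventory (UTC timestamps; deadlines are rendered in IST).
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2024, 3, 9, 22, 0, tzinfo=timezone.utc),
             datetime(2024, 3, 10, 1, 30, tzinfo=timezone.utc)),   # reported in time
    Incident("INC-2", datetime(2024, 3, 9, 23, 0, tzinfo=timezone.utc),
             datetime(2024, 3, 10, 6, 0, tzinfo=timezone.utc)),    # one hour late
    Incident("INC-3", datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc), None),  # open, not yet due
]
SAMPLE_LOG_SOURCES = [
    LogSource("firewall", 180, "IN"),
    LogSource("proxy", 90, "IN"),          # retention too short
    LogSource("endpoint-edr", 365, "EU"),  # stored outside India
]
SAMPLE_HOSTS = [
    Host("web-01", "ntp-nic-1.example.internal", True),
    Host("db-01", "pool.ntp.org", True),   # public pool, not traceable to NIC/NPL
]

if __name__ == "__main__":
    for line in assess(SAMPLE_INCIDENTS, SAMPLE_LOG_SOURCES, SAMPLE_HOSTS, NOW):
        print(line)
```

Two design points matter more than the checks themselves. First, the deadline is computed from the time the incident was noticed, not from when it occurred, because that is what the Directions say; feeding `occurred_at` into this function would understate how much time you actually have. Second, all timestamps are timezone-aware and the deadline is rendered in IST, so an on-call engineer in another region cannot misread a UTC deadline as local time.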

Penalties for Non-Compliance

Failure to comply with the Directions is punishable under Section 70B(7) of the Information Technology Act, 2000 with imprisonment for up to one year, a fine, or both. CERT-In can also call for information and issue directions under Section 70B(6), including requesting systems for analysis or access to facilities, and failing to provide the information or to comply with such a direction is itself an offense under Section 70B(7). The 6-hour clock starts when an incident is noticed or brought to the organization's notice, not when it occurred, so detection latency is not counted against the deadline. That is not a loophole, however: an organization that fails to detect an evident incident, or delays acknowledging one that has been reported to it, invites scrutiny of its detection capability rather than relief from the deadline.

Frequently Asked Questions

Do the CERT-In directions apply to all organizations in India?
Yes. The directions apply to all service providers, intermediaries, data centers, body corporates, and government organizations. There is no exemption based on size or industry. Any entity operating ICT infrastructure in India must comply.
What happens if we discover an incident outside business hours?
The 6-hour reporting window runs from the time the incident is "noticed," regardless of business hours. Organizations need processes and on-call arrangements to report incidents to CERT-In within 6 hours at any time, including weekends and holidays.
Where do we submit incident reports?
Incidents must be reported to CERT-In by email (incident@cert-in.org.in), by the phone and fax numbers published in Annexure I of the Directions, or through the incident reporting form on the CERT-In website. The reporting format covers the reporting organization's contact details, the systems affected, the incident type and description, the impact, and the actions taken.
Can logs be stored in cloud infrastructure outside India?
The text of the Directions requires the 180-day logs to be maintained within Indian jurisdiction, so the conservative reading is to keep them on infrastructure physically located in India. CERT-In's subsequent FAQ on the Directions states that logs may also be stored outside India provided the entity can produce them to CERT-In within a reasonable time. If you rely on that relaxation, make sure the retrieval path is tested and documented, and confirm the position with counsel before moving log storage out of India.
How does this interact with DPDPA 2023?
CERT-In Directions and the Digital Personal Data Protection Act (DPDPA) 2023 operate in parallel. CERT-In focuses on incident reporting and technical security measures, while DPDPA governs personal data processing and data principals' rights. DPDPA separately requires a data fiduciary to notify the Data Protection Board and each affected data principal of a personal data breach, so a breach involving personal data may trigger two notifications with different recipients, timelines and formats.

Ready to use this resource?

Download it now or schedule a demo to see how Hunto AI can automate your security workflows.

Book a Demo