CERT-In Compliance: Directions, 6-Hour Incident Reporting & Audit Guide
Since 2022, CERT-In compliance has become a baseline obligation for almost every organisation operating digital systems in India. The Indian Computer Emergency Response Team (CERT-In), under Section 70B of the Information Technology Act, issued Directions that introduced strict timelines for reporting cyber incidents, mandatory logging, and record-keeping requirements that apply across service providers, intermediaries, data centres, and body corporates.
This guide explains what the CERT-In Directions require, who must comply, the 6-hour incident reporting rule, log retention and time-synchronisation obligations, the incidents you must report, and how to prepare. CyberSigma, a CERT-In empanelled cybersecurity firm, helps organisations meet these requirements and demonstrate compliance.
What Are the CERT-In Directions?
In April 2022, CERT-In issued Directions under Section 70B(6) of the IT Act relating to information security practices, procedures, prevention, response, and reporting of cyber incidents. They are legally binding on a broad set of entities and were designed to strengthen the country's collective cyber resilience by ensuring incidents are reported quickly and that logs and records are available for investigation.
Who Must Comply with CERT-In?
The Directions apply broadly to entities operating in or serving India:
- Service providers, intermediaries, and data centres
- Body corporates and companies operating digital systems
- Cloud service providers and hosting providers
- VPN service providers (with specific KYC and record-keeping obligations)
- Virtual asset service providers and exchanges
- Government organisations and their service providers
The 6-Hour Incident Reporting Rule
The most well-known requirement is the reporting timeline: organisations must report specified cyber incidents to CERT-In within six hours of noticing or being notified about them. This is significantly tighter than many international regimes and means incident detection and an internal escalation process must be operational and tested, not theoretical. Reports are made to CERT-In through the prescribed channels.
Logging and Time-Synchronisation Requirements
Beyond reporting, the Directions impose ongoing obligations:
- Enable and securely maintain logs of ICT systems for a rolling period of 180 days, stored within India
- Synchronise all system clocks to the Network Time Protocol (NTP) servers of NIC or NPL (or a traceable source)
- VPN, cloud, and data-centre providers: maintain validated customer (KYC) and subscription records for at least five years
- Virtual asset providers: maintain KYC and transaction records as specified
What Incidents Must Be Reported?
The Directions list categories of reportable incidents, including (among others): targeted scanning or probing of critical systems, compromise of critical systems, unauthorised access to data or systems, website defacements, malware and ransomware infections, attacks on servers and network infrastructure, data breaches and data leaks, attacks on IoT and SCADA systems, and incidents affecting cloud, applications, or digital payment systems. When in doubt, the safe approach is to report.
Penalties for Non-Compliance
Non-compliance with CERT-In Directions can attract action under Section 70B(7) of the IT Act, which provides for penalties including imprisonment or fine. Beyond legal exposure, failing to report or to maintain logs undermines incident investigation and signals weak governance to regulators, partners, and customers.
How to Prepare for CERT-In Compliance
- Implement centralised logging with 180-day retention, stored in India
- Synchronise system clocks to NIC/NPL NTP sources
- Build and test an incident-response runbook that can produce a CERT-In report within six hours
- Define escalation paths and ownership so detection translates into reporting fast
- Maintain the required KYC and subscription records if you are a VPN, cloud, or data-centre provider
- Engage a CERT-In empanelled auditor to validate controls and readiness
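The following Python example is added here and is not taken from CERT-In or CyberSigma. It checks a log-archive index for gaps in the rolling 180-day window and computes the six-hour reporting deadline from the time an incident was noticed. The source names, the index format, and the sample dates are constructed assumptions.

```python
from datetime import date, datetime, timedelta, timezone

RETENTION_DAYS = 180                  # rolling log window from the Directions
REPORT_WINDOW = timedelta(hours=6)    # reporting deadline from the Directions
IST = timezone(timedelta(hours=5, minutes=30))

def retention_gaps(index, today, window=RETENTION_DAYS):
    """Return {source: [(first_missing, last_missing), ...]} for the window.

    index maps a log source to the set of dates that have archived logs
    (hypothetical format; build it from your SIEM or archive listing).
    """
    gaps = {}
    for source, days in index.items():
        runs, start = [], None
        for n in range(window - 1, -1, -1):       # oldest day first
            day = today - timedelta(days=n)
            if day not in days:
                start = start or day              # open a gap
            elif start:
                runs.append((start, day - timedelta(days=1)))
                start = None
        if start:                                 # gap runs up to today
            runs.append((start, today))
        if runs:
            gaps[source] = runs
    return gaps

def report_deadline(noticed_at):
    """Latest time a report can be filed for an incident noticed at noticed_at."""
    if noticed_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; naive ones are ambiguous")
    return noticed_at + REPORT_WINDOW

# Constructed sample data: three hypothetical log sources.
TODAY = date(2024, 7, 1)
FULL = {TODAY - timedelta(days=n) for n in range(RETENTION_DAYS)}
INDEX = {
    "fw-01": FULL,
    "vpn-gw": FULL - {date(2024, 3, 10), date(2024, 3, 11)},   # forwarder outage
    "app-db": {d for d in FULL if d >= date(2024, 5, 1)},      # onboarded late
}

if __name__ == "__main__":
    for source, runs in retention_gaps(INDEX, TODAY).items():
        for first, last in runs:
            print(f"{source}: no logs {first} .. {last}")
    print("report by", report_deadline(datetime(2024, 7, 1, 22, 15, tzinfo=IST)))
```

Running a check like this on a schedule surfaces a silent forwarder failure long before an investigation needs the missing days.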
How CyberSigma Helps
As a CERT-In empanelled cybersecurity firm, CyberSigma helps organisations operationalise CERT-In compliance — from logging and time-sync architecture to incident-response readiness and the testing that backs it up. Our senior auditors validate that your controls meet the Directions and that, if an incident occurs, you can detect, contain, and report within the six-hour window with confidence.
Conclusion
CERT-In compliance is not a one-time project but an operational capability: fast detection, disciplined logging, and a reporting process that works under pressure. Organisations that build these into business as usual stay on the right side of the law and respond to incidents far more effectively. A readiness review with an empanelled partner is the quickest way to close the gaps.