CERT-In’s directions issued under Section 70B of the IT Act (28 April 2022) set binding cyber-security obligations for a wide range of organisations operating in India, including strict incident-reporting timelines and log-retention requirements. CERT-In is India’s national nodal agency for cyber incidents and runs the auditor empanelment scheme under which CyberSigma is empanelled.
Who must comply
- Service providers, intermediaries, data centres and bodies corporate operating in India.
- Government organisations.
- Data centres, virtual private server (VPS) providers, cloud service providers and VPN service providers (with additional KYC obligations).
- Virtual asset / crypto exchanges and custodian wallet providers.
Key obligations
| Obligation | Requirement |
|---|---|
| Incident reporting | Report specified cyber incidents to CERT-In within 6 hours of noticing them |
| Log retention | Enable and securely maintain ICT system logs for a rolling 180 days, stored within India |
| Time synchronisation | Synchronise system clocks to NIC or NPL NTP servers |
| Point of contact | Designate and register a point of contact with CERT-In |
| KYC & records (specific providers) | Data centres, VPS, cloud and VPN providers must maintain subscriber/customer records for defined periods |
Types of incidents to report
The directions list reportable incident types including targeted scanning/probing, compromise of critical systems, unauthorised access, website defacements, malware/ransomware, data breaches and leaks, attacks on servers and network infrastructure, IoT and cloud incidents, and more.
Implementation roadmap
- Implement 24x7 incident detection and a 6-hour reporting workflow to CERT-In.
- Configure centralised logging with 180-day retention stored in India.
- Synchronise time to NIC/NPL NTP servers.
- Register a point of contact with CERT-In.
- For applicable providers, implement KYC and record-keeping.
- Test the reporting process and maintain evidence.
Evidence checklist
- Incident-response plan with the 6-hour CERT-In reporting workflow.
- Centralised logging with 180-day retention (in India).
- NTP time-synchronisation configuration.
- CERT-In point-of-contact registration.
- KYC/record-keeping evidence (for applicable providers).
- Records of any incidents reported to CERT-In.
