CERT-In, MeitY · India

CERT-In Directions (Cyber Incident Reporting)

CERT-In’s directions on incident reporting, log retention and security practices.

CERT-In’s directions, issued on 28 April 2022 under Section 70B of the IT Act, set binding cyber-security obligations for a wide range of organisations operating in India, including strict incident-reporting timelines and log-retention requirements. CERT-In is India’s national nodal agency for cyber incidents and runs the auditor empanelment scheme under which CyberSigma is empanelled.

Who must comply

  • Service providers, intermediaries, data centres and body corporates operating in India.
  • Government organisations.
  • Data centres, virtual private server (VPS) providers, cloud service providers and VPN service providers (with additional KYC obligations).
  • Virtual asset / crypto exchanges and custodian wallet providers.

Key obligations

Obligation | Requirement
Incident reporting | Report specified cyber incidents to CERT-In within 6 hours of noticing them
Log retention | Enable and securely maintain ICT system logs for a rolling 180 days, stored within India
Time synchronisation | Synchronise system clocks to NIC or NPL NTP servers
Point of contact | Designate and register a point of contact with CERT-In
KYC & records (specific providers) | Data centres, VPS, cloud and VPN providers must maintain subscriber/customer records for defined periods

Types of incidents to report

The directions list reportable incident types including targeted scanning/probing, compromise of critical systems, unauthorised access, website defacements, malware/ransomware, data breaches and leaks, attacks on servers and network infrastructure, IoT and cloud incidents, and more.

Implementation roadmap

  1. Implement 24x7 incident detection and a 6-hour reporting workflow to CERT-In.
  2. Configure centralised logging with 180-day retention stored in India.
  3. Synchronise time to NIC/NPL NTP servers.
  4. Register a point of contact with CERT-In.
  5. For applicable providers, implement KYC and record-keeping.
  6. Test the reporting process and maintain evidence.

Evidence checklist

  • Incident-response plan with the 6-hour CERT-In reporting workflow.
  • Centralised logging with 180-day retention (in India).
  • NTP time-synchronisation configuration.
  • CERT-In point-of-contact registration.
  • KYC/record-keeping evidence (for applicable providers).
  • Records of any incidents reported to CERT-In.

How CyberSigma helps

We help you operationalise the CERT-In directions — the 6-hour reporting workflow, compliant logging and time-sync — and, as a CERT-In empanelled auditor, provide the VAPT and assurance regulators expect.

Frequently asked questions

What is the CERT-In 6-hour rule?
The April 2022 directions require covered organisations to report specified cyber incidents to CERT-In within 6 hours of noticing or being made aware of them.

How long must logs be retained?
ICT system logs must be maintained securely for a rolling period of 180 days and stored within India.
