On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) issued Directions under Section 70B(6) of the Information Technology Act, 2000. These Directions came into force on June 28, 2022, and fundamentally changed the cyber security compliance landscape for organisations operating in India.
The provision that received the most attention — and created the most operational anxiety — was the 6-hour incident reporting requirement. Three years on, many organisations still do not have the processes in place to comply with it.
What the CERT-In Directions Actually Require
The 2022 Directions apply to a broad set of entities:
- All service providers, intermediaries, data centres, body corporates, and government organisations
This effectively covers every significant organisation operating IT systems in India.
The 6-Hour Reporting Obligation
Organisations must report cyber incidents to CERT-In within 6 hours of detection. This is not 6 hours from the start of the incident — it is 6 hours from when your team becomes aware of it.
The 20 incident types that must be reported include:
- Targeted scanning and probing of critical networks
- Compromise of critical systems or information
- Unauthorised access to IT systems and data
- Website defacement
- Malicious code attacks including ransomware
- Attacks on critical infrastructure
- DDoS attacks
- Data breaches and data leaks
- Attacks on Internet of Things (IoT) devices
Log Retention — 180 Days
All ICT (Information and Communication Technology) system logs must be maintained within Indian jurisdiction for a rolling period of 180 days. This includes server logs, network device logs, application logs, and security event logs.
Logs must be available for CERT-In inspection on demand.
Synchronised Time — NTP Servers
All ICT infrastructure must synchronise time with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or National Physical Laboratory (NPL), or with NTP servers traceable to these authoritative sources.
This is a technical requirement that most organisations overlook entirely until they receive a compliance notice.
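A concrete way to check the NTP requirement on a Linux host, added here as an example and not part of the original article: it parses the output of `chronyc tracking`, confirms the selected reference is on the organisation's approved list of NIC/NPL (or NIC/NPL-traceable) servers, and flags clock drift beyond an alerting threshold. The server names and the 0.5-second threshold are assumptions, and the sample output is constructed so the script runs offline.

```python
import re
import subprocess

# Assumed placeholder names: replace with the NIC/NPL servers (or internal
# servers traceable to them) that your organisation has approved.
APPROVED_SOURCES = {"ntp-nic.placeholder.in", "ntp-npl.placeholder.in"}
MAX_OFFSET_SECONDS = 0.5  # assumed alerting threshold for clock drift

# Constructed sample of `chronyc tracking` output for offline runs.
SAMPLE_TRACKING = """\
Reference ID    : C0A80A0A (ntp-nic.placeholder.in)
Stratum         : 2
System time     : 0.000314119 seconds slow of NTP time
Last offset     : -0.000021740 seconds
Update interval : 64.5 seconds
Leap status     : Normal
"""

def parse_tracking(text):
    """Return (reference_name, signed_offset_seconds, leap_status)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    ref = re.search(r"\((.*?)\)", fields.get("Reference ID", ""))
    reference = ref.group(1) if ref and ref.group(1) else None  # "()" when unsynchronised
    off = re.match(r"([\d.]+) seconds (fast|slow)", fields.get("System time", ""))
    offset = float(off.group(1)) * (1 if off.group(2) == "fast" else -1) if off else 0.0
    return reference, offset, fields.get("Leap status")

def check_ntp_compliance(text, approved=APPROVED_SOURCES, max_offset=MAX_OFFSET_SECONDS):
    """Return a list of findings; an empty list means the host passes."""
    reference, offset, leap = parse_tracking(text)
    findings = []
    if reference is None:
        findings.append("no reference source selected (clock not synchronised)")
    elif reference not in approved:
        findings.append(f"reference {reference} is not an approved NIC/NPL source")
    if abs(offset) > max_offset:
        findings.append(f"clock offset {offset:+.6f}s exceeds {max_offset}s")
    if leap != "Normal":
        findings.append(f"leap status is {leap!r}, expected 'Normal'")
    return findings

if __name__ == "__main__":
    try:  # use the live daemon when present, otherwise the constructed sample
        text = subprocess.run(["chronyc", "tracking"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_TRACKING
    print("\n".join(check_ntp_compliance(text) or ["NTP synchronisation compliant"]))
```

Run it from cron or your monitoring agent and alert on any non-empty findings list; the same parser works for every server in the fleet.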
VPN and Cloud Service Providers
VPN service providers must maintain logs of all subscribers, including validated names and email addresses, IP addresses assigned, timestamps of all connections, and the purpose of use. Data must be retained for 5 years.
Cloud service providers and virtual private server (VPS) providers must maintain records of subscribers and the infrastructure they use.
Why 6-Hour Reporting Is Operationally Hard
The 6-hour window sounds generous until you map out what it requires in practice.
Detection: You need a monitoring system that detects the incident. Many SMBs rely on manual detection — an employee notices something is wrong. By the time it is escalated internally, 2–3 hours may already have passed.
Classification: You need to determine whether the incident falls into one of the 20 reportable categories. This requires someone with enough knowledge to make that determination quickly, under pressure.
Notification: You need to notify CERT-In through the official reporting mechanism (the CERT-In incident reporting portal) with specific technical details including the nature of the incident, affected systems, and initial impact assessment.
Internal escalation: Senior management and legal counsel may need to be involved before notification. In organisations without a pre-approved incident response protocol, this internal process alone can consume the available time.
Organisations without a tested incident response plan will almost always miss the 6-hour window the first time they face a real incident. The second time, they will not — but by then they may have already faced CERT-In scrutiny.
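The detection-to-notification workflow above can be timed the same way in a tabletop exercise (step 4 of the readiness steps later in this article). The following is an added example, not from the original article: it takes the timestamps recorded for each stage, starts the 6-hour clock at detection rather than at the start of the incident, and reports which stage consumed the most time and by how much the deadline was overrun. The timeline values are constructed, and the stage names are an assumption about how an exercise would log them.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)  # CERT-In: 6 hours from detection

# Stages in the order the article describes them; internal escalation sits
# before notification because it usually has to complete first.
STAGES = ["detected", "classified", "escalated", "notified"]

# Constructed tabletop log: an employee notices encrypted file shares in the
# morning, escalation to management drags, and notification lands late.
SAMPLE_TIMELINE = {
    "incident_started": "2022-07-04T02:10:00+05:30",  # attacker activity; not the clock start
    "detected":   "2022-07-04T09:05:00+05:30",
    "classified": "2022-07-04T10:20:00+05:30",
    "escalated":  "2022-07-04T13:45:00+05:30",
    "notified":   "2022-07-04T15:30:00+05:30",
}

def assess_timeline(events, window=REPORTING_WINDOW):
    """Return stage durations, the CERT-In deadline, and whether it was met.
    The window runs from 'detected', never from 'incident_started'."""
    times = {k: datetime.fromisoformat(v).astimezone(IST) for k, v in events.items()}
    present = [s for s in STAGES if s in times]
    if present[:1] != ["detected"]:
        raise ValueError("a detection timestamp is required; the window runs from detection")
    durations = {cur: times[cur] - times[prev] for prev, cur in zip(present, present[1:])}
    deadline = times["detected"] + window
    notified = times.get("notified")
    return {
        "deadline_ist": deadline.isoformat(),
        "stage_minutes": {k: int(v.total_seconds() // 60) for k, v in durations.items()},
        "slowest_stage": max(durations, key=durations.get) if durations else None,
        "notified_within_window": notified is not None and notified <= deadline,
        "overrun_minutes": (max(0, int((notified - deadline).total_seconds() // 60))
                            if notified else None),
    }

if __name__ == "__main__":
    for key, value in assess_timeline(SAMPLE_TIMELINE).items():
        print(f"{key}: {value}")
```

In the constructed run the escalation stage alone takes 205 minutes and notification lands 25 minutes after the deadline, which is the kind of finding step 4 is meant to surface.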
The Incident Response Readiness Gap
A survey by DSCI (Data Security Council of India) found that only 31% of Indian organisations have a formally documented and tested incident response plan. This means 69% of organisations are attempting to respond to incidents — including within a 6-hour reporting window — without a defined process.
The gap is not awareness. Most IT and security teams are aware of the CERT-In obligation. The gap is operational readiness: the documented procedures, trained team, tested detection capabilities, and pre-approved communication templates that make 6-hour compliance achievable under real conditions.
What an Incident Response Assessment Covers
A cyber security maturity assessment that includes incident response readiness evaluates:
Detection Capability
- Is there a Security Information and Event Management (SIEM) system or equivalent?
- Are alerts configured for the 20 CERT-In reportable incident types?
- Is there 24/7 monitoring coverage, or only business-hours coverage?
Response Procedures
- Is there a documented incident response plan approved by senior management?
- Has it been tested in a tabletop exercise in the last 12 months?
- Are roles and responsibilities clearly defined for each incident type?
CERT-In Reporting Process
- Is there a pre-prepared notification template for CERT-In reporting?
- Does the team know how to access the CERT-In reporting portal?
- Is there a pre-approved escalation chain for reportable incidents?
Log Retention Compliance
- Are logs from all ICT systems being retained for at least 180 days?
- Is log storage within Indian jurisdiction?
- Are logs indexed and searchable for on-demand production?
NTP Synchronisation
- Are all servers and network devices synchronised to NIC or NPL NTP sources?
- Is synchronisation monitored and alerting configured for drift?
DPDP Act 2023 — The Next Layer
Organisations that achieve CERT-In compliance also need to prepare for the Digital Personal Data Protection (DPDP) Act 2023, which is in the process of rule finalisation. DPDP introduces:
- Mandatory personal data breach notification to the Data Protection Board of India
- Data minimisation and purpose limitation obligations
- Rights for data principals including access, correction, and erasure
- Significant financial penalties for non-compliance
The overlap between CERT-In incident response readiness and DPDP breach notification is substantial. Organisations that build robust incident response capabilities for CERT-In are well-positioned for DPDP compliance.
Steps to Achieve CERT-In Readiness
1. Assess current posture — Run a cyber security maturity assessment covering incident response, log management, detection capability, and NTP synchronisation. Identify specific gaps against CERT-In requirements.
2. Document the incident response plan — Create a formal, written plan that includes a CERT-In notification checklist, role assignments, and escalation procedures for each of the 20 reportable incident types.
3. Configure log retention — Audit all ICT systems for log coverage. Implement centralised log management with 180-day retention and Indian data residency.
4. Test the process — Run a tabletop exercise simulating a ransomware incident. Time the detection-to-notification workflow. Identify where delays occur and fix them.
5. Train the team — Ensure all IT staff know the 6-hour reporting obligation and their role in the response process. Not just the CISO — the first-line engineer who detects the incident needs to know what to do.
Frequently Asked Questions
Who does CERT-In's 6-hour reporting rule apply to? All service providers, intermediaries, data centres, body corporates, and government organisations operating in India. This is deliberately broad and covers virtually every organisation with a significant IT presence in India.
What happens if an organisation misses the 6-hour reporting window? CERT-In can issue directions requiring compliance and, in cases of repeated or wilful non-compliance, refer matters to the Ministry of Electronics and Information Technology (MeitY) for further action. The primary risk for most organisations is regulatory scrutiny and reputational impact.
Does the 6-hour rule apply to all cyber incidents? No. Only incidents falling into the 20 specified categories require mandatory reporting within 6 hours. Other incidents should still be reported but are not subject to the 6-hour obligation.
Are there penalties for non-compliance with CERT-In Directions? Non-compliance with CERT-In Directions can attract penalties under the Information Technology Act, including imprisonment and fines. The more immediate risk for most organisations is the mandatory audit and remediation process triggered by CERT-In scrutiny.
How does CERT-In compliance relate to ISO 27001? ISO 27001 provides a strong framework for information security management and addresses many of the same domains as CERT-In. However, CERT-In has India-specific requirements — particularly around the 6-hour reporting window, NTP synchronisation with Indian sources, and log data residency — that are not covered by ISO 27001 alone.
TACGauge partners across India — IT consultants and managed service providers — use TACGauge to run structured cyber security maturity assessments that evaluate their clients' CERT-In readiness across incident response, log management, detection capability, and more. The resulting report includes a benchmarked maturity score, gap analysis, and 90-day remediation roadmap.