Compliance with the CERT-In 2022 Directions is a legal obligation under Section 70B(6) of the Information Technology Act, 2000, binding every organisation operating digital infrastructure in India. Issued on April 28, 2022, the Directions mandate 6-hour cybersecurity incident reporting to CERT-In, 180-day log retention within Indian jurisdiction, NTP clock synchronisation, and 5-year subscriber data retention for VPN and cloud providers. Non-compliance is a legal violation, not a policy gap, and carries civil penalties under the IT Act. Every service provider, intermediary, data centre, body corporate, and government organisation in India must comply, regardless of size or revenue.
What the CERT-In 2022 Directions Actually Require
The CERT-In 2022 Directions, formally titled "Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe and Trusted Internet," were issued after CERT-In identified systematic gaps in how Indian organisations detect, log, and report security incidents.
The directions cover four primary obligations:
Mandatory Incident Reporting within Six Hours. Any of the 20 listed incident types must be reported to CERT-In at incident@cert-in.org.in within six hours of the organisation becoming aware of the incident. This is not six hours after resolution — it is six hours after detection.
Log Retention for 180 Days. All ICT system logs — including server logs, firewall logs, application logs, and authentication logs — must be maintained and stored within Indian jurisdiction for a minimum of 180 days. Logs must be produced on demand when requested by CERT-In.
Accurate Clock Synchronisation. All ICT infrastructure must synchronise clocks with the Network Time Protocol servers operated by the National Informatics Centre or STQC, or with NTP servers traceable to them. This ensures forensic accuracy across log timestamps during incident investigations.
VPN and Cloud Provider Data Retention. Virtual Private Network service providers, virtual asset service providers, cloud service providers, and data centres must maintain verified subscriber records and usage logs for a minimum of five years.
Who Must Comply with CERT-In 2022 Directions in India
The scope of the CERT-In 2022 Directions is intentionally broad. Compliance is mandatory for:
| Entity Type | Obligation |
|---|---|
| Service providers and ISPs | 6-hour incident reporting, 180-day log retention |
| Cloud service providers | 6-hour reporting, 5-year subscriber log retention |
| VPN providers | 6-hour reporting, 5-year subscriber KYC and usage logs |
| Data centres and co-location | 6-hour reporting, 180-day log retention, NTP sync |
| Body corporates handling digital services | 6-hour reporting, 180-day log retention |
| Virtual asset service providers | 6-hour reporting, 5-year transaction log retention |
| Government organisations | Full compliance with all four obligations |
The 6-Hour Incident Reporting Process
Understanding the compliance flow is as important as knowing the obligation exists. The following diagram maps the mandatory process from detection through to documented compliance:
The critical design principle here is that incident response and compliance reporting run in parallel, not in sequence. Your IR team begins containment while your compliance team files the initial CERT-In notification. The 30-day full technical report is your opportunity to provide complete root cause analysis, timeline reconstruction, and remediation evidence.
20 Incident Types That Trigger 6-Hour Reporting
CERT-In's 2022 Directions enumerate exactly 20 incident categories that trigger mandatory six-hour reporting. These span infrastructure attacks, financial fraud, data theft, and malware — reflecting the full breadth of the modern threat landscape in India.
Breaking these down by category:
- Infrastructure Attacks cover targeted scanning and probing, attacks on servers and network devices, DNS and routing attacks, DDoS, and attacks on IoT devices.
- Data and Unauthorized Access covers unauthorized access to IT systems or data, data breaches, identity theft, and intellectual property theft.
- Financial Fraud and Social Engineering covers attacks on digital payment systems, online fraud, fake mobile applications, and fraudulent calls or SMS.
- Malware and APT covers malicious code attacks (ransomware, trojans, worms) and Advanced Persistent Threats.
- Web and Social Media covers website intrusion and defacement, and unauthorized access to social media accounts.
- Critical Systems Compromise covers attacks on critical infrastructure and compromise of critical systems.
Technical Compliance Obligations for Indian Companies Under CERT-In
CERT-In 2022 compliance is not limited to filing notifications after incidents occur. Three structural technical obligations apply continuously and must be embedded into your infrastructure architecture.
Log Architecture for 180-Day Retention
Your log infrastructure must retain logs within Indian jurisdiction. Practically, this requires:
- Centralised SIEM or log management platform with enforced 180-day retention policies
- Immutable log storage to prevent tampering or deletion
- Ability to produce specific log sets within 24 hours of a CERT-In request
- Coverage across all ICT layers: network, server, application, authentication, and endpoint
NTP Clock Synchronisation
The NTP requirement exists because log timestamps from unsynchronised systems are unreliable as forensic evidence. Inconsistent timestamps across server logs, network device logs, and application logs make it impossible to reconstruct a coherent attack timeline — which undermines both your incident response and any subsequent legal proceedings.
Organisations using commercial cloud providers that default to external global NTP pools need explicit configuration to synchronise with NIC or STQC NTP servers. This is a low-effort, high-impact configuration change that is frequently overlooked.
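One way to check this on a host running chrony, as an added example that is not taken from the Directions or from any vendor tooling: it parses `chronyc sources` output and flags any source steering the clock that is not on an approved list. The hostnames and the sample output are constructed placeholders; substitute the NIC or STQC servers, or servers traceable to them, that your organisation uses.

```python
# Placeholder hostnames (assumption): replace with your approved NIC/STQC-traceable servers.
APPROVED = {"ntp1.approved.example", "ntp2.approved.example"}

# Constructed `chronyc sources` output from a VM still using a vendor default pool.
SAMPLE = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 0.pool.ntp.example            2   6   377    23   +112us[ +150us] +/-   12ms
^+ ntp1.approved.example         2   6   377    24   -301us[ -301us] +/-   15ms
^? ntp2.approved.example         0   6     0     -     +0ns[   +0ns] +/-    0ns
"""

# Second column of each row is chrony's source state.
STATES = {"*": "selected", "+": "combined", "-": "not combined",
          "?": "unusable", "x": "falseticker", "~": "too variable"}


def parse_sources(text):
    """Return one dict per source row, skipping the header and ruler lines."""
    rows = []
    for line in text.splitlines():
        # Data rows start with a mode (^ server, = peer, # refclock) and a state.
        if len(line) < 3 or line[0] not in "^=#" or line[1] not in STATES:
            continue
        fields = line.split()
        rows.append({"name": fields[1].lower(), "state": STATES[line[1]],
                     "reach": int(fields[4], 8)})  # reach is an octal bitmask
    return rows


def audit(text, approved=APPROVED):
    """List findings; an empty list means only approved sources steer the clock."""
    rows = parse_sources(text)
    findings = []
    if not any(r["state"] == "selected" for r in rows):
        findings.append("no source selected: clock is not synchronised")
    for r in rows:
        steering = r["state"] in ("selected", "combined")
        if steering and r["name"] not in approved:
            findings.append(f"{r['name']} is {r['state']} but not on the approved list")
        if r["name"] in approved and r["reach"] == 0:
            findings.append(f"{r['name']} is approved but unreachable (reach=0)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run it against real `chronyc sources` output collected from each host; an approved server that is listed but unreachable is reported separately because the host may silently fall back to another source.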
VPN and Cloud Infrastructure Data Retention
If your organisation provides VPN services, cloud infrastructure, or virtual asset services to Indian customers, the data retention obligation extends to subscriber KYC records and usage logs for five years. This obligation applies even if your infrastructure is hosted outside India. Virtual asset service providers — including cryptocurrency exchanges operating in India — face additional obligations covering transaction records.
Building CERT-In Compliance into Daily Operations
Most organisations fail CERT-In compliance not because they ignore it, but because their operational processes were never designed around a six-hour external notification deadline. A typical non-compliant incident response flows like this: detection triggers internal escalation, leadership gets briefed, legal is consulted, external notification is eventually filed — a process that routinely takes 24 to 72 hours in practice. The CERT-In Directions compress that external notification step to six hours, which means the entire internal escalation chain must be redesigned.
Practical steps for building lasting compliance:
Designate a CERT-In Reporting Officer. This named individual has authority to submit incident reports to CERT-In without waiting for full investigation completion. The initial report can include partial information — CERT-In accepts supplementary details in the 30-day full report. The bottleneck in most organisations is authority, not information.
Automate Log Collection and Retention. Manual log collection cannot meet a 180-day mandate at scale. Implement centralised log management with automatic ingestion from all systems, retention policy enforcement, and integrity verification. Test the ability to retrieve logs from a specific date range on demand — before CERT-In asks.
Run the Six-Hour Tabletop Exercise. Conduct incident response exercises that include CERT-In reporting as a mandatory milestone. Time the exercise from "detection" to "initial report submitted." Most organisations discover their first run far exceeds six hours, but the exercise reveals exactly where the process breaks.
Audit Your Third-Party Vendors. If you use third-party VPN, cloud, or virtual asset services, verify that those vendors are themselves compliant with the Directions. A log retention gap in a vendor's infrastructure can create compliance exposure even when your own systems are correctly configured.
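The 180-day retention architecture and the "Automate Log Collection and Retention" step above both call for retention enforcement plus integrity verification. The following added example (not code from CERT-In or from any product named on this page) sketches both checks over a hash-chained manifest of daily log archives; the manifest layout, source names and dates are assumptions constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

RETENTION_DAYS = 180  # minimum retention period stated in the Directions
GENESIS = "0" * 64    # chain value before the first entry (assumed convention)

def link(prev, day, source, digest):
    """Chain value binding one archive to every entry recorded before it."""
    record = f"{prev}|{day.isoformat()}|{source}|{digest}"
    return hashlib.sha256(record.encode()).hexdigest()

def append(manifest, day, source, archive_bytes):
    """Record one day's archive for one log source."""
    prev = manifest[-1]["chain"] if manifest else GENESIS
    digest = hashlib.sha256(archive_bytes).hexdigest()
    manifest.append({"day": day, "source": source, "sha256": digest,
                     "chain": link(prev, day, source, digest)})

def verify(manifest, today, sources, days=RETENTION_DAYS):
    """Return findings: a broken chain, then per-source gaps in the window."""
    findings, prev, trusted = [], GENESIS, set()
    for i, e in enumerate(manifest):
        if e["chain"] != link(prev, e["day"], e["source"], e["sha256"]):
            findings.append(f"chain broken at entry {i} ({e['source']} {e['day']})")
            break  # nothing after a break counts as retention evidence
        prev = e["chain"]
        trusted.add((e["source"], e["day"]))
    window = [today - timedelta(days=n) for n in range(1, days + 1)]
    for src in sources:
        missing = [d for d in window if (src, d) not in trusted]
        if missing:
            findings.append(f"{src}: {len(missing)} of {days} days missing, "
                            f"oldest gap {min(missing)}")
    return findings

def demo():
    """Constructed data: 180 days, two sources, one gap, then one tampered entry."""
    today = date(2024, 7, 1)
    sources = ["firewall", "auth"]
    manifest = []
    for n in range(180, 0, -1):
        day = today - timedelta(days=n)
        for src in sources:
            if not (src == "auth" and n == 100):  # constructed one-day gap
                append(manifest, day, src, f"{src} logs for {day}".encode())
    clean = verify(manifest, today, sources)
    manifest[10]["sha256"] = "f" * 64  # simulate an edited manifest entry
    tampered = verify(manifest, today, sources)
    return clean, tampered
```

The chain only demonstrates integrity if its latest value is also recorded somewhere an intruder on the log server cannot rewrite, such as write-once storage or a separate system.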
Organisations beginning their compliance journey can start with a free VAPT scan to identify security control gaps before moving into formal compliance assessment. Bachao.AI, the automated VAPT platform built by Dhisattva AI Pvt Ltd, surfaces misconfigurations and control weaknesses that typically map directly to CERT-In compliance requirements. For data protection compliance obligations that run alongside CERT-In requirements, see the DPDP compliance guide.
The full text of the CERT-In 2022 Directions is published on the official CERT-In website. DSCI's published frameworks at dsci.in provide additional implementation guidance for Indian organisations navigating the compliance landscape.