CERT-In's April 2022 Directions require every organisation operating in India to report specified cyber incidents to the Indian Computer Emergency Response Team within 6 hours of noticing them — not 6 hours after investigation, but 6 hours after first detection. Simultaneously, organisations must maintain ICT system logs for 180 days within Indian jurisdiction, synchronise clocks to NTP servers traceable to the National Physical Laboratory or National Informatics Centre, and provide KYC information for VPN and cloud subscribers. These Directions, issued under Section 70B(6) of the Information Technology Act, 2000, are legally binding on every entity — government, private, or public sector — that uses, provides, or manages information infrastructure in India.
What the CERT-In Directions Actually Say
The CERT-In Directions dated 28 April 2022 (published by the Ministry of Electronics and Information Technology, available at cert-in.org.in) came into force on 27 June 2022. They amend the 2014 CERT-In Operating Rules and make the following core compliance obligations non-negotiable:
- 6-hour incident reporting — Covered organisations must report any of the listed incident types to CERT-In within 6 hours of becoming aware of the incident, regardless of whether the cause or scope has been established.
- 180-day log retention — Logs of ICT systems, including servers, network devices, endpoints, and cloud infrastructure, must be maintained for a rolling 180-day window and stored within India.
- NTP synchronisation — All ICT infrastructure clocks must sync to NPL- or NIC-traceable NTP sources to ensure log timestamps are legally defensible.
- KYC and subscriber records — VPN service providers, virtual asset service providers, cloud service providers, and data centres must maintain accurate subscriber/customer information for 5 years, even after the customer cancels the service.
Who Must Comply
The Directions apply broadly. There is no size threshold and no sector carve-out. If your organisation:
- Operates ICT infrastructure in India (servers, cloud workloads, SaaS, or on-premise),
- Provides internet services, data centre services, cloud services, or VPN services to Indian customers,
- Is a government body, public sector undertaking, or private enterprise using digital infrastructure, or
- Handles financial services, critical information infrastructure, or e-commerce,
it is in scope.
The 20 Reportable Incident Categories
CERT-In's Directions enumerate 20 types of incidents that must be reported within the 6-hour window. These include:
| Category | Examples |
|---|---|
| Targeted scanning / probing | Systematic reconnaissance of critical networks |
| Compromise of critical systems | Servers, databases, authentication infrastructure |
| Unauthorised access | Accounts, applications, data |
| Defacement of websites or applications | Government portals, financial apps |
| Malware attacks | Ransomware, spyware, trojans on critical systems |
| Attacks on servers | DNS servers, mail servers, directory services |
| Identity theft and fraud | Spoofing, phishing campaigns targeting Indians |
| Denial-of-service attacks | DDoS, volumetric attacks |
| Attacks on critical infrastructure | Power, telecom, financial systems |
| Attacks on IoT devices | Embedded systems, industrial control systems |
| Data breaches / theft | PII, financial data, health records |
| Attacks on digital payment systems | UPI, NEFT, card networks |
| Attacks on satellites / navigation | Space segment, ground control |
| Malicious code in supply chain | Backdoored software updates, compromised libraries |
| Attacks on e-governance services | Government portals, Aadhaar-linked services |
| Attacks on healthcare systems | Hospital management, patient data platforms |
| Fake mobile apps | Impersonating banks, government agencies |
| Cryptocurrency theft | Exchange hacks, wallet compromises |
| Attacks on AI/ML systems | Model poisoning, adversarial manipulation |
| Incidents directed by foreign states | Attribution-confirmed nation-state attacks |
Understanding the 6-Hour Window in Practice
Six hours sounds generous until you factor in real-world constraints:
- Detection often happens outside business hours (most ransomware activates at 2–3 AM)
- Initial responders may not have authority to notify regulators
- The CERT-In portal requires structured information: incident type, affected systems, estimated impact, initial containment steps taken
- If your team is still in triage mode, you still must file — CERT-In accepts preliminary reports that can be supplemented later
What to Include in the Initial Report
CERT-In's reporting format (available at cert-in.org.in) typically asks for:
- Organisation name, contact details, and sector
- Date and time the incident was first noticed
- Type of incident (from the 20-category list)
- Affected systems and estimated scope
- Initial containment actions taken
- Whether law enforcement has been notified
The 180-Day Log Retention Requirement
Log retention is equally non-negotiable. The Directions require:
- Scope: Logs from ICT infrastructure — servers, routers, switches, firewalls, endpoints, VPNs, cloud environments, and SaaS tools with API log access
- Duration: Minimum 180 days on a rolling basis
- Location: Stored within India (organisations using foreign cloud providers must ensure logs flow to Indian regions or a separate India-based SIEM)
- Integrity: Logs must be tamper-evident; CERT-In can request them during an investigation
- Clock synchronisation: All log timestamps must come from NTP sources traceable to NPL (National Physical Laboratory) or NIC
Major cloud providers offer Indian regions (AWS ap-south-1, Azure centralindia, GCP asia-south1). The key gap for most SMBs is endpoint and on-premise network device logs, which are frequently discarded after 30–90 days.
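To make the quarterly verification of the log pipeline concrete, here is an added example (not from the Directions or this page's author) that checks a constructed log-source inventory against the three obligations above: 180-day retention, storage inside India, and clocks on NPL/NIC-traceable NTP. The region set, the NTP hostnames and the inventory are assumed example values.

```python
"""Checks a constructed inventory of log sources against the three log
obligations above: 180-day retention, storage inside India, and clocks on
NPL/NIC-traceable NTP. Region set, NTP hostnames and inventory are assumed
example values, not values taken from the Directions."""
from dataclasses import dataclass

MIN_RETENTION_DAYS = 180
# Indian cloud regions named on this page plus an on-prem site tag; extend as needed.
INDIA_LOCATIONS = {"ap-south-1", "centralindia", "asia-south1", "on-prem-in"}
# Placeholder hostnames: substitute the NPL/NIC-traceable servers you actually use.
APPROVED_NTP = {"ntp.npl-traceable.example", "ntp.nic-traceable.example"}

@dataclass
class LogSource:
    name: str
    kind: str            # server / network / endpoint / cloud / saas
    retention_days: int
    location: str        # region or site where the logs are stored
    ntp_source: str
    forwarding: bool     # is it actually shipping logs to the central platform?

def check_source(src: LogSource) -> list[str]:
    """Return the compliance gaps for one log source (empty list means OK)."""
    gaps = []
    if not src.forwarding:
        gaps.append("not forwarding to central log platform")
    if src.retention_days < MIN_RETENTION_DAYS:
        gaps.append(f"retention {src.retention_days}d < {MIN_RETENTION_DAYS}d")
    if src.location not in INDIA_LOCATIONS:
        gaps.append(f"logs stored outside India ({src.location})")
    if src.ntp_source not in APPROVED_NTP:
        gaps.append(f"clock not on approved NTP ({src.ntp_source})")
    return gaps

def audit(inventory: list[LogSource]) -> dict[str, list[str]]:
    """Map each non-compliant source to its gaps; compliant sources are omitted."""
    return {s.name: g for s in inventory if (g := check_source(s))}

# Constructed sample inventory showing the typical SMB gap: network gear and
# endpoints that keep only 30-90 days of logs, plus a SaaS tool logging abroad.
SAMPLE_INVENTORY = [
    LogSource("app-server-01", "server", 365, "ap-south-1", "ntp.npl-traceable.example", True),
    LogSource("edge-firewall", "network", 90, "on-prem-in", "ntp.npl-traceable.example", True),
    LogSource("laptop-fleet", "endpoint", 30, "on-prem-in", "time.windows.com", False),
    LogSource("hr-saas", "saas", 400, "us-east-1", "ntp.nic-traceable.example", True),
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: " + "; ".join(gaps))
```

Feed it the real inventory exported from your SIEM or CMDB and keep the output with the quarterly compliance evidence; an empty result is what the checklist item "Verify 180-day log retention" should produce.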
VPN and Cloud Provider KYC Obligations
Organisations that offer VPN, cloud, or data centre services to Indian customers must collect and verify subscriber identity at onboarding and retain those records for 5 years — including after service termination — making them available to CERT-In on request. The requirement targets service providers, not individual users of commercial VPN products.
Building a 6-Hour Incident Reporting Workflow
Meeting the 6-hour deadline requires process engineering, not just technology. A workflow that depends on the right person being awake, available, and knowing the CERT-In portal password will fail.
```mermaid
graph TD
    A[Incident Detected<br/>Employee / Tool / Alert] --> B{Classify Severity}
    B -- Critical / High --> C[Activate Incident Response Team]
    B -- Low / Unclear --> D[Triage Assessment<br/>max 30 min]
    D --> E{Is it a CERT-In<br/>Reportable Category?}
    E -- No --> F[Internal Handling<br/>Document Decision]
    E -- Yes --> C
    C --> G[Assign Incident Commander<br/>and Regulatory Contact]
    G --> H[Begin Containment<br/>Isolate Systems]
    H --> I[File Initial CERT-In<br/>Report Within 6 Hours]
    I --> J[Notify Legal and<br/>Management]
    J --> K[Preserve Logs<br/>180-day retention verified]
    K --> L[Detailed Follow-up<br/>Report to CERT-In]
    L --> M[Post-Incident Review<br/>and Remediation]
    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style F fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style H fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style I fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style J fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style K fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style L fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style M fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
```
The Five Process Pillars
1. 24/7 Detection Coverage: Alerts from your SIEM, EDR, or cloud monitoring must reach a human within minutes, not hours. On-call rotations and automated escalation are prerequisites, not optional extras.
2. Documented Classification Matrix: Your team must be able to determine within 15 minutes whether an incident falls into one of CERT-In's 20 categories. A single-page classification matrix in your runbook eliminates judgment paralysis during triage.
3. Pre-designated Regulatory Reporting Contact: One named person, with a backup, holds the authority and credentials to file the CERT-In report. This should not be worked out for the first time during an incident.
4. Pre-populated Report Template: Maintain a partially completed incident report with your organisation's static details. When an incident occurs, you fill in the specifics, not the boilerplate.
5. Verified Log Pipeline: Confirm that logs from all in-scope systems are flowing to a centralised SIEM or log management platform, that the retention window is set to at least 180 days, and that the storage sits within India. Test this quarterly.
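Pillars 2 to 4 (the classification matrix, the pre-populated template and the initial-report fields listed earlier) can be encoded as a small intake helper. The following is an added example, not code from CERT-In or this page's author; it assumes IST timestamps from an NTP-synced host, and the organisation details and category keys are constructed.

```python
"""Incident intake helper for the workflow above: applies the classification
matrix, starts the 6-hour clock at first notice (not at the end of triage), and
fills the pre-populated template with the initial-report fields listed earlier.
Assumes IST timestamps from an NTP-synced host; organisation details are constructed."""
import json
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORT_WINDOW = timedelta(hours=6)
# Short keys for the 20 reportable categories in the table above.
REPORTABLE = {
    "scanning", "critical-system-compromise", "unauthorised-access", "defacement",
    "malware", "server-attack", "identity-theft", "dos", "critical-infrastructure",
    "iot", "data-breach", "digital-payments", "satellite", "supply-chain",
    "e-governance", "healthcare", "fake-app", "crypto-theft", "ai-ml", "foreign-state",
}
# Static details kept ready in advance (pillar 4); constructed example values.
STATIC_TEMPLATE = {"organisation": "Example Pvt Ltd", "sector": "e-commerce",
                   "contact": "regulatory-contact@example.in"}

def filing_deadline(first_noticed: datetime) -> datetime:
    return first_noticed + REPORT_WINDOW

def build_initial_report(first_noticed: datetime, category: str, affected: list[str],
                         containment: list[str], police_notified: bool, now: datetime) -> dict:
    """Return the preliminary report; refuse categories outside the 20-item list."""
    if category not in REPORTABLE:
        raise ValueError(f"{category!r} is not reportable: handle internally, document the decision")
    deadline = filing_deadline(first_noticed)
    remaining = int((deadline - now).total_seconds() // 60)
    report = dict(STATIC_TEMPLATE)
    report.update({
        "first_noticed": first_noticed.isoformat(),
        "incident_type": category,
        "affected_systems": affected,
        "estimated_scope": f"{len(affected)} system(s) identified so far; preliminary",
        "initial_containment": containment,
        "law_enforcement_notified": police_notified,
        "filing_deadline": deadline.isoformat(),
        "minutes_remaining": remaining,
        "overdue": remaining < 0,
        "status": "preliminary, to be supplemented with the detailed follow-up",
    })
    return report

if __name__ == "__main__":
    noticed = datetime(2024, 3, 2, 2, 40, tzinfo=IST)  # constructed 02:40 IST alert
    rep = build_initial_report(noticed, "malware", ["file-server-02"], ["host isolated"],
                               False, now=datetime(2024, 3, 2, 5, 10, tzinfo=IST))
    print(json.dumps(rep, indent=2))
```

The `overdue` flag is the value to alert on: once it turns true the preliminary report is late regardless of how far triage has progressed.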
Incident Response Time Budget
The chart below shows how the 6-hour window should be allocated across detection, triage, escalation, and filing — leaving buffer for system slowdowns or off-hours gaps.
```mermaid
xychart-beta
    title "6-Hour CERT-In Reporting Budget in Minutes"
    x-axis ["Detection to Alert", "Alert to Triage", "Triage to Classify", "Classify to Escalate", "Escalate to Draft Report", "File to CERT-In", "Buffer"]
    y-axis "Minutes" 0 --> 120
    bar [15, 30, 20, 15, 60, 20, 60]
```
Penalties for Non-Compliance
The CERT-In Directions are issued under Section 70B(6) of the IT Act, 2000. Non-compliance can result in enforcement action by CERT-In, including:
- Formal directions to comply, with timelines
- Referral to the Ministry of Electronics and Information Technology
- Prosecution under the IT Act, which carries imprisonment and financial penalties at the discretion of adjudicating authorities
- In cases involving critical information infrastructure, additional consequences under the National Cyber Security Policy and sector-specific regulations (RBI, SEBI, IRDAI) may apply
How VAPT Connects to CERT-In Compliance
CERT-In's Directions are reactive — they govern what you do after an incident. Proactive vulnerability management reduces how often those incidents occur and builds the documented evidence trail that regulators expect to see. Organisations that run a regular free VAPT scan identify the misconfigurations, unpatched CVEs, and weak authentication controls that attackers exploit before a breach triggers the 6-hour clock.
Bachao.AI, built by Dhisattva AI Pvt Ltd, automates vulnerability discovery so security and compliance teams have continuous visibility — not just a point-in-time audit once a year. Formal audits requiring CERT-In empanelled sign-off are handled with a CERT-In empanelled partner; Bachao.AI provides the automated scanning and evidence layer that feeds into that process.
Compliance Checklist
| Requirement | Frequency | Owner |
|---|---|---|
| Register with CERT-In portal | Once | IT / Compliance Lead |
| Maintain 20-category incident classification matrix | Review annually | Security Team |
| Designate regulatory reporting contact with backup | Once, update on role changes | CISO / IT Head |
| Verify 180-day log retention across all ICT systems | Quarterly | IT / DevOps |
| Confirm logs stored within India | Quarterly | IT / Cloud Admin |
| Sync all clocks to NPL/NIC NTP | Continuous | IT / DevOps |
| Collect and retain VPN/cloud subscriber KYC (if applicable) | Ongoing | Compliance / Legal |
| Run tabletop incident response exercise | Annually | Security Team |
| File test CERT-In report to verify process | Annually | Regulatory Contact |
| Document VAPT assessment and remediation evidence | Biannually | Security Team |