CERT-In April 2022 Directive — Updated May 2026

Does CERT-In Require VAPT? Yes. Here Is Exactly What.

The April 2022 CERT-In directive mandates 6-hour breach notification, vulnerability disclosure, and 180-day log retention. VAPT is the mechanism that satisfies all three.

Get CERT-In Aligned VAPT Report →See compliance mapping

Which organisations must comply?

The directive applies to all service providers, intermediaries, data centres, body corporates, and government organisations operating in India.

✓All data centres and cloud service providers operating in India

✓Government organisations and ministries

✓Banks, financial institutions, and payment aggregators

✓Telecom operators and internet service providers

✓Hospitals and health-tech companies handling patient data

✓SaaS companies processing data of Indian users

✓E-commerce platforms and D2C brands with >10 lakh customers

✓Stock brokers, depository participants, and SEBI-regulated entities

CERT-In directive → Bachao.AI deliverable

Every mandatory control in the April 2022 directive, mapped to the specific Bachao.AI output that satisfies it.

CERT-In Requirement	Directive Clause	Bachao.AI Deliverable
6-hour breach notification to CERT-In	Direction 3(i)	Incident Response retainer + breach detection alerting
Vulnerability disclosure to CERT-In	Direction 3(v)	VAPT report with CVSS-rated findings + disclosure template
Secure log retention (180 days / ICT systems)	Direction 3(iv)	Log management guidance in VAPT remediation report
Synchronised system clocks (NTP)	Direction 3(iii)	Infrastructure audit check in VAPT scan suite
Prohibition on VPN / anonymisation tools without disclosure	Direction 3(vi)	Network topology review in full-scope VAPT
Periodic vulnerability assessment	CERT-In advisory best practice	Quarterly / on-demand VAPT scan with AI-validated findings

6 hrs

Maximum time to notify CERT-In of a cybersecurity incident

180 days

Mandatory log retention period for all ICT systems

Incident categories that trigger the 6-hour notification clock

CERT-In VAPT requirements — full breakdown

The April 2022 CERT-In directive: what changed

On 28 April 2022, CERT-In issued directions under Section 70B(6) of the IT Act that fundamentally changed cybersecurity obligations for organisations operating in India. The two most consequential requirements: mandatory 6-hour breach notification (previously there was no legally binding timeline), and mandatory log retention of at least 180 days for ICT systems. These requirements transformed VAPT from a best practice into a compliance mechanism — because you cannot report vulnerabilities you have not found, and you cannot demonstrate due diligence without a documented assessment.

6-hour notification: what you must report and how VAPT helps

The directive lists 20 incident categories that trigger the 6-hour notification clock: data breaches, ransomware, DDoS attacks, malware deployment, unauthorised access, and more. VAPT does not eliminate incidents, but it dramatically reduces the likelihood of undetected vulnerabilities becoming incidents. When you have a current VAPT report showing your risk posture, incident response teams can correlate new incidents against known vulnerability surface much faster — often compressing the time from detection to notification submission.

Vulnerability disclosure: what CERT-In expects

Direction 3(v) requires covered entities to report vulnerabilities in their systems and in third-party software they use. A Bachao.AI VAPT report provides the documented vulnerability inventory that satisfies this obligation. Each finding includes: CVE reference where applicable, CVSS v3.1 base score, reproduction steps, affected component, and recommended fix. This is the evidence package regulators and auditors look for when assessing compliance.

RBI, SEBI, and IRDA: sector-specific VAPT mandates

CERT-In directives set the floor. Sector regulators have layered additional VAPT requirements on top. RBI's IT Examination Framework explicitly requires periodic VAPT for banks, NBFCs, and payment aggregators — with findings reported to the board's IT Committee. SEBI's CSCRF requires registered intermediaries to conduct VAPT at least annually, with enhanced frequency for systemic risk entities. IRDA requires insurers to run annual VAPT under their Information and Cyber Security Guidelines. A single Bachao.AI VAPT report can satisfy the CERT-In baseline while also producing the artefacts each sector regulator requires.

Log retention and NTP: the infrastructure checks most miss

Beyond breach notification and vulnerability disclosure, the 2022 directive mandates 180-day log retention for all ICT systems and synchronised system clocks using NTP (Network Time Protocol). These are infrastructure controls that VAPT audits surface as findings when misconfigured. A Bachao.AI scan includes infrastructure checks that flag misconfigured log retention policies and NTP mismatches — giving your team the evidence they need to remediate before an audit.

What a CERT-In aligned VAPT report contains

A Bachao.AI CERT-In aligned VAPT report includes: executive summary with risk rating, CVSS v3.1 scores per finding, proof-of-concept evidence for each vulnerability, step-by-step remediation guidance with AI-generated fix code for your tech stack, CERT-In methodology attestation, DPDP Act Schedule I compliance mapping, retest schedule, and closure certificate after remediation. The report format follows CERT-In advisory guidelines and is accepted by banking and financial regulators for compliance submissions.

Frequently asked questions

Common questions about CERT-In VAPT requirements in India.

Does CERT-In explicitly require VAPT?

CERT-In's April 2022 directive (No. 20(3)/2022-CERT-In) mandates that covered organisations report cybersecurity incidents within 6 hours and maintain vulnerability disclosure processes. While the directive does not use the exact phrase 'VAPT mandatory', vulnerability assessment and penetration testing is the primary mechanism by which organisations identify and report the vulnerabilities that CERT-In requires to be disclosed. Regulated sector guidance (RBI, SEBI) explicitly names periodic VAPT as a control.

Which organisations must comply with the CERT-In April 2022 directive?

The directive applies broadly to all service providers, intermediaries, data centres, body corporates, and government organisations operating in India. In practice, this covers every company that operates IT systems in India — from large enterprises to startups processing Indian user data. CERT-In has issued additional sector-specific guidance for banks (via RBI), stock exchanges (via SEBI), and critical infrastructure operators.

What is the 6-hour breach notification requirement?

Under Direction 3(i) of the April 2022 directive, covered entities must report cybersecurity incidents to CERT-In within 6 hours of becoming aware of them. This covers breaches, DDoS attacks, ransomware, data theft, and other incident types listed in the directive. The notification must include: nature of incident, affected systems, estimated impact, and initial remediation steps taken. VAPT helps you detect vulnerabilities before they become incidents that trigger the 6-hour clock.

How does a Bachao.AI VAPT report satisfy CERT-In requirements?

A Bachao.AI VAPT report delivers: CVSS v3.1 scored findings per vulnerability, evidence and reproduction steps for each finding, remediation guidance mapped to your tech stack, CERT-In aligned methodology and report format, and a retest closure certificate. This report serves as the vulnerability disclosure artifact that CERT-In expects from covered organisations, and provides the documented evidence of due diligence that auditors and regulators ask for.

What is the penalty for non-compliance with CERT-In directives?

CERT-In operates under the Information Technology Act 2000. Section 70B(7) provides for penalties for non-compliance with CERT-In directions. Additionally, non-compliance with sector-specific regulations (RBI IT Framework, SEBI CSCRF) that reference CERT-In guidelines can trigger penalties from those regulators — up to ₹5 crore per violation for certain SEBI breaches. CERT-In can also direct ISPs to block non-compliant services in extreme cases.

Explore more products

Bachao.AI covers your entire security surface — from code to cloud to compliance.

API Security Testing

OWASP API Top 10 coverage for REST and GraphQL endpoints.

Learn more →

Cloud Security Audit

AWS, Azure & GCP misconfiguration detection with DPDP mapping.

Learn more →

Dark Web Monitoring

Credential leak detection, brand impersonation & Telegram scanning.

Learn more →

Get your CERT-In aligned VAPT report

Satisfy every April 2022 directive requirement. Report ready in under 2 hours. Accepted by RBI, SEBI, and banking auditors.

Get CERT-In Aligned VAPT Report →

CERT-In April 2022 Directive — Updated May 2026

Does CERT-In Require VAPT? Yes. Here Is Exactly What.

The April 2022 CERT-In directive mandates 6-hour breach notification, vulnerability disclosure, and 180-day log retention. VAPT is the mechanism that satisfies all three.

Get CERT-In Aligned VAPT Report →See compliance mapping

Which organisations must comply?

The directive applies to all service providers, intermediaries, data centres, body corporates, and government organisations operating in India.

✓All data centres and cloud service providers operating in India

✓Government organisations and ministries

✓Banks, financial institutions, and payment aggregators

✓Telecom operators and internet service providers

✓Hospitals and health-tech companies handling patient data

✓SaaS companies processing data of Indian users

✓E-commerce platforms and D2C brands with >10 lakh customers

✓Stock brokers, depository participants, and SEBI-regulated entities

CERT-In directive → Bachao.AI deliverable

Every mandatory control in the April 2022 directive, mapped to the specific Bachao.AI output that satisfies it.

CERT-In Requirement	Directive Clause	Bachao.AI Deliverable
6-hour breach notification to CERT-In	Direction 3(i)	Incident Response retainer + breach detection alerting
Vulnerability disclosure to CERT-In	Direction 3(v)	VAPT report with CVSS-rated findings + disclosure template
Secure log retention (180 days / ICT systems)	Direction 3(iv)	Log management guidance in VAPT remediation report
Synchronised system clocks (NTP)	Direction 3(iii)	Infrastructure audit check in VAPT scan suite
Prohibition on VPN / anonymisation tools without disclosure	Direction 3(vi)	Network topology review in full-scope VAPT
Periodic vulnerability assessment	CERT-In advisory best practice	Quarterly / on-demand VAPT scan with AI-validated findings

6 hrs

Maximum time to notify CERT-In of a cybersecurity incident

180 days

Mandatory log retention period for all ICT systems

Incident categories that trigger the 6-hour notification clock

CERT-In VAPT requirements — full breakdown

The April 2022 CERT-In directive: what changed

6-hour notification: what you must report and how VAPT helps

Vulnerability disclosure: what CERT-In expects

RBI, SEBI, and IRDA: sector-specific VAPT mandates

Log retention and NTP: the infrastructure checks most miss

What a CERT-In aligned VAPT report contains

Frequently asked questions

Common questions about CERT-In VAPT requirements in India.

Does CERT-In explicitly require VAPT?

Which organisations must comply with the CERT-In April 2022 directive?

What is the 6-hour breach notification requirement?

How does a Bachao.AI VAPT report satisfy CERT-In requirements?

What is the penalty for non-compliance with CERT-In directives?

Explore more products

Bachao.AI covers your entire security surface — from code to cloud to compliance.

Get your CERT-In aligned VAPT report

Satisfy every April 2022 directive requirement. Report ready in under 2 hours. Accepted by RBI, SEBI, and banking auditors.

Get CERT-In Aligned VAPT Report →