CERT-In Compliance: Directions, 6-Hour Incident Reporting & Audit Guide
The clock starts before you know you have been hit. That is the part most boards do not grasp about CERT-In. When a ransomware note lands on a Monday morning, or your SOC flags data exfiltration from a payments API, the six-hour countdown for reporting to CERT-In began at the moment of detection — not at the moment your legal team finished arguing about wording. We have watched organisations burn four of those hours drafting a perfect email that no one asked for, then miss the window that actually mattered.
CERT-In is the Indian Computer Emergency Response Team, operating under the Ministry of Electronics and Information Technology (MeitY). Its 28 April 2022 Directions, issued under Section 70B(6) of the Information Technology Act 2000, are not a framework you adopt at leisure. They are binding law with a criminal tail — non-compliance can attract imprisonment up to one year, a fine up to one lakh rupees, or both, under Section 70B(7). And yet most Indian entities we assess treat it as an afterthought bolted onto their ISO 27001 project. This guide is what we tell clients in the audit room, minus the corporate softening.
Who actually has to comply (hint: it is almost everyone)
The single biggest misconception is that CERT-In only applies to critical infrastructure or licensed sectors. It does not. The 2022 Directions apply to service providers, intermediaries, data centres, body corporates and Government organisations. If you run a website, an app, a cloud tenancy or a network in India, you are in scope for incident reporting. There is no revenue floor, no employee count, no sectoral carve-out for the core reporting obligation.
Where scope does narrow is the specialised obligations. Some rules bite only certain categories:
| Obligation | Who it binds | What it actually means |
|---|---|---|
| Report cyber incidents within 6 hours | Every service provider, intermediary, data centre, body corporate, Govt org | No exceptions; applies to all listed incident types |
| Enable and retain logs for 180 days | All the above | ICT system logs kept within Indian jurisdiction, producible to CERT-In |
| Sync clocks to NIC/NPL NTP | All entities and their ICT systems | Use time.nplindia.org or time servers of National Informatics Centre |
| Maintain KYC and 5-year transaction logs | Data Centres, VPS, cloud and VPN service providers | Register and retain validated customer details for 5 years post-cancellation |
| Retain records for 5 years | Virtual asset / crypto exchanges and custodian wallet providers | KYC plus financial transaction records under PMLA-aligned norms |
That VPN and cloud KYC rule is the one that made headlines. It is real, it is in force, and if you resell hosting or VPS you cannot pretend it does not exist. But for the average body corporate running SaaS on AWS Mumbai, the two clauses that will define your audit are the six-hour rule and the 180-day log retention.
The 6-hour rule, decoded properly
The Direction says you must report cyber incidents to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents. Read that carefully. The trigger is noticing, not confirming, not root-causing, not containing. The moment a competent person in your organisation becomes aware of a reportable incident, the timer runs.
This is where teams get it wrong. They wait for certainty. They want to know the blast radius, the CVE, the attacker attribution — all the things a forensic investigation delivers days later. CERT-In does not expect a finished report at hour six. It expects notification. You tell them what you know, flag it as preliminary, and update as facts firm up. A same-day report that says under investigation beats a perfect report filed on day three that lands you a Section 70B(7) exposure.
What counts as a reportable incident
The Directions annexe a list of mandatorily reportable incident types. It is broad by design. Do not read it as an exhaustive menu where anything unlisted is safe to ignore — CERT-In reserves the right to add categories, and the spirit is over-report rather than under-report. The core categories you must know:
- Targeted scanning or probing of critical networks and systems
- Compromise of critical systems or information
- Unauthorised access to IT systems or data
- Defacement of a website or intrusion into a website, and any unauthorised changes such as inserting malicious code or links
- Malicious code attacks — ransomware, virus, worm, Trojan, bots, spyware
- Attacks on servers such as database, mail and DNS, and network devices such as routers
- Identity theft, spoofing and phishing attacks
- Denial of Service and Distributed Denial of Service (DoS/DDoS) attacks
- Attacks on critical infrastructure, SCADA, operational technology and wireless networks
- Attacks on applications such as e-governance and e-commerce
- Data breach and data leak
- Attacks on Internet of Things (IoT) devices, and associated systems, networks, software and servers
- Attacks or incidents affecting digital payment systems
- Attacks through malicious mobile apps
- Fake mobile apps
- Unauthorised access to social media accounts
- Attacks or malicious activity affecting cloud computing systems, servers, software and applications
- Attacks or malicious activity affecting systems related to big data, blockchain, virtual assets, robotics, 3D and 4D printing, additive manufacturing and drones
Notice how many of these have nothing to do with critical infrastructure. A defaced marketing microsite is reportable. A phishing page impersonating your brand is reportable. A compromised corporate LinkedIn account is reportable. This breadth is deliberate, and it is why we insist clients build reporting into the incident runbook rather than treating each event as a fresh legal debate.
How you actually report — the mechanics people skip
There is no mystery here, but there are avoidable delays. CERT-In accepts reports by email to incident@cert-in.org.in, via phone on the published helpline, by fax, or through the online reporting portal. For a live incident, email plus the portal is what we use. The format is the CERT-In Incident Reporting Form, and the fields you must be ready to populate include:
- Time and date the incident was noticed
- Information about the affected system — IP, domain, hostname, location
- Nature and brief description of the incident
- Symptoms observed
- Impact assessment as known so far
- Any remedial action already taken
- Contact details of the reporting person and the organisation
The friction is never the form. It is the internal path to the form. Who is authorised to hit send? Does the SOC analyst at 2am have that authority, or must they wake a CISO who must wake general counsel? Every handoff eats the six hours. The organisations that get this right pre-authorise a named point of contact — a CERT-In liaison — with standing authority to file the preliminary report without a committee.
A scene from the audit room
A mid-sized fintech we assessed had a genuinely capable SOC. Detection was fast — their EDR caught lateral movement within eleven minutes. Then it fell apart. The playbook routed the decision to a chief information security officer who was on a flight. His deputy did not believe he had authority to notify a regulator. Legal wanted the forensic firm engaged first. By the time the report went out, it was hour nine. In the post-incident review we did not fault their tooling. We faulted a single missing line in the runbook: a named backup authoriser and a standing instruction that preliminary notification is mandatory, not discretionary. That one gap converted a well-handled incident into a compliance breach.
Logs: the 180-day obligation that trips up cloud tenants
The Direction requires you to enable logs of all your ICT systems and maintain them securely for a rolling period of 180 days, within Indian jurisdiction. When CERT-In asks — during an incident or an order — you must produce them. Simple to state, genuinely hard to satisfy when your estate is a sprawl of SaaS, managed services and multi-region cloud.
Three failure modes we see repeatedly:
| Failure mode | What goes wrong | The fix |
|---|---|---|
| Default retention too short | Cloud log services default to 7-30 day retention; nothing is kept 180 days | Explicitly set retention to 180+ days and budget the storage |
| Logs stored outside India | Centralised SIEM or log bucket sits in a US or EU region | Keep a producible copy within Indian jurisdiction |
| No time sync | Logs across systems have skewed timestamps; a forensic timeline is impossible | Sync all systems to NIC/NPL NTP servers as the Directions mandate |
That last point is under-appreciated. The Directions specifically require connection to the Network Time Protocol (NTP) servers of the National Informatics Centre or the National Physical Laboratory, or servers traceable to them. The reason is not bureaucratic — when CERT-In correlates your logs against a national picture of an attack campaign, mismatched clocks make your evidence useless. We have seen a forensic reconstruction collapse because the firewall was fourteen minutes off the application servers.
CERT-In empanelled audit versus a general security audit
Here is a distinction that costs organisations real money when they get it wrong. A CERT-In empanelled audit is not the same as any competent penetration test or ISO gap assessment. CERT-In maintains a panel of empanelled security auditing organisations, and certain obligations — for Government projects, regulated sector mandates, or post-incident directions — must be conducted by a firm on that panel. If your compliance requirement specifies CERT-In empanelled, an audit from a non-empanelled firm, however good, does not satisfy it.
| Aspect | General security audit | CERT-In empanelled audit |
|---|---|---|
| Auditor status | Any qualified firm | Must be on CERT-In empanelled list |
| Accepted for Govt/regulated mandates | Often not | Yes, where empanelment is specified |
| Scope reference | Client-defined | Aligned to CERT-In and sectoral requirements |
| Report acceptance | Varies by recipient | Recognised for CERT-In-linked obligations |
| Typical cost range (India) | Rs 50,000 to Rs 3 lakh for a mid app | Rs 1.5 lakh to Rs 8 lakh depending on scope and criticality |
The cost figures move with scope — a single web application is at the low end, a full network plus multiple applications plus a source-code review sits at the high end, and repeat cycles are cheaper once the baseline exists. Do not choose on price alone. The value is in whether the report is accepted by the party demanding it.
How CERT-In fits with everything else you must do
CERT-In does not live in isolation. It sits alongside a stack of Indian obligations, and treating them as separate projects wastes budget. The overlaps are substantial and you should exploit them.
| Regime | Core obligation | Overlap with CERT-In |
|---|---|---|
| CERT-In Directions 2022 | 6-hour reporting, 180-day logs, NTP sync | Baseline for all |
| DPDP Act 2023 | Notify Data Protection Board and affected persons of personal data breach | A data breach is reportable to both; align the runbook |
| RBI directions | Report cyber incidents to RBI within 2-6 hours for regulated entities | Dual reporting; RBI window can be tighter |
| SEBI CSCRF | Reporting and audit for market intermediaries | Empanelled audit and incident reporting overlap |
| ISO 27001 | Information security management system | Log and incident controls feed CERT-In readiness |
The practical takeaway: one incident can trigger three separate regulatory clocks. A payments company suffering a breach of cardholder and personal data may owe reports to CERT-In within six hours, to RBI within its window, and to the Data Protection Board under DPDP — plus PCI DSS obligations to card schemes. If your runbook has one destination, you have already failed two regulators. Build a single detection trigger that fans out to every obligation.
Five gaps that fail a CERT-In readiness review
When we assess CERT-In readiness, the same five gaps recur. None is technically hard. All are organisational.
- No named CERT-In liaison with standing authority to file the preliminary report without escalation
- Log retention left at cloud defaults, so nothing survives 180 days and nothing is producible within Indian jurisdiction
- Clocks not synced to NIC or NPL NTP servers, making any forensic timeline unreliable
- The reportable-incident list not embedded in the SOC playbook, so analysts debate reportability during a live event
- No rehearsed six-hour drill, so the first time anyone tries to meet the window is during a real breach
Your fix-it checklist before the next incident
Do these now, while things are calm. Every item removes minutes from your response time or removes an audit finding.
- Appoint a named CERT-In point of contact and a documented backup, both pre-authorised to file the preliminary report
- Pre-fill the CERT-In Incident Reporting Form template with your organisation details so only incident facts need adding under pressure
- Set log retention to at least 180 days across every ICT system and confirm a producible copy sits within Indian jurisdiction
- Point every system clock at time.nplindia.org or an NIC-traceable NTP server and monitor for drift
- Embed the full reportable-incident list into your SOC and helpdesk playbooks so reportability is a lookup, not a debate
- Map each incident type to every regulator it triggers — CERT-In, DPDP, RBI, SEBI, PCI as applicable — in one fan-out sheet
- Run a tabletop drill against the six-hour window at least twice a year and time yourself honestly
- If a mandate requires it, engage a CERT-In empanelled auditor and schedule the cycle before, not after, the deadline
The clock is the whole point
Come back to where we started. The six-hour window is not a paperwork nuisance — it is a test of whether your organisation can act under uncertainty. The technical controls matter, but the failures we see are almost always human and organisational: an unauthorised analyst, a default log setting, a runbook that routes a regulatory decision into a committee. Fix those and CERT-In compliance stops being a scramble and becomes muscle memory.
If you would rather pressure-test your readiness with people who have sat on both sides of the table, CyberSigma is a CERT-In empanelled auditor. We run the tabletop, close the gaps, and conduct the audit hands-on — quietly, without the theatre.
FAQs
Does the CERT-In 6-hour rule apply to my small company?
Yes. The 2022 Directions have no revenue, headcount or sectoral floor for incident reporting. If you operate a website, app, network or cloud tenancy in India as a body corporate, service provider or intermediary, you must report the listed cyber incidents within six hours of noticing them.
What is the penalty for not reporting to CERT-In?
The Directions are issued under Section 70B(6) of the IT Act 2000. Non-compliance can attract imprisonment for up to one year, a fine of up to one lakh rupees, or both, under Section 70B(7). Beyond the legal penalty, non-reporting typically compounds regulatory and reputational damage during an incident.
How exactly do I report an incident to CERT-In?
Use the CERT-In Incident Reporting Form and send it by email to incident@cert-in.org.in, via the online reporting portal, by the published helpline, or by fax. For a live incident, file a preliminary report with what you know, mark it as under investigation, and update as facts firm up. Do not wait for a complete forensic picture.
How long must I keep logs, and where?
You must enable and securely retain logs of all ICT systems for a rolling 180 days, and they must be maintained within Indian jurisdiction so they can be produced to CERT-In on request. Cloud log defaults are usually far shorter than 180 days, so retention must be set explicitly.
Is a CERT-In empanelled audit different from a normal penetration test?
Yes. A CERT-In empanelled audit must be carried out by a firm on CERT-In's empanelled list. Where a Government project, regulated mandate or post-incident direction specifies empanelment, a report from a non-empanelled firm — however technically strong — will not satisfy the requirement.
One incident, several regulators — how do I handle that?
A single breach can start multiple clocks. A personal-data breach is reportable to CERT-In within six hours and to the Data Protection Board under the DPDP Act; a regulated entity may also owe RBI or SEBI within their windows, plus card-scheme obligations under PCI DSS. Build one detection trigger that fans out to every obligation rather than a runbook with a single destination.
Liked the post? Share on:





Leave A Comment