We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Cybersecurity blog

CERT-In Compliance: Directions, 6-Hour Incident Reporting & Audit Guide

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

CERT-In Compliance: Directions, 6-Hour Incident Reporting & Audit Guide

The clock starts before you know you have been hit. That is the part most boards do not grasp about CERT-In. When a ransomware note lands on a Monday morning, or your SOC flags data exfiltration from a payments API, the six-hour countdown for reporting to CERT-In began at the moment of detection — not at the moment your legal team finished arguing about wording. We have watched organisations burn four of those hours drafting a perfect email that no one asked for, then miss the window that actually mattered.

CERT-In is the Indian Computer Emergency Response Team, operating under the Ministry of Electronics and Information Technology (MeitY). Its 28 April 2022 Directions, issued under Section 70B(6) of the Information Technology Act 2000, are not a framework you adopt at leisure. They are binding law with a criminal tail — non-compliance can attract imprisonment up to one year, a fine up to one lakh rupees, or both, under Section 70B(7). And yet most Indian entities we assess treat it as an afterthought bolted onto their ISO 27001 project. This guide is what we tell clients in the audit room, minus the corporate softening.

Who actually has to comply (hint: it is almost everyone)

The single biggest misconception is that CERT-In only applies to critical infrastructure or licensed sectors. It does not. The 2022 Directions apply to service providers, intermediaries, data centres, body corporates and Government organisations. If you run a website, an app, a cloud tenancy or a network in India, you are in scope for incident reporting. There is no revenue floor, no employee count, no sectoral carve-out for the core reporting obligation.

Where scope does narrow is the specialised obligations. Some rules bite only certain categories:

ObligationWho it bindsWhat it actually means
Report cyber incidents within 6 hoursEvery service provider, intermediary, data centre, body corporate, Govt orgNo exceptions; applies to all listed incident types
Enable and retain logs for 180 daysAll the aboveICT system logs kept within Indian jurisdiction, producible to CERT-In
Sync clocks to NIC/NPL NTPAll entities and their ICT systemsUse time.nplindia.org or time servers of National Informatics Centre
Maintain KYC and 5-year transaction logsData Centres, VPS, cloud and VPN service providersRegister and retain validated customer details for 5 years post-cancellation
Retain records for 5 yearsVirtual asset / crypto exchanges and custodian wallet providersKYC plus financial transaction records under PMLA-aligned norms

That VPN and cloud KYC rule is the one that made headlines. It is real, it is in force, and if you resell hosting or VPS you cannot pretend it does not exist. But for the average body corporate running SaaS on AWS Mumbai, the two clauses that will define your audit are the six-hour rule and the 180-day log retention.

The 6-hour rule, decoded properly

The Direction says you must report cyber incidents to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents. Read that carefully. The trigger is noticing, not confirming, not root-causing, not containing. The moment a competent person in your organisation becomes aware of a reportable incident, the timer runs.

This is where teams get it wrong. They wait for certainty. They want to know the blast radius, the CVE, the attacker attribution — all the things a forensic investigation delivers days later. CERT-In does not expect a finished report at hour six. It expects notification. You tell them what you know, flag it as preliminary, and update as facts firm up. A same-day report that says under investigation beats a perfect report filed on day three that lands you a Section 70B(7) exposure.

What counts as a reportable incident

The Directions annexe a list of mandatorily reportable incident types. It is broad by design. Do not read it as an exhaustive menu where anything unlisted is safe to ignore — CERT-In reserves the right to add categories, and the spirit is over-report rather than under-report. The core categories you must know:

  • Targeted scanning or probing of critical networks and systems
  • Compromise of critical systems or information
  • Unauthorised access to IT systems or data
  • Defacement of a website or intrusion into a website, and any unauthorised changes such as inserting malicious code or links
  • Malicious code attacks — ransomware, virus, worm, Trojan, bots, spyware
  • Attacks on servers such as database, mail and DNS, and network devices such as routers
  • Identity theft, spoofing and phishing attacks
  • Denial of Service and Distributed Denial of Service (DoS/DDoS) attacks
  • Attacks on critical infrastructure, SCADA, operational technology and wireless networks
  • Attacks on applications such as e-governance and e-commerce
  • Data breach and data leak
  • Attacks on Internet of Things (IoT) devices, and associated systems, networks, software and servers
  • Attacks or incidents affecting digital payment systems
  • Attacks through malicious mobile apps
  • Fake mobile apps
  • Unauthorised access to social media accounts
  • Attacks or malicious activity affecting cloud computing systems, servers, software and applications
  • Attacks or malicious activity affecting systems related to big data, blockchain, virtual assets, robotics, 3D and 4D printing, additive manufacturing and drones

Notice how many of these have nothing to do with critical infrastructure. A defaced marketing microsite is reportable. A phishing page impersonating your brand is reportable. A compromised corporate LinkedIn account is reportable. This breadth is deliberate, and it is why we insist clients build reporting into the incident runbook rather than treating each event as a fresh legal debate.

How you actually report — the mechanics people skip

There is no mystery here, but there are avoidable delays. CERT-In accepts reports by email to incident@cert-in.org.in, via phone on the published helpline, by fax, or through the online reporting portal. For a live incident, email plus the portal is what we use. The format is the CERT-In Incident Reporting Form, and the fields you must be ready to populate include:

  • Time and date the incident was noticed
  • Information about the affected system — IP, domain, hostname, location
  • Nature and brief description of the incident
  • Symptoms observed
  • Impact assessment as known so far
  • Any remedial action already taken
  • Contact details of the reporting person and the organisation

The friction is never the form. It is the internal path to the form. Who is authorised to hit send? Does the SOC analyst at 2am have that authority, or must they wake a CISO who must wake general counsel? Every handoff eats the six hours. The organisations that get this right pre-authorise a named point of contact — a CERT-In liaison — with standing authority to file the preliminary report without a committee.

A scene from the audit room

A mid-sized fintech we assessed had a genuinely capable SOC. Detection was fast — their EDR caught lateral movement within eleven minutes. Then it fell apart. The playbook routed the decision to a chief information security officer who was on a flight. His deputy did not believe he had authority to notify a regulator. Legal wanted the forensic firm engaged first. By the time the report went out, it was hour nine. In the post-incident review we did not fault their tooling. We faulted a single missing line in the runbook: a named backup authoriser and a standing instruction that preliminary notification is mandatory, not discretionary. That one gap converted a well-handled incident into a compliance breach.

Logs: the 180-day obligation that trips up cloud tenants

The Direction requires you to enable logs of all your ICT systems and maintain them securely for a rolling period of 180 days, within Indian jurisdiction. When CERT-In asks — during an incident or an order — you must produce them. Simple to state, genuinely hard to satisfy when your estate is a sprawl of SaaS, managed services and multi-region cloud.

Three failure modes we see repeatedly:

Failure modeWhat goes wrongThe fix
Default retention too shortCloud log services default to 7-30 day retention; nothing is kept 180 daysExplicitly set retention to 180+ days and budget the storage
Logs stored outside IndiaCentralised SIEM or log bucket sits in a US or EU regionKeep a producible copy within Indian jurisdiction
No time syncLogs across systems have skewed timestamps; a forensic timeline is impossibleSync all systems to NIC/NPL NTP servers as the Directions mandate

That last point is under-appreciated. The Directions specifically require connection to the Network Time Protocol (NTP) servers of the National Informatics Centre or the National Physical Laboratory, or servers traceable to them. The reason is not bureaucratic — when CERT-In correlates your logs against a national picture of an attack campaign, mismatched clocks make your evidence useless. We have seen a forensic reconstruction collapse because the firewall was fourteen minutes off the application servers.

CERT-In empanelled audit versus a general security audit

Here is a distinction that costs organisations real money when they get it wrong. A CERT-In empanelled audit is not the same as any competent penetration test or ISO gap assessment. CERT-In maintains a panel of empanelled security auditing organisations, and certain obligations — for Government projects, regulated sector mandates, or post-incident directions — must be conducted by a firm on that panel. If your compliance requirement specifies CERT-In empanelled, an audit from a non-empanelled firm, however good, does not satisfy it.

AspectGeneral security auditCERT-In empanelled audit
Auditor statusAny qualified firmMust be on CERT-In empanelled list
Accepted for Govt/regulated mandatesOften notYes, where empanelment is specified
Scope referenceClient-definedAligned to CERT-In and sectoral requirements
Report acceptanceVaries by recipientRecognised for CERT-In-linked obligations
Typical cost range (India)Rs 50,000 to Rs 3 lakh for a mid appRs 1.5 lakh to Rs 8 lakh depending on scope and criticality

The cost figures move with scope — a single web application is at the low end, a full network plus multiple applications plus a source-code review sits at the high end, and repeat cycles are cheaper once the baseline exists. Do not choose on price alone. The value is in whether the report is accepted by the party demanding it.

How CERT-In fits with everything else you must do

CERT-In does not live in isolation. It sits alongside a stack of Indian obligations, and treating them as separate projects wastes budget. The overlaps are substantial and you should exploit them.

RegimeCore obligationOverlap with CERT-In
CERT-In Directions 20226-hour reporting, 180-day logs, NTP syncBaseline for all
DPDP Act 2023Notify Data Protection Board and affected persons of personal data breachA data breach is reportable to both; align the runbook
RBI directionsReport cyber incidents to RBI within 2-6 hours for regulated entitiesDual reporting; RBI window can be tighter
SEBI CSCRFReporting and audit for market intermediariesEmpanelled audit and incident reporting overlap
ISO 27001Information security management systemLog and incident controls feed CERT-In readiness

The practical takeaway: one incident can trigger three separate regulatory clocks. A payments company suffering a breach of cardholder and personal data may owe reports to CERT-In within six hours, to RBI within its window, and to the Data Protection Board under DPDP — plus PCI DSS obligations to card schemes. If your runbook has one destination, you have already failed two regulators. Build a single detection trigger that fans out to every obligation.

Five gaps that fail a CERT-In readiness review

When we assess CERT-In readiness, the same five gaps recur. None is technically hard. All are organisational.

  • No named CERT-In liaison with standing authority to file the preliminary report without escalation
  • Log retention left at cloud defaults, so nothing survives 180 days and nothing is producible within Indian jurisdiction
  • Clocks not synced to NIC or NPL NTP servers, making any forensic timeline unreliable
  • The reportable-incident list not embedded in the SOC playbook, so analysts debate reportability during a live event
  • No rehearsed six-hour drill, so the first time anyone tries to meet the window is during a real breach

Your fix-it checklist before the next incident

Do these now, while things are calm. Every item removes minutes from your response time or removes an audit finding.

  • Appoint a named CERT-In point of contact and a documented backup, both pre-authorised to file the preliminary report
  • Pre-fill the CERT-In Incident Reporting Form template with your organisation details so only incident facts need adding under pressure
  • Set log retention to at least 180 days across every ICT system and confirm a producible copy sits within Indian jurisdiction
  • Point every system clock at time.nplindia.org or an NIC-traceable NTP server and monitor for drift
  • Embed the full reportable-incident list into your SOC and helpdesk playbooks so reportability is a lookup, not a debate
  • Map each incident type to every regulator it triggers — CERT-In, DPDP, RBI, SEBI, PCI as applicable — in one fan-out sheet
  • Run a tabletop drill against the six-hour window at least twice a year and time yourself honestly
  • If a mandate requires it, engage a CERT-In empanelled auditor and schedule the cycle before, not after, the deadline

The clock is the whole point

Come back to where we started. The six-hour window is not a paperwork nuisance — it is a test of whether your organisation can act under uncertainty. The technical controls matter, but the failures we see are almost always human and organisational: an unauthorised analyst, a default log setting, a runbook that routes a regulatory decision into a committee. Fix those and CERT-In compliance stops being a scramble and becomes muscle memory.

If you would rather pressure-test your readiness with people who have sat on both sides of the table, CyberSigma is a CERT-In empanelled auditor. We run the tabletop, close the gaps, and conduct the audit hands-on — quietly, without the theatre.

FAQs

Does the CERT-In 6-hour rule apply to my small company?

Yes. The 2022 Directions have no revenue, headcount or sectoral floor for incident reporting. If you operate a website, app, network or cloud tenancy in India as a body corporate, service provider or intermediary, you must report the listed cyber incidents within six hours of noticing them.

What is the penalty for not reporting to CERT-In?

The Directions are issued under Section 70B(6) of the IT Act 2000. Non-compliance can attract imprisonment for up to one year, a fine of up to one lakh rupees, or both, under Section 70B(7). Beyond the legal penalty, non-reporting typically compounds regulatory and reputational damage during an incident.

How exactly do I report an incident to CERT-In?

Use the CERT-In Incident Reporting Form and send it by email to incident@cert-in.org.in, via the online reporting portal, by the published helpline, or by fax. For a live incident, file a preliminary report with what you know, mark it as under investigation, and update as facts firm up. Do not wait for a complete forensic picture.

How long must I keep logs, and where?

You must enable and securely retain logs of all ICT systems for a rolling 180 days, and they must be maintained within Indian jurisdiction so they can be produced to CERT-In on request. Cloud log defaults are usually far shorter than 180 days, so retention must be set explicitly.

Is a CERT-In empanelled audit different from a normal penetration test?

Yes. A CERT-In empanelled audit must be carried out by a firm on CERT-In's empanelled list. Where a Government project, regulated mandate or post-incident direction specifies empanelment, a report from a non-empanelled firm — however technically strong — will not satisfy the requirement.

One incident, several regulators — how do I handle that?

A single breach can start multiple clocks. A personal-data breach is reportable to CERT-In within six hours and to the Data Protection Board under the DPDP Act; a regulated entity may also owe RBI or SEBI within their windows, plus card-scheme obligations under PCI DSS. Build one detection trigger that fans out to every obligation rather than a runbook with a single destination.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with RBI/SEBI cyber audits, VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205