Issued under the Information Technology Act, the CERT-In Directions of April 2022 set out cybersecurity obligations that apply broadly across organisations operating in India — including service providers, intermediaries, data centres, body corporates, and cloud and VPN providers. For many Indian organisations, these directions are the most immediate and operationally demanding cybersecurity requirement they face.
At the heart of the directions are strict timelines and record-keeping duties that demand real operational capability, not just paperwork. Preparing for CERT-In compliance means being able to detect incidents fast, report them within six hours, retain logs for 180 days within India, and cooperate with the national CERT. This guide breaks down the key requirements and how to meet them.
The most well-known and challenging requirement is that specified categories of cyber incidents must be reported to CERT-In within six hours of being noticed or brought to the organisation’s attention. The clock is tied to awareness, not to completing a full investigation, which means organisations must be able to recognise and report incidents quickly even before they fully understand them.
Reportable incidents include a wide range of events such as unauthorised access, data breaches, malware and ransomware attacks, denial-of-service attacks, and attacks on critical systems. Meeting the six-hour window requires monitoring, clear escalation paths, and a ready reporting process — improvising after an incident is not an option.
The directions require organisations to enable and securely maintain logs of all their ICT systems for a rolling period of 180 days, and to store these logs within India. When an incident is reported, or when CERT-In requests them, these logs must be made available.
This obligation has real architectural implications: organisations must ensure comprehensive logging is switched on across systems, that logs are retained for the full period, and that storage location requirements are met. Logs are also essential for investigating incidents and demonstrating compliance.
The directions apply broadly, and several additional obligations accompany the headline rules. Organisations within scope should be aware of the full set of expectations:
1. Broad applicability to service providers, intermediaries, data centres, and body corporates.
2. Time synchronisation of system clocks to a recognised standard for accurate logs.
3. Designated point of contact with CERT-In for incident reporting.
4. Additional duties for data centres, cloud, and VPN providers, including specified record-keeping.
5. Cooperation with CERT-In, including providing information when directed.
Meeting CERT-In requirements is fundamentally about operational readiness. Organisations need monitoring and detection that can identify reportable incidents quickly, an incident response plan with the six-hour reporting step built in, comprehensive logging configured and retained correctly, and a designated contact who knows how to file with CERT-In.
Because the timelines are tight, rehearsal matters. Tabletop exercises that simulate an incident and walk through detection, decision-making, and reporting within six hours reveal whether the capability actually works under pressure — and surface gaps while they are cheap to fix.
Beyond the directions, many Indian regulatory and tender requirements call for security audits conducted by CERT-In empanelled auditors. Engaging an empanelled auditor provides recognised assurance that your systems have been assessed to the expected standard, which is frequently required across BFSI, government, and other sectors.
Working with an empanelled partner also helps you interpret and operationalise CERT-In obligations correctly, closing gaps in logging, monitoring, and incident response before they become compliance failures or, worse, the reason an incident goes unreported.
The CERT-In Directions impose demanding, operationally real obligations: six-hour incident reporting, 180-day log retention within India, and broad cooperation with the national CERT. Meeting them requires genuine capability in detection, logging, and incident response, not just documentation.
Because the timelines are tight, rehearsal and preparation are essential. Working with a CERT-In empanelled partner helps you operationalise these obligations correctly and close gaps before an incident, or a regulator, exposes them.
CERT-In requires entities to report specified categories of cyber incidents within six hours of noticing them or being made aware. Reportable incidents include unauthorised access, data breaches, malware, ransomware, and denial-of-service attacks. The clock is tied to awareness, so fast detection and escalation are essential to comply.
Entities must enable and securely maintain logs of all their ICT systems for a rolling 180-day period, and store these logs within India. The logs must be provided to CERT-In when an incident is reported or when specifically requested, making comprehensive logging a core requirement.
The directions apply broadly to service providers, intermediaries, data centres, body corporates, government organisations, and cloud and VPN providers, whether domestic or international, if they serve Indian users. Certain provider categories, such as data centres and VPN services, carry additional record-keeping obligations.
Shieldbyte Infosec is a CERT-In empanelled security auditor that helps Indian organisations achieve and maintain CERT-In compliance. We assess your logging, monitoring, and incident-response readiness against the directions, remediate gaps, and help you build the capability to report within six hours and retain logs as required.
From security audits and VAPT to incident-response planning and tabletop exercises, we ensure you are genuinely prepared to meet CERT-In obligations — not just on paper, but in practice.
Connect with our Experts
Get tailored guidance and solutions aligned with your business needs.