
Policy Briefing — India CERT-In Incident Reporting Directions

India’s April 28, 2022 CERT-In cybersecurity directions impose six-hour incident reporting, log retention, and KYC checks, forcing companies operating in India to revamp security operations, governance, and vendor oversight.


Executive briefing: On April 28, 2022, India’s Computer Emergency Response Team (CERT-In) issued Directions under sub-section (6) of Section 70B of the Information Technology Act, 2000, effective June 27, 2022. The directions require service providers, intermediaries, data centres, body corporates, and government organizations to report specified cyber incidents within six hours, retain system logs for 180 days, synchronize system clocks with designated Network Time Protocol (NTP) servers, and perform know-your-customer (KYC) checks for certain services. Cloud service providers (CSPs), virtual private server (VPS) providers, VPN providers, and cryptocurrency exchanges face additional record-keeping obligations. The directions apply to entities that serve users in India whether or not they are based there, so organizations operating in or serving India must overhaul incident response, governance, and vendor management to comply.

Scope and key obligations

The directions enumerate twenty categories of reportable incident, including targeted scanning of critical networks, unauthorized access, data breaches and leaks, ransomware and other malicious code, denial-of-service attacks, website defacement, identity theft and phishing, attacks on cloud, IoT and ICS/SCADA systems, and supply chain compromises. Covered entities must report such incidents to CERT-In within six hours of noticing them or being brought to notice, in the prescribed format, by email or phone. Logs of all ICT systems must be maintained securely within Indian jurisdiction for a rolling period of at least 180 days and provided to CERT-In on request or together with an incident report. Entities must synchronize all ICT system clocks with the NTP servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with servers traceable to them; entities whose infrastructure spans multiple geographies may use other accurate time sources, provided those sources do not deviate from NIC/NPL time.

Data centres and providers of VPS, cloud and VPN services must register subscribers and keep their information for five years or longer after cancellation or withdrawal of the registration: validated names, period of hire, IP addresses allotted to and used by the subscriber, the email address, IP address and timestamp used at registration, the purpose of hire, validated address and contact numbers, and the subscriber’s ownership pattern. Virtual asset service providers, virtual asset exchanges and custodian wallet providers must keep know-your-customer (KYC) details and records of financial transactions for five years. Every covered entity must designate a point of contact and must act on CERT-In’s orders during incident handling, including providing information or, where directed, real-time access to systems.

Operational priorities

Update incident response plans to meet the six-hour reporting window. Establish 24/7 security operations center (SOC) coverage, escalation matrices, and communication protocols. Implement playbooks that define reportable incident categories, required data fields, and approval workflows. Conduct dry runs simulating ransomware, cloud compromise, or insider threats impacting Indian operations to ensure reporting readiness.

Enhance log management and retention capabilities. Identify systems within scope—on-premises, cloud, OT—and ensure their logs are stored within India or mirrored to Indian data centres. Deploy centralized log management with a retention policy of at least 180 days, tamper-evident storage, and tightly controlled access. Document the process for sharing logs with CERT-In, including secure transfer methods, chain-of-custody records, and any redaction of data outside the scope of a request where that does not impede the investigation.

Ensure time synchronization across infrastructure. Point every in-scope host at the NIC or NPL NTP servers (or servers traceable to them), verify synchronization continuously rather than only at deployment, and treat an unsynchronized host as a finding, since its timestamps cannot be correlated with other evidence in an incident report. Document exceptions (e.g., air-gapped OT environments) and implement compensating controls such as a local stratum server disciplined from an approved source.
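One way to run the continuous check described above, as an added example that is not part of the briefing: the script below parses the text that chrony’s `chronyc tracking` prints on each host and flags hosts that are not synchronized, that follow a reference server outside an approved set, or whose clock offset exceeds an internal tolerance. The approved hostnames (`ntp-nic.example.in`, `ntp-npl.example.in`) and the 0.5-second tolerance are assumptions for illustration, not values from the directions, and the three sample outputs are constructed rather than captured from real hosts.

```python
"""Audit hosts' NTP state against the CERT-In time-synchronization direction.

Added example (not part of the briefing). Parses `chronyc tracking` output
per host and reports non-compliant hosts plus an overall compliance rate.
"""
import re

# Assumed: stand-ins for the NIC/NPL servers (or servers traceable to them)
# that the organization has approved. Replace with the real hostnames.
APPROVED_REFERENCES = {"ntp-nic.example.in", "ntp-npl.example.in"}

# Assumed internal tolerance; the directions require synchronization but
# do not set a numeric offset limit.
MAX_OFFSET_SECONDS = 0.5


def parse_tracking(text: str) -> dict:
    """Turn the `Key : value` lines of `chronyc tracking` into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # values such as times keep their own colons
        fields[key.strip()] = value.strip()
    return fields


def check_host(hostname: str, tracking_text: str) -> dict:
    """Evaluate one host: reference server, signed offset, and any problems."""
    f = parse_tracking(tracking_text)
    problems = []

    # chrony prints "Not synchronised" when it has no usable source; the
    # Reference ID is then 00000000 with an empty name.
    if f.get("Leap status", "") == "Not synchronised":
        problems.append("not synchronised")

    m = re.search(r"\(([^)]*)\)", f.get("Reference ID", ""))
    ref_name = m.group(1) if m else ""
    if ref_name not in APPROVED_REFERENCES:
        problems.append(f"reference '{ref_name or 'none'}' not approved")

    # "System time : 0.000215 seconds fast of NTP time" -> +0.000215
    m = re.match(r"([\d.]+) seconds (fast|slow)", f.get("System time", ""))
    offset = None
    if m:
        offset = float(m.group(1)) * (1 if m.group(2) == "fast" else -1)
        if abs(offset) > MAX_OFFSET_SECONDS:
            problems.append(f"offset {offset:+.3f}s exceeds {MAX_OFFSET_SECONDS}s")
    else:
        problems.append("offset unreadable")

    stratum = f.get("Stratum", "")
    return {"host": hostname, "reference": ref_name,
            "stratum": int(stratum) if stratum.isdigit() else None,
            "offset": offset, "compliant": not problems, "problems": problems}


def compliance_rate(results: list) -> float:
    """Percentage of hosts that passed, a KRI worth reporting to leadership."""
    return round(100.0 * sum(r["compliant"] for r in results) / len(results), 1)


# Constructed `chronyc tracking` excerpts for three hosts (chrony's format,
# invented values; lines the check does not use are omitted).
SAMPLES = {
    "app-01.blr": """
Reference ID    : 0A0A0A01 (ntp-nic.example.in)
Stratum         : 2
Ref time (UTC)  : Mon Jul 01 06:00:00 2024
System time     : 0.000215 seconds fast of NTP time
Leap status     : Normal
""",
    "db-02.blr": """
Reference ID    : C0A80101 (pool.example.org)
Stratum         : 3
Ref time (UTC)  : Mon Jul 01 06:00:00 2024
System time     : 2.300000 seconds slow of NTP time
Leap status     : Normal
""",
    "hmi-07.plant": """
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000 seconds fast of NTP time
Leap status     : Not synchronised
""",
}


def audit_all() -> list:
    """Check every sampled host, in the order listed."""
    return [check_host(h, t) for h, t in SAMPLES.items()]


if __name__ == "__main__":
    results = audit_all()
    for r in results:
        status = "OK  " if r["compliant"] else "FAIL"
        print(f"{status} {r['host']:14} ref={r['reference'] or '-':22} {'; '.join(r['problems'])}")
    print(f"synchronized to approved servers: {compliance_rate(results)}%")
```

In a fleet, the `SAMPLES` dictionary would be filled from the output collected by the configuration-management or monitoring agent on each host; the offset tolerance should be set well below the timestamp precision the SOC relies on for correlating events across systems.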

Review customer onboarding processes for VPN, VPS, cloud hosting, and cryptocurrency services. Implement KYC procedures aligned with Indian regulations, capturing valid identification, contact information, and service usage justification. Update privacy notices and consent forms to explain data retention requirements. For global providers, segregate Indian customer data to comply with retention and access mandates.

Governance and compliance management

Establish governance structures to oversee CERT-In compliance. Assign accountability to the CISO or regional compliance officer, with regular reporting to senior management and boards. Integrate the requirements into enterprise risk management frameworks, highlighting the penalties for non-compliance: under Section 70B(7) of the IT Act, failure to comply with CERT-In’s directions is punishable with imprisonment of up to one year, a fine of up to one lakh rupees, or both.

Update policies covering incident response, logging, data retention, and customer onboarding. Align them with other Indian regulations, such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, the Digital Personal Data Protection Bill (since enacted as the Digital Personal Data Protection Act, 2023), and sector-specific requirements (RBI, IRDAI, SEBI). Document standard operating procedures (SOPs) and maintain evidence for audits.

Coordinate with legal teams to monitor interpretations and clarifications from the Ministry of Electronics and Information Technology (MeitY). CERT-In published FAQs in May 2022, and MeitY extended the effective date to September 25, 2022 for MSMEs and for the subscriber-record obligations of VPS, cloud, VPN and data centre providers; track such updates to adjust compliance timelines. Engage industry associations (NASSCOM, DSCI) to stay informed about advocacy efforts and clarifications.

Sourcing and third-party risk

Assess vendors providing SOC services, logging infrastructure, VPN solutions, and cloud hosting. Ensure contracts oblige them to meet CERT-In requirements, to notify incidents within an SLA well inside six hours (time a vendor spends before notifying the organization consumes the organization’s own reporting window), and to support log retention within India. Review data processing agreements to confirm vendors can produce subscriber information and logs on request.

For multinational companies relying on global SIEM platforms or outsourced SOCs, evaluate whether service providers can store logs in India and meet time synchronization requirements. Consider hybrid architectures where local log collectors feed both global and India-based storage to maintain compliance without disrupting analytics.

Cryptocurrency exchanges and virtual asset service providers must validate that KYC vendors support Indian identification standards (Aadhaar, PAN) and maintain data retention for five years. Implement periodic vendor audits covering data security, access controls, and regulatory readiness.

Security architecture and technology

Deploy technologies that enhance detection and reporting. Implement endpoint detection and response (EDR), intrusion detection systems (IDS), and anomaly detection tailored to Indian environments. Use automation (SOAR) to triage incidents rapidly and gather required reporting data. Integrate ticketing systems with reporting templates to accelerate submissions to CERT-In.

Ensure cloud architectures support log retention and access. Configure cloud provider services (AWS CloudTrail, Azure Monitor, Google Cloud Logging) to store logs in India regions (for example AWS ap-south-1 or ap-south-2, Azure Central India or South India, Google Cloud asia-south1 or asia-south2), and turn on the providers’ integrity and retention controls, such as CloudTrail log file validation and S3 Object Lock or a locked bucket retention policy, so that logs cannot be silently altered or expired early. Implement backup strategies and data lifecycle management to prevent log loss. For OT environments, deploy secure gateways that forward logs to compliant repositories without compromising safety.
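The residency, integrity and retention settings above can be audited from the API responses rather than from a console screenshot. The check below is an added example, not code from the briefing or from AWS: it evaluates a CloudTrail trail and the lifecycle rules of its S3 bucket against India residency and a 180-day minimum. The input dictionaries mirror the shapes boto3 returns from `cloudtrail.describe_trails()["trailList"]`, `s3.get_bucket_location()["LocationConstraint"]` and `s3.get_bucket_lifecycle_configuration()`; the trail and bucket names and all sample values are constructed.

```python
"""Check a CloudTrail trail and its S3 bucket against the in-India,
180-day log retention obligations.

Added example (not from the briefing or AWS). Inputs mirror boto3's
describe_trails / get_bucket_location / get_bucket_lifecycle_configuration
shapes; the sample values below are constructed.
"""
from typing import Optional

INDIA_REGIONS = {"ap-south-1", "ap-south-2"}  # AWS Mumbai and Hyderabad
MIN_RETENTION_DAYS = 180


def shortest_expiration(lifecycle: dict) -> Optional[int]:
    """Smallest current-object expiration (days) among enabled rules, or None.

    Transitions to colder storage classes keep the object, so only
    Expiration counts. A prefix-filtered rule may still cover the trail's
    keys, so every enabled rule is considered (conservative).
    """
    days = [
        rule["Expiration"]["Days"]
        for rule in lifecycle.get("Rules", [])
        if rule.get("Status") == "Enabled" and "Days" in rule.get("Expiration", {})
    ]
    return min(days) if days else None


def audit_trail(trail: dict, bucket_region: Optional[str], lifecycle: dict) -> dict:
    """Return findings for one trail; an empty list means compliant."""
    findings = []
    home = trail.get("HomeRegion")
    if home not in INDIA_REGIONS:
        findings.append(f"trail home region {home} outside India")
    # get_bucket_location reports None for us-east-1, so map None to it.
    region = bucket_region or "us-east-1"
    if region not in INDIA_REGIONS:
        findings.append(f"log bucket in {region}, outside India")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled (no integrity digests)")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail; activity in other regions is not recorded")
    retention = shortest_expiration(lifecycle)
    if retention is not None and retention < MIN_RETENTION_DAYS:
        findings.append(f"lifecycle expires logs after {retention} days, below {MIN_RETENTION_DAYS}")
    return {
        "trail": trail.get("Name"),
        "retention_days": retention,  # None = no expiration rule, kept indefinitely
        "compliant": not findings,
        "findings": findings,
    }


# Constructed inputs: one trail set up for India residency, one that is not.
GOOD_TRAIL = {
    "Name": "india-audit",                 # assumed name
    "HomeRegion": "ap-south-1",
    "S3BucketName": "example-india-logs",  # assumed name
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
}
GOOD_LIFECYCLE = {"Rules": [{
    "ID": "cold-then-delete", "Status": "Enabled", "Filter": {"Prefix": ""},
    "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
    "Expiration": {"Days": 400},
}]}

BAD_TRAIL = {
    "Name": "legacy-trail",                # assumed name
    "HomeRegion": "us-east-1",
    "S3BucketName": "example-global-logs", # assumed name
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": False,
}
BAD_LIFECYCLE = {"Rules": [{
    "ID": "cleanup", "Status": "Enabled", "Filter": {"Prefix": "AWSLogs/"},
    "Expiration": {"Days": 90},
}]}


def audit_samples() -> tuple:
    """Audit both constructed trails; bucket region None models us-east-1."""
    return (audit_trail(GOOD_TRAIL, "ap-south-1", GOOD_LIFECYCLE),
            audit_trail(BAD_TRAIL, None, BAD_LIFECYCLE))


if __name__ == "__main__":
    for result in audit_samples():
        print(result["trail"], "OK" if result["compliant"] else "FAIL")
        for finding in result["findings"]:
            print("  -", finding)
```

The same structure carries over to the other providers: substitute the region list, the log sink’s location, and the retention-lock setting the provider exposes. Run the check on a schedule and feed its pass rate into the log retention coverage metric discussed under risk management.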

Review access controls and encryption. Limit privileged access to log repositories, enforce MFA, and monitor access logs. Encrypt logs at rest and in transit to protect sensitive information while maintaining availability for CERT-In requests.

Risk management and reporting

Add CERT-In compliance to risk registers. Define key risk indicators such as incident reporting timeliness, percentage of systems synchronized to approved NTP servers, log retention coverage, and KYC completion rates. Report metrics to executive leadership and boards, highlighting remediation plans for gaps.

Internal audit should schedule reviews of incident response, log management, and customer onboarding processes. Evaluate evidence of six-hour reporting drills, log storage configurations, and vendor compliance. Document findings and track remediation to closure.

Engage with regulators proactively. Establish communication channels with CERT-In, participate in workshops, and seek clarification when needed. Maintain records of correspondence, incident reports, and compliance attestations.

International coordination

Multinational companies must align global policies with Indian requirements. Determine how CERT-In directions interact with GDPR, HIPAA, or other data protection laws. Establish data segregation and access controls to prevent conflicts, especially when sharing logs containing personal data. Coordinate with global incident response teams to ensure consistent messaging and compliance with multiple jurisdictions.

Evaluate the impact on business continuity and customer experience. Increased KYC requirements may affect onboarding times—communicate changes to customers and provide support channels. For VPN providers, consider how data retention affects privacy promises and adjust marketing materials accordingly.

By implementing comprehensive governance, technology, and vendor strategies, organizations can comply with CERT-In’s 2022 directions while improving cyber resilience. Early investment in automation, training, and stakeholder engagement will reduce regulatory risk and strengthen trust with Indian authorities and customers.
