Policy Briefing — India CERT-In Incident Reporting Directions

Executive briefing: On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) released Directions relating to information security practices, procedure, prevention, response, and reporting of cyber incidents. The mandate compels service providers, intermediaries, data centers, and enterprises to report specified incidents within six hours, retain logs for 180 days, and synchronize system clocks with national time sources.

Immediate compliance priorities

• Incident reporting playbooks. Update response plans to capture the six-hour notification window and required data elements for CERT-In filings.
• Logging architecture. Ensure security logs across key systems are stored for at least 180 days within India and can be furnished upon request.
• Vendor coordination. Confirm cloud, VPN, and virtual asset service providers supplying Indian customers can comply with subscriber data retention and verification mandates.

Control alignment

• Time synchronization. Configure systems to align with National Informatics Centre or National Physical Laboratory time servers as required.
• Access governance. Harden identity and access controls to support rapid incident triage and evidence preservation.
• Regulatory liaison. Establish escalation paths for responding to CERT-In information requests and onsite inspections.

Enablement moves

• Provide targeted awareness training for SOC, legal, and product teams handling Indian users.
• Review contractual commitments to reflect CERT-In obligations for managed service and infrastructure partners.
• Track follow-on FAQs and compliance clarifications issued by the Ministry of Electronics and IT.

Sources

• CERT-In: Directions under Section 70B(6) of the IT Act
• Press Information Bureau: Government outlines CERT-In compliance requirements

Zeph Tech helps organizations serving India adapt to CERT-In's accelerated reporting timelines and logging mandates.