Compliance Briefing — April 28, 2022

CERT-In’s April 2022 directions impose six-hour incident reporting, India-based log retention, and expanded subscriber identification duties that organisations must operationalise through updated playbooks, governance, and supplier controls by the June go-live date.

Executive briefing: India’s Computer Emergency Response Team (CERT-In) issued binding directions on 28 April 2022 under section 70B(6) of the Information Technology Act, mandating six-hour reporting of enumerated cybersecurity incidents, retention of logs within India for 180 days, and expanded know-your-customer (KYC) obligations on data centres, virtual private network (VPN) providers, cloud services, and cryptocurrency exchanges. The Ministry of Electronics and Information Technology set a 60-day compliance runway, making 27 June 2022 the practical go-live date; subsequent FAQs in May and June clarified reporting formats, exemptions for certain business-to-business VPNs, and data retention scopes.

Operational priorities

Enterprise responders must first map CERT-In's incident taxonomy, which includes unauthorised access, targeted scanning, malware attacks, identity theft, data breaches, denial-of-service, and infrastructure disruptions, against existing severity matrices, so that an alert's category alone tells the analyst whether the reporting clock has started. Many Indian subsidiaries rely on global security operations centres (SOCs); playbooks should name India-based accountable leads who can submit the report in CERT-In's prescribed format within six hours of the organisation noticing the incident or being notified of it, whichever comes first. For multinational VPN, cloud, and crypto service providers, Indian customer onboarding, network logging, and identity verification workflows must be reconciled with global privacy and consent regimes, so that data-minimisation commitments made elsewhere do not conflict with Indian retention duties.

Log retention demands dedicated engineering effort. CERT-In expects logs of all ICT systems to be maintained within India, in a secure, tamper-evident repository, for a rolling period of at least 180 days; the figure is a floor, not a cap. Companies should review their security information and event management (SIEM) retention tiers, confirm that logs from firewalls, intrusion detection systems, authentication services, and application gateways are replicated to India-based storage, and automate the retention policy so that nothing inside the window can be deleted early, whether by a misconfigured lifecycle rule or by an intruder covering tracks. Where global retention exceeds 180 days, organisations should document the rationale, such as sectoral regulators (RBI, SEBI, IRDAI) requiring longer spans, and keep their records of processing activities consistent with it ahead of India's forthcoming personal data protection law.
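Two of those controls, a tamper-evident archive record and a check that the rolling window is fully covered by India-held copies, can be scripted directly. The Python below is an added example written for this briefing; it is not CERT-In's tooling nor code from any vendor, and its source names, region labels and log lines are constructed. It hash-chains a manifest of daily log batches, so a deleted, reordered or rewritten batch shows up on verification, and reports any day in the 180-day window for which a source has no copy in an India region:

```python
"""Hash-chained log archive manifest with a 180-day coverage check.

Added example, not from the briefing or from CERT-In. Source names, region
labels and log lines are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_DAYS = 180                          # CERT-In minimum; a floor, not a cap
INDIA_REGIONS = {"ap-south-1", "ap-south-2"}  # example labels for India-located storage
GENESIS = "0" * 64                            # chain anchor for the first entry


@dataclass(frozen=True)
class Batch:
    source: str     # log source, e.g. a firewall or SSO service
    day: date       # calendar day the batch covers
    region: str     # where the archived copy is stored
    payload: bytes  # raw log bytes for that day


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(batches: list[Batch]) -> list[dict]:
    """Record each batch in day order; every entry commits to the previous one,
    so deleting or reordering an entry later breaks the chain."""
    manifest, prev = [], GENESIS
    for b in sorted(batches, key=lambda x: (x.day, x.source)):
        entry = {"source": b.source, "day": b.day.isoformat(), "region": b.region,
                 "sha256": sha256(b.payload), "prev": prev}
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        manifest.append(entry)
        prev = entry["entry_hash"]
    return manifest


def verify_manifest(manifest: list[dict], store: dict[tuple[str, str], bytes]) -> list[str]:
    """Re-walk the chain and re-hash every stored batch; an empty list means intact."""
    problems, prev = [], GENESIS
    for i, e in enumerate(manifest):
        if e["prev"] != prev:
            problems.append(f"entry {i}: chain break (entry removed or reordered)")
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            problems.append(f"entry {i}: manifest entry edited")
        data = store.get((e["source"], e["day"]))
        if data is None:
            problems.append(f"entry {i}: batch missing from storage")
        elif sha256(data) != e["sha256"]:
            problems.append(f"entry {i}: batch content altered")
        prev = e["entry_hash"]
    return problems


def retention_gaps(manifest: list[dict], sources: list[str], today: date) -> dict[str, list[str]]:
    """Days inside the rolling window with no India-held batch, per source.
    A copy stored outside India does not count towards the obligation."""
    covered = {(e["source"], e["day"]) for e in manifest if e["region"] in INDIA_REGIONS}
    window = [(today - timedelta(days=i)).isoformat() for i in range(RETENTION_DAYS)]
    gaps = {}
    for src in sources:
        missing = sorted(d for d in window if (src, d) not in covered)
        if missing:
            gaps[src] = missing
    return gaps


def constructed_batches(today: date) -> list[Batch]:
    """Constructed sample: full firewall coverage; the SSO source is missing one
    day entirely and has another day replicated only to a non-India region."""
    batches = []
    for offset in range(RETENTION_DAYS):
        day = today - timedelta(days=offset)
        batches.append(Batch("fw-mumbai-edge", day, "ap-south-1", f"{day} fw deny 203.0.113.7\n".encode()))
        if offset == 30:
            continue                              # replication job failed that day
        region = "eu-west-1" if offset == 5 else "ap-south-1"
        batches.append(Batch("auth-sso", day, region, f"{day} sso login ok user=a.k\n".encode()))
    return batches


def audit(today_iso: str, tamper: str = "") -> tuple[list[str], dict[str, list[str]]]:
    """Build the archive, optionally tamper with it ("rewrite" or "delete"), then verify."""
    today = date.fromisoformat(today_iso)
    batches = constructed_batches(today)
    manifest = build_manifest(batches)
    store = {(b.source, b.day.isoformat()): b.payload for b in batches}
    if tamper == "rewrite":   # an insider overwrites one archived day in place
        store[("fw-mumbai-edge", today_iso)] = b"(scrubbed)\n"
    elif tamper == "delete":  # one day is removed from both storage and the manifest
        gone = manifest.pop(100)
        del store[(gone["source"], gone["day"])]
    return verify_manifest(manifest, store), retention_gaps(manifest, ["fw-mumbai-edge", "auth-sso"], today)


if __name__ == "__main__":
    print(audit("2022-06-27", tamper="rewrite"))
```

The chain only proves something if the latest entry hash is kept where the archive operator cannot rewrite it, for example copied each day to a separate account or a write-once bucket; otherwise whoever can edit the payloads can simply rebuild the manifest. In production the storage itself should be write-once for the window as well (object lock or WORM), with the verification run daily and its result filed as the log-integrity attestation the metrics section asks for.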

Customer identification requirements extend beyond consumer VPNs. Data centres, virtual private server, cloud, and VPN providers must register subscribers and keep validated information for at least five years after the service is cancelled or withdrawn: validated names, period of hire, IP addresses allotted or in use, the e-mail address with the IP address and timestamp used at registration, the purpose of hiring the service, validated addresses and contact numbers, and the ownership pattern of the subscriber. Virtual asset exchanges and custodian wallet providers must keep know-your-customer records and transaction histories for the same period, consistent with Prevention of Money Laundering Act guidelines. Firms should integrate these data points into customer relationship management systems, enforce retention policies, and implement access controls so that identity artefacts are available to CERT-In on demand without being exposed to anyone else.

Governance and accountability

Boards and risk committees should recognise that CERT-In's directions carry statutory compulsion: non-compliance can attract penalties under the IT Act, including fines and potential imprisonment for responsible officers. Senior leadership must designate a point of contact, often the Chief Information Security Officer, for all CERT-In correspondence, lodge the contact details with CERT-In and keep them current, and formally authorise deputies to submit reports in the organisation's name so that a single absence does not stall a six-hour filing. Governance charters should align CERT-In obligations with other frameworks, such as the Reserve Bank of India's cybersecurity directives for payment system operators, the Securities and Exchange Board of India's requirements for market intermediaries, and sectoral Computer Emergency Response Teams.

Audit committees should oversee readiness assessments covering people, process, and technology dimensions. Conduct tabletop exercises simulating a ransomware event affecting Indian infrastructure, verifying that detection, triage, legal review, and CERT-In notification steps fit within the six-hour window. Ensure that breach response plans incorporate bilingual communication templates and escalation to public relations teams when incidents trigger mandatory public disclosure under other statutes (for example, India’s Companies Act or SEBI’s listing obligations). Periodic internal audits should verify that log repositories meet integrity expectations, that access is monitored, and that customer data retention registers reflect ongoing obligations.

Sourcing and vendor management

Procurement teams must evaluate managed security service providers, cloud vendors, and VPN partners for CERT-In alignment. Contracts signed after April 2022 should reference the directions explicitly, obligating service providers to supply log data, incident notifications, and subscriber information to customers within contractual timelines that enable six-hour reporting. For legacy agreements, issue contract amendments or supplier notices making clear that outsourcing the operation of a system does not transfer the reporting obligation: the entity whose systems are affected must still report within six hours, so the provider has to surface incidents to it quickly enough to allow that. Multinationals should negotiate data processing addenda clarifying responsibilities for storing logs in India, verifying that storage regions satisfy the localisation requirement without undermining disaster recovery plans.

Vendor due diligence questionnaires ought to include specific controls: whether the provider can furnish raw network traffic logs, maintain audit trails for remote access, and authenticate subscribers using verifiable government-issued identity. Crypto exchanges should evidence adherence to Financial Intelligence Unit (FIU-IND) obligations, ensuring that KYC artefacts can be shared with CERT-In upon demand. Firms relying on anonymising VPN services for consumer privacy features need documented risk acceptances that explain how they reconcile service offerings with subscriber traceability mandates, or whether they will geofence Indian traffic into compliant infrastructure.

Sectoral considerations

Financial institutions already subject to Reserve Bank of India circulars may find overlapping requirements but must harmonise reporting channels: RBI and CERT-In both expect prompt notice of significant incidents. Banks should adopt a single incident intake process that categorises events by regulator, triggers consolidated reporting packs, and maintains evidence of submission timestamps. Telecommunications providers must align Department of Telecommunications licence conditions, such as lawful interception readiness, with CERT-In's log and KYC obligations. For critical infrastructure operators covered by the National Critical Information Infrastructure Protection Centre, confirm that the controls built around protected systems under section 70 of the IT Act also cover the broader set of reportable incidents introduced by the 2022 directions.

Information technology service companies hosting offshore delivery centres in India should train onsite response teams to differentiate between client-owned and provider-owned assets. Contracts with overseas customers may stipulate that the client retains incident reporting authority; however, CERT-In directions make the Indian service provider directly responsible for reporting incidents occurring on infrastructure they operate. Establish joint operating procedures with clients to avoid conflicting disclosures, especially when incidents are also notifiable to the client’s domestic regulator, such as the EU’s Network and Information Security Directive or the United States’ state-level breach notification laws.

Regulatory outlook

While CERT-In's FAQs softened certain edges, clarifying that enterprise VPNs used solely for internal corporate purposes are out of scope and that log retention can use cloud storage located within India, the government signalled that strict enforcement will begin after 27 June 2022. Industry bodies like NASSCOM and the Asia Internet Coalition continue to engage with MeitY seeking proportional implementation, particularly around data localisation and subscriber verification for enterprise SaaS providers. Organisations should monitor further clarifications, especially as India finalises its personal data protection bill and drafts a new national cybersecurity strategy, both of which could entrench or expand CERT-In's authority.

Implementation roadmap

In the immediate term (weeks one to six), compile an inventory of Indian infrastructure, assess current incident response flows, and initiate log replication to an India-based SIEM cluster or object storage bucket with retention automation. Update customer onboarding forms to capture required identity fields, and configure secure document vaults with encryption and access logging. Simultaneously, develop CERT-In submission templates, translating the specified incident categories into drop-down selections within the case management system to avoid delays.

Over the medium term (two to six months), establish a governance forum involving security, legal, privacy, and compliance leaders to review CERT-In submissions, root-cause analyses, and remediation status. Deploy automated detection rules that flag incidents matching CERT-In’s list, integrate with ticketing systems, and generate metrics on mean time to notify. Align training for customer support and sales engineering teams so that they can answer subscriber questions about data collection, particularly in light of India’s forthcoming data protection law and global regimes like the EU’s GDPR.

Longer term (six to twelve months), embed CERT-In considerations into technology roadmaps. Evaluate endpoint detection and response tooling that can export telemetry to India without breaching cross-border data transfer commitments. Consider establishing a dedicated India cyber fusion cell to coordinate with sectoral CERTs and intelligence-sharing groups. Maintain a regulatory watchlist tracking developments such as the draft Digital India Bill, amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, and cross-border data flow negotiations that could impact log localisation strategies.

Metrics and evidence

Key performance indicators should quantify compliance and resilience. Track the percentage of incidents reported within six hours, the completeness of log sources ingested into India-based repositories, and the proportion of subscriber records with verified identity attributes. Monitor outstanding CERT-In queries and response times, ensuring closure within stipulated deadlines. Maintain evidence folders containing submission receipts, log integrity attestations, and training rosters, ready for inspection by regulators or statutory auditors.
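The reporting clock and the two headline KPIs lend themselves to a small script that a SOAR or ticketing integration can call. The Python below is an added example, not CERT-In's or the briefing's own tooling; the alert type names and incidents are constructed. It applies the rule from the operational priorities section that the six-hour window opens at the earlier of the organisation's own detection and an external notice, renders the deadline in IST for the India-based lead, and rolls up the share of reportable incidents filed within six hours, the mean hours to notify, and which open incidents are already overdue:

```python
"""Six-hour reporting clock and notification KPIs.

Added example, not CERT-In's or the briefing's own tooling. Alert type names,
incidents and timestamps are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean

IST = timezone(timedelta(hours=5, minutes=30))
WINDOW = timedelta(hours=6)

# Hypothetical SOC alert types on the left; the CERT-In categories the briefing
# names on the right. CERT-In's own list is longer, so agree the full mapping
# with legal. Types absent from the map are triaged but not reported.
REPORTABLE = {
    "c2_beacon": "malware attack",
    "ransomware": "malware attack",
    "portscan_external": "targeted scanning",
    "creds_stuffing": "identity theft",
    "privesc_server": "unauthorised access",
    "exfil_confirmed": "data breach",
    "volumetric_ddos": "denial of service",
    "dc_power_loss": "infrastructure disruption",
}


@dataclass(frozen=True)
class Incident:
    ident: str
    alert_type: str
    detected_at: datetime | None = None  # first seen by own monitoring (UTC)
    notified_at: datetime | None = None  # told by a customer, vendor or CERT-In (UTC)
    reported_at: datetime | None = None  # submission to CERT-In (UTC)


def category(inc: Incident) -> str | None:
    return REPORTABLE.get(inc.alert_type)


def clock_start(inc: Incident) -> datetime:
    """The window opens at the earlier of own detection and external notice."""
    starts = [t for t in (inc.detected_at, inc.notified_at) if t is not None]
    if not starts:
        raise ValueError(f"{inc.ident}: neither detection nor notification time recorded")
    return min(starts)


def deadline(inc: Incident) -> datetime:
    return clock_start(inc) + WINDOW


def deadline_ist(inc: Incident) -> str:
    """Deadline as the India-based lead will read it."""
    return deadline(inc).astimezone(IST).strftime("%Y-%m-%d %H:%M IST")


def kpis(incidents: list[Incident], now: datetime) -> dict:
    """Roll-up for the metrics the briefing asks for, plus an overdue alarm list."""
    scope = [i for i in incidents if category(i)]
    reported = [i for i in scope if i.reported_at is not None]
    on_time = [i for i in reported if i.reported_at <= deadline(i)]
    hours = [(i.reported_at - clock_start(i)).total_seconds() / 3600 for i in reported]
    return {
        "reportable": len(scope),
        "reported": len(reported),
        "pct_within_6h": round(100 * len(on_time) / len(reported), 1) if reported else None,
        "mean_hours_to_notify": round(mean(hours), 2) if hours else None,
        "overdue_unreported": sorted(i.ident for i in scope if i.reported_at is None and now > deadline(i)),
        "due_soon": sorted(i.ident for i in scope if i.reported_at is None and now <= deadline(i)),
    }


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


SAMPLE = [  # constructed incidents; INC-103 was reported to us by a customer before our own sensors fired
    Incident("INC-101", "ransomware", detected_at=utc("2022-06-28T02:00"), reported_at=utc("2022-06-28T05:30")),
    Incident("INC-102", "exfil_confirmed", notified_at=utc("2022-06-28T10:00"), reported_at=utc("2022-06-28T17:00")),
    Incident("INC-103", "volumetric_ddos", detected_at=utc("2022-06-29T01:00"),
             notified_at=utc("2022-06-28T23:00"), reported_at=utc("2022-06-29T04:00")),
    Incident("INC-104", "portscan_external", detected_at=utc("2022-06-29T06:00")),
    Incident("INC-105", "usb_policy_violation", detected_at=utc("2022-06-29T07:00")),
    Incident("INC-106", "privesc_server", detected_at=utc("2022-06-29T11:00")),
]


def sample_kpis(now_iso: str = "2022-06-29T13:00") -> dict:
    return kpis(SAMPLE, utc(now_iso))


if __name__ == "__main__":
    for inc in SAMPLE:
        if category(inc):
            print(inc.ident, category(inc), "due", deadline_ist(inc))
    print(sample_kpis())
```

Run against the constructed set, INC-103's deadline is driven by the customer's notice, not by the later internal detection, INC-102 counts as late even though it was filed the same day, and INC-104 lands on the overdue list because its window closed an hour before the roll-up ran. Feeding the `overdue_unreported` and `due_soon` lists into the ticketing system's paging rules is the practical form of the automated detection rule the roadmap describes.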

By treating CERT-In’s 2022 directions as a catalyst for disciplined incident response, log governance, and customer transparency, organisations can improve cyber resilience while reducing enforcement risk. Leadership attention, targeted investment in logging and KYC infrastructure, and close coordination with suppliers will position Indian and multinational teams to meet the mandate confidently and sustainably.
