
Compliance — CERT-In directions

CERT-In’s April 2022 directions impose six-hour incident reporting, India-based log retention, and expanded subscriber identification duties that teams must operationalize through updated playbooks, governance, and supplier controls by the June go-live date.

Verified for technical accuracy — Kodi C.


India’s Computer Emergency Response Team (CERT-In) issued binding directions on 28 April 2022 under section 70B(6) of the Information Technology Act, mandating six-hour reporting of enumerated cybersecurity incidents, retention of logs within India for 180 days, and expanded know-your-customer (KYC) obligations on data centers, virtual private network (VPN) providers, cloud services, and cryptocurrency exchanges. The Ministry of Electronics and Information Technology set a 60-day compliance runway, making 27 June 2022 the practical go-live date; subsequent FAQs in May and June clarified reporting formats, exemptions for certain business-to-business VPNs, and data retention scopes.

What to prioritize

Enterprise responders must first map CERT-In’s incident taxonomy—including unauthorized access, targeted scanning, malware attacks, identity theft, data breaches, denial-of-service, and infrastructure disruptions—against existing severity matrices.

Many Indian subsidiaries rely on global security operation centers (SOCs); playbooks should specify India-based accountable leads capable of submitting Form I or the online incident report within six hours of detection or notification, whichever is earlier. For multinational VPN, cloud, and crypto service providers, aligning Indian customer onboarding, network logging, and customer identity verification workflows with global privacy and consent regimes is essential to avoid conflicting data minimization obligations.

Log retention demands warrant dedicated engineering effort. CERT-In expects maintenance of ICT system logs in India, in a secure, tamper-evident repository, for at least 180 days.

Companies should review their security information and event management (SIEM) retention tiers, confirm that logs from firewalls, intrusion detection systems, authentication services, and application gateways are replicated to India-based storage, and implement data destruction timers to purge records beyond the mandated window. Where global retention exceeds 180 days, teams can document the rationale—such as sectoral regulators (RBI, SEBI, IRDAI) requiring longer spans—and ensure consistency in their record-of-processing activities under India’s upcoming Digital Personal Data Protection Act.
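The retention controls described above (an India-based, tamper-evident repository, a 180-day floor, and destruction timers) can be exercised together in a small model. The following Python is an added example written for this briefing; it is not code from CERT-In or from any product the page mentions. It assumes a JSON-lines store protected by a SHA-256 hash chain, that entries are appended in chronological order, and that the retention window is measured from each record's own timestamp; the log lines and dates are constructed. The purge routine keeps the hash of the last expired record as a new anchor so that deleting old entries does not break integrity verification of the entries that remain.

```python
"""Tamper-evident log repository with a 180-day retention purge (added illustration).

Assumptions (not taken from the CERT-In text): records are JSON objects linked by a
SHA-256 hash chain, appends are chronological, and retention is measured from the
record timestamp. Sample log lines below are constructed for the demo.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180          # minimum retention period from the directions
GENESIS = "0" * 64            # anchor hash before the first record


def _chain_hash(prev_hash: str, record: dict) -> str:
    """Hash of the previous hash plus a canonical serialization of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class LogRepository:
    """Append-only store whose entries each commit to their predecessor."""

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.anchor = GENESIS     # hash the chain currently starts from

    def append(self, ts: datetime, source: str, message: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        record = {"ts": ts.isoformat(), "source": source, "message": message}
        digest = _chain_hash(prev, record)
        self.entries.append({**record, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute every hash from the anchor; any edit or reordering fails."""
        prev = self.anchor
        for e in self.entries:
            record = {k: e[k] for k in ("ts", "source", "message")}
            if e["prev"] != prev or _chain_hash(prev, record) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def purge_expired(self, now: datetime) -> int:
        """Destruction timer: drop the expired prefix, keeping chain continuity."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        removed = 0
        while self.entries and datetime.fromisoformat(self.entries[0]["ts"]) < cutoff:
            self.anchor = self.entries.pop(0)["hash"]   # last removed hash becomes anchor
            removed += 1
        return removed

    def attestation(self) -> dict:
        """Values an auditor can compare against a separately stored copy."""
        head = self.entries[-1]["hash"] if self.entries else self.anchor
        return {"anchor": self.anchor, "head": head, "count": len(self.entries)}


def demo() -> dict:
    """Constructed walk-through: verify, detect tampering, purge, verify again."""
    now = datetime(2022, 6, 27, tzinfo=timezone.utc)   # go-live date, used as 'today'
    repo = LogRepository()
    repo.append(now - timedelta(days=200), "fw-mumbai-01", "DENY tcp 203.0.113.5 -> 10.0.0.8:22")
    repo.append(now - timedelta(days=190), "idp", "login failure user=alice")
    repo.append(now - timedelta(days=10), "waf", "blocked request matching rule 942100")
    out = {"chain_ok_before": repo.verify()}
    original = repo.entries[1]["message"]
    repo.entries[1]["message"] = "login success user=alice"   # simulated tampering
    out["tamper_detected"] = not repo.verify()
    repo.entries[1]["message"] = original
    out["purged"] = repo.purge_expired(now)     # two records older than 180 days
    out["remaining"] = len(repo.entries)
    out["chain_ok_after"] = repo.verify()
    out["attestation"] = repo.attestation()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the anchor and head hashes from `attestation()` would be written to a separate, write-once location (or signed) so that the repository cannot be silently truncated; the point the example makes is that a retention purge has to update that anchor deliberately rather than simply deleting the oldest files.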

Customer identification requirements extend beyond consumer VPNs. CERT-In prescribes storing validated subscriber information—including names, addresses, contact details, IP allocations, timestamps, and usage patterns—for a minimum of five years even after service termination.

Cloud service providers must capture onboarding details, purpose of hiring services, and ownership patterns; virtual asset exchanges must store know-your-customer records consonant with Prevention of Money Laundering Act guidelines. Firms should integrate these data points into customer relationship management systems, enforce retention policies, and implement access controls to prevent unauthorized exposure of sensitive identity artifacts.

Governance and accountability

Boards and risk committees should recognize that CERT-In’s directions carry statutory compulsion: non-compliance can attract penalties under the IT Act, including fines and potential imprisonment for responsible officers.

Senior leadership must assign a nodal point of contact—often the Chief Information Security Officer—for all CERT-In correspondence and ensure that power-of-attorney documents authorize deputised responders. Governance charters should align CERT-In obligations with other frameworks, such as the Reserve Bank of India’s cybersecurity directives for payment system operators, the Securities and Exchange Board of India’s requirements for market intermediaries, and sectoral Computer Emergency Response Teams.

Audit committees should oversee readiness assessments covering people, process, and technology dimensions. Conduct tabletop exercises simulating a ransomware event affecting Indian infrastructure, verifying that detection, triage, legal review, and CERT-In notification steps fit within the six-hour window.

Ensure that breach response plans incorporate bilingual communication templates and escalation to public relations teams when incidents trigger mandatory public disclosure under other statutes (for example, India’s Companies Act or SEBI’s listing obligations). Periodic internal audits should verify that log repositories meet integrity expectations, that access is monitored, and that customer data retention registers reflect ongoing obligations.

Sourcing and vendor management

Procurement teams must evaluate managed security service providers, cloud vendors, and VPN partners for CERT-In alignment. Contracts signed after April 2022 should reference the directions explicitly, obligating service providers to supply log data, incident notifications, and subscriber information to customers within contractual timelines that enable six-hour reporting.

For legacy agreements, issue contract amendments or supplier notices referencing clause 5 of the directions, which compels entities to report incidents even when systems are managed by third parties. Multinationals should negotiate data processing addenda clarifying responsibilities for storing logs in India, verifying that storage regions comply with localization requirements without undermining disaster recovery plans.

Vendor due diligence questionnaires ought to include specific controls: whether the provider can furnish raw network traffic logs, maintain audit trails for remote access, and authenticate subscribers using verifiable government-issued identity. Crypto exchanges should evidence adherence to Financial Intelligence Unit (FIU-IND) obligations, ensuring that KYC artifacts can be shared with CERT-In upon demand. Firms relying on anonymizing VPN services for consumer privacy features need documented risk acceptances that explain how they reconcile service offerings with subscriber traceability mandates, or whether they will geofence Indian traffic into compliant infrastructure.

Sectoral considerations

Financial institutions already subject to Reserve Bank of India circulars may find overlapping requirements but must harmonize reporting channels: RBI and CERT-In both expect prompt notice of significant incidents. Banks should adopt a single incident intake process that categorizes events by regulator, triggers consolidated reporting packs, and maintains evidence of submission timestamps.

Telecommunications providers must align Department of Telecommunications license conditions—such as lawful interception readiness—with CERT-In’s log and KYC obligations. For critical infrastructure operators under the National Critical Information Infrastructure Protection Centre, double-check that redundancies built for Section 70 safeguards extend to the broader set of reportable incidents introduced by the 2022 directions.

Information technology service companies hosting offshore delivery centers in India should train onsite response teams to differentiate between client-owned and provider-owned assets.

Contracts with overseas customers may require that the client retains incident reporting authority; however, CERT-In directions make the Indian service provider directly responsible for reporting incidents occurring on infrastructure they operate. Establish joint operating procedures with clients to avoid conflicting disclosures, especially when incidents are also notifiable to the client’s domestic regulator, such as the EU’s Network and Information Security Directive or the United States’ state-level breach notification laws.

Regulatory outlook

While CERT-In’s FAQs softened certain edges—clarifying that enterprise VPNs used solely for internal corporate purposes are out of scope and that log retention can use cloud storage located within India—the government signaled that strict enforcement will begin after 27 June 2022.

Industry bodies like NASSCOM and the Asia Internet Coalition continue to engage with MeitY seeking proportionate obligations, particularly around data localization and subscriber verification for enterprise SaaS providers. Teams should monitor further clarifications, especially as India finalizes the Digital Personal Data Protection Bill and drafts a new national cybersecurity strategy, both of which could entrench or expand CERT-In’s authority.

Path to implementation

In the immediate term (weeks one to six), compile an inventory of Indian infrastructure, assess current incident response flows, and initiate log replication to an India-based SIEM cluster or object storage bucket with retention automation. Update customer onboarding forms to capture required identity fields, and configure secure document vaults with encryption and access logging. Simultaneously, develop CERT-In submission templates, translating the specified incident categories into drop-down selections within the case management system to avoid delays.

Over the medium term (two to six months), set up a governance forum involving security, legal, privacy, and compliance leaders to review CERT-In submissions, root-cause analyses, and remediation status. Deploy automated detection rules that flag incidents matching CERT-In’s list, integrate with ticketing systems, and generate metrics on mean time to notify. Align training for customer support and sales engineering teams so that they can answer subscriber questions about data collection, particularly given India’s forthcoming data protection law and global regimes like the EU’s GDPR.

Longer term (six to twelve months), embed CERT-In considerations into technology roadmaps. Evaluate endpoint detection and response tooling that can export telemetry to India without breaching cross-border data transfer commitments. Consider establishing a dedicated India cyber fusion cell to coordinate with sectoral CERTs and intelligence-sharing groups. Maintain a regulatory watchlist tracking developments such as the draft Digital India Bill, amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, and cross-border data flow negotiations that could impact log localization strategies.

Metrics and evidence

Key performance indicators should quantify compliance and resilience. Track the percentage of incidents reported within six hours, the completeness of log sources ingested into India-based repositories, and the proportion of subscriber records with verified identity attributes. Monitor outstanding CERT-In queries and response times, ensuring closure within stipulated deadlines. Maintain evidence folders containing submission receipts, log integrity attestations, and training rosters, ready for inspection by regulators or statutory auditors.
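The six-hour clock described under "What to prioritize" (running from detection or notification, whichever is earlier), the medium-term step of flagging incidents that match CERT-In's list and measuring mean time to notify, and the KPIs listed above all rest on the same small set of calculations. The Python below is an added example for this briefing, not CERT-In's or any vendor's code. It assumes that the reportable categories are the seven named in the briefing's summary of the taxonomy, that the clock starts at the earlier of own detection and third-party notification, and that the percentage KPI uses all reportable incidents (reported or not) as its denominator; the incident records and dates are constructed.

```python
"""Six-hour reporting clock, taxonomy filter, and compliance KPIs (added illustration).

Assumptions (not taken from the CERT-In text): reportable categories are those the
briefing lists, the clock starts at the earlier of detection and notification, and
the on-time percentage is computed over all reportable incidents. Sample incidents
below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

REPORTING_WINDOW = timedelta(hours=6)
UTC = timezone.utc

# Categories from the briefing's summary of CERT-In's incident taxonomy.
REPORTABLE_CATEGORIES = {
    "unauthorized access", "targeted scanning", "malware attack", "identity theft",
    "data breach", "denial of service", "infrastructure disruption",
}


@dataclass
class Incident:
    ident: str
    category: str
    detected_at: Optional[datetime]    # when our own monitoring saw it
    notified_at: Optional[datetime]    # when a customer, vendor or CERT-In told us
    reported_at: Optional[datetime]    # when the Form I / portal submission was made


def is_reportable(category: str) -> bool:
    return category.strip().lower() in REPORTABLE_CATEGORIES


def clock_start(inc: Incident) -> datetime:
    """Earlier of detection and notification; the directions' wording drives this."""
    times = [t for t in (inc.detected_at, inc.notified_at) if t is not None]
    if not times:
        raise ValueError(f"{inc.ident}: no detection or notification time recorded")
    return min(times)


def reporting_deadline(inc: Incident) -> datetime:
    return clock_start(inc) + REPORTING_WINDOW


def time_to_notify_hours(inc: Incident) -> float:
    return (inc.reported_at - clock_start(inc)) / timedelta(hours=1)


def kpis(incidents: list, now: datetime) -> dict:
    """Percentage reported within six hours, mean time to notify, and overdue items."""
    scope = [i for i in incidents if is_reportable(i.category)]
    reported = [i for i in scope if i.reported_at is not None]
    on_time = [i for i in reported if i.reported_at <= reporting_deadline(i)]
    overdue = [i.ident for i in scope
               if i.reported_at is None and now > reporting_deadline(i)]
    mean_ttn = (sum(time_to_notify_hours(i) for i in reported) / len(reported)
                if reported else None)
    return {
        "reportable": len(scope),
        "reported": len(reported),
        "pct_within_six_hours": round(100.0 * len(on_time) / len(scope), 1) if scope else 0.0,
        "mean_time_to_notify_hours": round(mean_ttn, 2) if mean_ttn is not None else None,
        "overdue_unreported": overdue,
    }


def demo_kpis() -> dict:
    """Constructed incident register evaluated at a fixed 'now'."""
    d = lambda *a: datetime(*a, tzinfo=UTC)
    incidents = [
        # Detected by our SOC, reported 4.5 h later: on time.
        Incident("INC-1", "malware attack", d(2022, 7, 1, 9), None, d(2022, 7, 1, 13, 30)),
        # A vendor notified us at 08:00, before our own detection at 10:00; the clock
        # runs from 08:00, so a 15:00 submission is one hour late.
        Incident("INC-2", "data breach", d(2022, 7, 2, 10), d(2022, 7, 2, 8), d(2022, 7, 2, 15)),
        # Detected at midnight and still unreported at 'now': overdue.
        Incident("INC-3", "targeted scanning", d(2022, 7, 3, 0), None, None),
        # Not in the taxonomy summary, so excluded from the KPIs.
        Incident("INC-4", "phishing simulation", d(2022, 7, 3, 9), None, None),
    ]
    now = d(2022, 7, 3, 12)
    result = kpis(incidents, now)
    result["inc2_deadline"] = reporting_deadline(incidents[1]).isoformat()
    return result


if __name__ == "__main__":
    for k, v in demo_kpis().items():
        print(f"{k}: {v}")
```

INC-2 is the case worth keeping in a test suite: a team that starts the clock at its own detection time will record it as on time, while the directions' "whichever is earlier" wording makes it late. Feeding the same register into the ticketing integration gives the overdue list that an India-based nodal lead needs to see before the window closes, not after.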

By treating CERT-In’s 2022 directions as a catalyst for disciplined incident response, log governance, and customer transparency, teams can improve cyber resilience while reducing enforcement risk. Leadership attention, targeted investment in logging and KYC infrastructure, and close coordination with suppliers will position Indian and multinational teams to meet the mandate confidently and sustainably.


Cited sources

  1. CERT-In Directions under Section 70B(6) — Indian Computer Emergency Response Team
  2. CERT-In FAQs on the April 2022 Directions — Indian Computer Emergency Response Team
  3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization