Compliance Briefing — April 28, 2022
India’s CERT-In issued mandatory directions on 28 April 2022, imposing six-hour incident reporting, log retention, and KYC obligations on service providers and intermediaries.
Executive briefing: 28 April 2022 saw the publication of CERT-In Directions under section 70B(6) of the IT Act. Regulated entities—including data centres, VPN providers, cloud services, and cryptocurrency exchanges—must report specified incidents within six hours, retain logs for 180 days, and validate customer identities.
Key compliance checkpoints
- Incident timelines. Update playbooks to notify CERT-In within six hours of noticing incidents such as targeted scanning, DDoS attacks, data breaches, or unauthorized access.
- Log retention. Maintain ICT system logs within India for 180 days, ensuring integrity and accessibility during investigations.
- KYC documentation. Collect and retain verified subscriber details, including IP addresses and timestamps, for VPN and cloud services.
Operational priorities
- Process integration. Embed CERT-In notification into incident response orchestration, including duty rosters and escalation matrices.
- Data localisation. Confirm log storage within India and ensure third parties comply with retention requirements.
- Customer onboarding. Adapt KYC workflows to capture validated names, contact information, and periods of service for designated services.
Enablement moves
- Deploy SIEM dashboards monitoring for reportable events and automating initial incident summaries.
- Implement secure evidence vaults with tamper-proof audit trails for 180-day log retention.
- Train support teams on CERT-In FAQs to address customer queries about data retention and verification.
Sources
Zeph Tech operationalises CERT-In mandates with rapid incident response workflows, KYC documentation, and India-hosted log retention controls.