India CERT-In incident reporting directive

On 28 April 2022, India's Computer Emergency Response Team (CERT-In) issued new directions establishing mandatory cybersecurity measures for organizations operating in India. The directive requires reporting of 20 categories of cyber incidents to CERT-In within 6 hours, maintaining system logs for 180 days, and synchronizing ICT system clocks with NTP servers. The requirements took effect on 28 June 2022 and apply to all service providers, intermediaries, and corporate entities.

Incident reporting requirements

Organizations must report specified cyber incidents to CERT-In within 6 hours of noticing the incident—significantly faster than most international frameworks. Reportable incidents include data breaches, ransomware attacks, denial-of-service attacks, malware infections, unauthorized access, website defacement, attacks on critical infrastructure, and attacks targeting IoT devices and cloud systems.

Reports must include details about the affected systems, nature of the incident, impact assessment, and remediation steps taken. CERT-In may require additional information and mandate specific remediation actions. Organizations must cooperate with CERT-In investigations and provide requested data.

Log retention and technical requirements

The directive mandates 180-day log retention within Indian jurisdiction for data centers, cloud providers, virtual private server providers, and VPN service providers. This includes customer registration information, IP addresses, timestamps, and usage patterns. VPN providers must additionally maintain subscriber names, contact information, and purpose of subscription.

All ICT systems must synchronize clocks with National Informatics center (NIC) or National Physical Laboratory (NPL) NTP servers, or with approved international sources traceable to these references. Accurate time synchronization supports incident investigation and log correlation.

Compliance implications

Organizations with operations, customers, or infrastructure in India must assess compliance requirements. The 6-hour reporting window requires strong detection and escalation procedures. Implement monitoring capabilities that can identify reportable incidents rapidly and establish communication channels with CERT-In for incident reporting.

VPN and cloud service providers face particular challenges regarding log retention and customer data requirements. Some providers have modified service offerings or exited the Indian market rather than comply. Organizations using such services should evaluate provider compliance status and adjust architecture as needed.

Policy Development and Analysis

Policy analysis should assess the implications of this development for organizational operations, compliance obligations, and strategic positioning. Impact assessments should consider both direct requirements and indirect effects through industry practices, customer expectations, and competitive dynamics.

Policy development processes should engage relevant teams to ensure full consideration of diverse perspectives and practical setup constraints. Feedback mechanisms should capture lessons learned and drive policy refinements based on operational experience.

Policy Implementation Monitoring

Policy teams should track setup progress and monitor for developments that may affect requirements or interpretation. Stakeholder engagement should ensure relevant parties understand policy implications and their responsibilities for compliance. Documentation should support audit and examination processes by demonstrating timely awareness and appropriate response to policy developments.

Regular reviews should assess ongoing compliance status and identify any gaps requiring additional attention or resource allocation.

Implementation detail

Successful implementation requires a structured approach that addresses technical, operational, and organizational considerations. Organizations should establish dedicated implementation teams with clear responsibilities and sufficient authority to drive necessary changes across the enterprise.

Project governance should include regular status reviews, risk assessments, and stakeholder communications. Executive sponsorship is essential for securing resources and removing organizational barriers that might impede progress.

Change management practices help ensure smooth transitions and stakeholder acceptance. Training programs, communication plans, and feedback mechanisms all contribute to effective change management outcomes.

Compliance checking

Compliance verification involves systematic evaluation of implemented controls against applicable requirements. Organizations should establish verification procedures that provide objective evidence of compliance status and identify areas requiring remediation.

Internal audit functions play an important role in providing independent assurance over compliance activities. Audit plans should incorporate risk-based prioritization and coordination with external audit requirements where applicable.

Continuous compliance monitoring capabilities enable early detection of control failures or compliance drift. Automated monitoring tools can provide real-time visibility into compliance status across multiple control domains.

Third-party factors

Third-party relationships require careful management to ensure compliance obligations are properly addressed throughout the vendor ecosystem. Due diligence procedures should evaluate vendor compliance capabilities before engagement.

Contractual provisions should clearly allocate compliance responsibilities and establish appropriate oversight mechanisms. Service level agreements should address compliance-relevant performance metrics and reporting requirements.

Ongoing vendor monitoring ensures continued compliance throughout the relationship lifecycle. Periodic assessments, audit rights, and incident response procedures all contribute to effective third-party risk management.

Strategic factors

Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.

Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.

Key metrics

Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.

Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.

What this means for business

This development carries significant strategic implications for organizations across multiple sectors. Business leaders should evaluate how these changes affect their competitive positioning, operational models, and stakeholder relationships. Early adopters who address emerging requirements often gain advantages over competitors who delay action until compliance becomes mandatory.

Strategic planning should incorporate scenario analysis that considers various implementation approaches and their associated costs, benefits, and risks. Organizations should also consider how their response to this development affects relationships with customers, partners, regulators, and other key stakeholders.

Operational approach

Achieving operational excellence in response to this development requires systematic attention to process design, technology enablement, and workforce capabilities. Organizations should establish clear operational metrics that track both compliance outcomes and process efficiency, enabling continuous improvement over time.

Operational processes should be designed with appropriate controls, checkpoints, and escalation procedures to ensure consistent execution and timely issue resolution. Automation opportunities should be evaluated and prioritized based on their potential to improve accuracy, reduce costs, and enhance scalability.

Oversight approach

Effective governance ensures appropriate oversight of compliance activities and timely escalation of significant issues. Organizations should establish clear roles, responsibilities, and accountability structures that align with their compliance objectives and risk appetite.

Regular reporting to senior leadership and board-level committees provides visibility into compliance status and supports informed decision-making about resource allocation and risk management priorities.

Adapting over time

Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.

Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.

What to do now

• Assessment requirement: Evaluate current practices against the updated requirements outlined in this analysis.
• Documentation update: Review and update relevant policies, procedures, and technical documentation.
• Stakeholder communication: Brief affected teams on timeline implications and resource requirements.
• Compliance verification: Schedule internal review to confirm alignment with guidance.

You may also find useful

Hand-picked articles on adjacent topics.

Policy · Credibility 88/100 · April 28, 2022

India CERT-In Incident Reporting Directions

India’s April 28, 2022 CERT-In cybersecurity directions impose six-hour incident reporting, log retention, and KYC checks, forcing companies operating in India to revamp security operations, governance, and vendor…

Policy · Credibility 93/100 · May 13, 2022

EU NIS2 Directive provisional agreement reached

The EU agreed on NIS2 in May 2022. This is the cybersecurity directive that brings way more sectors under mandatory requirements—energy, transport, banking, health, digital infrastructure, and more. Much broader scope…

Policy · Credibility 93/100 · April 1, 2022

Australia SLACIP Act Receives Royal Assent

Australia’s Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, which received Royal Assent on April 1, 2022, significantly expands critical infrastructure obligations—demanding immediate…

Policy · Credibility 71/100 · March 21, 2022

White House warns of evolving Russian cyberattack risks

The White House issued a 21 March 2022 warning about potential Russian cyberattacks on U.S. critical infrastructure, urging companies to adopt CISA Shields Up practices and report incidents promptly.

Policy · Credibility 93/100 · March 15, 2022

Strengthening American Cybersecurity Act

The Strengthening American Cybersecurity Act bundles FISMA modernization, FedRAMP codification, and critical infrastructure incident reporting, pressing agencies and operators to modernize controls, accelerate zero…

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• AI Policy Implementation Guide

  Coordinate governance, safety, and reporting programmes that meet EU Artificial Intelligence Act timelines and U.S. National AI Initiative Act mandates while sustaining product…

• Digital Markets Compliance Guide

  Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

• Semiconductor Industrial Strategy Policy Guide

  Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

Coverage intelligence

Published

April 28, 2022

Coverage pillar

Policy

Source credibility

90/100 — high confidence

Topics

CERT-In · incident reporting · India cybersecurity · regulatory compliance

Sources cited

3 sources (cert-in.org.in, cvedetails.com, iso.org)

Reading time

6 min

Documentation

1. Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 — CERT-In
2. CVE Details - Vulnerability Database — CVE Details
3. ISO 31000:2018 — Risk Management Guidelines — International Organization for Standardization