By Sneha Iyer | Updated March 2026
What Is CERT-In?
The Indian Computer Emergency Response Team (CERT-In) is the national nodal agency for cybersecurity, established under Section 70B of the Information Technology Act, 2000. It functions under the Ministry of Electronics and Information Technology (MeitY) and serves as the single authoritative body for collecting, analyzing, and disseminating information on cyber incidents affecting Indian networks. Every entity operating digital infrastructure in India — including foreign subsidiaries, branch offices, and liaison offices — falls within CERT-In's jurisdiction.
On April 28, 2022, CERT-In issued a landmark directive (No. 20(3)/2022-CERT-In) that fundamentally changed cybersecurity compliance in India. The Directions, effective from June 28, 2022, impose the world's strictest incident reporting timeline — 6 hours from detection — along with mandatory log retention, NTP synchronization, and extensive record-keeping obligations for VPN providers, cloud services, and data centres. For foreign companies with India operations, these Directions create compliance obligations that are significantly more onerous than GDPR's 72-hour breach notification or the US CIRCIA's 72-hour reporting requirement.
Non-compliance carries penalties under Section 70B(7) of the IT Act: imprisonment up to 1 year and/or fine up to INR 1 lakh, with proposed amendments under the Jan Vishwas Bill 2023 seeking to increase fines to INR 1 crore.
Legal Basis
The cybersecurity compliance framework rests on these legal foundations:
- Section 70B of the Information Technology Act, 2000 — Establishes CERT-In as the national incident response agency, empowers it to issue directions, and prescribes penalties for non-compliance (imprisonment up to 1 year, fine up to INR 1 lakh)
- CERT-In Directions dated April 28, 2022 (No. 20(3)/2022-CERT-In) — Issued under Section 70B(6), effective June 28, 2022. Mandates 6-hour incident reporting, 180-day log retention, NTP synchronization, and VPN/cloud provider obligations
- Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 — Original rules that prescribed 10 reportable incident types (now expanded to 20 by the 2022 Directions)
- Section 43A of the IT Act — Requires body corporates to implement reasonable security practices for sensitive personal data. Failure to do so makes them liable for compensation to affected individuals
- Jan Vishwas (Amendment of Provisions) Bill, 2023 — Proposes increasing the fine under Section 70B(7) from INR 1 lakh to INR 1 crore (not yet in effect as of March 2026)
The 2022 Directions: Core Requirements
1. Mandatory 6-Hour Incident Reporting
The most significant change: all covered entities must report cyber incidents to CERT-In within 6 hours of noticing or being notified of the incident. This applies to 20 categories of incidents (up from 10 under the 2013 Rules). The 6-hour clock starts from awareness, not from the incident itself — a critical distinction for incident response planning.
Reports must be filed via email to [email protected] or through the CERT-In portal, using the prescribed format. The report must include: type of incident, date and time of detection, number of systems/networks affected, information about the affected organization, and remediation steps taken.
2. Twenty Reportable Incident Categories
The Directions mandate reporting for these specific incident types:
| # | Incident Category | Examples |
|---|---|---|
| 1 | Targeted scanning/probing of critical networks | Port scanning, vulnerability probing of critical infrastructure |
| 2 | Compromise of critical systems/information | Unauthorized access to SCADA, government networks |
| 3 | Unauthorized access to IT systems/data | Credential theft, privilege escalation |
| 4 | Website defacement | Unauthorized modification of web content |
| 5 | Malicious code attacks | Viruses, worms, trojans, ransomware, crypto miners, botnets |
| 6 | Attacks on servers and network infrastructure | Database, mail, DNS, router compromises |
| 7 | Identity theft, spoofing, phishing | Email spoofing, credential phishing, social engineering |
| 8 | Denial of Service (DoS/DDoS) attacks | Network flooding, application-layer attacks |
| 9 | Attacks on critical infrastructure and SCADA | Power grid, transport, telecom infrastructure attacks |
| 10 | Attacks on e-Governance/e-Commerce applications | Government portal breaches, payment platform attacks |
| 11 | Data breach | Unauthorized exposure of personal or corporate data |
| 12 | Data leak | Accidental or deliberate data disclosure |
| 13 | Attacks on IoT devices and systems | Smart device compromises, sensor network attacks |
| 14 | Attacks on digital payment systems | UPI fraud, POS malware, payment gateway breaches |
| 15 | Attacks through malicious mobile apps | Trojaned apps, spyware, stalkerware |
| 16 | Fake mobile applications | Impersonation of legitimate apps |
| 17 | Unauthorized access to social media accounts | Corporate social media account takeover |
| 18 | Attacks on cloud computing systems | Cloud instance compromises, misconfiguration exploitation |
| 19 | Attacks on AI/ML, big data, blockchain, virtual assets | Model poisoning, exchange hacks, smart contract exploits |
| 20 | Attacks on drones, 3D/4D printing, robotics | Industrial control system attacks, drone hijacking |
3. Log Retention: 180 Days Within India
All covered entities must securely maintain logs of all ICT systems for a rolling period of 180 days. These logs must be stored within Indian jurisdiction — not on overseas servers. Logs must be provided to CERT-In upon request or when reporting an incident. This includes firewall logs, IDS/IPS logs, application server logs, web server logs, database logs, mail server logs, and proxy server logs.
4. NTP Synchronization
All covered entities must synchronize their ICT system clocks to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to these sources. This ensures standardized timestamps across all incident reports and log files — critical for forensic investigation and cross-entity incident correlation.
VPN, Cloud, and Data Centre Provider Obligations
The 2022 Directions impose specific obligations on service infrastructure providers that go well beyond standard cybersecurity requirements:
| Obligation | Applicable To | Retention Period |
|---|---|---|
| Maintain validated subscriber/customer names, contact details, email addresses | VPN, VPS, Cloud, Data Centre providers | 5 years (even after service termination) |
| Record IP addresses allocated, with timestamps | VPN, VPS, Cloud, Data Centre providers | 5 years |
| Document purpose of hiring/using services | VPN, VPS, Cloud, Data Centre providers | 5 years |
| Record ownership patterns of subscribers | VPN, VPS, Cloud, Data Centre providers | 5 years |
| KYC of customers (validated names, addresses, contact numbers) | Virtual asset service providers, exchanges, custodian wallets | 5 years |
| Financial transaction records | Virtual asset service providers, exchanges | 5 years |
| Appoint a Point of Contact (PoC) for CERT-In liaison | All covered entities | Ongoing (updated within 30 days of change) |
Several international VPN providers (including ExpressVPN, NordVPN, and Surfshark) removed their physical Indian servers following these Directions, citing privacy concerns. They now offer Indian IP addresses through virtual servers located outside India — a move that technically places them outside direct CERT-In enforcement but raises questions about service continuity for Indian business users.
How This Affects Foreign Companies in India
If your company has any digital operations in India, CERT-In compliance is mandatory:
- Indian subsidiaries and offices: A private limited company registered in India is a "body corporate" directly covered by the Directions. You must implement 6-hour incident reporting procedures, maintain 180 days of logs within India, and designate a Point of Contact for CERT-In
- Cloud infrastructure: If you use AWS (Mumbai region), Azure (Central India), or GCP (Mumbai) for Indian operations, note that your cloud provider's own compliance does not remove your reporting obligations. You are independently required to report incidents affecting your systems
- VPN usage: If your company uses corporate VPN infrastructure for India operations, the Indian VPN gateway must maintain subscriber logs and IP allocation records for 5 years. Consider this when designing your India network architecture
- Incident response teams: A 6-hour reporting window means your global SOC or incident response team must be equipped to file CERT-In reports. If your SOC is in the US (PST/EST), a midnight India-time incident leaves approximately 3 hours of the US business day to detect, assess, and file. Build automated detection and templated reporting into your India incident response playbook
- Interaction with FEMA and RBI: Financial sector entities (including NBFCs and payment aggregators) face overlapping cybersecurity requirements from RBI's cybersecurity framework (2016) in addition to CERT-In Directions
Comparison with Global Incident Reporting Requirements
| Jurisdiction | Regulation | Reporting Timeline | Scope |
|---|---|---|---|
| India | CERT-In Directions 2022 | 6 hours from detection | 20 incident categories, all entities |
| EU | GDPR Article 33 | 72 hours from awareness | Personal data breaches to supervisory authority |
| US | CIRCIA (CISA) 2022 | 72 hours (incidents), 24 hours (ransom payments) | Critical infrastructure entities |
| Singapore | PDPA 2012 (amended) | 3 days from assessment | Notifiable data breaches (500+ individuals or significant harm) |
| Australia | NDB Scheme (Privacy Act) | 30 days from awareness | Eligible data breaches likely to cause serious harm |
India's 6-hour window is the most aggressive globally. While GDPR and CIRCIA allow 72 hours and focus primarily on data breaches or critical infrastructure, CERT-In requires reporting of 20 broad incident categories from all types of entities.
Practical Compliance Checklist
A step-by-step guide for foreign companies establishing cybersecurity compliance in India:
- Designate a CERT-In Point of Contact — An employee based in India with direct communication channel to CERT-In. Submit PoC details via the CERT-In portal
- Implement 6-hour incident detection and reporting — Deploy SIEM/SOC monitoring with automated alerting. Pre-draft incident report templates in CERT-In's prescribed format
- Configure NTP synchronization — Point all India-based systems to NIC (time.nic.in) or NPL NTP servers. Document synchronization configuration
- Establish 180-day log retention — Centralize logs from all ICT systems (firewalls, servers, applications, databases). Ensure storage is within Indian jurisdiction
- Document VPN/cloud subscriber records — If you operate VPN or cloud services, implement KYC for all subscribers with 5-year retention
- Train incident response team — Conduct tabletop exercises simulating the 6-hour reporting window. Include time-zone considerations for global SOC teams
- Annual audit — Review log retention, NTP synchronization, and incident response procedures annually
Common Mistakes
- Assuming cloud provider compliance covers you. AWS, Azure, and GCP maintain their own CERT-In compliance for infrastructure-level incidents. But your application-level incidents (data leaks, unauthorized access to your databases, malware on your instances) are your responsibility to report within 6 hours. Shared responsibility models do not eliminate your reporting obligation.
- Storing logs on overseas servers. The 180-day log retention requirement explicitly mandates storage within Indian jurisdiction. Companies that centralize all logs to a US or EU SIEM without maintaining copies in India are non-compliant. Set up an India-based log aggregator or use your cloud provider's India region for log storage.
- Not accounting for time zones in the 6-hour window. If your SOC is in San Francisco (13.5 hours behind IST), a Friday evening IST incident may not be noticed until Monday US time — well past the 6-hour window. You need 24/7 monitoring coverage for India infrastructure, either through an India-based SOC, a follow-the-sun model, or automated alerting.
- Treating the 20 incident categories as equivalent to GDPR breach definitions. CERT-In's categories are far broader than personal data breaches. A DDoS attack on your India servers is reportable to CERT-In even if no personal data is compromised. Targeted scanning of your network is reportable. Map all 20 categories into your incident response playbook.
- Ignoring the 5-year subscriber record requirement for VPN/cloud services. If your company provides internal VPN access to India-based employees, you may qualify as a "VPN service provider" under the Directions. Maintain employee VPN connection logs (IP addresses, timestamps, user identities) for 5 years. Consult legal counsel on whether your corporate VPN falls within scope.
Practical Example
CirrusNet GmbH, a German cloud infrastructure company, operates a data centre in Mumbai serving 200 enterprise clients across India. In January 2026, its security team detected ransomware on three client-facing servers at 2:00 AM IST (8:30 PM CET the previous day).
Under the CERT-In Directions:
- CirrusNet had until 8:00 AM IST to file an incident report with CERT-In — a 6-hour window
- The Germany-based SOC team (alerted at 8:30 PM CET) had to assess the incident, identify affected systems, and prepare the CERT-In report within 3.5 hours of their local business day
- CirrusNet filed the report at 7:45 AM IST via email to [email protected], including: incident type (malicious code — ransomware), affected systems (3 servers, 12 client environments), detection method (EDR alert), and initial containment steps
- CirrusNet also had to provide 180 days of server logs from its Mumbai data centre to CERT-In investigators within 24 hours of the request
- As a data centre provider, CirrusNet was additionally required to produce validated subscriber records (names, IP allocations, service purposes) for all 200 clients — records it was required to maintain for 5 years
Had CirrusNet missed the 6-hour window, the penalty under Section 70B(7) would be imprisonment up to 1 year and/or fine up to INR 1 lakh for the responsible officer. Additionally, failure to maintain logs or subscriber records could trigger separate penalties.
CirrusNet's compliance cost: INR 35 lakh for SIEM deployment in India, INR 8 lakh annually for 24/7 SOC coverage during IST hours, and INR 5 lakh for NTP synchronization and log storage infrastructure.
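As an added example (not code from this page's author or from CirrusNet), a small Python helper that computes the 6-hour deadline from the moment of awareness, shows it in a remote SOC's local time, and checks a draft report for the fields the Directions require. The timestamps and report contents are constructed from the scenario above; the fixed UTC offsets (IST +5:30, PST -8) are an assumption made to keep the script independent of the system time zone database.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets keep the example independent of the system tz database:
# IST is UTC+5:30 all year; PST (UTC-8) is the winter offset for the
# San Francisco SOC scenario discussed above.
IST = timezone(timedelta(hours=5, minutes=30), "IST")
PST = timezone(timedelta(hours=-8), "PST")
REPORTING_WINDOW = timedelta(hours=6)  # six hours from noticing, per the Directions

# Minimum report contents named in the Directions, as listed on this page.
REQUIRED_FIELDS = ("incident_type", "detected_at", "systems_affected",
                   "organisation", "remediation_steps")

def reporting_deadline(detected_at: datetime) -> datetime:
    """The clock starts at awareness (detection or notification), not at the incident."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time must be timezone-aware")
    return (detected_at + REPORTING_WINDOW).astimezone(IST)

def hours_remaining(detected_at: datetime, now: datetime) -> float:
    """Hours left in the window; negative once the deadline has passed."""
    return (reporting_deadline(detected_at) - now) / timedelta(hours=1)

def local_view(t: datetime, tz: timezone) -> str:
    """Render a timestamp in a remote SOC's local time, e.g. for shift handover."""
    return t.astimezone(tz).strftime("%Y-%m-%d %H:%M %Z")

def missing_fields(report: dict) -> list:
    return [f for f in REQUIRED_FIELDS if not report.get(f)]

def filing_status(report: dict, filed_at: datetime) -> str:
    """'ok', or the reason this filing would not satisfy the Directions."""
    missing = missing_fields(report)
    if missing:
        return "missing fields: " + ", ".join(missing)
    if filed_at > reporting_deadline(report["detected_at"]):
        return "filed after the 6-hour deadline"
    return "ok"

# Constructed sample mirroring the CirrusNet scenario: ransomware detected
# at 02:00 IST on 15 January 2026, report filed at 07:45 IST.
DETECTED = datetime(2026, 1, 15, 2, 0, tzinfo=IST)
FILED = datetime(2026, 1, 15, 7, 45, tzinfo=IST)
SAMPLE_REPORT = {
    "incident_type": "Malicious code attack (ransomware)",  # category 5 of 20
    "detected_at": DETECTED,
    "systems_affected": "3 servers, 12 client environments",
    "organisation": "CirrusNet GmbH, Mumbai data centre",
    "remediation_steps": "Affected servers isolated; EDR containment applied",
}
```

Running `filing_status(SAMPLE_REPORT, FILED)` returns "ok" with 15 minutes to spare; the same report filed at 08:15 IST is rejected as late, and a report with an empty remediation field is rejected before the deadline check.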
Key Takeaways
- CERT-In Directions (April 28, 2022) impose the world's strictest cyber incident reporting timeline: 6 hours from detection for 20 categories of incidents
- All entities operating in India — including foreign subsidiaries, branch offices, and cloud/VPN providers — must comply
- ICT system logs must be retained for 180 days within Indian jurisdiction; VPN/cloud/data centre providers must keep subscriber records for 5 years
- All systems must synchronize to NIC or NPL NTP servers for standardized forensic timestamps
- Non-compliance penalties: imprisonment up to 1 year and/or fine up to INR 1 lakh under Section 70B(7) of the IT Act (proposed increase to INR 1 crore under Jan Vishwas Bill)
- Foreign companies must build India-specific incident response playbooks accounting for time zones, the 6-hour window, and the 20 broad incident categories
Need help establishing cybersecurity compliance for your India operations? Beacon Filing provides compliance outsourcing services including CERT-In liaison, incident response framework setup, and regulatory reporting for foreign companies in India.