CERT-In Compliance Guide 2025

Abhi Anand
30 July 2025

Introduction

The Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY), has fundamentally reshaped the cybersecurity compliance landscape in India through its April 2022 directions. These directions, which came into full effect in late 2022, impose stringent obligations on every organisation operating digital infrastructure in India - from large enterprises and government agencies to data centres, cloud service providers, VPN providers, and managed security service providers. As we head into 2025, enforcement has intensified, and organisations that have not yet aligned their incident response, logging, and audit practices face significant regulatory and operational risk. Understanding and implementing CERT-In compliance is no longer optional; it is a foundational requirement for doing business in India's digital economy.

What Are the CERT-In Directions?

The CERT-In directions issued on 28 April 2022 represent India's most aggressive cybersecurity regulation to date. They apply to all service providers, intermediaries, data centres, body corporates, and government organisations. The directions mandate specific actions around incident reporting, log retention, time synchronisation, KYC for certain digital services, and cooperation with CERT-In during investigations. Unlike sector-specific regulations from RBI or SEBI, the CERT-In directions have universal applicability - any entity with digital infrastructure in India must comply. The directions were introduced in response to rising cyber threats targeting Indian organisations, supply chain attacks, and the increasing sophistication of state-sponsored threat actors operating in the region.

  • Universal applicability to all organisations with digital infrastructure in India
  • Mandatory reporting of 20 categories of cybersecurity incidents
  • Strict 6-hour reporting timeline from awareness of the incident
  • 180-day rolling log retention within Indian jurisdiction
  • ICT system clock synchronisation with NTP servers from NIC or IDRBT
  • KYC requirements for VPN providers, cloud service providers, and virtual asset service providers

The 6-Hour Incident Reporting Requirement

The most discussed and operationally challenging requirement under the CERT-In directions is the mandatory 6-hour incident reporting window. When an organisation becomes aware of a cybersecurity incident falling under any of the 20 specified categories, it must report the incident to CERT-In within six hours. This is among the shortest mandatory reporting timelines globally - GDPR allows 72 hours, and many jurisdictions have no fixed timeline at all. The 6-hour clock starts not from when the incident occurred but from when the organisation became aware of it, which places a premium on having robust detection and monitoring capabilities. Organisations must report incidents through the designated channels - email, phone, or the CERT-In web portal - using the prescribed format that includes details of the affected systems, the nature of the incident, the scope of impact, and remediation actions being taken.

  • Targeted scanning or probing of critical networks and systems
  • Compromise of critical systems or information
  • Unauthorised access to IT systems or data
  • Defacement of websites or intrusion into websites
  • Malicious code attacks such as spreading viruses, worms, trojans, botnets, and spyware
  • Attacks on servers including database, mail, and DNS, and network devices like routers
  • Data breaches or data leaks
  • Attacks on critical infrastructure, including SCADA and operational technology systems
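The point that trips up most response teams is that the six-hour window runs from awareness, not from when the activity began, and that the report is only complete when the prescribed details are present. The tracker below is an added example, not code from the original article or from Kraver.ai: it models an incident with separate occurrence and awareness times, derives the deadline from the awareness time, flags reports missing the details the article lists (affected systems, nature, scope of impact, remediation), and returns an on-time / late / pending / overdue status for a dashboard. The field names, the two-hour escalation threshold and the three sample incidents are this example's own constructions.

```python
"""Tracking the CERT-In 6-hour reporting clock (added example, not the article's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)
ESCALATION_THRESHOLD = timedelta(hours=2)   # assumed internal trigger, not from the direction
# Details the article says the prescribed report must carry; the key names are this example's own.
REQUIRED_FIELDS = ("affected_systems", "nature_of_incident", "scope_of_impact", "remediation_actions")


@dataclass
class Incident:
    incident_id: str
    category: str                  # one of the reportable categories, as free text
    occurred_at: datetime          # forensic estimate of when the activity began
    aware_at: datetime             # when the organisation became aware: this starts the clock
    report: dict = field(default_factory=dict)
    reported_at: Optional[datetime] = None


def reporting_deadline(inc: Incident) -> datetime:
    # The window runs from awareness, not from occurrence.
    return inc.aware_at + REPORTING_WINDOW


def missing_fields(inc: Incident) -> list:
    """Required report details that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not inc.report.get(f)]


def reporting_status(inc: Incident, now: datetime) -> dict:
    """One dashboard row: where this incident stands against its deadline."""
    deadline = reporting_deadline(inc)
    if inc.reported_at is not None:
        status = "reported-on-time" if inc.reported_at <= deadline else "reported-late"
        remaining = timedelta(0)
    else:
        remaining = deadline - now
        status = "pending" if remaining > timedelta(0) else "overdue"
    return {
        "incident_id": inc.incident_id,
        "deadline": deadline,
        "status": status,
        "remaining_minutes": int(remaining.total_seconds() // 60),   # negative when overdue
        "escalate": status == "pending" and remaining <= ESCALATION_THRESHOLD,
        "missing_fields": missing_fields(inc),
    }


def ist(*args) -> datetime:
    return datetime(*args, tzinfo=IST)


# Constructed sample incidents (not real events).
NOW = ist(2025, 7, 30, 15, 0)
INCIDENTS = [
    # Began the previous night, noticed next morning: the clock starts at 09:15, not 22:00.
    Incident("INC-001", "Unauthorised access to IT systems or data",
             occurred_at=ist(2025, 7, 29, 22, 0), aware_at=ist(2025, 7, 30, 9, 15),
             report={"affected_systems": "jump host (constructed)",
                     "nature_of_incident": "credential misuse",
                     "scope_of_impact": "one host, no data egress confirmed",
                     "remediation_actions": "credentials rotated"},
             reported_at=ist(2025, 7, 30, 14, 40)),
    # Aware at 08:00, still unreported at 15:00: overdue, and the draft lacks remediation.
    Incident("INC-002", "Defacement of websites or intrusion into websites",
             occurred_at=ist(2025, 7, 30, 7, 50), aware_at=ist(2025, 7, 30, 8, 0),
             report={"affected_systems": "public web server (constructed)",
                     "nature_of_incident": "defacement",
                     "scope_of_impact": "home page replaced"}),
    # Aware at 13:00: four hours left, nothing drafted yet.
    Incident("INC-003", "Targeted scanning or probing of critical networks and systems",
             occurred_at=ist(2025, 7, 30, 12, 30), aware_at=ist(2025, 7, 30, 13, 0)),
]


def status_board(now: datetime = NOW) -> list:
    return [reporting_status(i, now) for i in INCIDENTS]


if __name__ == "__main__":
    for row in status_board():
        print(row)
```

INC-001 is filed more than sixteen hours after the activity began yet is on time, because the deadline is computed from awareness; that is the distinction a drill should test. The `escalate` flag is the hook for a paging workflow, and `missing_fields` prevents a report from being marked complete while it still lacks the prescribed details.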

Annual Cybersecurity Audit Requirements

CERT-In mandates that organisations, particularly those designated as part of critical information infrastructure or those providing digital services at scale, undergo annual cybersecurity audits conducted by CERT-In empanelled auditors. These audits assess the organisation's cybersecurity posture, incident response readiness, compliance with the CERT-In directions, and overall maturity of security controls. The audit covers network security architecture, access control mechanisms, vulnerability management practices, patch management, data protection measures, backup and recovery capabilities, and the effectiveness of the incident response plan. Audit findings must be documented, and remediation plans for identified gaps must be submitted. Organisations that fail to address critical audit findings within specified timelines face escalated regulatory scrutiny and potential penalties. The list of CERT-In empanelled auditors is published on the CERT-In website, and organisations must engage only empanelled auditors for compliance audits.

Log Retention and Time Synchronisation

The CERT-In directions require organisations to maintain logs of all ICT systems for a rolling period of 180 days. These logs must be stored within Indian jurisdiction and must be available for inspection by CERT-In or its authorised agencies upon request. The types of logs required include firewall logs, intrusion detection and prevention system logs, web server access logs, application logs, database access logs, mail server logs, and any other logs relevant to cybersecurity incident investigation. Additionally, all organisations must synchronise their ICT system clocks with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to these sources. For organisations in the financial sector, synchronisation with the Indian Computer Emergency Response Team in the Financial Sector (CERT-In-FS) or the Institute for Development and Research in Banking Technology (IDRBT) time sources is also acceptable. This synchronisation is critical for accurate incident timelines during forensic investigations.
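Clock synchronisation is only useful for forensic timelines if it is verified, not just configured. The checker below is an added example, not code from the article or from Kraver.ai: it parses the output of the real `chronyc tracking` command, confirms the host is synchronised, that its current reference is one of the approved sources, and that the offset from NTP time is within a tolerance. The hostnames in `APPROVED_SOURCES` are placeholders (the real NIC or NPL server names must come from those bodies), the 0.5 s tolerance is an assumed local policy since the direction sets no figure, and the three `chronyc` outputs are constructed.

```python
"""Verifying system clock synchronisation against approved NTP sources (added example)."""
import re
from dataclasses import dataclass

# Placeholder names: the real NIC/NPL server hostnames must come from NIC/NPL, not from here.
APPROVED_SOURCES = {"ntp1.nic.example", "ntp2.nic.example", "ntp.npl.example"}
MAX_OFFSET_SECONDS = 0.5   # assumed local tolerance; the direction itself sets no figure


@dataclass
class SyncStatus:
    source: str            # hostname chrony reports as its current reference, "" if none
    offset_seconds: float  # system clock minus NTP time; negative = clock is behind
    leap_status: str       # "Normal" when synchronised

    def problems(self) -> list:
        issues = []
        if self.leap_status != "Normal":
            issues.append(f"not synchronised (leap status: {self.leap_status})")
        if self.source not in APPROVED_SOURCES:
            issues.append(f"reference {self.source or '<none>'} is not an approved NIC/NPL source")
        if abs(self.offset_seconds) > MAX_OFFSET_SECONDS:
            issues.append(f"offset {self.offset_seconds:+.3f}s exceeds {MAX_OFFSET_SECONDS}s")
        return issues


def parse_chronyc_tracking(text: str) -> SyncStatus:
    """Parse `chronyc tracking` output into the three fields the check needs."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    # "Reference ID    : C0A80001 (ntp1.nic.example)" -> the name in parentheses
    m = re.search(r"\(([^)]*)\)", fields.get("Reference ID", ""))
    source = m.group(1) if m else ""
    # "System time     : 0.000123456 seconds slow of NTP time" -> signed offset
    m = re.match(r"([\d.]+) seconds (slow|fast)", fields.get("System time", ""))
    offset = 0.0
    if m:
        offset = float(m.group(1)) * (-1 if m.group(2) == "slow" else 1)
    return SyncStatus(source, offset, fields.get("Leap status", "unknown"))


def check_host(tracking_output: str) -> dict:
    """Result row for the monitoring dashboard."""
    st = parse_chronyc_tracking(tracking_output)
    issues = st.problems()
    return {"source": st.source, "offset_seconds": st.offset_seconds,
            "compliant": not issues, "issues": issues}


# Constructed `chronyc tracking` outputs (not captured from a real host).
GOOD = """\
Reference ID    : C0A80001 (ntp1.nic.example)
Stratum         : 2
Ref time (UTC)  : Wed Jul 30 06:30:00 2025
System time     : 0.000123456 seconds slow of NTP time
Last offset     : -0.000098765 seconds
RMS offset      : 0.000150000 seconds
Frequency       : 12.345 ppm slow
Root delay      : 0.012345678 seconds
Update interval : 64.5 seconds
Leap status     : Normal
"""
DRIFTING = """\
Reference ID    : 7F000001 (pool.example.org)
Stratum         : 3
System time     : 2.750000000 seconds fast of NTP time
Leap status     : Normal
"""
UNSYNCED = """\
Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised
"""

if __name__ == "__main__":
    for name, out in (("good", GOOD), ("drifting", DRIFTING), ("unsynced", UNSYNCED)):
        print(name, check_host(out))
```

Run from cron on every host (feeding `check_host` the live `chronyc tracking` output) and the result gives the continuous synchronisation monitoring the programme needs; a host that has silently fallen back to a public pool, as in the `DRIFTING` sample, fails the source check even when its leap status looks healthy.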

KYC and Registration Requirements

The CERT-In directions impose specific Know Your Customer (KYC) obligations on certain categories of service providers. Virtual Private Network (VPN) providers, cloud service providers, data centre operators, and virtual private server providers must maintain detailed KYC records of their subscribers and customers. These records must include validated names, addresses, contact numbers, email addresses, and the purpose for which the service is being used. The records must be retained for a period of five years even after the cancellation or withdrawal of the service. Virtual asset service providers and custodian wallet providers must additionally maintain all information obtained as part of KYC processes and records of financial transactions for a period of five years. These requirements are designed to ensure traceability in the event of cyber incidents and to support law enforcement investigations.

  • VPN providers must maintain validated subscriber records for five years post-cancellation
  • Cloud providers must record customer identity, IP addresses allocated, and purpose of use
  • Data centres must maintain subscriber records including contact details and validated addresses
  • Virtual asset service providers must retain KYC and transaction records for five years

Penalties for Non-Compliance

Non-compliance with the CERT-In directions carries penalties under the Information Technology Act, 2000. Section 70B of the IT Act, which establishes CERT-In's authority, empowers the government to impose penalties for failure to comply with directions issued by CERT-In. Penalties can include fines up to one crore rupees and imprisonment up to one year for individuals responsible for compliance failures. Beyond statutory penalties, non-compliance can result in operational consequences - CERT-In can direct ISPs to block access to the organisation's services, revoke security clearances, and publicise non-compliance findings. For organisations in regulated sectors, CERT-In non-compliance can trigger additional actions from sectoral regulators such as RBI, SEBI, or IRDAI, compounding the regulatory impact. The reputational damage from a publicised CERT-In compliance failure can be particularly severe for technology companies and service providers.

Building a CERT-In Compliance Programme

Establishing a robust CERT-In compliance programme requires a structured approach that addresses people, processes, and technology. Organisations should begin with a gap assessment against the CERT-In directions, identify areas of non-compliance, and develop a prioritised remediation roadmap.

  • Establish a dedicated incident response team with clear roles, escalation paths, and 24/7 availability
  • Deploy Security Information and Event Management (SIEM) solutions for real-time incident detection
  • Implement centralised log management with automated retention policies meeting the 180-day requirement
  • Create pre-formatted incident report templates aligned with CERT-In's prescribed reporting format
  • Conduct quarterly incident response drills to ensure the 6-hour reporting timeline can be met
  • Engage CERT-In empanelled auditors for annual cybersecurity audits well in advance of deadlines
  • Synchronise all ICT system clocks with NIC or NPL NTP servers and monitor synchronisation continuously
  • Maintain a compliance dashboard that tracks log retention, audit findings, and incident reporting metrics
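The log-retention and dashboard items above, and the 180-day requirement described under Log Retention and Time Synchronisation, share one check: for every required log source, is there unbroken coverage for the trailing 180 days, is it all stored in India, and which archives have aged out of the window? The script below is an added example, not code from the article or from Kraver.ai. It evaluates a constructed inventory of log archives (the source names, the `"in"` region tag and the one-hour seam tolerance between daily files are this example's own assumptions) and produces the violations list and summary counts a compliance dashboard would track.

```python
"""Rolling 180-day log retention and coverage check (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180
IST = timezone(timedelta(hours=5, minutes=30))
ALLOWED_REGIONS = {"in"}              # storage must stay within Indian jurisdiction (tag is constructed)
GAP_TOLERANCE = timedelta(hours=1)    # assumed: ignore sub-hour seams between consecutive files
# The log types the article lists as required; the labels are this example's own.
REQUIRED_SOURCES = ("firewall", "ids-ips", "web-access", "application", "db-access", "mail")


@dataclass(frozen=True)
class LogArchive:
    source: str       # which system produced the log
    start: datetime   # first event covered by this archive
    end: datetime     # last event covered by this archive
    region: str       # where the archive is stored


def evaluate_retention(archives, now: datetime) -> dict:
    """Violations, purgeable archives and per-source coverage gaps for the window ending at `now`."""
    window_start = now - timedelta(days=RETENTION_DAYS)
    violations, purgeable, by_source = [], [], {}
    for a in archives:
        if a.region.lower() not in ALLOWED_REGIONS:
            violations.append(f"{a.source}: archive {a.start.date()}..{a.end.date()} "
                              f"stored outside India ({a.region})")
        if a.end < window_start:
            purgeable.append(a)       # wholly outside the window: safe to delete
        by_source.setdefault(a.source, []).append(a)

    coverage = {}
    for source in REQUIRED_SOURCES:
        items = sorted(by_source.get(source, []), key=lambda x: x.start)
        if not items:
            violations.append(f"{source}: no logs retained at all")
            coverage[source] = [(window_start, now)]
            continue
        gaps, cursor = [], window_start       # cursor = latest instant covered so far
        for a in items:
            if a.end <= cursor:
                continue                       # adds nothing beyond what is already covered
            if a.start - cursor > GAP_TOLERANCE:
                gaps.append((cursor, a.start))
            cursor = max(cursor, a.end)
        if now - cursor > GAP_TOLERANCE:
            gaps.append((cursor, now))         # tail gap: collection stopped before now
        coverage[source] = gaps
        for g_start, g_end in gaps:
            violations.append(f"{source}: no logs between {g_start.date()} and {g_end.date()}")
    return {"window_start": window_start, "violations": violations,
            "purgeable": purgeable, "coverage": coverage}


def dashboard_summary(report: dict) -> dict:
    """The headline numbers a compliance dashboard would display."""
    fully_covered = sum(1 for gaps in report["coverage"].values() if not gaps)
    return {"sources_fully_covered": fully_covered,
            "sources_required": len(REQUIRED_SOURCES),
            "violations": len(report["violations"]),
            "purgeable_archives": len(report["purgeable"])}


def ist(*args) -> datetime:
    return datetime(*args, tzinfo=IST)


# Constructed inventory: what a log-management system might report on 30 July 2025.
NOW = ist(2025, 7, 30, 12, 0)
SAMPLE_ARCHIVES = [
    LogArchive("firewall", ist(2024, 6, 1), ist(2024, 12, 1), "in"),    # aged out: purgeable
    LogArchive("firewall", ist(2024, 12, 1), NOW, "in"),
    LogArchive("ids-ips", ist(2025, 1, 1), NOW, "in"),
    LogArchive("web-access", ist(2025, 3, 1), NOW, "in"),               # collection began too late
    LogArchive("application", ist(2025, 1, 1), NOW, "in"),
    LogArchive("mail", ist(2025, 1, 1), NOW, "sg"),                     # wrong jurisdiction
    # db-access deliberately absent: a source that was never onboarded
]
REPORT = evaluate_retention(SAMPLE_ARCHIVES, NOW)

if __name__ == "__main__":
    for v in REPORT["violations"]:
        print("VIOLATION", v)
    print(dashboard_summary(REPORT))
```

Deleting archives older than 180 days is the easy half; the findings that matter at audit time are the coverage gaps (a source onboarded late, or collection that silently stopped), a source that was never collected at all, and storage that drifted outside Indian jurisdiction, which is why the check walks the window per source rather than only ageing files out.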

How Kraver.ai Streamlines CERT-In Compliance

Kraver.ai's platform integrates CERT-In compliance requirements directly into your cybersecurity operations workflow. Our AI-powered incident detection engine continuously monitors your infrastructure and automatically classifies incidents against CERT-In's 20 reportable categories. When an incident is detected, Kraver.ai generates pre-populated CERT-In incident reports, triggers escalation workflows to meet the 6-hour reporting timeline, and maintains a complete audit trail of the detection-to-reporting chain. Our centralised log management module ensures 180-day rolling retention within Indian jurisdiction with automated archival and retrieval capabilities. For annual audits, Kraver.ai generates audit-ready compliance reports that map your security controls directly to CERT-In requirements, reducing the time and cost of audit preparation by up to 70 percent.
