Blog · ComplianceCERT-In 2022 directions: what businesses must do
CERT-In April 2022 directions in plain English, who they apply to, 180-day log retention, the 6-hour incident window, point-of-contact rules, and penalties.
India's CERT-In Directions under Sub-section (6) of Section 70B of the Information Technology Act, 2000 (No. 20(3)/2022-CERT-In)have been law since September 2022. They have teeth most Indian businesses still don't take seriously, they apply broadly, and they extend to foreign businesses serving Indian users.
Two summers in, the headlines from the directions are still the same:180-day log retention. 6-hour incident reporting. Named point-of-contact. Logs stored in Indian jurisdiction.Get those four right and you've covered 80% of CERT-In compliance.
This guide is the plain-English walkthrough, what the directions require, who they apply to (Indian and foreign businesses both), penalties for getting it wrong, and how to comply without grinding operations to a halt.
Who CERT-In directions apply to
The directions are broad. They explicitly cover:
- Service providers: broadly defined; includes most B2B and B2C tech businesses.
- Intermediaries: platforms hosting third-party content (social networks, marketplaces, hosting providers).
- Data centres: colocation and managed hosting facilities.
- Body corporates: any company processing personal information.
- Government organisations.
Three categories have additional, more onerous obligations:
- Virtual Asset Service Providers (VASPs): crypto exchanges, wallets, custodians, trading platforms.
- Data centres, virtual private servers, cloud service providers, VPN providers: must register KYC for all customers and retain it for 5 years after termination.
- Critical Information Infrastructure (CII): designated systems in power, telecom, banking, transport, etc.
Critically, the directions apply extraterritorially: foreign businesses offering services to users in India fall within scope. This is why several major VPN providers exited India in 2022 rather than comply with KYC and logging requirements, the directions reach them even though they're not Indian companies.
The five operational requirements
1. Time synchronisation
All ICT systems connected to the internet must synchronise their system clocks with the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to these. In practice: configure your chrony or ntpd to point to time.nplindia.org or time.nic.in.
This is the easiest direction to comply with, a 5-line configuration change on each server. Almost no one does it.
2. Incident reporting, the 6-hour window
Any cybersecurity incident, broadly defined, must be reported to CERT-In within6 hours of notice or detection. Reportable incidents include:
- Unauthorised access to IT systems / data.
- Compromise of critical systems / information.
- Data breaches and data leaks.
- Ransomware attacks.
- Identity theft, phishing affecting your systems, account compromise.
- DoS / DDoS attacks.
- Malicious code detection in systems.
- Attacks on IoT devices, payment systems, social media, or fake mobile apps.
- Attacks targeting biometric data, blockchain, virtual assets.
- And ~10 more categories, the list is intentionally broad.
6 hours is one of the strictest reporting windows in the world. GDPR allows 72 hours; most US state laws allow days; CERT-In demands 6. The only way to meet this is to have a pre-built reporting workflow with named decision-makers, a template incident report, and clear escalation paths.
3. Log retention, 180 days
All logs from ICT systems must be securely retained for 180 days, and must be made available to CERT-In on request. Logs must be maintained in Indian jurisdiction.
In practice this means:
- Centralised log aggregation (a SIEM or dedicated log infrastructure).
- Storage in an Indian data centre or Indian cloud region (AWS Mumbai, Azure India Central, GCP Mumbai, or domestic providers).
- Tamper detection / write-once storage where possible.
- Retention policy enforced, logs aren't deleted before 180 days.
- An on-request retrieval mechanism to provide logs to CERT-In within a reasonable window.
4. Point-of-contact registration
Service providers, intermediaries, data centres, and body corporates must designate a point of contact for cybersecurity matters and register this contact with CERT-In. The contact must be reachable 24×7. Updates to the contact must be communicated to CERT-In.
Most businesses skip this. CERT-In maintains a list of registered points of contact; being on it is a soft requirement and a defensible compliance posture.
5. KYC for specific categories
Data centres, VPN providers, virtual private server (VPS) providers, cloud service providers, and virtual asset service providers must maintain accurate KYC for all customers for a period of 5 years after the customer relationship ends. The KYC must be available to CERT-In on lawful order.
This is the direction that caused several major foreign VPN providers (ExpressVPN, NordVPN, Surfshark and others) to remove their Indian servers and physical presence rather than comply. If you operate in any of these categories, this requirement is non-negotiable.
Penalties
Under Section 70B(7) of the IT Act, failure to comply with CERT-In directions is punishable with:
- Imprisonment for up to 1 year, or
- Fine up to ₹1 lakh, or
- Both.
These are baseline penalties. Additional consequences:
- Section 43A penalties: body corporates can face damages up to ₹5 crore (and uncapped in some interpretations) for inadequate “reasonable security practices and procedures” leading to wrongful loss or gain.
- Service restrictions: CERT-In has the authority to direct ISPs to restrict or take down services that fail to comply.
- Reputational damage: a CERT-In non-compliance notice is publicly visible and damages credibility with enterprise and government clients.
- Downstream regulatory action: RBI, SEBI, IRDAI and other sector regulators frequently follow CERT-In enforcement with their own actions.
The directions also overlap with DPDP's breach notification requirements (also forthcoming Indian standards). A single breach may trigger reporting obligations under multiple regimes, CERT-In within 6 hours, DPDP to the Data Protection Board within a reasonable period, sector regulators on top.
How to actually comply
A realistic compliance program:
Week 1: Quick wins
- Configure NTP synchronisation to time.nplindia.org / time.nic.in on every system.
- Designate a CERT-In point of contact internally. Document the role.
- Audit current log retention, what's logged, where, for how long.
Weeks 2–6: Foundational setup
- Stand up centralised logging in Indian jurisdiction. AWS Mumbai with CloudWatch Logs + S3 with cross-region replication disabled outside India is the most common setup.
- Implement 180-day retention policy. Verify logs from every in-scope system flow in.
- Document the incident response playbook. Pre-build the CERT-In incident report template.
- Register the named CERT-In point of contact with CERT-In.
Weeks 6–8: Operational readiness
- Run a tabletop drill of the 6-hour incident reporting workflow.
- Validate retrieval workflows, can you produce logs from 175 days ago in under an hour?
- Document the compliance posture for procurement teams who ask.
Ongoing
- Annual tabletop drill.
- Refresh CERT-In point of contact if personnel change.
- Update incident response playbook when systems change.
- Coordinate with DPDP / sector-regulator compliance as those frameworks mature.
For foreign businesses with Indian users
If your business is based outside India but serves Indian users at meaningful scale, you have three realistic paths:
- Comply. Set up Indian-jurisdiction logging, designate a point of contact, build the 6-hour incident workflow. Costs more than ignoring it but vastly less than the regulatory and reputational exposure of non-compliance.
- Geo-block India. The path several VPN providers took. Drastic but unambiguous.
- Operate in grey zone. Most foreign B2C and B2B services do this currently. Enforcement against foreign businesses has been selective; the risk is real but unevenly distributed.
Path 1 (comply) is the right choice if India is a meaningful market for your business and you intend to grow it. Path 2 (block) makes sense only if Indian users are incidental to your business. Path 3 (grey zone) is increasingly risky as Indian enforcement capacity matures.
How RoseLeap can help
We offer CERT-In Compliance as a service for Indian businesses and for foreign businesses with Indian users. Logging setup, incident response playbook, point-of-contact registration, annual tabletop drill, packaged as a fixed-fee engagement with an ongoing retainer.
Tell us about your systems and your Indian footprint at the contact page. We come back with a fixed-fee scope and a date you can claim CERT-In readiness by, within one business day.
Rooted in Data · Built to Bloom
Need help with your own?
Tell us about your project. We come back with a clear, honest plan.