CERT-In 2022 Directions, Logging, Incident Reporting, Point-of-Contact
Detect. Log. Report. Stand.
India's CERT-In directions require 180-day log retention, 6-hour incident reporting and named points of contact. Mandatory for most Indian businesses, and applicable to foreign businesses serving Indian users. We get you compliant, properly, before the breach you can't report on time.
Operational readiness, not just paperwork.
Logging & retention setup
Logs from servers, network devices, applications and ICT systems retained for the mandated 180 days inside Indian jurisdiction. Centralised aggregation, secure storage, tamper detection.
Incident response playbook
Written playbook for the CERT-In 6-hour incident reporting window. Who decides, who reports, what gets sent, escalation paths, evidence preservation.
CERT-In point-of-contact
A named, registered point-of-contact with CERT-In, required for VPN providers, data centres, virtual asset service providers, and recommended for all regulated entities.
KYC & customer data controls
For categories where CERT-In requires KYC retention (5 years post-termination), data classification, secure storage, retention enforcement.
Annual review & tabletop drill
A simulated incident drill once a year to test the playbook, train the team, and prove operational readiness. Required posture, not just paperwork.
CERT-In + DPDP + ISO alignment
CERT-In overlaps with DPDP breach notification and ISO 27001 incident management. We align the documentation so one workstream serves multiple regimes.
Four phases, four to eight weeks for most businesses.
Detect
A two-week assessment of your current logging, monitoring and incident-detection capability. Output: a gap report mapped to CERT-In Direction 20(3)/2022.
Log
Implement centralised logging with 180-day retention inside Indian jurisdiction (or with appropriate transfer mechanisms). Cover servers, network devices, ICT systems.
Report
Stand up the 6-hour incident-reporting workflow. Pre-fill the CERT-In incident report template. Train the team. Register the point-of-contact.
Stand
An annual tabletop drill, documentation refresh, and CERT-In point-of-contact update. Stand ready, not just compliant on paper.
CERT-In directions, plainly answered.
What are CERT-In directions and who do they apply to?
+
The Indian Computer Emergency Response Team (CERT-In) issued binding directions under Section 70B(6) of the IT Act in April 2022, effective from September 2022. They apply to service providers, intermediaries, data centres, body corporates and government organisations operating in India, and to foreign entities offering services to Indian users. The directions cover incident reporting (6-hour window), log retention (180 days inside India), time synchronisation (to NIC/NPL NTP), KYC retention for specific categories, and named point-of-contact registration.
Do CERT-In directions apply to my foreign business if I have Indian users?
+
Yes, in many cases. The directions explicitly extend to foreign service providers and intermediaries offering services to users located in India. VPN providers, virtual asset service providers (crypto exchanges), and data-centre operators have specific obligations. SaaS, e-commerce, social platforms and any business processing data of Indian users fall under the broader body-corporate provisions. Several major foreign VPN providers exited the Indian market after the directions came into force rather than comply, a sign of how serious the enforcement intent is.
What is the 6-hour reporting window?
+
For any cybersecurity incident affecting your systems or your Indian users, you must report to CERT-In within 6 hours of becoming aware. Reportable incidents include unauthorised access, data breaches, ransomware, identity theft, phishing affecting your systems, DDoS attacks, malicious code detection, and many others. This is one of the strictest reporting windows in the world. GDPR allows 72 hours; DPDP is similar; CERT-In demands 6.
How much does CERT-In compliance cost?
+
RoseLeap's CERT-In compliance setup runs ₹1.5 lakh to ₹6 lakh ($1,800–$7,000 USD) depending on your existing logging maturity and the volume of in-scope systems. Annual review and drill retainer is ₹40,000 to ₹1.5 lakh per year ($500–$1,800 USD). Larger enterprises with multi-site logging requirements run higher. We work in USD, GBP, EUR and INR depending on client preference.
What are the penalties for non-compliance?
+
Under Section 70B(7) of the IT Act, failure to comply with CERT-In directions is punishable with imprisonment up to one year, or a fine up to ₹1 lakh, or both. For body corporates, additional penalties under Section 43A apply for inadequate security safeguards leading to wrongful loss or gain, up to ₹5 crore in damages plus separate proceedings. More importantly, CERT-In can take down or restrict services that fail to comply. Several VPN providers left the Indian market rather than risk this.
Where do logs need to be stored?
+
CERT-In directions require logs to be maintained in Indian jurisdiction. In practice this means storage in an Indian data centre or on Indian cloud infrastructure (AWS Mumbai, Azure India, Google Cloud Mumbai, or local providers). Foreign businesses serving Indian users typically set up an India-resident logging tier mirroring their global infrastructure. We help architect this efficiently.
How does CERT-In relate to DPDP and other regimes?
+
CERT-In governs cybersecurity incident reporting and forensic readiness. DPDP governs personal data protection and breach notification to Data Principals. ISO 27001 covers information security management generally. The three overlap meaningfully in technical controls (logging, monitoring, incident response) but have distinct reporting obligations. A well-designed compliance posture covers all three with a single underlying control framework. We package them together for clients who need multi-regime coverage.
Six hours is not enough time to figure this out during a breach.
Tell us about your systems and your Indian footprint. We come back with a fixed-fee scope and a date you can be CERT-In-ready by.