CERT-In Compliance: Six-Hour Reporting, Continuous Readiness
CERT-In empanelled audit, compliance, and incident response services that turn the 2022 Directions from a compliance burden into operational security maturity.
Why This Matters Now
The CERT-In Directions of April 2022 changed the compliance landscape for Indian organizations more than any cybersecurity regulation in the previous decade. Organizations now face mandatory breach reporting within six hours of awareness, log retention for 180 days within Indian jurisdiction, mandatory time synchronization with NIC or NPL servers, and a list of specific incidents that must be reported regardless of severity. The Directions apply to service providers, intermediaries, data centers, body corporates, and government organizations, with penalties for non-compliance under the Information Technology Act.
The six-hour reporting window is the requirement that gets attention, and it is the requirement most organizations are not prepared to meet. Six hours is not enough time to investigate, validate, and document an incident through the processes most organizations currently use. By the time legal review, executive notification, and incident classification happen, the window has closed. Organizations either miss the deadline entirely or report incomplete information that creates compliance exposure of a different kind.
Beyond the reporting requirement, the Directions impose ongoing operational obligations that are easier to overlook but harder to remediate. Log retention requires storage infrastructure designed for the volume and retention period specified. Time synchronization requires changes to network infrastructure across the enterprise. Customer KYC requirements for VPN and crypto exchange providers require data collection and storage capabilities that did not previously exist. Each obligation, on its own, is manageable. Together, they require coordinated effort across security, IT operations, legal, and compliance functions.
The deeper challenge is that CERT-In compliance is not a one-time exercise. The Directions establish ongoing obligations that require continuous operational discipline. Organizations that treat compliance as a project rather than a program end up rebuilding capabilities every year as audit cycles approach.
How We Deliver
A structured methodology that ensures rigour, transparency, and measurable outcomes at every stage.
CERT-In Readiness Assessment
We conduct a comprehensive assessment of the organization's current state against all CERT-In requirements: incident reporting processes, log retention infrastructure, time synchronization, customer KYC obligations (where applicable), and audit readiness. The assessment produces a gap analysis with specific remediation requirements and effort estimates.
Incident Response Capability Build
The six-hour reporting requirement demands incident response capability that most organizations need to build or significantly enhance. We design and implement incident response procedures that compress detection, validation, and reporting into the available window. This includes runbooks, communication templates, escalation procedures, and the integration between security operations and legal review that determines whether the reporting deadline is achievable.
Logging and Monitoring Infrastructure
CERT-In's 180-day log retention requirement, combined with the requirement to retain logs within Indian jurisdiction, has implications for SIEM architecture, storage infrastructure, and cloud provider selection. We help design logging architectures that satisfy retention requirements while supporting incident investigation, threat hunting, and operational use cases.
Compliance Documentation
CERT-In auditors expect documentation that demonstrates ongoing compliance, not just point-in-time compliance. We develop policy documents, procedures, evidence collection mechanisms, and audit-ready records that satisfy auditor requirements and serve as operational reference materials for the security team.
Tabletop Exercises and Validation
Incident response capability is only as good as the team's ability to execute under pressure. We conduct tabletop exercises that simulate the scenarios most likely to trigger CERT-In reporting obligations, validating that the team can detect, classify, escalate, and report within the required window. Exercise outcomes inform refinements to procedures and identify capability gaps that need closure.
Ongoing Compliance Operations
CERT-In compliance requires continuous attention. We provide ongoing support for compliance operations including periodic review of procedures, updates to runbooks as the threat landscape evolves, support during actual incidents, and preparation for compliance audits.
Why the Six-Hour Window Is Less Impossible Than It Sounds
The six-hour reporting requirement gets framed as unreasonable, and the framing has produced widespread compliance theater rather than capability building. Organizations design processes that they know cannot meet the deadline, then plan to negotiate retroactively if an incident actually occurs. This approach satisfies compliance documentation requirements while failing the actual obligation.
The organizations meeting the six-hour window successfully share three characteristics. First, they have incident response procedures that begin reporting preparation immediately upon detection, in parallel with investigation, rather than sequentially after investigation completes. Second, they have pre-approved templates for common incident types that can be populated quickly, reducing the legal review time that often consumes the available window. Third, they treat CERT-In as a normal operational counterparty, with working communication channels and clear escalation paths, rather than as an unknown regulatory authority the organization has never interacted with.
The deeper insight is that CERT-In compliance, done properly, produces capabilities that improve security regardless of the compliance requirement. The discipline of compressed reporting forces incident response programs to actually work under pressure. The log retention requirement produces audit trails that enable threat hunting and forensics beyond the regulatory minimum. The time synchronization requirement eliminates a category of forensic ambiguity that has historically complicated incident investigation. Organizations that approach CERT-In as a forcing function for security maturity get more value than organizations that approach it as a checkbox.
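The parallel reporting track described above can be made concrete in code. The following is an added illustration written for this page, not SARC's tooling and not CERT-In's official form: the six-hour deadline is fixed from the moment of awareness, a draft report is opened immediately from a pre-approved template, and investigation findings are filled in as they are confirmed rather than gating the start of the report. The template field names, the timestamps and the organization details are constructed assumptions; the incident categories are the ones listed on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)  # the clock starts at awareness, not when investigation ends

# Incident categories as listed on this page (the short labels are ours).
REPORTABLE_CATEGORIES = {
    "targeted scanning or probing",
    "compromise of critical systems",
    "unauthorized access to IT systems",
    "website defacement",
    "malicious code attack",
    "attack on servers or network appliances",
    "identity theft or phishing",
    "denial of service",
    "attack on cloud infrastructure",
    "attack on critical information infrastructure",
}

# Assumed template layout, not CERT-In's form. "at_detection" fields are known
# the moment the incident is declared; "from_investigation" fields are filled in
# parallel as facts are confirmed, without delaying the opening of the draft.
TEMPLATE = {
    "at_detection": ["reporting_entity", "contact", "time_of_awareness",
                     "category", "affected_systems"],
    "from_investigation": ["initial_observations", "containment_actions"],
}


@dataclass
class IncidentReport:
    time_of_awareness: datetime
    category: str
    fields: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.category not in REPORTABLE_CATEGORIES:
            raise ValueError(f"not on the reportable list: {self.category}")
        if self.time_of_awareness.tzinfo is None:
            raise ValueError("time_of_awareness must be timezone-aware")
        # Two fields come straight from the declaration and need no review cycle.
        self.fields["time_of_awareness"] = self.time_of_awareness.astimezone(IST).isoformat()
        self.fields["category"] = self.category

    @property
    def deadline(self) -> datetime:
        return self.time_of_awareness + REPORTING_WINDOW

    def remaining(self, now: datetime) -> timedelta:
        return self.deadline - now

    def missing(self, stage: str) -> list:
        """Template fields of the given stage that are still empty."""
        return [f for f in TEMPLATE[stage] if not self.fields.get(f)]

    def fill(self, **values) -> "IncidentReport":
        self.fields.update(values)
        return self

    def status(self, now: datetime) -> str:
        """'overdue' past the deadline; 'ready' once every template field is
        populated; otherwise 'draft' (preparation under way, nothing blocked)."""
        if now > self.deadline:
            return "overdue"
        if not self.missing("at_detection") and not self.missing("from_investigation"):
            return "ready"
        return "draft"


def open_report(awareness: datetime, category: str, entity: str, contact: str) -> IncidentReport:
    """Open the draft at the moment of awareness, pre-filled from the approved
    template, so later legal review only has to look at the incident facts."""
    return IncidentReport(awareness, category).fill(reporting_entity=entity, contact=contact)


def walkthrough() -> dict:
    """Constructed scenario: awareness at 10:00 IST, facts arriving over the window."""
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=IST)
    r = open_report(t0, "website defacement", "Example Corp (constructed)", "soc@example.invalid")
    out = {"deadline": r.deadline.isoformat(), "missing_at_open": r.missing("at_detection")}
    r.fill(affected_systems="public web server (constructed)")
    out["status_2h"] = r.status(t0 + timedelta(hours=2))
    out["remaining_2h_s"] = r.remaining(t0 + timedelta(hours=2)).total_seconds()
    r.fill(initial_observations="index page replaced", containment_actions="server isolated")
    out["status_5h"] = r.status(t0 + timedelta(hours=5))
    out["status_7h"] = r.status(t0 + timedelta(hours=7))
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The point of the design is that `status()` only ever returns "draft" or "ready" before the deadline: the report exists from minute zero, the team always knows which fields are still open, and the time remaining is measured from awareness, not from whenever the investigation happens to conclude.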
CERT-In Compliance & Incident Response Capabilities
Comprehensive solutions designed to address your most critical challenges and unlock lasting value.
CERT-In Empanelled Audits
Comprehensive cybersecurity audits conducted by CERT-In empanelled assessors, satisfying regulatory requirements for periodic third-party assessment.
CERT-In Readiness Assessment
Gap analysis against all 2022 Directions requirements with prioritized remediation roadmap.
Incident Response Program Design
Incident response capability tailored to the six-hour reporting requirement.
Log Retention Architecture
Design and implementation of logging infrastructure satisfying 180-day retention in Indian jurisdiction.
Time Synchronization Implementation
NTP architecture aligned with NIC and NPL requirements.
Tabletop Exercises
Scenario-based incident response validation focused on CERT-In reporting obligations.
Incident Response Retainer
On-demand incident response support including breach investigation, containment, and CERT-In notification.
Forensic Investigation
Digital forensics for incident response, internal investigations, and litigation support.
Security Audit Documentation
Policy, procedure, and evidence documentation that satisfies audit requirements.
Customer KYC Compliance
VPN and crypto provider obligations under the 2022 Directions.
CERT-In Liaison Support
Ongoing relationship management with CERT-In during incidents and compliance interactions.
Where This Applies
Regulatory-mandated CERT-In compliance combined with RBI, SEBI, IRDAI requirements
Critical information infrastructure protection, government compliance obligations
Service provider compliance, customer trust assurance, incident response readiness
Intermediary obligations under the Directions
Patient data protection combined with sectoral regulatory requirements
Combined CERT-In and sectoral compliance obligations
Common Questions
The CERT-In Directions issued in April 2022 establish mandatory cybersecurity obligations under Section 70B(6) of the Information Technology Act. They apply broadly to service providers, intermediaries, data centers, body corporates, and government organizations operating in India. Key requirements include mandatory breach reporting within six hours, log retention for 180 days within Indian jurisdiction, time synchronization with NIC or NPL servers, and specific obligations for VPN providers, crypto exchanges, and cloud service providers. The Directions carry enforcement weight under the IT Act, including penalties for non-compliance.
CERT-In incident reporting happens through specific channels including email and the CERT-In incident reporting form. The challenge is not the mechanical act of reporting but having the information ready within six hours of incident detection. This requires incident response procedures designed around compressed timelines, pre-approved reporting templates, parallel rather than sequential processes, and clear escalation authority that does not require multiple approval cycles. SARC helps organizations build incident response capability that makes the six-hour window achievable rather than aspirational.
The CERT-In Directions specify a list of incident types that must be reported, including targeted scanning and probing, compromise of critical systems, unauthorized access to IT systems, defacement of websites, malicious code attacks, attacks on servers and network appliances, identity theft and phishing, denial of service attacks, attacks on cloud infrastructure, attacks on critical information infrastructure, and several other categories. The list is broad and includes incidents that some organizations might consider routine. This is intentional, as CERT-In's mandate includes building national threat intelligence from incident reporting.
CERT-In maintains a list of empanelled information security auditors that meet specific qualification and capability requirements. Certain organizations are required by regulation to use CERT-In empanelled auditors for compliance assessments, and many other organizations prefer empanelled auditors because of the credibility the empanelment provides. SARC is CERT-In empanelled, which means our cybersecurity audits satisfy regulatory requirements that mandate empanelled assessment and provide audit evidence that auditors and regulators recognize.
CERT-In requires log retention for 180 days, with logs maintained within Indian jurisdiction. This applies to a broad range of logs including system logs, application logs, network logs, and security event logs. The 180-day requirement is a minimum, and many organizations maintain longer retention for security operations and forensic investigation purposes. The Indian jurisdiction requirement has implications for cloud architecture, particularly for organizations using global cloud providers, and requires careful attention to where log data is actually stored.
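The retention, jurisdiction and time-synchronization obligations described in these answers are the kind of thing a readiness assessment checks mechanically before an auditor does. The following is an added example written for this page, not SARC's assessment tooling: it walks a constructed description of an organization's log stores and NTP configuration and lists the gaps against the 180-day, in-India and NIC/NPL requirements. The configuration format, the ISO country-code field and the NIC/NPL server hostnames are assumptions; the hostnames in particular should be confirmed against the Directions before this list is used for anything other than illustration.

```python
from dataclasses import dataclass

MIN_RETENTION_DAYS = 180
LOG_TYPES = ("system", "application", "network", "security")  # log categories named on this page
INDIAN_JURISDICTION = {"IN"}  # assumption: each store records an ISO country code

# Assumed NIC/NPL NTP server names; verify against the Directions before relying on them.
APPROVED_NTP = {"samay1.nic.in", "samay2.nic.in", "time.nplindia.org"}


@dataclass(frozen=True)
class Gap:
    area: str    # "retention" or "time_sync"
    item: str    # the log type or the server name
    reason: str


def assess_retention(stores: list) -> list:
    """Every log type needs at least one store that keeps it 180+ days inside India."""
    gaps = []
    for log_type in LOG_TYPES:
        candidates = [s for s in stores if log_type in s["types"]]
        ok = [s for s in candidates
              if s["retention_days"] >= MIN_RETENTION_DAYS
              and s["country"].upper() in INDIAN_JURISDICTION]
        if ok:
            continue
        if not candidates:
            reason = "no store collects this log type"
        else:
            problems = []
            for s in candidates:
                if s["retention_days"] < MIN_RETENTION_DAYS:
                    problems.append(f"{s['name']} retains {s['retention_days']}d < {MIN_RETENTION_DAYS}d")
                if s["country"].upper() not in INDIAN_JURISDICTION:
                    problems.append(f"{s['name']} stored in {s['country']}, outside India")
            reason = "; ".join(problems)
        gaps.append(Gap("retention", log_type, reason))
    return gaps


def assess_time_sync(servers: list) -> list:
    """Every configured NTP source must be one of the NIC/NPL servers."""
    if not servers:
        return [Gap("time_sync", "(none)", "no NTP server configured")]
    return [Gap("time_sync", s, "not an NIC/NPL server")
            for s in servers if s.lower() not in APPROVED_NTP]


def assess(config: dict) -> list:
    return assess_retention(config["log_stores"]) + assess_time_sync(config["ntp_servers"])


# Constructed configurations for illustration; neither describes a real organization.
NONCOMPLIANT_CONFIG = {
    "log_stores": [
        {"name": "siem-hot", "types": ["security"], "retention_days": 90, "country": "IN"},
        {"name": "archive", "types": ["system", "application", "network", "security"],
         "retention_days": 365, "country": "SG"},
    ],
    "ntp_servers": ["pool.ntp.org", "samay1.nic.in"],
}

COMPLIANT_CONFIG = {
    "log_stores": [
        {"name": "siem-hot", "types": ["security"], "retention_days": 90, "country": "IN"},
        {"name": "archive", "types": ["system", "application", "network", "security"],
         "retention_days": 365, "country": "IN"},
    ],
    "ntp_servers": ["samay1.nic.in", "samay2.nic.in"],
}


if __name__ == "__main__":
    for label, cfg in (("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        gaps = assess(cfg)
        print(f"{label}: {len(gaps)} gap(s)")
        for g in gaps:
            print(f"  [{g.area}] {g.item}: {g.reason}")
```

Note what the non-compliant configuration shows: the organization does keep a long-retention archive, but because it sits outside India it satisfies neither the jurisdiction requirement nor, in combination with a 90-day hot tier, the retention requirement for any log type. A static check like this cannot tell whether a third-party NTP source is traceable to NIC or NPL; that question belongs to the infrastructure review, not to a configuration scan.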
CERT-In and DPDP are separate regulatory frameworks with overlapping obligations. CERT-In focuses on cybersecurity incident reporting and operational security. DPDP focuses on personal data protection and data subject rights. Both include incident reporting requirements, but the timelines, content, and recipients differ. Most organizations subject to CERT-In are also subject to DPDP, and effective compliance programs address both frameworks through unified processes that produce evidence usable for both. The technical infrastructure required by one framework typically supports the other, but the legal and procedural elements are distinct and require separate attention.
Most organizations conduct comprehensive CERT-In compliance assessments annually, with ongoing operational reviews more frequently. Regulated organizations may have additional sectoral requirements that drive more frequent audit cycles. Beyond formal audits, the dynamic nature of the threat landscape and the evolution of CERT-In guidance mean that compliance programs need continuous attention. Organizations that audit annually but operate compliance programs continuously find themselves better prepared than organizations that treat audit cycles as the only compliance touchpoint.
Build CERT-In Compliance That Works Under Pressure
The six-hour reporting window is achievable for organizations that have built the right incident response capability. SARC's CERT-In empanelled team brings the methodology, audit credibility, and operational support to turn compliance obligations into security maturity.
Schedule a CERT-In Readiness Discussion
500+ Professionals · 40+ Years · Global Presence