Framework · Compliance Enablers

CERT-In Directions

Six Hours to Report. Have the Clock Built In.

India's CERT-In Directions (April 2022) require specified cyber incidents to be reported to CERT-In within six hours of noticing them, alongside log retention and clock-synchronization duties. Run incident response with the reporting clock, playbooks, and evidence in one workflow.

Who needs it: Service providers, intermediaries, data centres, and body corporates operating in India — effectively every Indian company running digital infrastructure, plus foreign companies serving Indian users.

  • 6: Hours to Report
  • 180: Days Log Retention
  • 2022: Directions in Force Since
  • 2: Clocks per Breach (CERT-In + DPDPA)

The framework

What are the CERT-In Directions?

The Indian Computer Emergency Response Team (CERT-In) issued binding Directions under Section 70B of the IT Act in April 2022. The headline obligation: specified categories of cyber security incidents — including data breaches, ransomware, identity theft, and attacks on critical systems — must be reported to CERT-In within six hours of noticing or being notified of them.

The Directions also impose operational duties: maintaining security logs for a rolling 180-day period, synchronizing system clocks to designated NTP sources, and (for certain providers) maintaining specified customer records. For organizations also in DPDPA scope, a personal-data breach can trigger both the CERT-In six-hour report and Data Protection Board notification — two clocks, two recipients, one incident.

Non-compliance carries penalties under the IT Act, and CERT-In has actively followed up on reporting practices. The practical takeaway: six hours is a workflow problem, not a policy problem.

The requirements

What you'll need to satisfy.

The core categories CERT-In Directions auditors evaluate — and what we ship to cover each one.

Incident Reporting

  • Report specified incident categories within 6 hours
  • Use prescribed reporting formats and channels
  • Designate a point of contact for CERT-In
  • Respond to CERT-In directions and information requests

Logging & Records

  • Maintain security logs for a rolling 180 days
  • Make logs available to CERT-In on request
  • Synchronize system clocks to designated NTP sources
  • Provider-specific record-keeping duties where applicable

Operational Readiness

  • Incident classification mapped to reportable categories
  • Response playbooks with reporting steps embedded
  • Evidence and timeline capture during response
  • Post-incident review and corrective action
Before → After

The problem we solve.

Why teams pick Compliance Enablers for CERT-In Directions compliance.

Common challenges

  • Six hours is brutally short when your incident process lives in email threads and a Word template
  • Teams discover the reporting obligation during the incident — the worst possible moment
  • Log retention and synchronization duties are nobody's explicit job until an auditor or regulator asks
  • DPDPA breach notification and CERT-In reporting overlap but have different clocks and recipients

What we provide

  • Incident management with playbooks — reporting steps and timelines embedded in the response workflow
  • Incident classification aligned to the CERT-In reportable-incident categories
  • One incident record feeding both clocks: CERT-In six-hour reporting and DPDPA Data Protection Board notification
  • Evidence and timeline capture during response — what happened, when, who acted, automatically logged
  • Logging & Monitoring module for log management and clock-synchronization duties (ISO A.8.15–A.8.16)
  • Post-incident review feeding nonconformity & CAPA, so the same incident doesn't happen twice
Your journey

From kickoff to audit-ready.

Step-by-step, exactly how we'll get you there.

1. Classify & Map

Align your incident taxonomy to CERT-In reportable categories so triage answers "is this reportable?" immediately.

2. Playbooks with Clocks

Embed the six-hour reporting step, contacts, and format into response playbooks — visible from minute one.

3. Logging Duties

Track log-retention and clock-synchronization controls in the Logging & Monitoring module with evidence.

4. Dual-Clock Breaches

For personal-data incidents, run CERT-In and DPDPA notification duties from the same incident record.

5. Learn & Close

Post-incident reviews feed nonconformity & CAPA — tracked corrective actions, not lessons-learned theatre.

Time to value
Incident playbooks with reporting clocks live in days
The cost of a missed six-hour window — regulatory exposure plus the scramble — dwarfs the cost of having the workflow ready.
Cross-framework

CERT-In duties overlap ISO 27001's incident-management and logging controls, and pair with DPDPA breach notification — one incident program covers all three.

How we're different

No global GRC platform ships CERT-In-aware incident response — six-hour reporting is an India-specific obligation the US tools have never had to think about. We built it in because our beachhead customers live under it.

Powered by

Key modules for CERT-In Directions.

Everything these modules ship, included in every tier.

  • Incident Management
  • Logging & Monitoring
  • Privacy Management
  • BC/DR Planning
  • Nonconformity & CAPA

CERT-In Directions FAQ

14-day free trial · no card required

Get CERT-In Directions audit-ready.

Incident playbooks with reporting clocks live in days. 513 pre-generated policies. 50+ evidence collectors. Everything you need to pass CERT-In Directions, out of the box.