
CERT-In Directions 2022

Apr 28, 2022

Executive Summary

The CERT-In Directions of April 28, 2022, issued under Section 70B(6) of the Information Technology Act, 2000, represent a decisive regulatory intervention by India's national cybersecurity agency to strengthen incident response and cyber resilience across the digital ecosystem. Issued by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology, these six directions impose mandatory obligations on a wide range of entities -- service providers, intermediaries, data centres, government organisations, VPN and cloud providers, and virtual asset service providers. The centrepiece requirement is a stringent six-hour mandatory incident reporting window, which stands among the shortest globally. Together with requirements for NTP clock synchronization, 180-day log retention, and five-year customer registration records for infrastructure providers, these directions fundamentally reshape India's cybersecurity compliance landscape.

Key Provisions

Direction I -- NTP Clock Synchronization. All covered entities must synchronize their ICT system clocks with the NTP servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to those sources. Entities whose ICT infrastructure spans multiple geographies may use another accurate and standard time source, provided it does not deviate from NPL/NIC time. The Directions set no numeric tolerance for clock drift. The point is forensic: timestamps in logs and incident reports from different entities can only be correlated if the clocks that produced them agree.
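The following is an added example, not CERT-In's own tooling or text from the Directions: a minimal SNTP probe (RFC 4330) that measures the local clock's offset against a named NTP server, which is what an operator would run to check Direction I compliance on a host. The server hostname is a command-line argument; no NIC or NPL hostname is assumed here, and the 500 ms tolerance is an assumed operator threshold because the Directions give no numeric bound. The reply validation (mode, stratum, originate-timestamp echo) is what keeps a stray or spoofed UDP datagram from being mistaken for the server's answer.

```python
import socket
import struct
import sys
import time

NTP_DELTA = 2208988800  # seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
# 48-byte SNTP header (RFC 4330 section 4): LI/VN/Mode, stratum, poll, precision,
# root delay, root dispersion, reference id, then four 64-bit (seconds, fraction) timestamps.
NTP_PACKET = struct.Struct("!BBbbIII2I2I2I2I")


def unix_to_ntp(t):
    """Split Unix float seconds into the (seconds, fraction) halves of an NTP timestamp."""
    whole = int(t)
    return whole + NTP_DELTA, int((t - whole) * 2**32)


def ntp_to_unix(secs, frac):
    """Inverse of unix_to_ntp."""
    return secs - NTP_DELTA + frac / 2**32


def build_request(t1):
    """Client packet: LI=0, VN=4, Mode=3 (first byte 0x23); T1 travels in the transmit field."""
    s, f = unix_to_ntp(t1)
    return NTP_PACKET.pack(0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)


def parse_response(reply, request, t4):
    """Validate a server reply against the request it answers and return
    (offset, round_trip_delay, stratum) in seconds, per RFC 4330 section 5:
        offset = ((T2 - T1) + (T3 - T4)) / 2
        delay  = (T4 - T1) - (T3 - T2)
    """
    if len(reply) < NTP_PACKET.size:
        raise ValueError("short reply")
    f = NTP_PACKET.unpack_from(reply)
    li, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    if mode != 4:
        raise ValueError(f"expected server mode 4, got {mode}")
    if li == 3 or stratum == 0:
        # LI=3: server clock unsynchronised; stratum 0: kiss-o'-death. Neither is usable.
        raise ValueError("server unsynchronised or kiss-o'-death")
    # The originate field must echo our transmit timestamp, or this reply is stale/spoofed.
    if f[9:11] != NTP_PACKET.unpack_from(request)[13:15]:
        raise ValueError("originate timestamp does not match our request")
    t1 = ntp_to_unix(*f[9:11])
    t2 = ntp_to_unix(*f[11:13])
    t3 = ntp_to_unix(*f[13:15])
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay, stratum


def query(server, port=123, timeout=3.0):
    """One SNTP exchange with `server` (hostname or IP chosen by the operator)."""
    req = build_request(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_response(reply, req, t4)


def within_tolerance(offset, tolerance=0.5):
    """Assumed operator threshold of 500 ms; the Directions set no numeric bound."""
    return abs(offset) <= tolerance


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ntp_check.py <ntp-server>")
    off, rtt, stratum = query(sys.argv[1])
    print(f"offset={off:+.6f}s delay={rtt:.6f}s stratum={stratum} ok={within_tolerance(off)}")
```

A single exchange is enough to spot a host that is seconds or minutes adrift; for a continuous control, run the probe from monitoring on every host and alert when `within_tolerance` turns false, rather than trusting that the NTP daemon's configuration alone means the clock is right.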

Direction II -- Six-Hour Mandatory Incident Reporting. All service providers, intermediaries, data centres, body corporates, and government organisations must report cyber incidents to CERT-In within six hours of noticing or being informed of such incidents. The directive covers twenty enumerated categories of incidents (detailed in Annexure I), ranging from targeted scanning and ransomware attacks to data breaches, IoT compromises, and attacks on AI/ML systems. Reports may be submitted via email, phone, or fax using the standardized format prescribed in Annexure II.

Direction III -- Compliance with Information Requests. When CERT-In directs any entity to provide information or assistance for cybersecurity mitigation and situational awareness, the entity must comply within the timeframe specified in the direction. This grants CERT-In broad authority to demand real-time cooperation during active incidents.

Direction IV -- 180-Day Log Retention. All covered entities must enable and maintain logs of all ICT systems securely for a rolling period of 180 days. Critically, these logs must be stored within Indian jurisdiction and must be furnished to CERT-In upon incident reporting or upon specific direction.
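The check below is an added example, not CERT-In's own tooling: an audit that takes the first and last day covered by each retained log file or archive and reports any days inside the rolling 180-day window that no file covers. The date ranges are constructed sample input; in real use they would be derived from the files' own first and last event timestamps. The window is read conservatively as the 180 full days before today plus today itself, which is an assumption, since the Directions state the period but not its boundary convention.

```python
from datetime import date, timedelta

RETENTION_DAYS = 180  # Direction IV: rolling 180-day window


def window_start(today, retention_days=RETENTION_DAYS):
    """First day that must still be on disk (assumed reading: 180 full days before today, plus today)."""
    return today - timedelta(days=retention_days)


def coverage_gaps(archives, today, retention_days=RETENTION_DAYS):
    """archives: iterable of (first_day, last_day) inclusive date pairs, one per
    log file or archive, in any order and possibly overlapping.
    Returns inclusive (start, end) day ranges inside the retention window that
    no archive covers; an empty list means the window is fully covered."""
    start = window_start(today, retention_days)
    # Keep only spans that touch the window, clipped to it, ordered by start day.
    spans = sorted(
        (max(s, start), min(e, today))
        for s, e in archives
        if e >= start and s <= today
    )
    gaps = []
    cursor = start  # first day not yet known to be covered
    for s, e in spans:
        if s > cursor:
            gaps.append((cursor, s - timedelta(days=1)))
        if e >= cursor:
            cursor = e + timedelta(days=1)
    if cursor <= today:
        gaps.append((cursor, today))
    return gaps


def days_uncovered(gaps):
    """Total number of days with no log coverage, for a compliance metric."""
    return sum((e - s).days + 1 for s, e in gaps)


if __name__ == "__main__":
    # Constructed sample: three rotated archives of one host's logs with a hole in late April.
    today = date(2024, 6, 30)
    sample = [
        (date(2023, 12, 1), date(2024, 2, 29)),
        (date(2024, 3, 1), date(2024, 4, 15)),
        (date(2024, 5, 1), date(2024, 6, 30)),
    ]
    gaps = coverage_gaps(sample, today)
    for s, e in gaps:
        print(f"gap: {s} .. {e}")
    print(f"{days_uncovered(gaps)} day(s) uncovered in the last {RETENTION_DAYS} days")
```

Gaps usually come from a rotation policy that deletes too early (e.g. a small rotate count) or from a source that stopped shipping logs; the audit catches both, which a retention setting on its own does not.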

Direction V -- Five-Year Customer Data Retention for Infrastructure Providers. Data centres, VPS providers, cloud service providers, and VPN providers must collect and retain validated subscriber information for five years after service cancellation. Required records include validated customer names, service periods, allocated IPs, registration email addresses and IP addresses with timestamps, purpose of service hire, validated addresses, contact numbers, and ownership patterns.

Direction VI -- KYC for Virtual Asset Service Providers. Virtual asset exchanges, custodian wallet providers, and virtual asset service providers must maintain all KYC information and financial transaction records for five years, including customer identification data obtained through due diligence, transaction records (type, amount, currency, dates, parties, IP addresses, wallet addresses), and originator/beneficiary information on virtual asset transfers.

Goals and Timelines

The Directions were issued on April 28, 2022, with an effective date 60 days from issuance (June 27, 2022). The stated goal is immediate: close the gaps in incident analysis that were hampering CERT-In's ability to coordinate response. By fixing a six-hour window, replacing the unquantified "as early as possible" reporting standard of the 2013 CERT-In Rules, CERT-In aimed to cut sharply the time between an entity detecting an incident and national-level awareness and coordination. The 180-day log retention requirement gives investigators a defined forensic window, while the five-year record retention for infrastructure providers supports longer-term investigation and attribution.

Implementation Mechanisms

Centralized Reporting System. CERT-In established a multi-channel incident reporting system accessible via email (incident@cert-in.org.in), phone (1800-11-4949), and fax (1800-11-6969). The standardized reporting format in Annexure II requires general organizational information, incident details (date, time, location, affected systems, description), remedial actions taken, and relevant log files.

Broad Jurisdictional Scope. The Directions apply universally to service providers, intermediaries, data centres, body corporates, and government organisations, creating a comprehensive compliance net across all sectors of the economy. This includes Indian subsidiaries of foreign companies and foreign entities offering services within India.

Self-Compliance Model with Enforcement Backing. While the Directions establish mandatory obligations, enforcement relies on CERT-In's authority under the Information Technology Act to issue binding orders and, in cases of non-compliance, invoke the statutory penalty: under Section 70B(7), failing to provide information called for by CERT-In or to comply with a direction is punishable with imprisonment of up to one year, a fine of up to one lakh rupees, or both. The power to demand information and assistance within specified timeframes gives CERT-In an operational enforcement lever during live incidents.

Infrastructure Mandates. The NTP synchronization and log retention requirements impose specific technical infrastructure mandates that require organizations to invest in systems, storage, and processes. The requirement to maintain logs within Indian jurisdiction necessitates local data storage capabilities.

Industry Impact

The CERT-In Directions triggered significant upheaval across India's technology industry, particularly in several key areas.

VPN and Cloud Providers. The customer data retention requirements for VPN providers proved most controversial. Several international VPN providers, whose business models depend on not retaining user data, announced the removal of their servers from India rather than comply. This created a notable tension between India's cybersecurity objectives and the privacy-oriented services sector.

Startups and SMEs. The six-hour reporting deadline and 180-day log retention requirements imposed substantial operational and cost burdens on smaller organizations. Many SMEs lacked the technical infrastructure, cybersecurity expertise, and storage capacity necessary for compliance, driving demand for managed security services and compliance-as-a-service offerings.

IT Services Industry. Major IT services companies, already accustomed to incident management frameworks, adapted relatively smoothly but faced challenges in propagating compliance requirements through their supply chains and to clients operating within India.

Cryptocurrency and Virtual Assets. The KYC and transaction record requirements for virtual asset providers aligned with the broader global trend toward cryptocurrency regulation and complemented the Reserve Bank of India's evolving stance on digital assets.

Cybersecurity Market Growth. The Directions catalyzed growth in India's cybersecurity market, driving demand for SIEM (Security Information and Event Management) solutions, incident response retainers, compliance consulting, and managed detection and response (MDR) services.

The Directions also generated significant public debate about the balance between national security imperatives and individual privacy, particularly concerning the VPN data retention requirements and the breadth of information CERT-In can demand.

Amendment History

The CERT-In Directions of April 28, 2022 were issued as a standalone regulatory instrument under Section 70B(6) of the Information Technology Act, 2000, with an effective date 60 days from issuance. In May 2022 CERT-In published a set of Frequently Asked Questions (FAQs) clarifying, among other points, that the subscriber-record obligations of Direction V are aimed at VPN services offered to general Internet users rather than enterprise or corporate VPNs, that logs may be kept outside India provided they can be produced to CERT-In on demand, and how the six-hour reporting window is to be interpreted. On June 27, 2022, CERT-In extended the compliance timeline for micro, small and medium enterprises (MSMEs), and for the validation of subscriber details required under Direction V, to September 25, 2022. No formal amendments to the Directions themselves have been issued; ongoing guidance through CERT-In's advisories and the subsequent enactment of the Digital Personal Data Protection Act, 2023, have created an evolving compliance context in which these Directions operate.

Related Documents

  • Information Technology Act, 2000 -- The parent statute under which CERT-In operates and from which its direction-issuing authority (Section 70B) derives.
  • Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 -- The operational rules governing CERT-In's functions.
  • Digital Personal Data Protection Act, 2023 (DPDPA) -- Complementary legislation governing personal data processing, with breach notification obligations that intersect with CERT-In's incident reporting requirements.
  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 -- Related rules imposing due diligence obligations on intermediaries, including data retention and law enforcement cooperation requirements.
  • Reserve Bank of India Circulars on Virtual Digital Assets -- Regulatory framework for the financial aspects of cryptocurrency and virtual asset transactions, complementing CERT-In's cybersecurity requirements for virtual asset service providers.
  • EU NIS2 Directive / US CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022) -- International comparators for mandatory incident reporting: NIS2 requires an early warning within 24 hours and an incident notification within 72 hours, and CIRCIA sets 72 hours for covered cyber incidents (24 hours for ransom payments), which places CERT-In's six-hour window at the short end of global norms.