CERT-In Directions 2022: What every Indian business must do
The CERT-In Directions 2022 are legally binding on every entity operating in India — no size threshold, no sector carve-out. Here is what they require and where most businesses fall short.
Last updated: May 2026
Who does this apply to?
Every entity that owns, operates, or uses computer resources in India. That includes startups, SMEs, enterprises, government bodies, NGOs, and individuals conducting business online. If your servers are in India, your users are in India, or your business is registered in India — these directions apply to you.
There is no minimum revenue, employee count, or data volume that exempts you. This is the most commonly misunderstood aspect of the Directions — many founders assume they are too small to be in scope. They are not.
The four core obligations
1. Incident reporting — 6-hour rule
Report any cyber incident to CERT-In within 6 hours of detection. The clock starts when you become aware of the incident — not when it is confirmed, not when you have completed your investigation, and not when you decide it is serious enough. Detection starts the clock.
Reports are submitted at cert-in.org.in or by email to incident@cert-in.org.in. The report must include: nature of the incident, systems affected, time of detection, impact assessment, and steps taken or planned.
This requires a documented incident response procedure before an incident happens — not improvised in the middle of one.
2. 180-day log retention
All ICT system logs must be retained for a minimum of 180 days and stored in India. This covers application logs, server logs, access logs, network logs, and any other system event data.
AWS CloudWatch defaults to 90 days. GCP Cloud Logging defaults to 30 days (_Default bucket) or 400 days (_Required bucket for audit logs only). Neither default is compliant without explicit configuration.
Fix: Set CloudWatch log group retention to 180+ days. Set GCP log bucket retention to 180+ days. Ensure the log storage bucket is in ap-south-1 or asia-south1.
3. NTP synchronisation
All servers and systems must be synchronised to Indian NTP servers: samay1.nic.in, samay2.nic.in, or time.nptel.ac.in.
This matters for incident correlation. When logs from different systems have accurate, consistent timestamps, investigators can reconstruct what happened and when. Inaccurate timestamps can make an incident investigation impossible.
4. Data residency — primary systems in India
Primary servers, databases, and log storage must be located in India. For AWS this means ap-south-1 (Mumbai). For GCP: asia-south1 (Mumbai) or asia-south2 (Delhi). For Azure: centralindia or southindia.
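An added example, not code from the original page: a Python audit of AWS CloudWatch log groups against obligations 2 and 4 above (180-day retention, storage in India). It reads JSON in the shape returned by `aws logs describe-log-groups`; the sample data, account ID and log group names are constructed, and `audit_log_groups` is a hypothetical helper name.

```python
import json

MIN_RETENTION_DAYS = 180           # minimum retention stated on this page
INDIA_REGIONS = {"ap-south-1"}     # AWS region named on this page

# Constructed sample in the shape of `aws logs describe-log-groups` output.
SAMPLE = json.loads("""
{"logGroups": [
  {"logGroupName": "/app/api",
   "arn": "arn:aws:logs:ap-south-1:111122223333:log-group:/app/api:*",
   "retentionInDays": 365},
  {"logGroupName": "/app/worker",
   "arn": "arn:aws:logs:ap-south-1:111122223333:log-group:/app/worker:*",
   "retentionInDays": 90},
  {"logGroupName": "/app/auth",
   "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/auth:*",
   "retentionInDays": 180},
  {"logGroupName": "/app/batch",
   "arn": "arn:aws:logs:ap-south-1:111122223333:log-group:/app/batch:*"}
]}
""")


def audit_log_groups(doc):
    """Return {log group name: [findings]} for groups that need attention."""
    findings = {}
    for group in doc.get("logGroups", []):
        issues = []
        # ARN layout: arn:partition:service:region:account:resource
        region = group["arn"].split(":")[3]
        if region not in INDIA_REGIONS:
            issues.append(f"region {region} is outside India")
        # The API omits retentionInDays when no retention policy is set;
        # report it so an explicit 180+ day policy can be applied.
        days = group.get("retentionInDays")
        if days is None:
            issues.append("no explicit retention policy")
        elif days < MIN_RETENTION_DAYS:
            issues.append(f"retention {days}d is below {MIN_RETENTION_DAYS}d")
        if issues:
            findings[group["logGroupName"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_log_groups(SAMPLE).items():
        print(f"{name}: {'; '.join(issues)}")
```

To audit a real account, pass the parsed output of `aws logs describe-log-groups` for each region in use instead of `SAMPLE`.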
What incidents must be reported?
CERT-In specifies 20 categories of reportable incidents. This is a broader list than most people expect — it goes well beyond data breaches:
Where most businesses fall short
No incident response procedure
When an incident happens, there is no defined owner, no escalation path, and no way to meet the 6-hour clock. By the time someone decides what to do, the deadline has passed.
Logs stored outside India
Many startups use GCP or AWS and default to us-east-1 or europe-west1. Logs stored outside India violate both the data residency and log retention requirements simultaneously.
No log retention policy configured
Default CloudWatch or GCP Logging retention is 30–90 days. CERT-In requires 180 days minimum. This is a configuration change that takes 10 minutes — but most startups have never made it.
NTP not configured to Indian servers
Servers synced to pool.ntp.org or AWS/GCP internal NTP are non-compliant. CERT-In requires samay1.nic.in, samay2.nic.in, or time.nptel.ac.in.
No designated CERT-In reporting contact
CERT-In requires a designated point of contact. If no one is named, no one owns the 6-hour obligation — and it falls through the gap.
What happens if you don't comply?
Non-compliance with CERT-In Directions can result in imprisonment of up to one year and/or a fine under the IT Act 2000. More practically: if you experience a breach and cannot demonstrate compliance — no incident report filed within 6 hours, no 180-day logs, no NTP config — the regulatory and legal exposure compounds significantly.
CERT-In enforcement is still maturing, but the risk of being caught unprepared during or after a breach is real. The Directions are not a box-ticking exercise — they exist because log retention and incident reporting are what make incident investigation and recovery possible.
Get compliant
Check your CERT-In posture for free
Run a free domain scan on kawacha.com/scan — we check your HTTPS, security headers, email security, and DPDP Act compliance signals in under 2 minutes. For CERT-In implementation (log retention, NTP, incident response SOP, data residency) we offer fixed-fee engagements.