On 28 April 2022, the Ministry of Electronics and Information Technology (MeitY) published the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Amendment Rules, 2022 — commonly called the CERT-In Directions 2022. The rules came into force on 27 June 2022 and fundamentally changed how Indian organisations must respond to, document, and report cyber incidents.

The headline requirement is a 6-hour mandatory reporting window. From the moment an organisation detects or becomes aware of any of 11 specified incident types, it has six hours to file an initial report with CERT-In. This is not a disclosure window — it is a report-by window. The clock starts at detection, not at confirmation of impact. Organisations that wait to scope the full breach before filing routinely miss the deadline.

The 11 Categories of Notifiable Incidents

The directions define a precise taxonomy of what must be reported. Misclassifying an incident — or failing to recognise it belongs to a notifiable category — is the single most common gap practitioners identify during readiness assessments.


CERT-In Notifiable Incident Types

Per IT (CERT-In) Amendment Rules 2022 — all 11 categories trigger 6-hour reporting

  • 01 Targeted scanning/probing of critical networks and systems
  • 02 Compromise of critical systems or information
  • 03 Unauthorised access to IT systems / data
  • 04 Defacement of websites or intrusion into a website and unauthorised changes
  • 05 Malicious code attacks (virus, worm, Trojan, bots, spyware, ransomware, cryptominers)
  • 06 Attacks on servers such as Database, Mail and DNS, and network devices such as Routers
  • 07 Identity theft, spoofing, and phishing attacks
  • 08 Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • 09 Attacks on critical infrastructure (power, banking, telecom, transport)
  • 10 Attacks on applications such as E-Governance and E-Commerce
  • 11 Data breaches and data leaks

What Changed — Before and After CERT-In 2022

The directions introduced obligations that had no equivalent in prior Indian law. The shift is not marginal — it represents a structural change in how security operations must be designed and documented.

Before — Pre-2022 Voluntary / Best Effort
  • No mandatory reporting timeline — organisations reported at their own pace
  • No prescribed incident categories — scope left to interpretation
  • Log retention was a best-practice recommendation, not a legal requirement
  • No NTP synchronisation mandate — timestamps were unreliable across systems
  • VPN and cloud service providers had no explicit reporting obligations
  • No minimum log retention period specified for any sector

After — CERT-In 2022 Legally Mandated
  • 6-hour mandatory reporting from time of detection for 11 incident types
  • Explicit taxonomy of 11 notifiable incident categories with no grey area
  • Mandatory 180-day log retention for all service providers and intermediaries
  • NTP synchronisation required — all systems must sync to NIC/NPTEL NTP servers
  • VPN providers, cloud providers, and data centres explicitly covered
  • CERT-In can direct organisations to conduct forensic audits

Why 72% of Organisations Miss the 6-Hour Window

Field experience across regulated organisations consistently surfaces the same failure pattern. Detection systems exist but are not tuned to produce high-confidence alerts within minutes of an incident. Alert queues are long, triage is manual, and the internal escalation path to the person authorised to file a CERT-In report is undocumented or untested. By the time an analyst confirms the incident and finds the right CERT-In portal credentials, the clock has already expired.

Three structural gaps drive the majority of failures: absence of a pre-designated CERT-In reporting owner, no pre-tested incident classification matrix aligned to the 11 notifiable types, and no rehearsed escalation path from Tier 1 SOC to C-suite within the required window. Organisations that run annual tabletop exercises specifically against the 6-hour constraint are significantly more likely to meet the deadline in live incidents.

What Audit-Grade Documentation Looks Like

CERT-In does not prescribe a documentation format, but enforcement actions and advisories make the expectations clear. Audit-grade readiness requires three categories of documented evidence: operational artefacts (incident log with NTP-synchronised timestamps, classification decision trail, escalation call log), process artefacts (incident response playbook with CERT-In reporting as a named step, roles matrix, portal access credentials under change management), and test artefacts (tabletop exercise records, report drill completion timestamps, post-exercise gap closure evidence).

Organisations presenting these three categories during a CERT-In audit or regulatory inspection can demonstrate not just compliance intent but operational capability — the standard regulators apply when assessing whether a missed reporting deadline was a systemic failure or an isolated lapse.

"Non-compliance with CERT-In directions is punishable under Section 70B(7) of the IT Act, 2000 — imprisonment up to one year, a fine up to ₹1 lakh, or both. For corporate entities, the liability attaches to the person in charge of, and responsible for, the conduct of business."
— IT (CERT-In) Amendment Rules 2022, read with IT Act Section 70B(7)

The NTP and Log Retention Requirements in Practice

Two obligations that organisations consistently underestimate are NTP synchronisation and log retention. CERT-In requires all ICT infrastructure to be synchronised with the National Informatics Centre (NIC) or NPTEL NTP servers. This is not a checkbox — it means every server, firewall, endpoint, and cloud workload must be verifiably synchronised, and that synchronisation must be auditable. Organisations running hybrid environments or consuming third-party SaaS need contractual confirmation that their providers are similarly synchronised, because incident timelines drawn from unsynchronised logs are inadmissible for CERT-In reporting purposes.

The 180-day log retention requirement applies to all service providers, intermediaries, data centres, body corporates, and government organisations. It covers ICT system logs, network logs, and application transaction logs. Organisations must ensure logs are tamper-evident, accessible within hours (not days), and stored with sufficient fidelity to reconstruct the incident timeline that CERT-In requests when it acknowledges a report.
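As an added illustration, not code from the original article or from any CERT-In tooling, the following Python models the two time-based obligations discussed here and in the reporting section above: the 6-hour window measured from detection (not from confirmation of impact) and 180-day log coverage. All timestamps are constructed samples; refusing timezone-naive timestamps is this example's own assumption of what an auditable, NTP-anchored record needs.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Figures as stated on this page: 6-hour reporting window, 180-day log retention.
REPORTING_WINDOW = timedelta(hours=6)
LOG_RETENTION = timedelta(days=180)


def require_aware(ts: datetime, label: str) -> datetime:
    """Reject naive timestamps and normalise to UTC (assumption of this example:
    a deadline computed from a clock with no zone cannot be defended in an audit)."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label} timestamp must be timezone-aware")
    return ts.astimezone(timezone.utc)


def reporting_deadline(detected_at: datetime) -> datetime:
    """The clock starts at detection, never at confirmation of impact."""
    return require_aware(detected_at, "detection") + REPORTING_WINDOW


def filing_status(detected_at: datetime, filed_at: Optional[datetime], now: datetime) -> dict:
    """Report whether a CERT-In filing was (or still can be) made inside the window."""
    deadline = reporting_deadline(detected_at)
    if filed_at is not None:
        filed = require_aware(filed_at, "filing")
        overrun = max(timedelta(0), filed - deadline)
        return {"deadline": deadline, "filed": True, "on_time": filed <= deadline,
                "overrun_minutes": int(overrun.total_seconds() // 60)}
    remaining = deadline - require_aware(now, "now")
    return {"deadline": deadline, "filed": False, "on_time": remaining >= timedelta(0),
            "remaining_minutes": int(remaining.total_seconds() // 60)}


def retention_gaps(oldest_retained: Dict[str, datetime], now: datetime) -> List[str]:
    """Names of log sources whose retained history is shorter than 180 days."""
    now_utc = require_aware(now, "now")
    return sorted(name for name, oldest in oldest_retained.items()
                  if now_utc - require_aware(oldest, name) < LOG_RETENTION)


if __name__ == "__main__":
    # Constructed sample incident; times in IST (UTC+05:30).
    IST = timezone(timedelta(hours=5, minutes=30))
    detected = datetime(2024, 3, 1, 9, 0, tzinfo=IST)
    print(filing_status(detected, datetime(2024, 3, 1, 15, 45, tzinfo=IST), detected))
    print(retention_gaps({"firewall": datetime(2024, 1, 1, tzinfo=IST),
                          "vpn-gateway": datetime(2024, 5, 1, tzinfo=IST)},
                         datetime(2024, 9, 1, tzinfo=IST)))
```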