CERT-In 6-Hour Incident Reporting: Two Years On
Compliance
The April 2022 CERT-In directions imposed a 6-hour incident reporting window on Indian organizations. Two years later, the enforcement reality is more nuanced than the original panic suggested.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 16, 2024 · 7 min read
When CERT-In published the cyber incident reporting directions in April 2022, most security teams I spoke to assumed the 6-hour window was theatrical. Two years later, the rules are still on the books, enforcement has been patchy, and the operational impact is real but uneven. Here is what we have learned working with Indian financial services and fintech clients.
What counts as reportable
The Annexure I list runs to twenty categories and is broader than most people realize. The headline items are unauthorized access to IT systems, identity theft, phishing attacks, denial of service incidents, attacks on critical infrastructure, and ransomware. The less-cited but operationally important ones include data breach or data leak, attacks on application servers, fake mobile apps, attacks targeting IoT devices, and attacks on cloud computing systems.
The list is descriptive rather than precise. CERT-In has not published meaningful thresholds. A single phishing email that nobody clicked is technically reportable. In practice, organizations report material incidents and CERT-In has not enforced against minor non-reports.
The form and the timer
Reports go through the form at incident.cert-in.org.in or by email to incident@cert-in.org.in. The 6-hour clock starts at the time of noticing the incident, which is defined as discovery, not initial occurrence. The form asks for incident description, affected systems, point of contact, and known artifacts. There is no requirement to complete forensic analysis before reporting. A skeleton initial report with follow-up updates is acceptable.
Log retention requirements
The directions require all service providers, intermediaries, data centers, body corporates, and government organizations to maintain logs for 180 days within Indian jurisdiction. This was the most operationally disruptive element. Cloud-native organizations had to either prove their logging infrastructure was hosted in India or implement parallel logging into Indian regions.
- Application logs, server logs, and network device logs are all in scope
- Logs must be accessible within Indian jurisdiction (cloud regions in Mumbai or Hyderabad satisfy this)
- VPN providers, data center operators, and intermediaries face the strictest interpretations
- Crypto exchanges have additional KYC retention obligations under separate directions
Enforcement reality
In two years, public enforcement actions have been minimal. CERT-In has issued advisories, conducted closed-door reviews with sectoral regulators like the RBI and SEBI, and built up a confidential view of which organizations are responsive. The unstated penalty structure is reputational and regulatory rather than direct fines.
RBI examinations now routinely ask whether the regulated entity has filed CERT-In reports for known incidents. SEBI has integrated similar checks. NPCI has tightened expectations for UPI ecosystem participants. This chain effect matters more than direct CERT-In enforcement.
Operational recommendations
- Pre-register your point of contact with CERT-In and keep it current
- Build a playbook with a 4-hour internal triage target and a 5-hour escalation gate
- Maintain a templated initial report with placeholders for incident type, affected systems, and known IoCs
- Run a tabletop exercise twice a year to test the reporting workflow under time pressure
- Coordinate with your acquirer, regulator, and customers in parallel, not sequentially
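A small helper for the playbook above, added here as an illustration and not code from CERT-In, BIPI or any client: it starts the clock at the time of noticing, reports which phase the team should be in against the 4-hour triage target, 5-hour escalation gate and 6-hour deadline, and renders the skeleton initial report with TBD placeholders for follow-up. The phase names, the placeholder contact string and the assumption that naive timestamps are IST are my own choices.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List

IST = timezone(timedelta(hours=5, minutes=30))
REPORT_DEADLINE = timedelta(hours=6)   # CERT-In window, counted from time of noticing
TRIAGE_TARGET = timedelta(hours=4)     # internal triage target from the playbook above
ESCALATION_GATE = timedelta(hours=5)   # escalation gate from the playbook above


@dataclass
class Incident:
    category: str                         # Annexure I category, e.g. "ransomware"
    noticed_at: datetime                  # discovery time; the clock does not start at first occurrence
    affected_systems: List[str] = field(default_factory=list)
    known_iocs: List[str] = field(default_factory=list)
    contact: str = "<pre-registered point of contact>"  # hypothetical placeholder

    def __post_init__(self) -> None:
        # A naive timestamp is assumed to be IST, so later arithmetic never mixes naive and aware values.
        if self.noticed_at.tzinfo is None:
            self.noticed_at = self.noticed_at.replace(tzinfo=IST)

    def deadline(self) -> datetime:
        return self.noticed_at + REPORT_DEADLINE

    def phase(self, now: datetime) -> str:
        if now.tzinfo is None:
            now = now.replace(tzinfo=IST)
        elapsed = now - self.noticed_at
        if elapsed < TRIAGE_TARGET:
            return "triage"       # scope the incident, decide reportability
        if elapsed < ESCALATION_GATE:
            return "escalate"     # triage overran: escalate, prepare the skeleton report
        if elapsed < REPORT_DEADLINE:
            return "file-now"     # submit what is known; follow-up updates are acceptable
        return "overdue"

    def initial_report(self) -> str:
        # Skeleton initial report: unknown fields stay TBD and are filled in follow-up updates.
        def or_tbd(values: List[str]) -> str:
            return ", ".join(values) if values else "TBD"
        return "\n".join([
            f"Incident category: {self.category}",
            f"Time of noticing (IST): {self.noticed_at.astimezone(IST).isoformat()}",
            f"Affected systems: {or_tbd(self.affected_systems)}",
            f"Known artifacts / IoCs: {or_tbd(self.known_iocs)}",
            f"Point of contact: {self.contact}",
            f"Report due by (IST): {self.deadline().astimezone(IST).isoformat()}",
            "Status: initial report; forensic analysis pending, updates to follow",
        ])
```

Feed `phase()` the current time from your on-call tooling to drive pager escalations; the report string can be pasted into the CERT-In form or email as-is and updated as triage completes.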
What changes in the next year
The DPDPA 2023 introduces a parallel breach notification regime through the Data Protection Board. Once the rules are notified, organizations will face dual reporting obligations for incidents involving personal data. The two regimes will overlap but not align. Build your incident response to satisfy the stricter interpretation of both.