Scroll to top

CERT-In Directive 2022 Explained

March 25, 2026 CERT-In

The CERT-In directive of April 28, 2022 introduced specific technical obligations for every service provider, intermediary, data center, body corporate, and government organization in India. Non-compliance is a criminal offence under Section 70B(7) of the IT Act. Here's what the directive actually requires — in plain terms.

  1. Who Must Comply

    The directive applies broadly: service providers, intermediaries, data centers, body corporates, and government organizations. 'Body corporate' is defined widely in the IT Act — it includes any company, firm, or association of individuals. If you process, transmit, or store digital information in India and are organized as a body corporate, the CERT-In directive applies to you.

  2. The 6-Hour Incident Reporting Window

    Organizations must report 20 categories of cyber incidents to CERT-In within 6 hours of 'first knowledge' of the incident — not when the full scope is assessed, not after containment, but from the moment of first detection. The 20 reportable categories include: ransomware attacks, data breaches, unauthorized access to computer systems, website defacement, DoS/DDoS attacks, attacks on critical infrastructure, SCADA/ICS attacks, and several others.

  3. 180-Day Log Retention in India

    All ICT system logs, including network device logs and server logs, must be retained for 180 days — and that retention must be within Indian jurisdiction. Logs cannot be stored on foreign cloud regions or edge caches. For organizations using AWS or Azure, this means retention in Mumbai (ap-south-1) or Hyderabad regions, or Azure Central India or South India regions — enforced by IaC policy so logs cannot be incorrectly routed.

  4. NTP Synchronization

    All system clocks must be synchronized with NTP servers of NIC (National Informatics Centre) or NPCI, or other servers traceable to India's National Physical Laboratory (NPL) or NIST. Unsynchronized clocks destroy log correlation — a 1-second drift makes it impossible to reconstruct an incident timeline accurately. VinfraSec configures all systems to use NIC's NTP server (time.nic.in) via Terraform and Ansible.

  5. Verifiable System Identity

    VPN users, cloud accounts, and services must have traceable, verifiable identities. Anonymous accounts, shared credentials, and unattributed network identities do not comply with the CERT-In directive's verifiable identity requirements. IAM roles, managed identities, and certificate-based authentication must be implemented systematically.

  6. Criminal Liability for Non-Compliance

    Non-compliance is punishable by imprisonment up to one year, a fine of up to ₹1 lakh, or both — with liability falling on the officer responsible for the organization's IT. The fine ceiling is low, but CERT-In's power to conduct investigations and publish non-compliance findings creates significant reputational and regulatory risk beyond the statutory penalty.

Need India Compliance Help?

Book a free gap assessment with VinfraSec.

Book Free Assessment

Free India Compliance Assessment

VinfraSec offers a free DPDPA, CERT-In, or RBI gap assessment. Book a 30-minute call.

Book Now