
CERT-In 6-Hour Incident Reporting: What Indian Companies Must Do
CERT-In's 6-hour cyber incident reporting rule explained — who must comply, which incidents are reportable, 180-day log retention, how to report, penalties, and a practical readiness plan.
When a cyberattack hits an Indian organisation, the clock doesn't start ticking after the investigation — it starts the moment the incident is noticed. Under CERT-In's landmark 2022 directions, you have just six hours to report a broad range of cyber incidents to the national authority. Miss it, and non-compliance becomes a punishable offence under the IT Act.
The Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY), issued these directions under Section 70B(6) of the Information Technology Act, 2000. They apply to virtually every organisation operating in India — not just regulated sectors — and go far beyond reporting: mandatory log retention, clock synchronisation, KYC record-keeping, and a designated point of contact.
This guide explains exactly what the six-hour rule requires, who must comply, which incidents are reportable, the supporting obligations most teams overlook, the penalties for getting it wrong, and — crucially — how to build the detection and response capability that makes a six-hour deadline actually achievable.
- 01 Report listed cyber incidents to CERT-In within 6 hours of noticing them.
- 02 Applies to almost everyone — service providers, intermediaries, data centres, body corporates, and government organisations.
- 03 Beyond reporting: 180-day log retention in India, NTP clock sync to NIC/NPL, and a designated point of contact.
- 04 Data centres, VPS, cloud & VPN providers and virtual-asset businesses must keep KYC & records for 5 years.
- 05 Non-compliance is punishable under Section 70B(7) — the real challenge is detecting incidents fast enough to report in time.
What Are the CERT-In Directions? — The 30-Second Answer
On 28 April 2022, CERT-In issued directions under Section 70B(6) of the IT Act "relating to information security practices, procedure, prevention, response and reporting of cyber incidents." They came into force on 27 June 2022.
The headline requirement: mandatorily report a defined list of cyber incidents to CERT-In within 6 hours of noticing them (or being made aware of them).
But the directions also mandate synchronised clocks, 180-day log retention within India, five-year KYC records for certain providers, and a designated point of contact — turning incident reporting into an always-on operational capability, not a one-off form.
Who Must Comply?
The directions are deliberately broad. They apply to "any service provider, intermediary, data centre, body corporate and Government organisation" — which, in practice, means almost every organisation that runs IT systems in India, from startups to enterprises to public bodies.
Some categories carry additional obligations:
The 6-Hour Rule — How It Actually Works
The six-hour window starts when your organisation notices the incident or is brought to notice of it — not when your investigation concludes. That distinction is everything: it means the report is an early warning, not a post-mortem. You are expected to report what you know, then follow up with detail as the picture develops.
The hard part isn't the form — it's the clock. Six hours is trivial if you detect the incident in minutes through active monitoring. It's impossible if the first you hear of it is a customer complaint days later. CERT-In compliance is, in reality, a detection problem — which is why continuous SOC monitoring is the foundation of readiness.
Which Incidents Must Be Reported?
CERT-In's Annexure lists a wide range of mandatorily reportable incident types. The list is broad by design — when in doubt, report. Major categories include:
This is a representative summary. Refer to the current CERT-In directions and their annexure for the complete, authoritative list of reportable incident types.
The Obligations Beyond Reporting
Most organisations focus on the six-hour rule and miss the standing operational requirements. These are exactly what an inspection or post-incident review will test.
1. Log retention — 180 days, within India
Organisations must enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days, within Indian jurisdiction. These logs must be produced to CERT-In when ordered or directed. In practice this means centralised log collection, tamper-evident storage, and a retention policy — the natural output of a managed SOC or SOC-as-a-Service with a properly configured SIEM.
2. Time synchronisation — NIC / NPL
All ICT systems must synchronise their clocks to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to servers traceable to them. Consistent, accurate timestamps are what make logs admissible and correlatable across systems during an investigation.
3. Designated point of contact (PoC)
Every organisation must nominate a point of contact to interface with CERT-In, and share (and keep updated) those details. When an incident lands, everyone must know who reports, how, and with what authority — a named role, not a scramble.
4. KYC & transaction records — 5 years
As noted above, data centres, VPS, cloud and VPN providers, and virtual-asset businesses must retain validated KYC and relevant records for at least five years, enabling traceability of misuse.
How to Report an Incident to CERT-In
CERT-In accepts incident reports via email, phone, and its incident-reporting portal; the methods and formats are published on the CERT-In website (the standard email is [email protected]). A useful initial report includes:
Practically, you should pre-build a reporting template and playbook so the PoC can file within minutes of confirmation — and treat the first report as preliminary, updating CERT-In as forensics progress. A tested digital forensics & incident response capability, or an IR retainer, is what turns this from theory into muscle memory.
Penalties for Non-Compliance
These directions have statutory teeth. Under Section 70B(7) of the IT Act, failure to comply with CERT-In's directions — including failing to report an incident or provide requested information — is a punishable offence, attracting imprisonment of up to one year and/or a fine of up to ₹1 lakh. Beyond the statutory penalty, non-reporting compounds regulatory exposure under sector rules (SEBI, RBI) and undermines your position in any subsequent dispute or investigation.
How CERT-In Fits With SEBI, RBI & Other Rules
CERT-In reporting is the common backbone of India's incident-reporting regime. Sector regulators build on top of it: SEBI's CSCRF and RBI's frameworks both require reporting to CERT-In plus reporting to the regulator within their own timelines. So an incident at a regulated entity often triggers parallel reporting obligations — CERT-In within 6 hours, and the sector regulator per its rules. Our guides to the RBI Master Direction and the CERT-In 2026 AI blueprint map how these layer together.
Building CERT-In Readiness — A Practical Plan
Compliance is achievable only if you can detect fast, respond calmly, and evidence everything. A pragmatic readiness programme:
- ✔ Real-time detection workflows enabled via continuous SOC monitoring
- ✔ Active threat hunting configured for legacy/critical endpoints
- ✔ Clocks time-synchronised traceable to NIC/NPL NTP servers
- ✔ Rolling 180-day log files securely stored inside Indian servers
- ✔ Designated CERT-In Point of Contact (PoC) assigned and registered
- ✔ Incident response playbooks with pre-filled reporting templates
- ✔ On-demand DFIR surge support contracted via IR retainers
- ✔ 5-year customer KYC record registers validated (where applicable)
- ✔ Tabletop exercises simulating 6-hour incident containment flows
- ✔ Annual CERT-In-aligned web app and API VAPT testing
- ✔ Breach & Attack Simulation (BAS) checks executed periodically
- ✔ Ransomware readiness and recovery testing complete
- ✔ Incident response capabilities reported directly to CISO/Board
- ✔ Root-cause analysis playbooks active to process post-breach lessons
- ✔ Outsourcing security GRC wrappers aligned with MeitY guidelines
- ✔ Staff security awareness training courses delivered regularly
Common Mistakes
1. No detection capability
You cannot report in 6 hours what you notice in 6 days. Without monitoring, the deadline is unmeetable by definition.
2. Waiting for full root-cause before reporting
The initial report is an early warning. File on time with what you know; update as forensics progress.
3. Logs missing, short-retained, or stored abroad
180-day, in-India, tamper-evident logs are a standing requirement — not something to arrange after an incident.
4. No named point of contact
When minutes matter, ambiguity about who reports (and how) burns the whole window.
5. Treating it as CERT-In only
Regulated entities often owe parallel reports to SEBI/RBI. Map every obligation an incident triggers, in advance.
How Adayptus Helps
Adayptus builds and operates the capability that makes the six-hour deadline realistic. On the detect side: managed SOC, SOC-as-a-Service, MDR, and threat hunting, with SIEM-based log collection and 180-day retention. On the respond side: digital forensics & incident response, an IR retainer for guaranteed surge support, and crisis simulations. On readiness: breach & attack simulation, continuous security validation, and ransomware readiness. And on prevention & governance: VAPT, penetration testing, red teaming, awareness training, and a GRC / vCISO wrapper so your CERT-In (and SEBI/RBI) obligations are provably met. See our SOC incident-management playbook for the operational detail.
Conclusion
CERT-In's six-hour rule reset the tempo of incident response in India: reporting is now a real-time obligation, backed by standing requirements for logging, time-sync, records, and a point of contact — and by statutory penalties. The organisations that stay compliant aren't the ones with the best forms; they're the ones that detect fast, respond with a rehearsed playbook, and evidence everything. Build that capability now, while the clock is calm.
Disclaimer: This article is an informational summary of CERT-In's directions dated 28 April 2022 (in force from 27 June 2022) and related obligations under Section 70B of the IT Act, 2000, as understood in 2025-2026. It is not legal advice. Reportable incident types, formats, timelines, and requirements are defined in the official CERT-In directions, FAQs, and subsequent notifications — always refer to the latest CERT-In publications and consult qualified advisors for your obligations.
Frequently Asked Questions
Click any question to expand the answer.
Q What is the CERT-In 6-hour incident reporting rule?
Under CERT-In's directions of 28 April 2022 (effective 27 June 2022), organisations must report a defined list of cyber incidents to CERT-In within six hours of noticing them or being made aware of them. The report is an early warning filed with available information and updated as the investigation progresses.
Q Who has to comply with the CERT-In directions?
The directions apply to any service provider, intermediary, data centre, body corporate, and government organisation operating in India — effectively almost every organisation running IT systems. Data centres, VPS, cloud and VPN providers, and virtual-asset businesses carry additional five-year KYC and record-keeping obligations.
Q How long must logs be retained under CERT-In rules?
Organisations must enable logging of their ICT systems and maintain the logs securely for a rolling period of 180 days within Indian jurisdiction, producing them to CERT-In when directed. Systems must also be time-synchronised to the NTP servers of NIC or NPL.
Q How do you report an incident to CERT-In?
CERT-In accepts reports via email ([email protected]), phone, and its online incident-reporting portal, using the formats published on its website. Include the time of occurrence and detection, incident type, affected systems, a description, impact, indicators such as IP addresses, and contact details.
Q What are the penalties for not reporting to CERT-In?
Failure to comply with CERT-In's directions is a punishable offence under Section 70B(7) of the IT Act, 2000, attracting imprisonment of up to one year and/or a fine of up to one lakh rupees, in addition to sector-regulatory exposure.
Q How can Adayptus help with CERT-In compliance?
Adayptus provides managed SOC / SOC-as-a-Service / MDR with SIEM-based 180-day log retention, threat hunting, DFIR and IR retainers, crisis and breach simulations, ransomware readiness, VAPT, red teaming, awareness training, and a GRC / virtual CISO wrapper so CERT-In and sector-regulatory obligations are demonstrably met.

Peyush Baranwal
Senior Delivery Manager — Cyber Security, Adayptus
Peyush Baranwal is a Senior Delivery Manager at Adayptus Consulting with 11+ years of experience designing, implementing, and managing enterprise security programmes. His core expertise spans Vulnerability Assessment & Penetration Testing (VAPT), Application Security, and Security Operations — leading web, mobile, API, and infrastructure security assessments for CISOs and security teams across BFSI, healthcare, and SaaS. He focuses on measurable risk reduction, governance maturity, and operationalising detection-and-response capability. Outside work, Peyush is a passionate biker and part-time photographer.
Connect on LinkedInExecutive Intelligence Briefing
Join top security executives receiving our curated analysis of zero-days, compliance shifts, and architectural vulnerabilities—delivered completely ad-free.
On This Page
- What Are the CERT-In Directions?
- Who Must Comply?
- The 6-Hour Rule — How It Actually Works
- Which Incidents Must Be Reported?
- The Obligations Beyond Reporting
- How to Report an Incident to CERT-In
- Penalties for Non-Compliance
- How CERT-In Fits With SEBI, RBI & Other Rules
- Building CERT-In Readiness — A Practical Plan
- Common Mistakes
- How Adayptus Helps
- Conclusion
- Frequently Asked Questions


