Compliance

CERT-In Compliance Guide: The 6-Hour Rule & How to Avoid Penalties

Complete guide to CERT-In compliance requirements for Indian businesses. Learn about the 6-hour incident reporting rule and how to meet regulatory obligations.

5 December 2024
14 min read
MailArmor Team

Introduction

In India's cybersecurity landscape, the "good old days" of ignoring data breaches are over. The Indian Computer Emergency Response Team (CERT-In) now enforces some of the strictest reporting timelines in the world. This CERT-In compliance guide cuts through the legal jargon to explain the mandatory "6-hour reporting rule," log retention requirements, and how Indian businesses can stay compliant to avoid jail time and heavy fines.

What is CERT-In and Why Does It Matter?

CERT-In (Indian Computer Emergency Response Team) is the national nodal agency responsible for cybersecurity under the Ministry of Electronics and Information Technology (MeitY). Think of them as the "Cyber Police" of India.

For years, their guidelines were seen as suggestions. That changed with the issuance of the Cyber Security Directions (April 2022) and subsequent clarifications. These directions carry the force of law under Section 70B of the IT Act, 2000.

The Stake: Non-compliance isn't just a slap on the wrist. It is a criminal offense punishable by imprisonment of up to one year or a fine of ₹1 Lakh (per instance), or both. For a business facing multiple unchecked breaches, this can mean operational shutdown.

The 6-Hour Reporting Mandate: The Hardest Hurdle

The most controversial and critical aspect of the new guidelines is the timeline.

The Rule:

Any service provider, intermediary, data center, or body corporate must report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to their notice.

Why This is Difficult:

In most global standards (like GDPR), you have 72 hours. India demands 6.

Scenario: A ransomware attack hits your server at 2:00 AM. Your IT team notices it at 8:00 AM. You must report it to CERT-In by 2:00 PM the same day.

The Trap: Most businesses spend the first 24 hours just trying to figure out "what happened." Under CERT-In rules, delay is not an option.

The 180-Day Log Retention Rule

To investigate crimes, the government needs evidence. That evidence lives in your server logs.

The Requirement:

All organizations must enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days (6 months).

These logs must be maintained within the Indian jurisdiction.

What Logs Are Required?

It is not just firewall logs. The scope includes:

  • Application logs (Email, ERP, CRM).
  • Database access logs.
  • Network device logs (Routers, Switches).
  • VPN access logs (IP, Time, Duration).

NTP Synchronization:

You cannot have random timestamps. All system clocks must be synchronized with NTP servers of the National Informatics Centre (NIC) or National Physical Laboratory (NPL). This ensures that if a hack happens at 10:05 AM, your logs match the government's timeline exactly.
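The two controls in this section, 180 days of retained logs and clocks synced to the NIC or NPL time servers, can be checked mechanically. The script below is an added example, not part of the original article or any MailArmor or CERT-In tooling; it assumes a Linux host that uses chrony (`server`/`pool` lines in chrony.conf) for time and logrotate (`daily`/`weekly` plus `rotate N`, optionally `maxage N`) for log retention, which are common but not the only way to meet the requirement. The configuration texts it audits are constructed samples embedded inline.

```python
"""Audit NTP sources and log retention against the CERT-In 180-day and
NIC/NPL requirements. Added example; the config texts are constructed."""

# Time servers named in the article: NPL (time.nplindia.org) and NIC (samay.nic.in)
APPROVED_NTP_HOSTS = {"time.nplindia.org", "samay.nic.in"}
REQUIRED_RETENTION_DAYS = 180

# logrotate rotation interval -> days, so "weekly" + "rotate 26" becomes 182 days
INTERVAL_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}


def _directives(text: str):
    """Yield (keyword, args) for each non-empty, non-comment line of a config."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.endswith("{") or line == "}":
            continue                                  # skip logrotate braces
        parts = line.split()
        yield parts[0], parts[1:]


def ntp_sources(chrony_conf: str) -> list:
    """Hostnames from 'server' and 'pool' directives in a chrony.conf."""
    return [args[0] for key, args in _directives(chrony_conf)
            if key in ("server", "pool") and args]


def ntp_compliant(chrony_conf: str) -> bool:
    """True only if at least one source is configured and every source is an
    approved NIC/NPL host; a stray public pool entry fails the check."""
    hosts = ntp_sources(chrony_conf)
    return bool(hosts) and all(h in APPROVED_NTP_HOSTS for h in hosts)


def retention_days(logrotate_stanza: str) -> float:
    """Days of logs a logrotate stanza keeps: interval * 'rotate N', capped by
    'maxage N' when present. Returns 0 if retention cannot be proven."""
    interval = rotate = maxage = None
    for key, args in _directives(logrotate_stanza):
        if key in INTERVAL_DAYS:
            interval = INTERVAL_DAYS[key]
        elif key == "rotate" and args:
            rotate = int(args[0])
        elif key == "maxage" and args:
            maxage = int(args[0])
    if interval is None or rotate is None:
        return 0.0
    days = interval * rotate
    return min(days, maxage) if maxage is not None else days


def audit(chrony_conf: str, logrotate_stanza: str) -> dict:
    """Per-control pass/fail summary with the measured values."""
    days = retention_days(logrotate_stanza)
    return {
        "ntp_sources": ntp_sources(chrony_conf),
        "ntp_ok": ntp_compliant(chrony_conf),
        "retention_days": days,
        "retention_ok": days >= REQUIRED_RETENTION_DAYS,
    }


# Constructed samples (not real files from any organisation)
SAMPLE_CHRONY_OK = """
server time.nplindia.org iburst
server samay.nic.in iburst
driftfile /var/lib/chrony/drift
"""
SAMPLE_CHRONY_BAD = """
pool 2.debian.pool.ntp.org iburst   # public pool, not NIC/NPL
"""
SAMPLE_LOGROTATE_SHORT = """
/var/log/mail.log {
    daily
    rotate 30        # 30 days only: fails the 180-day rule
    compress
}
"""
SAMPLE_LOGROTATE_OK = """
/var/log/mail.log {
    weekly
    rotate 26        # 26 weeks = 182 days
    compress
    delaycompress
}
"""

if __name__ == "__main__":
    print("compliant host:", audit(SAMPLE_CHRONY_OK, SAMPLE_LOGROTATE_OK))
    print("non-compliant host:", audit(SAMPLE_CHRONY_BAD, SAMPLE_LOGROTATE_SHORT))
```

Run it against your own /etc/chrony/chrony.conf and logrotate stanzas by reading the files into the two arguments; a `retention_days` of 0 means the stanza never states both an interval and a rotate count, which is the usual reason a server silently keeps far less than 180 days.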

Who Must Comply? (Scope of Applicability)

A common myth is "I am a Small or Medium Business (SMB), so this doesn't apply to me."

The Reality:

The directions apply to:

  • Service Providers: ISPs, Cloud Providers, VPN services.
  • Intermediaries: Social media platforms, e-commerce sites.
  • Data Centers: Hosting providers.
  • Body Corporates: Any company (Private Ltd, LLP) handling data.

If you have a server, an email system, and customers in India, you are likely under the scope. There are no exemptions based on revenue or employee count.

Step-by-Step: How to Achieve Compliance

Compliance is an operational challenge, not just a technical one. Follow this roadmap.

Step 1: Appoint a Point of Contact (PoC)

You must designate a specific officer responsible for communicating with CERT-In. Their name and contact details must be ready to share.

Step 2: Centralize Your Logging

You cannot store logs on individual laptops. Use a SIEM (Security Information and Event Management) tool or a centralized log server to aggregate data for the mandatory 180 days.

Step 3: Synchronize Time (NTP)

Configure your Active Directory and Firewalls to sync time with time.nplindia.org or samay.nic.in.

Step 4: Automate Incident Detection

Since you only have 6 hours to report, human detection is too slow. You need AI email security and endpoint detection tools that alert you instantly when a breach occurs.

Step 5: Draft the "First Information Report"

Prepare a template for reporting. When an incident hits, you shouldn't be scrambling for the format. The report must be sent to incident@cert-in.org.in or via their helpdesk portal.
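The roadmap above (a named point of contact, a timestamped record of when the incident was noticed, and a pre-drafted report) can be wired into a small helper so the 6-hour clock is computed rather than estimated. The code below is an added example, not part of the original article and not an official CERT-In format; the report fields follow the ones the article names (time of occurrence, affected systems, impact) and the reporting address is the one the article gives, while the PoC record and the ransomware incident are constructed to match the article's 2:00 AM / 8:00 AM scenario. It also handles the case the rule spells out, an incident "brought to their notice" by an outsider before internal detection, by starting the clock at the earlier of the two times.

```python
"""CERT-In 6-hour reporting helper. Added example; not from the original
article or CERT-In. The PoC and incident values are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# IST is a fixed UTC+05:30 offset with no DST, so a fixed-offset zone is exact.
IST = timezone(timedelta(hours=5, minutes=30), "IST")
REPORTING_WINDOW = timedelta(hours=6)
CERT_IN_INCIDENT_EMAIL = "incident@cert-in.org.in"  # address given in the article


@dataclass
class PointOfContact:
    """Step 1: the officer who communicates with CERT-In."""
    name: str
    email: str
    phone: str


@dataclass
class Incident:
    incident_type: str
    affected_systems: list[str]
    impact: str
    occurred_at: datetime | None = None   # when the attack began, if known
    detected_at: datetime | None = None   # first internal alert or observation
    notified_at: datetime | None = None   # when an outsider brought it to your notice
    reported_at: datetime | None = None   # when the report actually went out

    def noticed_at(self) -> datetime:
        """The 6-hour clock starts at the earlier of internal detection and
        external notification, not at the moment the attack began."""
        known = [_as_ist(t) for t in (self.detected_at, self.notified_at) if t is not None]
        if not known:
            raise ValueError("incident has neither detected_at nor notified_at")
        return min(known)


def _as_ist(ts: datetime) -> datetime:
    """Reject naive timestamps: deadlines must be computed on zone-aware,
    NTP-synchronised time so they match the regulator's timeline."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(IST)


def reporting_deadline(incident: Incident) -> datetime:
    return incident.noticed_at() + REPORTING_WINDOW


def is_overdue(incident: Incident, now: datetime) -> bool:
    """True when the window closed before a report was sent, or when the
    report that was sent went out after the deadline."""
    reference = incident.reported_at if incident.reported_at is not None else now
    return _as_ist(reference) > reporting_deadline(incident)


def missing_fields(incident: Incident) -> list[str]:
    """Fields the CERT-In form asks for (per the article) that are still empty."""
    gaps = []
    if not incident.incident_type.strip():
        gaps.append("incident_type")
    if not incident.affected_systems:
        gaps.append("affected_systems")
    if not incident.impact.strip():
        gaps.append("impact")
    return gaps


def draft_report(incident: Incident, poc: PointOfContact) -> str:
    """Step 5: render the pre-agreed template; refuses to emit an incomplete report."""
    gaps = missing_fields(incident)
    if gaps:
        raise ValueError("report incomplete, fill in: " + ", ".join(gaps))
    fmt = "%Y-%m-%d %H:%M IST"
    occurred = _as_ist(incident.occurred_at).strftime(fmt) if incident.occurred_at else "unknown"
    return "\n".join([
        f"To: {CERT_IN_INCIDENT_EMAIL}",
        f"Subject: Cyber incident report - {incident.incident_type}",
        f"Point of contact: {poc.name} <{poc.email}>, {poc.phone}",
        f"Time of occurrence: {occurred}",
        f"Time noticed: {incident.noticed_at().strftime(fmt)}",
        f"Reporting deadline: {reporting_deadline(incident).strftime(fmt)}",
        "Affected systems: " + ", ".join(incident.affected_systems),
        f"Impact: {incident.impact}",
    ])


# Constructed samples: the article's scenario (attack 02:00, noticed 08:00)
SAMPLE_POC = PointOfContact("A. Officer (placeholder)", "security@example.in", "+91-00000-00000")
SAMPLE_INCIDENT = Incident(
    incident_type="Ransomware",
    affected_systems=["file-server-01", "backup-nas"],
    impact="Shared drives encrypted; extortion note found on hosts.",
    occurred_at=datetime(2024, 12, 5, 2, 0, tzinfo=IST),
    detected_at=datetime(2024, 12, 5, 8, 0, tzinfo=IST),
)
# Same incident, but a partner reported it at 07:00, before the 08:00 internal alert
SAMPLE_INCIDENT_TIPPED = Incident("Ransomware", ["file-server-01"], "Drives encrypted.",
                                  detected_at=datetime(2024, 12, 5, 8, 0, tzinfo=IST),
                                  notified_at=datetime(2024, 12, 5, 7, 0, tzinfo=IST))
SAMPLE_NOW_WITHIN = datetime(2024, 12, 5, 13, 0, tzinfo=IST)
SAMPLE_NOW_LATE = datetime(2024, 12, 5, 15, 0, tzinfo=IST)

if __name__ == "__main__":
    print(draft_report(SAMPLE_INCIDENT, SAMPLE_POC))
    print("overdue at 13:00?", is_overdue(SAMPLE_INCIDENT, SAMPLE_NOW_WITHIN))
    print("overdue at 15:00?", is_overdue(SAMPLE_INCIDENT, SAMPLE_NOW_LATE))
```

The important design choice is that `noticed_at()` and `reporting_deadline()` refuse naive timestamps: a deadline computed from an unsynchronised or zone-less clock is exactly the kind of discrepancy the NTP requirement exists to prevent.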

Checklist: Mandatory Reportable Incidents

Not every glitch is an incident. However, CERT-In has listed 20 specific types of events that must be reported. Here are the top ones relevant to SMBs:

Incident Type           | Description                                   | Priority
------------------------+-----------------------------------------------+---------
Phishing / BEC          | Fake emails, CEO fraud, invoice scams.        | High
Ransomware              | Data encryption and extortion demands.        | Critical
Data Breach             | Leakage of customer or employee data.         | Critical
Unauthorized Access     | Hacking into social media or email accounts.  | High
Defacement              | Attackers changing your website content.      | Medium
Denial of Service (DoS) | Attacks crashing your servers/website.        | Medium

Frequently Asked Questions (FAQs)

Q1: Do we need to report an incident even if we fixed it successfully?

Yes. The mandate requires reporting the occurrence of the incident, regardless of whether you mitigated it or lost data.

Q2: What is the format for reporting to CERT-In?

Reports can be submitted via email (incident@cert-in.org.in), phone (1800-11-4949), or fax. The preferred method is the online form on the CERT-In website, which asks for the time of occurrence, the affected systems, and the impact.

Q3: Can we store logs on a cloud server outside India?

The guidelines emphasize maintaining logs within Indian jurisdiction. If you use a foreign cloud provider, you must ensure either that they offer an Indian instance or that you hold a mirrored copy of the logs in India-based storage.

Q4: Does this apply to VPN providers?

Yes. VPN and VPS providers have even stricter rules. They must maintain customer KYC data (names, IPs, phone numbers) for 5 years or more, effectively banning "anonymous" VPN services in India.

Conclusion

The message from the government is clear: Cyber hygiene is no longer a personal choice; it is a public duty.

For Indian businesses, CERT-In compliance is a wake-up call. The 6-hour reporting window is impossible to meet with manual checks. It requires a shift toward automated, always-on security layers. If you don't know you've been hacked within minutes, you cannot comply.

The cost of compliance (logs, tools) is high, but the cost of non-compliance—criminal charges and business closure—is infinitely higher.

Can your business detect a breach in under 6 hours?

Don't rely on luck. Rely on automation.
