CERT-In Directions under Section 70B of the Information Technology Act
The CERT-In Directions were issued in April 2022 under Section 70B of the Information Technology Act 2000. They are cybersecurity directions, not data protection rules. But because they directly govern how organisations handle cyber incidents, logs, and infrastructure, they sit squarely inside any serious data compliance programme. A personal data breach is, almost always, also a cyber incident. The obligations overlap — and the penalties for non-compliance with CERT-In directions are separate from DPDP penalties.
The Directions apply to service providers, intermediaries, data centres, body corporate and government organisations. If you are a company that processes any data digitally, you are almost certainly a body corporate within scope. There is no size threshold, no sector carve-out, and no revenue floor. If you operate ICT systems in India, these directions apply to you.
The Directions impose six numbered obligations, grouped into five categories below because Directions (v) and (vi) both concern five-year record keeping by infrastructure and virtual-asset providers. Each is specific, operational, and immediately enforceable. Non-compliance is not treated as a gap to remediate; it is treated as a violation, with potential punitive action under Section 70B(7) of the IT Act (imprisonment of up to one year, a fine of up to one lakh rupees, or both).
One: NTP synchronisation. Every ICT system, including servers, network devices, cloud instances and endpoints, must synchronise its clock to the NTP server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to an NTP source traceable to these. Direction (i) allows one exception: an organisation whose ICT infrastructure spans multiple geographies may use another accurate, standard time source, provided that source does not deviate from NPL and NIC time. The reason is forensic: unsynchronised clocks make logs unreliable as evidence. If your clocks deviate, your incident timeline cannot be trusted, and neither can your logs when CERT-In asks for them.
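A check a practitioner would run per host to verify Direction (i), as an added example that is not part of the Directions or of any CERT-In tooling. It reads a chrony configuration and the output of `chronyc tracking` and reports any source outside a NIC/NPL allowlist, an unsynchronised clock, or an offset beyond a tolerance. The hostnames in ALLOWED_UPSTREAMS and the one-second tolerance are assumptions; confirm the official NIC/NPL server names before using the list, and add your own internal NTP servers to it only if they are themselves synchronised to NIC/NPL. The configuration and tracking texts below are constructed samples.

```python
"""Audit one host's NTP configuration and sync state against a NIC/NPL allowlist.

Added example, not official CERT-In or chrony code. ALLOWED_UPSTREAMS and
MAX_OFFSET_SECONDS are assumptions to be confirmed before use.
"""
import re

# Assumed NIC/NPL hostnames; verify against current NIC/NPL announcements.
# Internal servers that are themselves synced to NIC/NPL may be added here.
ALLOWED_UPSTREAMS = {"samay1.nic.in", "samay2.nic.in", "time.nplindia.org"}
MAX_OFFSET_SECONDS = 1.0  # assumed tolerance for a forensically usable timeline


def configured_servers(chrony_conf: str) -> list:
    """Return hostnames named by server/pool/peer lines in a chrony.conf."""
    servers = []
    for raw in chrony_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("server", "pool", "peer"):
            servers.append(parts[1])
    return servers


def parse_tracking(chronyc_tracking: str) -> dict:
    """Extract reference, stratum, signed offset and leap status from 'chronyc tracking'."""
    info = {"reference": None, "stratum": None, "offset_s": None, "leap": None}
    for line in chronyc_tracking.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Reference ID":
            m = re.search(r"\(([^)]+)\)", value)
            info["reference"] = m.group(1) if m else value
        elif key == "Stratum":
            info["stratum"] = int(value)
        elif key == "System time":
            # chrony reports the magnitude plus "slow"/"fast"; keep a signed value
            m = re.match(r"([\d.]+) seconds (slow|fast) of NTP time", value)
            if m:
                sign = -1.0 if m.group(2) == "slow" else 1.0
                info["offset_s"] = sign * float(m.group(1))
        elif key == "Leap status":
            info["leap"] = value
    return info


def audit(chrony_conf: str, chronyc_tracking: str) -> list:
    """Return findings for this host; an empty list means it passes the check."""
    findings = []
    servers = configured_servers(chrony_conf)
    if not servers:
        findings.append("no NTP source configured")
    for s in servers:
        if s not in ALLOWED_UPSTREAMS:
            findings.append(f"source {s} is not a NIC/NPL (or traceable) server")
    t = parse_tracking(chronyc_tracking)
    if t["leap"] != "Normal":
        findings.append(f"clock not synchronised (leap status: {t['leap']})")
    if t["offset_s"] is None or abs(t["offset_s"]) > MAX_OFFSET_SECONDS:
        findings.append(f"offset {t['offset_s']} s exceeds {MAX_OFFSET_SECONDS} s")
    return findings


# Constructed samples: a public-pool configuration beside a NIC-based one,
# and a synchronised tracking report beside an unsynchronised one.
WEAK_CONF = "pool 2.debian.pool.ntp.org iburst\ndriftfile /var/lib/chrony/chrony.drift\n"
GOOD_CONF = "server samay1.nic.in iburst\nserver samay2.nic.in iburst\n"
TRACKING_OK = """Reference ID    : C0A80001 (samay1.nic.in)
Stratum         : 2
Ref time (UTC)  : Thu Jan 02 10:15:00 2025
System time     : 0.000123456 seconds slow of NTP time
Last offset     : -0.000012345 seconds
Leap status     : Normal
"""
TRACKING_BAD = """Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 187.523000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
Leap status     : Not synchronised
"""

if __name__ == "__main__":
    print("good host:", audit(GOOD_CONF, TRACKING_OK))
    print("weak host:", audit(WEAK_CONF, TRACKING_BAD))
```

On a real fleet, feed each host's /etc/chrony/chrony.conf (or chrony.conf under /etc) and its live `chronyc tracking` output into `audit` from your configuration-management or monitoring agent; hosts running ntpd or systemd-timesyncd need the equivalent parsing of `ntpq -c rv` or `timedatectl timesync-status`, which this example does not cover.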
Two: Mandatory incident reporting within six hours. Twenty categories of cyber incident must be reported to CERT-In within six hours of the organisation noticing the incident or being brought to notice of it. Six hours is not a business-hours window. It applies at 2am on a Sunday. Your Point of Contact must be reachable and capable of dispatching a report at any time.
Three: On-demand information and action. When CERT-In issues an order or direction, the organisation must take the required action or provide the required information in the format and within the timeframe that the order specifies; the Directions set no standing window, so the deadline can be short. The Point of Contact designated under the Directions is the channel for all CERT-In communications. If that person changes and you have not updated CERT-In, orders will go to the wrong person, and a missed order is treated as a failure to comply.
Four: Mandatory log retention for 180 days within Indian jurisdiction. Logging must be enabled on all ICT systems and the logs retained for a rolling 180-day period, maintained within Indian jurisdiction. Where organisations use overseas cloud regions or overseas log aggregation platforms, they must ensure that a compliant copy of all required logs is maintained within Indian jurisdiction and can be produced to CERT-In on request; routing all logging exclusively through overseas infrastructure does not satisfy this requirement.
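Retention is most often lost silently through rotation policy rather than through a missing log source. The following added example, which is not from the Directions or from the logrotate project, parses a logrotate configuration and flags every log whose effective retention falls short of 180 days, computing retention as rotations multiplied by the rotation period and capped by `maxage`. It interprets only the directives it needs (daily/weekly/monthly/yearly, rotate, maxage) and treats size-only rotation as indeterminate; the two configurations are constructed samples, one weak and one corrected.

```python
"""Flag logrotate-managed logs whose retention is under 180 days.

Added example, not from CERT-In or logrotate. Only the frequency, rotate and
maxage directives are interpreted; everything else is carried but ignored.
"""
REQUIRED_DAYS = 180
PERIOD_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}


def parse_logrotate(text: str) -> dict:
    """Return {log_path: directives}; per-file blocks inherit the global directives."""
    globals_, blocks = {}, {}
    current_paths, current = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            current_paths = line[:-1].split()  # one block may name several paths
            current = dict(globals_)
            continue
        if line == "}":
            for path in current_paths:
                blocks[path] = current
            current_paths, current = None, None
            continue
        parts = line.split(None, 1)
        key, val = parts[0], (parts[1] if len(parts) > 1 else "")
        target = current if current is not None else globals_
        if key in PERIOD_DAYS:
            for k in PERIOD_DAYS:  # a block-level frequency replaces the inherited one
                target.pop(k, None)
        target[key] = val
    return blocks


def retention_days(directives: dict):
    """Effective days kept: rotations x period, capped by maxage; None if indeterminate."""
    period = next((PERIOD_DAYS[k] for k in PERIOD_DAYS if k in directives), None)
    if period is None:
        return None  # size-based or unscheduled rotation: cannot assert a retention period
    rotate = int(directives.get("rotate", "0") or 0)
    if rotate <= 0:
        return 0.0  # 'rotate 0' removes old logs immediately
    days = rotate * period
    if "maxage" in directives:
        days = min(days, int(directives["maxage"]))
    return float(days)


def audit_retention(text: str) -> dict:
    """Return {log_path: days} for every log kept under REQUIRED_DAYS (None = indeterminate)."""
    findings = {}
    for path, cfg in parse_logrotate(text).items():
        days = retention_days(cfg)
        if days is None or days < REQUIRED_DAYS:
            findings[path] = days
    return findings


# Constructed samples. WEAK is typical of distribution defaults; CORRECTED keeps
# every log for at least 180 days and drops the maxage cap that silently
# shortened the nginx retention.
WEAK_LOGROTATE = """
weekly
rotate 4
compress
/var/log/syslog {
    daily
    rotate 14
    missingok
}
/var/log/auth.log /var/log/kern.log {
    compress
}
/var/log/nginx/*.log {
    daily
    rotate 180
    maxage 30
}
"""
CORRECTED_LOGROTATE = """
daily
rotate 180
compress
dateext
/var/log/syslog /var/log/auth.log /var/log/kern.log {
    missingok
}
/var/log/nginx/*.log {
    rotate 200
}
"""

if __name__ == "__main__":
    print("weak:", audit_retention(WEAK_LOGROTATE))
    print("corrected:", audit_retention(CORRECTED_LOGROTATE))
```

Run it over /etc/logrotate.conf together with each file in /etc/logrotate.d, since the latter are included by the former and carry most of the per-service policies. logrotate is only one retention control: journald (`MaxRetentionSec`, `SystemMaxUse`), cloud log services and SIEM index lifecycles each need the same 180-day check, and the 180 days must hold for the copy kept in India, not only for an overseas aggregator.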
Five: Subscriber registration records for infrastructure providers. Data centres, VPS providers, cloud service providers and VPN service providers must maintain validated subscriber registration data — including names, hire period, IPs allotted, email addresses with timestamps, purpose, address, contact numbers and ownership pattern — for five years from cancellation or withdrawal of the subscription. Virtual asset service providers, exchanges and custodian wallet providers must maintain full KYC records and granular transaction records for five years.
When the CERT-In Directions came into force in June 2022, most Indian organisations discovered they had no documented incident response process at all — let alone one capable of detecting, classifying and reporting an incident within six hours. A financial services company in Mumbai found this out the hard way when it suffered a ransomware attack on a Friday evening. By the time the incident was escalated to senior management, classified as a reportable event, and a report was drafted, fourteen hours had passed. The organisation had violated the six-hour requirement before it had even identified its Point of Contact. The remediation included a full incident response programme build, CERT-In registration of a new PoC, and a retrospective impact assessment. The cost was substantial. The reputational damage was worse.
Annexure I of the Directions lists twenty categories of cyber incident that must be reported within six hours. These include: targeted scanning or probing of critical networks; compromise of critical systems; unauthorised access to IT systems or data; data breach; data leak; identity theft, spoofing and phishing; denial of service attacks; attacks on digital payment systems; attacks on IoT devices and associated systems; attacks on cloud computing systems; attacks on Big Data, blockchain, virtual asset exchanges and custodian wallets; and attacks on AI and machine learning systems.
The breadth of this list is intentional. CERT-In wants visibility across the entire digital infrastructure landscape. If you operate in any of these domains — and most organisations touch at least several of them — you need a current mapping of your systems to these categories. You cannot report within six hours what you have not pre-identified as reportable.
The Directions require every organisation to designate a Point of Contact for CERT-In communications and to submit their details — name, designation, organisation, office address, email, mobile, phone and fax — to CERT-In at info@cert-in.org.in in the Annexure II format. This must be kept current.
The PoC is not a compliance formality. It is the person who will receive CERT-In orders requiring action within hours, who will dispatch incident reports in the middle of the night, and who will serve as the organisation's interface with India's national cybersecurity agency. Designating someone who is not briefed, not reachable outside business hours, and not empowered to act is functionally the same as not designating anyone at all.
Direction (i) — NTP synchronisation of all ICT system clocks to NIC or NPL servers.
Direction (ii) and Annexure I — Mandatory reporting of 20 incident categories within six hours.
Direction (iii) and Annexure II — Point of Contact designation and on-demand information provision to CERT-In.
Direction (iv) — Mandatory log enablement and 180-day retention within Indian jurisdiction.
Direction (v) — Five-year subscriber registration records for data centres, VPS, cloud and VPN providers.
Direction (vi) — Five-year KYC and transaction records for virtual asset service providers and exchanges.
The CERT-In Directions are already in force and have been since June 2022. There is no pending notification, no commencement date to wait for. If you have not designated a Point of Contact, enabled logging on all ICT systems, confirmed those logs are maintained within Indian jurisdiction, and mapped your systems to the twenty mandatory reporting categories — you are already non-compliant. Designating a PoC and auditing your log coverage are sensible first remediation priorities — they are the foundation everything else the Directions require is built on.