Why this module exists. Three years on, most Indian enterprises are still uncertain about which CERT-In Directions apply to them, what counts as a reportable incident, and what the reporting workflow looks like. This module is the operational answer.
What the Directions actually require
- Time synchronisation to NTP servers run by NIC or NPL (or NTP servers traceable to those). Network logs must use this synchronised time.
- Incident reporting to CERT-In within 6 hours of noticing or being notified about a cyber incident.
- Log retention for 180 days rolling, for systems in Indian jurisdiction. Logs must be enabled and retained for the listed system types.
- KYC for VPN, virtual private server, cloud, and crypto-exchange providers (the controversial provision; it mostly affected providers, not enterprise users).
- Designated Point of Contact registered with CERT-In, with name, designation, email, phone.
- Cooperate with CERT-In for incident response — provide logs, system access, support analysis.
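The 6-hour reporting window and the 180-day rolling retention requirement above can be checked mechanically. The following is an added example, not part of the original module or any CERT-In tooling. Assumptions: the field names and inventory are constructed, the reporting clock starts at the earlier of noticing or notification, and a system commissioned less than 180 days ago only owes logs since commissioning.

```python
from datetime import datetime, timedelta, timezone

REPORT_WINDOW = timedelta(hours=6)   # reporting window stated above
RETENTION = timedelta(days=180)      # rolling retention stated above
IST = timezone(timedelta(hours=5, minutes=30))

def report_deadline(noticed=None, notified=None):
    """Assumption: the clock starts at the earlier of noticing or notification."""
    events = [t for t in (noticed, notified) if t is not None]
    # Naive timestamps hide IST/UTC mix-ups that can cost hours of the window.
    if not events or any(t.tzinfo is None for t in events):
        raise ValueError("need at least one timezone-aware timestamp")
    return min(events) + REPORT_WINDOW

def retention_gaps(sources, now):
    """Map each log source that cannot show the required history to a reason."""
    gaps = {}
    for s in sources:
        if not s["enabled"]:
            gaps[s["name"]] = "logging disabled"
            continue
        # Assumption: a system younger than 180 days owes logs since commissioning.
        required_from = max(now - RETENTION, s["commissioned"])
        if s["oldest_record"] > required_from:
            missing = (s["oldest_record"] - required_from).days
            gaps[s["name"]] = f"missing {missing} days"
    return gaps

# Constructed inventory: hypothetical system names and dates.
NOW = datetime(2025, 6, 30, 12, 0, tzinfo=IST)
OLD = datetime(2023, 1, 1, tzinfo=IST)
SOURCES = [
    {"name": "firewall", "enabled": True, "commissioned": OLD,
     "oldest_record": datetime(2024, 12, 1, tzinfo=IST)},
    {"name": "vpn-gateway", "enabled": True, "commissioned": OLD,
     "oldest_record": datetime(2025, 3, 2, 12, 0, tzinfo=IST)},
    {"name": "new-app", "enabled": True,
     "commissioned": datetime(2025, 5, 1, tzinfo=IST),
     "oldest_record": datetime(2025, 5, 1, tzinfo=IST)},
    {"name": "dns", "enabled": False, "commissioned": OLD, "oldest_record": OLD},
]

if __name__ == "__main__":
    noticed = datetime(2025, 6, 30, 9, 15, tzinfo=IST)
    notified = datetime(2025, 6, 30, 3, 0, tzinfo=timezone.utc)  # 08:30 IST
    print("report due:", report_deadline(noticed, notified).astimezone(IST))
    print("retention gaps:", retention_gaps(SOURCES, NOW))
```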