Cybersecurity Compliance

CERT-In Compliance for Indian Businesses — 2026 Guide

CERT-In (Indian Computer Emergency Response Team) is India's national agency for cyber security under MeitY. CERT-In Directions issued under Section 70B of the IT Act 2000 (28 April 2022) mandate Indian organisations to report specific cyber security incidents within 6 hours, synchronise system clocks with NPL, and maintain logs for 180 days.

The CERT-In April 2022 directions apply to all service providers, intermediaries, data centres, body corporates, and Government organisations in India. Key obligations: (1) Report 20 categories of incidents (data breach, ransomware, identity theft, DoS attacks, supply-chain compromise, etc.) within 6 hours of noticing them, (2) Maintain ICT system logs for 180 days within Indian jurisdiction, (3) Synchronise system clocks with NPL (National Physical Laboratory) or NIC Network Time Protocol servers, (4) Designate Point of Contact (PoC) for CERT-In communications. VPN providers and crypto exchanges have additional KYC and customer data retention requirements.

Industries served: All Indian service providers, Data centres, BPO, IT services, Banks, Fintech, E-commerce, SaaS, VPN providers

Related terms: DPDP Act 2023, ISO 27001, Incident Response, Log Management, NPL Time Sync

Frequently Asked Questions

Does CERT-In compliance apply to small Indian businesses?

Yes — CERT-In directions apply to "all service providers, intermediaries, data centres, body corporates and Government organisations" regardless of size. Small Indian businesses processing customer data are equally bound. Practical enforcement is more lenient for SMBs, but legal exposure exists. Best practice: implement compliance baseline early.

What incidents must be reported to CERT-In within 6 hours?

20 categories including: data breach exposing personal data, ransomware attacks, identity theft / spoofing, DoS / DDoS attacks, attacks on critical information infrastructure, network intrusions, application attacks (SQLi, XSS), supply chain attacks, attacks on IoT devices, malicious mobile apps, fake business / phishing websites impersonating Indian businesses. Detailed list on CERT-In website.

How do Indian businesses synchronise system clocks with NPL per CERT-In?

Configure NTP (Network Time Protocol) client on servers and network devices to sync with: time.nic.in (NIC NTP server) or pre.time.nplindia.org (NPL servers). For Indian businesses on AWS, Azure, or GCP, configure cloud-region NTP servers + secondary fallback to Indian NTP. Most modern OS (Windows, Linux, macOS) handle NTP automatically once configured. Time sync is a baseline requirement, easy to fix.

Where do Indian businesses store 180-day logs for CERT-In compliance?

Logs must be stored within Indian jurisdiction (Indian data centre). Options: (1) AWS Mumbai / Hyderabad CloudWatch Logs, (2) Azure India Log Analytics, (3) On-premise log management (Splunk, ELK Stack, Wazuh), (4) Indian-sovereign cloud (Yotta). For SMBs, AWS CloudWatch with 180-day retention is the easiest path. Cost: ~₹0.50-1/GB/month for log storage.

What is the penalty for CERT-In non-compliance?

Under IT Act Section 70B and IT Rules, non-compliance can attract: fines up to ₹1 crore per offence, imprisonment up to 1 year, blocking of business operations in extreme cases. Practical enforcement so far has been advisory + naming + smaller fines (₹10,000-1 lakh per offence). However, the legal framework allows escalation, and post-DPDP Act 2023, enforcement is expected to intensify.

Free CERT-In compliance setup for Indian businesses — time sync, log retention, incident response.