CERT-In 6-Hour Reporting Rule: Who It Applies To and What You Must Do

By Siri Law LLP · March 2025 · 14 min read

In April 2022, India's nodal cybersecurity agency issued a directive that changed the compliance landscape for every organisation operating in the country. The CERT-In Directions 2022 introduced, for the first time, a mandatory 6-hour window to report cyber incidents to the government. Three years on, many organisations — from large banks to mid-sized IT companies to hospital networks — are still unclear on whether the rule applies to them, what exactly must be reported, and what happens if they miss the deadline. This article answers every one of those questions.

1. What Are the CERT-In Directions 2022?

The Indian Computer Emergency Response Team (CERT-In) operates under the Ministry of Electronics and Information Technology (MeitY). It is India's national authority for cybersecurity incident response, designated under Section 70B of the Information Technology Act, 2000.

On 28 April 2022, CERT-In issued Direction No. 20(3)/2022-CERT-In — universally referred to as the "CERT-In Directions 2022" or the "6-hour rule." It came into force on 28 June 2022 after a 60-day transition period.

The Directions introduced four substantive obligations for covered entities:

  1. Mandatory reporting of specified cyber incidents to CERT-In within 6 hours of becoming aware.
  2. Mandatory synchronisation of all ICT system clocks with the NIC or NPL Network Time Protocol (NTP) server.
  3. Mandatory maintenance of ICT system logs for a rolling period of 180 days, stored within India.
  4. Mandatory response to CERT-In information requests within 6 hours of receiving them.

2. Who Does the 6-Hour Rule Apply To?

This is the question most organisations get wrong. The Directions do not apply to a defined list of sectors. They apply to a very broad category of entities — and the presumption is inclusion, not exclusion.

The Covered Entities

The Directions apply to all of the following:

  • Service providers
  • Intermediaries
  • Data centres
  • Body corporates
  • Government organisations

In practical terms, this means the rule applies to virtually every organisation that operates a website, processes customer data digitally, runs internal IT systems, uses cloud or SaaS products, operates as a fintech, healthtech, or edtech company, provides IT/ITES/BPO services, operates as a bank, NBFC, or insurance company, runs a hospital or diagnostic lab with connected systems, or is a government department or PSU. There is no size threshold.

⚠ Compliance Warning

Do not assume the rule does not apply because you are small or operate in a traditional sector. The obligation to report arises the moment an incident occurs — and the 6-hour clock starts ticking from the moment you become aware, not when you finish investigating.

3. What Is a Reportable Incident?

CERT-In has specified 20 categories of cyber incidents that must be reported within 6 hours. Many organisations mistakenly believe only data breaches need reporting. The actual list is far broader.

| # | Incident Category | Examples |
|---|---|---|
| 01 | Targeted scanning/probing of critical networks | Repeated port scans of your firewall from an external IP; reconnaissance on SCADA systems. |
| 02 | Compromise of critical systems or information | Unauthorised access to a server containing PII, financial data, or health records. |
| 03 | Unauthorised access to IT systems/data | Login from an unknown foreign IP; access logs showing data exfiltration. |
| 04 | Defacement of websites or intrusion into a website | Homepage replaced with attacker content; admin panel accessed without authorisation. |
| 05 | Malicious code attacks (virus, worm, trojan, ransomware) | Ransomware encrypting company files; a worm spreading across your internal network. |
| 06 | Attacks on servers (database, mail, DNS, network devices) | SQL injection compromising a database; DNS hijacking redirecting user traffic. |
| 07 | Identity theft, spoofing, and phishing attacks | A phishing campaign impersonating your domain; SIM swap on a senior executive. |
| 08 | Denial of Service (DoS) and DDoS attacks | A DDoS attack taking your payment gateway offline for 30+ minutes. |
| 09 | Attacks on critical infrastructure, SCADA, and OT systems | Intrusion into industrial control systems; unauthorised commands to operational equipment. |
| 10 | Attacks on IoT devices | Compromise of connected cameras, sensors, or smart locks on your network. |
| 11 | Data breach | Customer PII, payment card data, or health records accessed by an unauthorised party. |
| 12 | Data leak | An S3 bucket left publicly accessible; an employee sharing a confidential database externally. |
| 13 | Attacks affecting digital payment systems | Fraud on your payment platform traced to a system compromise. |
| 14 | Attacks via malicious mobile applications | A fraudulent app impersonating your brand harvesting customer credentials. |
| 15 | Fake mobile applications | An app on an unofficial store impersonating your official product. |
| 16 | Unauthorised access to social media accounts | Your company LinkedIn or Twitter controlled by an attacker. |
| 17 | Attacks on cloud computing systems | Unauthorised API calls to your environment; privilege escalation in AWS or Azure. |
| 18 | Attacks on Big Data, Blockchain, and virtual assets | Compromise of a cryptocurrency wallet; manipulation of a blockchain system. |
| 19 | Attacks on AI and ML systems | Adversarial manipulation of an AI model used in a financial or healthcare context. |
| 20 | Incidents affecting core Internet infrastructure | BGP hijacking; attacks on DNS resolvers. |

4. The 6-Hour Timeline: What the Clock Looks Like

The 6-hour window begins the moment your organisation "becomes aware" of the incident. The conservative, legally safe interpretation is that the clock starts when any person within your organisation first has reason to believe an incident has occurred — including an automated SIEM alert, an employee report, a third-party notification, or a media report indicating your systems are compromised.

It does not require confirmation. You do not need a completed root cause analysis. CERT-In expects an initial report within 6 hours and a detailed follow-up report within a further specified period.

| Stage | Deadline | What to Submit |
|---|---|---|
| Stage 1 | Within 6 hours of awareness | Incident type, date/time of discovery, systems affected, immediate containment actions, point of contact. Submit via the CERT-In portal at incidents.cert-in.org.in |
| Stage 2 | Within 15 days (or as directed) | Full root cause analysis, complete affected systems/data list, remediation steps, incident timeline, evidence logs, preventive measures. |

ⓘ Practical Note on “Becoming Aware”

If your organisation receives a security alert at 11:45 PM on a Friday, the 6-hour clock starts at 11:45 PM — not at 9:00 AM Monday. This is why 24x7 monitoring and on-call incident response procedures are no longer optional for covered entities.

5. How to Submit an Incident Report to CERT-In

CERT-In provides three reporting channels:

  1. Online Portal: incidents.cert-in.org.in — the primary channel. Register an account before an incident occurs.
  2. Email: incident@cert-in.org.in — acceptable if the portal is unavailable.
  3. Phone: 1800-11-4949 (toll free) — for urgent incidents only.

The Stage 1 report requires: organisation name and sector, incident category, date/time of detection, affected systems, estimated users/records impacted, immediate actions taken, whether the incident is ongoing, and the designated point of contact.

Register on the Portal Now — Before Any Incident

  1. Go to incidents.cert-in.org.in
  2. Click “New Registration” and enter your organisation details
  3. Complete email verification
  4. Store credentials securely and share with your incident response team
  5. Designate a primary and backup Point of Contact (PoC)

6. The 180-Day Log Retention Requirement

All covered entities must maintain logs of all ICT systems for a rolling 180 days. Critically, these logs must be stored within India — not exclusively on foreign servers or foreign cloud regions.

Logs that must be retained include system event logs, network flow logs, application and web server logs, authentication and access logs, email server logs, DNS query logs, and cloud audit logs (configured to use India-based regions such as AWS ap-south-1 Mumbai or Azure India Central).

✓ Log Retention Check

Ask your IT team: Are all logs retained for 180 days? Are they stored in India or India-based cloud regions? Are they tamper-proof and backed up? If any answer is “no” or “unsure,” you have a compliance gap requiring immediate remediation.
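The three questions in the check above can be turned into a repeatable audit. The script below is an added example and not part of the Siri Law article: it takes an inventory of log sinks (the inventory shown is constructed for a fictional company) and reports, per sink, whether the configured retention meets 180 days, whether 180 days of history are actually on hand, whether the storage region is in India, and whether the storage is tamper-evident. The set of cloud regions treated as "in India" is an assumption for the example; the article names AWS ap-south-1 (Mumbai) and Azure Central India, and whether any given region satisfies the requirement is a question for counsel.

```python
"""Audit log sinks against the 180-day, stored-in-India requirement.

Added example, not part of the Siri Law article. The sink inventory is
constructed; the INDIA_REGIONS mapping is an assumption to adapt to your
own providers and legal advice.
"""
from dataclasses import dataclass
from datetime import date

REQUIRED_RETENTION_DAYS = 180

# Assumed mapping of India-located regions per provider ("*" = any site).
INDIA_REGIONS = {
    "aws": {"ap-south-1", "ap-south-2"},              # Mumbai, Hyderabad
    "azure": {"centralindia", "southindia", "westindia"},
    "onprem-in": {"*"},                                # on-premises sites in India
}


@dataclass
class LogSink:
    name: str
    provider: str          # key into INDIA_REGIONS
    region: str
    retention_days: int    # configured lifecycle / rotation window
    oldest_entry: date     # earliest record actually present today
    immutable: bool        # WORM / object-lock / append-only storage


def is_india_region(provider: str, region: str) -> bool:
    allowed = INDIA_REGIONS.get(provider, set())
    return "*" in allowed or region in allowed


def coverage_days(sink: LogSink, today: date) -> int:
    """Days of history actually available, regardless of the configured policy."""
    return (today - sink.oldest_entry).days


def audit_sink(sink: LogSink, today: date) -> list[str]:
    """Return the compliance gaps for one sink (an empty list means OK)."""
    gaps = []
    if not is_india_region(sink.provider, sink.region):
        gaps.append(f"stored outside India ({sink.provider}/{sink.region})")
    if sink.retention_days < REQUIRED_RETENTION_DAYS:
        gaps.append(f"retention policy {sink.retention_days}d < {REQUIRED_RETENTION_DAYS}d")
    # A correct policy is not enough: the regulator asks for the logs themselves,
    # so check what can actually be produced today.
    have = coverage_days(sink, today)
    if have < REQUIRED_RETENTION_DAYS:
        gaps.append(f"only {have}d of history on hand")
    if not sink.immutable:
        gaps.append("not tamper-evident (no WORM/object-lock)")
    return gaps


def audit_all(sinks: list[LogSink], today: date) -> dict[str, list[str]]:
    """Map each sink name to its gaps; compliant sinks map to an empty list."""
    return {s.name: audit_sink(s, today) for s in sinks}


# Constructed inventory for a fictional company, audited as of a fixed date.
TODAY = date(2025, 3, 15)
SINKS = [
    LogSink("auth-logs", "aws", "ap-south-1", 365, date(2024, 1, 1), True),
    LogSink("cloudtrail", "aws", "us-east-1", 400, date(2024, 1, 1), True),
    LogSink("web-access", "aws", "ap-south-1", 90, date(2024, 12, 15), False),
    LogSink("dns-queries", "azure", "centralindia", 180, date(2025, 2, 1), True),
]

if __name__ == "__main__":
    for name, gaps in audit_all(SINKS, TODAY).items():
        print(f"{name:12s} {'OK' if not gaps else '; '.join(gaps)}")
```

Note that the fourth sink has the right policy and the right region but still reports a gap: it was only set up six weeks before the audit date, so it cannot yet produce 180 days of history. That is exactly the case a one-line "is retention set to 180?" check misses.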

7. NTP Clock Synchronisation

All ICT system clocks must be synchronised with the NIC NTP server (time.nic.in) or the NPL NTP server (time.nplindia.org). This applies to all servers, workstations, network devices, and cloud instances.

During a cyber incident investigation, log timestamps are critical evidence. If a system clock is out of sync — even by minutes — correlating events across systems becomes unreliable and can compromise both the CERT-In investigation and any parallel legal proceedings. This is a simple configuration change your IT team can implement in a few hours.
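A quick way to verify the configuration change on a Linux fleet is to parse the NTP client configuration and confirm it names only the NIC or NPL servers. The script below is an added example, not part of the article or of any CERT-In tooling: it reads chrony-style `server`/`pool` directives (the same syntax ntpd uses), flags any upstream other than the two hostnames the article gives, and emits a minimal compliant chrony.conf fragment. The stock configuration it audits is constructed for illustration.

```python
"""Check an NTP client configuration against the CERT-In clock-sync requirement.

Added example, not part of the Siri Law article. Parses `server`/`pool`
directives from chrony.conf or ntp.conf and reports whether the host only
syncs to the NIC/NPL servers named in the article. Sample config constructed.
"""
import re

# Hostnames given in the article (assumed to be the intended NTP endpoints).
APPROVED_NTP_HOSTS = {"time.nic.in", "time.nplindia.org"}

# `server <host> [options]` or `pool <host> [options]`, case-insensitive.
_DIRECTIVE = re.compile(r"^\s*(server|pool)\s+(\S+)", re.IGNORECASE)


def parse_ntp_sources(conf_text: str) -> list[str]:
    """Return the hostnames of every server/pool directive, in file order.

    Comment lines (# ...) and unrelated directives are ignored.
    """
    sources = []
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0]          # drop trailing comments
        m = _DIRECTIVE.match(stripped)
        if m:
            sources.append(m.group(2).lower())
    return sources


def audit_ntp_config(conf_text: str) -> dict:
    """Classify each configured source as approved or not and give a verdict.

    compliant is True only when at least one approved source is present and
    no unapproved upstream is configured alongside it: chrony's source
    selection can prefer the unapproved one and silently steer the clock.
    """
    sources = parse_ntp_sources(conf_text)
    approved = [s for s in sources if s in APPROVED_NTP_HOSTS]
    unapproved = [s for s in sources if s not in APPROVED_NTP_HOSTS]
    return {
        "approved": approved,
        "unapproved": unapproved,
        "compliant": bool(approved) and not unapproved,
    }


def compliant_chrony_conf() -> str:
    """A minimal chrony.conf fragment that uses only the NIC and NPL servers."""
    lines = [f"server {host} iburst" for host in sorted(APPROVED_NTP_HOSTS)]
    lines += [
        "makestep 1.0 3",                  # step the clock during the first 3 updates if far off
        "driftfile /var/lib/chrony/drift",
        "rtcsync",                         # keep the hardware clock in step as well
    ]
    return "\n".join(lines) + "\n"


# Constructed sample: a distribution default that still points at a public pool.
DEFAULT_CONF = """\
# Default chrony configuration (constructed sample)
pool 2.debian.pool.ntp.org iburst
driftfile /var/lib/chrony/chrony.drift
makestep 1 3
"""

if __name__ == "__main__":
    before = audit_ntp_config(DEFAULT_CONF)
    print("stock config compliant:", before["compliant"], "unapproved:", before["unapproved"])
    fixed = compliant_chrony_conf()
    print(fixed)
    print("fixed config compliant:", audit_ntp_config(fixed)["compliant"])
```

After deploying the fragment, `chronyc sources -v` and `chronyc tracking` on each host confirm that the daemon has actually selected one of the two servers and report the current offset, which is the evidence an investigator will want for the timestamps in your logs.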

8. Penalties for Non-Compliance

| Violation | Section | Penalty |
|---|---|---|
| Failure to report within 6 hours | Section 70B(7) IT Act | Imprisonment up to 1 year, or fine up to ₹1 lakh, or both |
| Failure to provide logs/information to CERT-In | Section 70B(7) IT Act | Imprisonment up to 1 year, or fine up to ₹1 lakh, or both |
| Failure to maintain 180-day logs | CERT-In Directions 2022 | Regulatory action and adverse findings in any investigation |
| Obstruction of CERT-In investigation | Section 70B(7) IT Act | Imprisonment up to 1 year, or fine up to ₹1 lakh, or both |

⚠ Criminal Liability Falls on Individuals

The IT Act provides for imprisonment of the person responsible — not just the organisation. Your CISO, CTO, or designated incident response lead can face personal criminal liability for non-compliance. Role designation and training are not optional.

9. The DPDPA 2023 Dimension

The Digital Personal Data Protection Act 2023 introduces a parallel obligation on Data Fiduciaries to report personal data breaches to the Data Protection Board of India (DPBI) and affected individuals. Where a cyber incident also constitutes a personal data breach — which covers the majority of incidents involving customer-facing systems — organisations face a three-layer notification stack:

  1. CERT-In initial report — within 6 hours
  2. DPBI notification — within 72 hours (draft Rules, January 2025) if personal data is involved
  3. Individual notification — promptly after DPBI notification, where significant harm is likely

Organisations should design incident response procedures to handle all three notifications simultaneously, with pre-approved templates and clear escalation paths.

10. Sector-Specific Obligations That Layer on Top

For regulated-sector organisations, CERT-In compliance is the floor, not the ceiling. Several sector regulators have issued their own cybersecurity incident reporting requirements.

| Sector | Regulator | Key Obligation |
|---|---|---|
| Banking | RBI | Report to RBI CSITE within 2–6 hours; detailed report within 24 hours; monthly summary reporting. |
| NBFCs | RBI | Same as banking; phased timelines for smaller entities. |
| Insurance | IRDAI | Report to IRDAI within 6 hours of a significant incident; quarterly reporting for lesser incidents. |
| Securities | SEBI CSCRF 2024 | Report to SEBI within 6 hours; detailed report within 24 hours. Stricter timelines for MIIs. |
| Telecom | DoT 2024 | Report to DoT within 6 hours; mandatory CERT-In engagement for significant incidents. |
| Healthcare | NHA | Breach notification under Health Data Management Policy; CERT-In obligations fully applicable. |
| Critical Infrastructure | NCIIPC | Separate reporting to NCIIPC in addition to CERT-In; real-time threat intelligence sharing. |

If your organisation falls into a regulated sector, you need a unified incident response framework that satisfies all applicable reporting obligations simultaneously — with the shortest deadline setting your effective response time.


11. Building a CERT-In Compliant Incident Response Capability

Step 1: Appoint a Designated Point of Contact

Designate a primary and backup PoC with authority to file CERT-In reports. Both must have active portal credentials, 24x7 accessibility, and the authority to escalate to management immediately.

Step 2: Create a Written Incident Response Plan

Your IRP must address CERT-In obligations specifically — including a decision tree for triaging alerts, escalation paths from SOC to legal, pre-approved Stage 1 report templates, and procedures for simultaneous DPDPA notifications.

Step 3: Pre-Register on the CERT-In Portal

Register at incidents.cert-in.org.in today. Creating an account during a live incident wastes critical time inside the 6-hour window.

Step 4: Implement 180-Day Log Retention in India

Audit your current log retention. Ensure 180-day retention and India-only storage across all systems and cloud environments.

Step 5: Synchronise All Clocks to NIC/NPL NTP

Configure all servers, workstations, and network devices to sync with time.nic.in or time.nplindia.org.

Step 6: Run a Tabletop Exercise

Simulate a ransomware attack or data leak and walk through your IRP. Time it. Can your team file a complete Stage 1 report within 6 hours? Identify bottlenecks and fix them before a real incident.

12. Common Mistakes That Lead to Non-Compliance

| Mistake | Why It Causes Non-Compliance |
|---|---|
| Waiting to confirm before reporting | The clock starts at awareness, not confirmation. Report first, investigate second. |
| Believing only data breaches are reportable | All 20 categories trigger the obligation. A DDoS or website defacement is reportable even without data loss. |
| Assuming it only applies to large companies | No size threshold. Applies to all covered entities regardless of headcount or revenue. |
| No portal credentials before an incident | Creating an account during a live incident wastes critical time inside the 6-hour window. |
| Logs in foreign regions or retained under 180 days | Both are non-compliant. 180 days and India-only storage are firm requirements. |
| PoC unreachable outside business hours | Incidents don't respect business hours. 24x7 availability is essential. |
| Staff not trained to recognise and escalate incidents | If the right people don't hear quickly, the 6-hour window is consumed internally before the report is filed. |

Key Takeaways

  • The CERT-In 6-hour rule applies to virtually every organisation operating digital infrastructure in India — no size or sector exemption.
  • 20 categories of incidents must be reported, not just data breaches. DDoS, ransomware, website defacements, and cloud intrusions all trigger the obligation.
  • The clock starts at awareness, not confirmation. File immediately and update as your investigation progresses.
  • Logs must be retained for 180 days and stored within India. Foreign-only log storage is non-compliant.
  • All ICT clocks must sync to NIC or NPL NTP servers.
  • Non-compliance carries criminal liability — imprisonment up to 1 year — that falls on designated individuals, not just the organisation.
  • Regulated-sector organisations face parallel obligations from RBI, SEBI, IRDAI, or DoT with potentially shorter timelines.
  • Operational preparedness — registered credentials, written IRP, trained PoC, tested procedures — is the only way to reliably meet the 6-hour window.

Disclaimer: This article is published by Siri Law LLP for informational purposes only and does not constitute legal advice. The information reflects the regulatory framework as of March 2025. Regulatory positions evolve — verify the current state of the law before taking compliance action. For advice specific to your organisation, consult a qualified legal professional. © 2025 Siri Law LLP. All rights reserved.

Siri Law LLP

Cybersecurity & GRC Practice

Siri Law LLP's Cybersecurity & GRC team advises banks, NBFCs, technology companies, and healthcare organisations on CERT-In, RBI, SEBI, IRDAI, and MeitY compliance frameworks. The team combines legal expertise with technical compliance execution to deliver end-to-end incident readiness and regulatory advisory.
