CERT-In Cybersecurity Compliance 2026: Rules Every Business Must Follow
Every business operating in India, from a two-person startup to a multinational data center, must report cybersecurity incidents to CERT-In within 6 hours of detection. This is not a guideline. It is a legal mandate under the CERT-In Directions dated April 28, 2022 (effective June 27, 2022), issued under Section 70B of the Information Technology Act, 2000. Non-compliance carries a fine of up to ₹1 lakh and imprisonment of up to 1 year. With 20 categories of reportable incidents, mandatory 180-day log retention, and NTP synchronization requirements, the compliance burden affects startups, SMEs, VPN providers, cloud platforms, and traditional businesses alike. Here is your complete breakdown of CERT-In cybersecurity compliance requirements for 2026, including what to report, how to report it, and what it will cost your business.
- CERT-In Directions (April 28, 2022) mandate 6-hour reporting of 20 categories of cybersecurity incidents for all organizations in India
- Penalties: up to ₹1 lakh fine and 1 year imprisonment under IT Act Section 70B. DPDP Act adds penalties up to ₹250 crore for data breaches
- VPN, cloud, and VPS providers must maintain subscriber KYC and logs for 5 years
- Implementation costs for SMEs range from ₹50,000 to ₹5 lakh depending on size and infrastructure
- All system logs must be retained for 180 days within India and made available to CERT-In on demand
What Is CERT-In? Definition and Legal Authority
CERT-In (Indian Computer Emergency Response Team) is India's national nodal agency for cybersecurity incident response, operating under the Ministry of Electronics and Information Technology (MeitY). Established under Section 70B of the Information Technology Act, 2000, CERT-In collects, analyzes, and disseminates information on cybersecurity incidents across the country. It issues advisories, coordinates emergency response, and sets mandatory cybersecurity standards for all organizations operating in India.
Unlike advisory bodies in some countries, CERT-In has enforcement power. The Directions issued on April 28, 2022 carry the force of law. Non-compliance is a criminal offence. Think of CERT-In as the cybersecurity equivalent of the income tax department: you can ignore it, but the consequences catch up fast. The agency operates 24x7 through its Incident Response Help Desk, and its mandate covers private companies, government entities, academic institutions, and critical infrastructure operators.
Governed by Section 70B of the Information Technology Act, 2000. Administered by CERT-In under the Ministry of Electronics and IT (MeitY). Reporting portal: www.cert-in.org.in.
The April 2022 CERT-In Directions: What Changed
Before April 2022, India had voluntary cybersecurity incident reporting with no fixed timeline. The CERT-In Directions dated April 28, 2022 changed the entire landscape by introducing India's first mandatory, time-bound cybersecurity incident reporting framework. These directions came into effect on June 27, 2022 and apply to every entity in India without exception.
6-Hour Mandatory Reporting Window
The headline change: organizations must report cybersecurity incidents to CERT-In within 6 hours of noticing or being informed of the incident. This is faster than the EU's GDPR (72 hours) and significantly more aggressive than most global equivalents. The clock starts the moment your IT team, security vendor, or any employee detects the incident, not when the investigation concludes. You report first, investigate concurrently.
Expanded Scope of Reportable Incidents
The 2022 Directions expanded the list to 20 categories of mandatory reportable incidents, covering everything from ransomware to fake mobile apps. Previously, only a vague set of "cyber incidents" required reporting. The new framework is explicit: if your organization experiences any of the 20 listed events, the 6-hour clock starts immediately.
Log Retention and System Requirements
All organizations must maintain ICT system logs for 180 days on a rolling basis within India. Organizations must synchronize system clocks with NIC or NPL time servers (or servers traceable to them). VPN, VPS, and cloud providers face additional requirements including 5-year KYC and log retention. These requirements ensure that forensic investigations have reliable, timestamped evidence.
20 Types of Cyber Incidents That Must Be Reported
CERT-In specifies 20 distinct categories of incidents that trigger the 6-hour reporting obligation. Understanding what qualifies is critical because under-reporting is as much a violation as non-reporting. Here is the complete list.
| # | Incident Category | Example |
|---|---|---|
| 1 | Targeted scanning/probing of critical networks | Port scanning of government or critical infra servers |
| 2 | Compromise of critical systems/information | Unauthorized access to financial system databases |
| 3 | Unauthorized access to IT systems/data | Employee account compromised via credential stuffing |
| 4 | Defacement of website or intrusion into a website | Company website altered by attacker to display messages |
| 5 | Malicious code attacks (virus, worm, Trojan, bots) | Spyware installed through phishing email attachment |
| 6 | Attack on servers (database, mail, DNS) | SQL injection attack on application database |
| 7 | Identity theft, spoofing, and phishing attacks | Fake CEO email requesting wire transfer |
| 8 | Denial of Service (DoS) and DDoS attacks | Volumetric traffic flood crashing e-commerce website |
| 9 | Attacks on critical infrastructure, SCADA, and OT systems | Malware targeting power grid control systems |
| 10 | Attacks on IoT devices and associated systems | Botnet recruitment through vulnerable smart devices |
| 11 | Attacks or malicious activity affecting cloud computing | Unauthorized access to cloud-hosted customer database |
| 12 | Attacks or suspicious activity affecting digital payment systems | Fraudulent UPI transaction attempts at scale |
| 13 | Ransomware attacks | Files encrypted with demand for cryptocurrency payment |
| 14 | Cryptojacking | Unauthorized use of server CPU for cryptocurrency mining |
| 15 | Data breach or data leak | Customer records exposed through unsecured API endpoint |
| 16 | Data loss | Accidental or malicious deletion of critical business data |
| 17 | Attacks through malicious mobile apps | Fake version of company app on third-party store |
| 18 | Fake mobile apps | Phishing app impersonating banking institution |
| 19 | Unauthorized access to social media accounts | Company X (Twitter) account posting unauthorized content |
| 20 | Attacks or malicious activity affecting e-Governance platforms | Intrusion into state government portal |
If your organization experiences any of the 20 listed incidents and fails to report within 6 hours, you face penalties under Section 70B of the IT Act. "We didn't know it was reportable" is not a valid defence. Train your team to recognize all 20 categories.
Who Must Comply: No Size-Based Exemptions
Unlike regulations such as EPF (mandatory above 20 employees) or tax audit (above ₹1 crore turnover), CERT-In compliance has no minimum threshold. Every business that uses IT systems, websites, or cloud services falls within scope. This is the part that catches most small businesses off guard.
Entities Explicitly Covered
- All companies: Private Limited Companies, LLPs, OPCs, and partnerships
- MSMEs and startups: Including DPIIT-recognized startups
- Data centres and hosting providers
- VPN service providers (Indian and foreign serving Indian users)
- VPS providers and cloud service providers
- Managed Security Service Providers (MSSPs)
- Government organizations at all levels
- Body corporates defined under IT Act, 2000
- E-commerce platforms
- Cryptocurrency and virtual asset service providers
If your business has a website, uses email, stores customer data on the cloud, or runs any software connected to the internet, you are within CERT-In's reporting mandate. A freelance web developer with a personal VPS is just as obligated as Infosys.
Key Compliance Requirements: The Full Checklist
CERT-In compliance goes beyond just reporting incidents. The 2022 Directions impose ongoing operational requirements that demand changes to how your business manages its IT infrastructure. Here is the complete compliance framework.
1. Incident Reporting Within 6 Hours
Report any of the 20 incident types to CERT-In through the portal (www.cert-in.org.in), email (incident@cert-in.org.in), or phone (1800-11-4949) within 6 hours. Include incident type, affected systems, detection time, IP addresses involved, and initial impact assessment. Designate a person responsible for CERT-In communication before an incident occurs.
2. ICT Log Retention for 180 Days
Maintain logs from firewalls, intrusion detection systems, servers, applications, and network devices for a minimum of 180 days on a rolling basis. Store logs within Indian jurisdiction. Use centralized log management or SIEM (Security Information and Event Management) tools. Ensure logs include timestamp, source IP, destination IP, event type, and user identity where applicable.
3. NTP Synchronization
Synchronize all system clocks to National Informatics Centre (NIC) or National Physical Laboratory (NPL) time servers. Alternatively, use global NTP servers traceable to Indian time standards. Consistent timestamps across your infrastructure are essential for forensic accuracy. Configure automatic NTP sync on all servers, workstations, and network devices.
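The log requirements in points 2 and 3 above are easy to state and easy to get subtly wrong: a log line without a timezone offset is ambiguous even on an NTP-synchronised host, and "180 days on a rolling basis" is only satisfied if no day inside the window is missing. The following script is an added example (not code from the page or from IncorpX) that checks both: it validates individual JSON log lines for the fields listed above and audits a set of daily log files for gaps inside the rolling window. The JSON-lines format, the field names and the one-file-per-day layout are assumptions, not a CERT-In specification.

```python
"""Checks for the log requirements described above: each log line must carry
a timezone-aware timestamp, source and destination IP, an event type and,
where applicable, a user identity, and the retained daily log files must
cover a continuous 180-day rolling window.  This is an added example, not a
CERT-In specification: the JSON-lines log format, field names and
one-file-per-day layout are assumptions."""
import ipaddress
import json
from datetime import date, datetime, timedelta

RETENTION_DAYS = 180
REQUIRED_FIELDS = ("timestamp", "src_ip", "dst_ip", "event_type")


def validate_log_line(line: str) -> list:
    """Return the problems found in one JSON log line (empty list = OK)."""
    problems = []
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    for name in REQUIRED_FIELDS:
        if name not in record:
            problems.append(f"missing field {name}")
    ts = record.get("timestamp")
    if ts is not None:
        try:
            # A naive timestamp is forensically ambiguous even on an NTP-synced host.
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append("timestamp has no timezone offset")
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    for name in ("src_ip", "dst_ip"):
        value = record.get(name)
        if value is not None:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{name} is not a valid IP address")
    # Authentication events are of little use to an investigation without the acting user.
    if str(record.get("event_type", "")).startswith("auth") and not record.get("user"):
        problems.append("auth event without user identity")
    return problems


def retention_gaps(log_dates, today, retention_days=RETENTION_DAYS):
    """Days inside the rolling window (ending today) that have no log file."""
    window_start = today - timedelta(days=retention_days - 1)
    have = set(log_dates)
    return [window_start + timedelta(days=i) for i in range(retention_days)
            if window_start + timedelta(days=i) not in have]


def purge_candidates(log_dates, today, retention_days=RETENTION_DAYS):
    """Files that have aged out of the window and may be rotated away."""
    window_start = today - timedelta(days=retention_days - 1)
    return sorted(d for d in log_dates if d < window_start)


# Constructed sample input: three log lines and a set of daily log files.
SAMPLE_LINES = [
    '{"timestamp": "2026-01-15T09:30:00+05:30", "src_ip": "10.0.0.5", '
    '"dst_ip": "10.0.0.20", "event_type": "auth_failure", "user": "alice"}',
    '{"timestamp": "2026-01-15T09:30:01", "src_ip": "10.0.0.5", '
    '"dst_ip": "10.0.0.20", "event_type": "auth_failure"}',
    '{"timestamp": "2026-01-15T09:31:00+05:30", "src_ip": "999.1.1.1", '
    '"dst_ip": "10.0.0.20", "event_type": "http_request"}',
]
SAMPLE_TODAY = date(2026, 7, 1)


def sample_log_dates():
    """Daily files from 2025-12-20 to 2026-07-01 with two days missing in March."""
    first = date(2025, 12, 20)
    missing = {date(2026, 3, 10), date(2026, 3, 11)}
    days = (SAMPLE_TODAY - first).days + 1
    return [first + timedelta(days=i) for i in range(days)
            if first + timedelta(days=i) not in missing]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(validate_log_line(line) or "OK")
    files = sample_log_dates()
    print("gaps:", [d.isoformat() for d in retention_gaps(files, SAMPLE_TODAY)])
    print("purge:", len(purge_candidates(files, SAMPLE_TODAY)), "files")
```

Run against a real SIEM export, the gap check is the one most teams fail: a log shipper that was down for two days in March leaves a hole that only shows up when CERT-In asks for that period. The purge list is deliberately computed from the same window so that rotation never removes a file that is still inside the 180 days.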
4. Designated Point of Contact
Register a point of contact (POC) with CERT-In. This person (or team) is responsible for receiving alerts, coordinating incident response, and submitting reports. For startups, this is typically the CTO or IT head. For larger organizations, appoint a Chief Information Security Officer (CISO). Keep the POC registration updated if personnel changes occur.
5. VPN/Cloud Provider Specific Requirements
If you provide VPN, VPS, or cloud services, you must maintain: subscriber KYC with validated name, email, IP address, and contact details; usage logs for 5 years after cancellation of the subscriber's service; records of IP address allocation with timestamps; and cooperation with CERT-In investigations. These records must be produced within a reasonable time when requested.
Based on our experience helping 10,000+ businesses with compliance frameworks, the biggest mistake SMEs make is treating CERT-In compliance as a one-time exercise. It requires continuous log management, periodic security audits, and regular team training. Budget 2 to 4 hours per month for ongoing compliance maintenance after your initial setup.
Penalties for Non-Compliance: IT Act and DPDP Act
The consequences of ignoring CERT-In compliance are both criminal and financial. Two separate laws create overlapping penalty frameworks that can stack against a non-compliant organization.
IT Act, 2000 Penalties (Section 70B)
| Violation | Penalty | Provision |
|---|---|---|
| Failure to report cyber incident within 6 hours | Fine up to ₹1 lakh + imprisonment up to 1 year | Section 70B(7), IT Act |
| Failure to provide information/logs to CERT-In | Fine up to ₹1 lakh + imprisonment up to 1 year | Section 70B(7), IT Act |
| Non-compliance with CERT-In directions | Fine up to ₹1 lakh + imprisonment up to 1 year | Section 70B(7), IT Act |
| Failure to maintain logs for 180 days | Fine up to ₹1 lakh + imprisonment up to 1 year | Section 70B(7), IT Act |
DPDP Act, 2023 Penalties (For Data Breaches)
| Violation | Penalty | Provision |
|---|---|---|
| Failure to notify Data Protection Board of personal data breach | Up to ₹200 crore | DPDP Act, 2023 |
| Failure to implement reasonable security safeguards | Up to ₹250 crore | DPDP Act, 2023 |
| Non-compliance with Data Protection Board orders | Up to ₹50 crore per instance | DPDP Act, 2023 |
A single data breach that goes unreported can trigger penalties under both laws simultaneously. A startup that suffers a customer data leak faces a ₹1 lakh fine under the IT Act for not reporting to CERT-In, plus up to ₹250 crore under the DPDP Act for failing to notify the Data Protection Board and affected users. The lesson: compliance is cheaper than the alternative.
CERT-In Compliance Checklist for Startups and SMEs
If you are a startup or SME and CERT-In compliance feels overwhelming, this prioritized, step-by-step checklist breaks the process into manageable tasks. Complete these in order and your organization will meet the baseline requirements within 2 to 4 weeks.
| Step | Action Item | Timeline | Estimated Cost (₹) |
|---|---|---|---|
| 1 | Designate a cybersecurity point of contact and register with CERT-In | Day 1 | Free |
| 2 | Install and configure NTP synchronization on all systems | Day 1 to 2 | Free (open-source NTP clients) |
| 3 | Deploy centralized log management (SIEM or log aggregator) | Week 1 | ₹10,000 to ₹50,000/year |
| 4 | Install firewall and endpoint protection on all devices | Week 1 to 2 | ₹15,000 to ₹1 lakh/year |
| 5 | Create an incident response plan with CERT-In reporting templates | Week 2 | ₹10,000 to ₹30,000 (consultant) |
| 6 | Train team on identifying the 20 reportable incident types | Week 2 to 3 | ₹5,000 to ₹15,000 (training session) |
| 7 | Configure 180-day log retention with automated backup within India | Week 3 | ₹5,000 to ₹20,000/year (storage) |
| 8 | Conduct a baseline vulnerability assessment | Week 3 to 4 | ₹20,000 to ₹1 lakh |
| 9 | Implement access controls and multi-factor authentication | Week 4 | ₹5,000 to ₹30,000/year |
| 10 | Schedule a quarterly security review and drill | Ongoing | ₹10,000 to ₹25,000/quarter |
Micro startup (1 to 5 people): ₹50,000 to ₹1.5 lakh initial setup. Small business (5 to 25 people): ₹1 lakh to ₹3 lakh. Medium enterprise (25 to 100 people): ₹2 lakh to ₹5 lakh. Annual maintenance adds 30% to 40% of the initial cost. Open-source tools (Wazuh, ELK Stack, pfSense) can reduce costs by 40% to 60%.
Building an Incident Response Plan
An incident response plan (IRP) is the document your team follows when a cybersecurity event occurs. Without one, the 6-hour reporting window will slip by while your team figures out who does what. A good IRP turns panic into process.
Essential Components of an IRP
- Incident Classification Matrix: Map all 20 CERT-In reportable categories to severity levels (Critical, High, Medium, Low). Define what triggers automated alerts versus manual investigation.
- Notification Chain: Define who gets notified first (IT lead), who approves external communication (management), and who contacts CERT-In (designated POC). Include phone numbers, not just emails.
- Evidence Preservation: Before cleaning up, preserve system images, memory dumps, log files, and network packet captures. Forensic evidence is required for CERT-In investigation and potential legal proceedings.
- CERT-In Report Template: Pre-fill a template with your organization details, designated contact, system inventory, and network topology. During an incident, you only need to fill in incident-specific fields.
- Recovery Procedures: Define steps for system isolation, malware removal, data restoration from backups, and service resumption. Include rollback procedures for each critical system.
- Post-Incident Review: Within 7 days of an incident, conduct a review. Document what happened, how it was detected, response timeline, and improvements needed. Share findings with the team.
Quarterly Drills: Test Before Reality Does
Run tabletop exercises every quarter. Simulate a ransomware attack on a Friday evening (attackers' favourite timing) and time your team's response. Can they classify the incident within 30 minutes? Can they file the CERT-In report within 6 hours? If not, revise the IRP. Organizations that conduct quarterly drills respond 4x faster than those that have a plan but never test it.
Many SMEs create an incident response plan at incorporation and never update it. Staff turnover, infrastructure changes, and new CERT-In advisories require IRP updates at least every 6 months. An outdated IRP is almost as bad as none at all.
CERT-In Compliance and the DPDP Act: Dual Obligation
The Digital Personal Data Protection Act, 2023 creates a separate but overlapping compliance framework for data breaches that businesses must navigate alongside CERT-In rules. Understanding where these two regimes intersect saves you from reporting gaps.
Where CERT-In Rules and DPDP Act Overlap
| Requirement | CERT-In Directions | DPDP Act, 2023 |
|---|---|---|
| Reporting timeline | 6 hours from detection | "Without delay" (specific timeline pending rules) |
| Report to whom | CERT-In | Data Protection Board + affected individuals |
| Scope | All 20 cyber incident types | Personal data breaches only |
| Penalties | ₹1 lakh fine + 1 year imprisonment | Up to ₹250 crore per violation |
| Log retention | 180 days within India | Data retention per consent terms |
| Applicability | All entities with IT systems | Data fiduciaries processing personal data |
A customer database breach triggers both frameworks simultaneously. You must report to CERT-In within 6 hours and notify the Data Protection Board and affected individuals under the DPDP Act. Having separate workflows for each reporting obligation prevents critical delays. Most compliance consultants now recommend a unified breach notification workflow that satisfies both requirements in parallel.
Special Rules for VPN, Cloud, and VPS Providers
The 2022 Directions imposed the most disruptive requirements on VPN and cloud service providers. Multiple international VPN companies pulled their Indian servers after these rules came into effect. If your business provides VPN, VPS, or cloud services, here are your specific obligations.
Mandatory Subscriber KYC
Validate and maintain the following for every subscriber: full name, email address, physical address, valid phone number, purpose of using the service, IP addresses allocated, and ownership pattern (for business subscribers). This data must be retained for 5 years after service cancellation. Anonymous or pseudonymous account registration is not permitted for services operating in India.
5-Year Activity Log Retention
Beyond the standard 180-day rolling log retention, VPN, VPS, and cloud providers must maintain activity logs and subscriber data for 5 years, even after the subscriber terminates service. These logs must be produced to CERT-In upon request. The storage and compliance cost is significant: a mid-size VPN provider serving 10,000 Indian users can expect ₹10 lakh to ₹25 lakh annually in storage and log management infrastructure.
IP Address Record Keeping
Maintain accurate records of IP addresses allocated to subscribers with timestamps. If using dynamic IP allocation, log every IP assignment and de-allocation event with the subscriber identity. This enables CERT-In to trace malicious activity to specific users. Static IP assignment simplifies compliance but is not always operationally feasible for large providers.
CERT-In Compliance vs Global Standards
India's 6-hour reporting mandate is among the strictest in the world. Placing it alongside global equivalents helps businesses operating across jurisdictions understand where they need to calibrate their response capabilities.
| Framework | Reporting Timeline | Jurisdiction | Key Penalty |
|---|---|---|---|
| CERT-In (India) | 6 hours | India | ₹1 lakh + 1 year imprisonment |
| GDPR (EU) | 72 hours | European Union | Up to 4% of global turnover or EUR 20 million |
| NIS2 Directive (EU) | 24 hours (early warning) + 72 hours (detailed) | European Union | Up to EUR 10 million or 2% of global turnover |
| CIRCIA (USA) | 72 hours (incidents) + 24 hours (ransomware) | United States | Subpoenas, civil action, contempt of court |
| PDPA (Singapore) | "As soon as practicable" within 3 days | Singapore | Up to SGD 1 million |
The 6-hour window is uniquely challenging. While GDPR gives 72 hours, many Indian businesses with global operations now default to CERT-In's 6-hour standard across all geographies: if you can report in 6 hours, you can report anywhere. This is actually a competitive advantage for Indian businesses seeking global clients who value rapid incident response.
How to Report an Incident: Step-by-Step
When a cyber incident occurs, speed and accuracy both matter. Here is the exact process for filing a report with CERT-In within the 6-hour window.
- Detect and Classify (0 to 30 minutes): Identify the incident type from the 20-category list. Assign severity. Alert the designated POC and management. The 6-hour clock starts at detection.
- Preserve Evidence (30 to 60 minutes): Capture system logs, memory dumps, network traffic data, and screenshots. Do not reboot affected systems or delete logs. Isolate compromised systems from the network without shutting them down.
- Prepare CERT-In Report (1 to 3 hours): Use your pre-filled template. Include: incident type, date and time of detection, affected systems and IP addresses, initial impact assessment, containment measures taken, and contact details of reporting officer.
- Submit Report (3 to 5 hours): File via the CERT-In online portal at www.cert-in.org.in, or email to incident@cert-in.org.in. For critical infrastructure incidents, also call 1800-11-4949. Obtain acknowledgment/reference number from CERT-In.
- Continue Investigation (5+ hours): After the initial report, continue your internal investigation. Provide supplementary information to CERT-In as your investigation progresses. CERT-In may issue advisories or request additional technical details.
- Post-Incident Compliance: If the incident involves personal data, trigger your DPDP Act notification workflow separately. Conduct a post-incident review within 7 days. Update your IRP based on lessons learned.
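The six steps above, and the pre-filled report template recommended earlier for the incident response plan, can be turned into a small piece of code that a POC can run during an incident. The following is an added example (not an official CERT-In form and not code from the page or IncorpX): it computes the 6-hour deadline from the detection time, refuses to produce a submission payload while any listed field is missing, tracks the internal milestones from the step-by-step procedure, and flags the separate DPDP workflow when personal data is involved. The field names, the ORGANISATION placeholder block and the milestone timings are local conventions and assumptions; the category number refers to the 20-category table above.

```python
"""Worked example of the reporting procedure above (and of the pre-filled
report template recommended for the incident response plan): compute the
6-hour CERT-In deadline from the detection time, check that every field the
page lists is present before submission, track the internal milestones, and
flag the separate DPDP workflow when personal data is involved.  Added
example, not an official CERT-In form: the field names, the ORGANISATION
block and the milestone timings are local conventions and assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)
# Internal targets from the step-by-step procedure, in hours after detection.
MILESTONES = {"classified": 0.5, "evidence_preserved": 1.0,
              "report_prepared": 3.0, "report_submitted": 5.0}
# Pre-filled organisation details (placeholder values, set once in advance).
ORGANISATION = {"name": "EXAMPLE-ORG-PLACEHOLDER",
                "poc": "EXAMPLE-POC-PLACEHOLDER", "poc_phone": "EXAMPLE-PHONE"}


@dataclass
class IncidentReport:
    category: int                       # 1..20 from the CERT-In list
    detected_at: datetime               # timezone-aware, from an NTP-synced clock
    affected_systems: List[str]
    ip_addresses: List[str]
    impact: str
    containment: str
    reporting_officer: str
    personal_data_involved: bool = False
    cert_in_reference: Optional[str] = None   # acknowledgment number once issued

    def deadline(self) -> datetime:
        """The clock starts at detection, not at the end of the investigation."""
        return self.detected_at + REPORTING_WINDOW

    def time_remaining(self, now: datetime) -> timedelta:
        return self.deadline() - now

    def validation_errors(self) -> List[str]:
        """Fields that must be fixed before the report is submitted."""
        errors = []
        if not 1 <= self.category <= 20:
            errors.append("category must be 1..20")
        if self.detected_at.tzinfo is None:
            errors.append("detected_at must carry a timezone")
        if not self.affected_systems:
            errors.append("affected_systems is empty")
        for ip in self.ip_addresses:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                errors.append(f"invalid IP address {ip}")
        for name in ("impact", "containment", "reporting_officer"):
            if not getattr(self, name).strip():
                errors.append(f"{name} is empty")
        return errors

    def missed_milestones(self, now: datetime, done: Dict[str, datetime]) -> List[str]:
        """Milestones finished late, or not finished although their target has passed."""
        missed = []
        for name, hours in MILESTONES.items():
            target = self.detected_at + timedelta(hours=hours)
            finished = done.get(name)
            if (finished is None and now > target) or (finished is not None and finished > target):
                missed.append(name)
        return missed

    def follow_up_actions(self) -> List[str]:
        actions = ["continue the investigation and send supplementary details to CERT-In",
                   "post-incident review within 7 days; update the IRP"]
        if self.personal_data_involved:
            actions.insert(0, "run the DPDP Act notification workflow separately "
                              "(Data Protection Board and affected individuals)")
        return actions

    def to_payload(self) -> dict:
        """Merge the pre-filled organisation block with the incident-specific fields."""
        if self.validation_errors():
            raise ValueError("report incomplete: " + "; ".join(self.validation_errors()))
        return {**ORGANISATION, "category": self.category,
                "detected_at": self.detected_at.isoformat(),
                "deadline": self.deadline().isoformat(),
                "affected_systems": self.affected_systems,
                "ip_addresses": self.ip_addresses, "impact": self.impact,
                "containment": self.containment,
                "reporting_officer": self.reporting_officer}


def sample_report() -> IncidentReport:
    """Constructed ransomware scenario; host names and addresses are placeholders."""
    return IncidentReport(
        category=13, detected_at=datetime(2026, 3, 6, 18, 40, tzinfo=IST),
        affected_systems=["file-server-01", "backup-nas"],
        ip_addresses=["10.20.30.40", "203.0.113.77"],
        impact="Shared drives encrypted; ransom note observed",
        containment="Affected hosts isolated from the LAN, not powered off",
        reporting_officer="Designated POC (CTO)", personal_data_involved=True)


if __name__ == "__main__":
    r = sample_report()
    now = r.detected_at.replace(hour=20)          # two hours after detection
    print("deadline:", r.deadline().isoformat())
    print("remaining:", r.time_remaining(now))
    print("missed:", r.missed_milestones(now, {"classified": r.detected_at.replace(minute=59)}))
    for action in r.follow_up_actions():
        print("-", action)
```

Two design points matter here. The detection time is required to be timezone-aware, because a deadline computed from a naive local timestamp on a host whose clock is not synchronised is exactly the kind of ambiguity the NTP requirement exists to remove. And the payload builder refuses to run while fields are missing, so a report with no affected systems or an unparseable IP address is caught at hour one, not when CERT-In asks for clarification.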
CERT-In Compliance and ISO 27001: Complementary Frameworks
Businesses pursuing ISO 27001 certification will find that CERT-In compliance requirements map closely to several ISO controls. Implementing one framework accelerates the other, making the combined investment more efficient than tackling them separately.
Overlapping Controls
| CERT-In Requirement | ISO 27001 Control | Area |
|---|---|---|
| Incident reporting within 6 hours | A.16.1 (Information Security Incident Management) | Incident Management |
| 180-day log retention | A.12.4 (Logging and Monitoring) | Operations Security |
| NTP synchronization | A.12.4.4 (Clock Synchronisation) | Operations Security |
| Access control and authentication | A.9 (Access Control) | Access Management |
| Incident response plan | A.17 (Business Continuity) | Continuity Planning |
| Vulnerability management | A.12.6 (Technical Vulnerability Management) | Operations Security |
Organizations that have completed CERT-In compliance are typically 60% to 70% ready for ISO 27001 certification. The reverse is also true: ISO 27001 certified companies often need only minor adjustments (primarily the 6-hour reporting procedure and CERT-In-specific log formats) to achieve CERT-In compliance. Budget ₹2 lakh to ₹8 lakh for the combined implementation depending on organizational size.
Practical Tips for SMEs on a Budget
Not every business can afford a dedicated cybersecurity team. These practical, cost-effective measures help SMEs meet CERT-In requirements without breaking the bank.
Free and Low-Cost Tools
- Wazuh (Free): Open-source SIEM for log management, intrusion detection, and compliance monitoring. Meets the 180-day log retention requirement.
- pfSense (Free): Open-source firewall with logging capabilities. Suitable for businesses with up to 50 users.
- ClamAV (Free): Anti-malware for servers. Not enterprise-grade but adequate for basic endpoint protection on a budget.
- Elastic Stack / ELK (Free tier): Centralized log aggregation and search. Excellent for meeting log retention and forensic readiness requirements.
- Google Authenticator (Free): Adds multi-factor authentication to business accounts. Essential for access control compliance.
Outsourcing Options
If your startup has 5 to 20 employees and no in-house IT security expertise, consider a Managed Security Service Provider (MSSP). Monthly costs range from ₹15,000 to ₹50,000 for basic monitoring, log management, and incident response support. This is often cheaper than hiring a part-time security consultant and ensures 24x7 coverage for the 6-hour reporting requirement.
Common Cybersecurity Threats Facing Indian Businesses in 2026
Understanding the current threat environment helps businesses prioritize their CERT-In compliance efforts. India experienced over 15 lakh cybersecurity incidents in 2024, with SMEs and startups being disproportionately targeted due to weaker security infrastructure.
Top 5 Threats for Indian SMEs
- Ransomware: The most common attack vector for Indian SMEs. Attackers encrypt business data and demand ₹5 lakh to ₹50 lakh in cryptocurrency. Recovery without backups costs 10x more than prevention. Always maintain offline backups.
- Business Email Compromise (BEC): Fake emails impersonating the CEO or CFO directing wire transfers. Indian businesses lost over ₹1,700 crore to BEC attacks in 2024. Train employees to verify payment requests through a separate channel.
- Phishing and Credential Theft: Fake login pages for GST portal, bank websites, or internal tools. Multi-factor authentication blocks 99% of credential theft attempts. Deploy it on all business accounts.
- Supply Chain Attacks: Compromised software updates or third-party plugins infecting your systems. Audit all third-party software dependencies. Use only verified and signed software packages.
- Cloud Misconfiguration: Publicly accessible databases, unsecured APIs, and overly permissive IAM roles. Cloud misconfigurations accounted for 30% of data breaches in India in 2024. Use cloud security posture management (CSPM) tools.
Summary
CERT-In's 6-hour incident reporting mandate, 180-day log retention, and NTP synchronization requirements apply to every business in India, with no size-based exemptions. Non-compliance attracts penalties under Section 70B of the IT Act (₹1 lakh fine, 1 year imprisonment) and, for data breaches, up to ₹250 crore under the DPDP Act, 2023. The implementation cost for SMEs (₹50,000 to ₹5 lakh) is trivial compared to the penalty exposure. Start with the 10-step compliance checklist, build an incident response plan, train your team on the 20 reportable incident categories, and consider professional compliance support to ensure ongoing adherence.