This practitioner guide gives legal professionals and other individuals a compliance-centric view of the current cybersecurity obligations under the CERT-In (Indian Computer Emergency Response Team) guidelines. The guide covers what CERT-In is, the legal foundation of its powers, and the progression of updates and clarifications. It also covers cybersecurity compliance for Indian companies and what they must incorporate into their daily operations, i.e. incident reporting, log maintenance, and co-operation, to ensure the response is legally defensible.

Introduction

In the Indian jurisdiction, cybersecurity incidents are no longer handled merely by internal IT teams or through voluntary disclosures. These incidents are regulated by a legal incident-response framework governed by CERT-In (under the Ministry of Electronics and Information Technology, Government of India), which is authorized to issue mandatory directions and mandate co-operation from technology-oriented entities. For business entities, employers, startups, and professionals, this translates into cybersecurity obligations under CERT-In that are enforceable compliance obligations rather than elective best practices.

What usually makes compliance difficult in practice is the way the regulatory framework operates. The published CERT-In directions for organizations follow an uncertain revision and clarification cycle, and these clarifications often materialize as guides rather than formal amendments and requirements. For instance, the requirement of mandatory reporting to CERT-In arises on mere apprehension of an incident, not on quantifiable impact. This creates misunderstanding across HR, IT, legal teams and vendors alike, as they struggle with administering reporting and cross-functional rights.

What are the Cybersecurity obligations under CERT-In?

Cybersecurity obligations under CERT-In are not just aspirational or technical criteria but conduct-oriented statutory obligations. These duties are devised to control the behaviour of businesses before, during and after the occurrence of an incident. The regulatory framework is operational in nature and is concerned with how organizations respond to cyber risks, i.e. timing, transparency, and collaboration. It is usually less concerned with whether the security framework is state of the art.

A conduct-focused compliance framework

At the core of CERT-In’s regulatory framework lies the emphasis on the “response behaviour” of companies, as per the CERT-In Cyber Security Directions dated 28th April 2022 (hereinafter referred to as “April 2022 Directions”). The framework is designed to ensure that cybercrimes are detected early, evidence is preserved, and organized risks can be evaluated at a national level. As a result, compliance is judged on the basis of the nature of the incident, the time of occurrence, and the engagement with the respective authority, and not on the concurrent impact of the incident.

In practice, this means that even well-equipped organizations can fall under scrutiny if they breach procedural obligations, whereas smaller entities with a proactive and transparent response mechanism are considered compliant, regardless of their procedural and resource limitations. The April 2022 Directions enforce six tangible duties for the applicable entities, including service providers, intermediaries, data centres, body corporates, and government organizations.

  1. Time-bound Mandatory Reporting:
    The aforesaid directions require entities to report the cyber incidents listed under Annexure I within 6 hours of detecting the incident or becoming aware of it. It is important to note that the reporting trigger is detection or awareness, not forensic validation or impact assessment.
    The obligations under these directions apply even while investigations are ongoing and even when incidents appear to be contained. From a practical compliance viewpoint, this reporting mandate forms the essence of mandatory incident reporting to CERT-In, and delays are assessed precisely against the six-hour window and not the internal decision-making timeframe.
  2. Maintenance of Logs:
    Entities are required to enable logs of their Information and Communication Technology (ICT) systems and maintain them securely for a rolling period of 180 days, with the logs maintained within the Indian jurisdiction. These logs must be produced when reporting an incident or as and when directed by CERT-In. This mandate applies irrespective of whether an incident has occurred. In practice, it is one of the most enforceable of the CERT-In cybersecurity compliance requirements, because the absence of logs becomes evident as soon as information is sought.
  3. Enforceable Compliance through orders and timelines:
    Entities are required to provide information and assistance in the required format and timeline, whenever CERT-In issues an order or direction for incident response or preventive action. Failure to comply within the pre-defined timeline shall be considered non-compliance. Furthermore, organizations shall appoint an authorized CERT-In Point of Contact (PoC) to route all communication through this channel.
  4. Sector-specific Obligations:
    The April 2022 Directions impose data retention obligations on certain categories of entities, including data centres, VPS providers, cloud service providers, and VPN providers. These entities are required to maintain customer and subscriber information for 5 years after cessation of services.
    Furthermore, virtual asset service providers, exchanges and custodian wallet providers should retain their KYC and transaction records for 5 years, in a manner sufficient to permit transaction reconstruction.
  5. Time Synchronization:
    It is mandatory for all entities to synchronise ICT system clocks using NIC or NPL Network Time Protocol (NTP) servers, or servers accessible to them. Limited flexibility is permitted for geographically dispersed infrastructure, provided there is no deviation from the prescribed time source.

When combined, these responsibilities define the CERT-In directions for organizations in clear operational terms, i.e. promptly report issues, maintain logs within India, maintain an active Point of Contact (PoC), act in accordance with information requests, keep track of specified customer and transaction data wherever applicable, and uphold system time reliability.

For companies, this framework establishes a consistent state of compliance readiness rather than a damage control system active only after a major cyber threat.

Legal and Practical Challenges faced by organizations under CERT-In guidelines

Usually, compliance lapses under the CERT-In framework arise during execution rather than interpretation. In practice, legal exposure arises from gaps between internal team responses and the CERT-In cybersecurity compliance requirements with respect to timing, records, and co-operation.

  1. Reporting decisions under a pre-defined timeline:
    Generally, organizations tend to delay escalation of incidents while evaluating gravity, acknowledgment, or business impact. However, reporting obligations apply on detection of an incident, not on forensic confirmation. Early decision-making becomes important because a delay in reporting cannot be defended by pointing to internal approval mechanisms. As a result, mandatory incident reporting to CERT-In usually breaks down, even in otherwise well-managed incidents.
  2. Maintenance of Logs and Preservation of Evidence:
    Maintenance of logs is an ongoing activity. However, it is often discovered only during an incident that logs are incomplete, inaccessible, or modified, due to system layout or vendor limitations. At this stage, compliance exposure has already developed, irrespective of how quickly the incident is contained.
  3. Dependency on Vendors and Cloud:
    Dependence on cloud service providers or managed service providers does not shift the responsibility of the entities. As per the CERT-In directions for organizations, the burden of compliance remains with the entity using the respective computer resource. Contractual gaps around incident notification and access to logs often surface during ongoing incidents and directly influence the outcome.

In our experience, organizations that manage cybersecurity compliance for Indian companies effectively are those with a clear reporting framework, a predetermined escalation mechanism, and methodical log governance.

Conclusion – Cybersecurity obligations under CERT

CERT-In’s cybersecurity regime institutes a well-defined and enforceable framework for organizations’ responses to cyber crime incidents. These mandates are specific and time-oriented, making vigilance and readiness as important as technical know-how.

Treating cybersecurity obligations under CERT-In as a recurrent activity, as important as business development, is essential for development. Regular review of reporting mechanisms, log maintenance activities and internal controls can substantially reduce compliance risks before incidents occur.

Frequently Asked Questions (FAQs) – Cybersecurity obligations under CERT

What is CERT-In?

It is a national-level authority operational since 2004. However, it was recognized under the Information Technology (Amendment) Act, 2008 as the national agency for incident response with the introduction of Section 70B(1).

What is the legal foundation of CERT-In compliances?

Primarily, CERT-In’s legal authority emerges from Section 70B of the Information Technology (Amendment) Act, 2008, which authorizes it to issue directions to technology-oriented companies and call on them for more information. CERT-In’s authority mainly focuses on conduct rather than outcome, i.e. even if an incident causes minimal harm but breaches procedural obligations, it can still attract investigation.

Are CERT-In compliances legally binding?

Yes, CERT-In compliances are legally binding and may attract scrutiny in case of procedural lapses. CERT-In directions for organizations are issued under legislative authority and are treated as statutory obligations and not mere advice.

What statutory functions does CERT-In perform?

In accordance with Section 70B(4) of the Information Technology (Amendment) Act, 2008, CERT-In is legally obliged to perform the following functions:

  1. Collection, analysis, and dissemination of information related to cyber security incidents;
  2. Forecasts and alerts of potential cyber security threats;
  3. Emergency measures for tackling cyber security incidents;
  4. Organization of cyber incidents response activities;
  5. Issue of advisories, guidelines and whitepapers with respect to information security practices, procedures, prevention, responses, and reporting of cyber security incidents;
  6. Any other functions related to cyber security as may be prescribed/required.

Are the CERT-In Cyber Security Directions dated 28 April 2022 still binding under Section 70B?

Yes. As of February 2026, the April 2022 Directions are still legally binding under Section 70B of the Information Technology Act, 2000. They continue to be the core legal regime for obligations like incident reporting, log retention, cooperation with CERT-In, and related duties. There has not been any new Gazette notification, amendment or replacement directive that overrides or repeals these Directions, so they remain in effect.

Did later FAQs or clarifications change the scope of legal duties as in the April 2022 Directions?

No. The May 2022 FAQs, clarifications and other follow-up guidance are meant to explain and interpret the Directions; they do not change the scope of legal requirements. Similarly, extensions or phased timelines, such as those for MSMEs or specific service categories, only adjusted when compliance was due, but they did not alter the underlying legal obligations set out in the April 2022 Directions.

Who do the April 2022 Directions apply to?

The April 2022 Directions expressly cover all service providers, intermediaries, data centres, body corporates, and Government organisations. This scope is clearly set out in the applicability clause of the Directions, making compliances mandatory for both private and public sector entities that fall within these categories.

Which cyber incidents are covered under the Annexure I of the April 2022 Directions?

Annexure-I of the April 2022 Directions explicitly states XX cyber incidents that must be mandatorily reported to CERT-In. The scope of the incidents is broad and is focused on the risk involved and not the damages sustained. The Annexure includes incidents such as attacks on servers or network devices, spoofing or phishing, data breach or leak, fake mobile applications, unauthorized access to IT systems or data, and unauthorized access to social media accounts, amongst others.

Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet. 28th April 2022. Retrieved from: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

About Us

Corrida Legal is a boutique corporate & employment law firm serving as a strategic partner to businesses by helping them navigate transactions, fundraising-investor readiness, operational contracts, workforce management, data privacy, and disputes. The firm provides specialized and end-to-end corporate & employment law solutions, thereby eliminating the need for multiple law firm engagements. We are actively working on transactional drafting & advisory, operational & employment-related contracts, POSH, HR & data privacy-related compliances and audits, India-entry strategy & incorporation, statutory and labour law-related licenses, and registrations, and we defend our clients before all Indian courts to ensure seamless operations.

We keep our clients future-ready by ensuring compliance with the upcoming Indian Labour codes on Wages, Industrial Relations, Social Security, Occupational Safety, Health, and Working Conditions – and the Digital Personal Data Protection Act, 2023. With offices across India including Gurgaon, Mumbai and Delhi, coupled with global partnerships with international law firms in Dubai, Singapore, the United Kingdom, and the USA, we are the preferred law firm for India entry and international business setups. Reach out to us on LinkedIn or contact us at contact@corridalegal.com or +91-9211410147 in case you require any legal assistance. Visit our publications page for detailed articles on contemporary legal issues and updates.
