CERT-In Issues Directions on IT Practices, Response and Reporting of Cyber Incidents

On 28th April 2022, Indian Computer Emergency Response Team (CERT-In)* issued the following directions relating to information security practices, procedures, prevention, response, and reporting of cyber incidents for safe & trusted internet:

On Reporting Cyber Incidents

CERT-In directed all service providers, intermediaries, data centres, body corporate, and government organisations to report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. Cyber security incidents that need to be mandatorily reported to CERT-In include:

  • Unauthorised access of IT systems/data
  • Malicious code attacks such as spreading of virus/Trojan/Bots/ Spyware
  • Fake mobile apps
  • Unauthorised access to social media accounts

The incidents can be reported to CERT-In via email, phone, and fax.

On Maintaining ICT System Logs

CERT-In directed all service providers, intermediaries, data centres, body corporate, and government organizations to enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction.

On Connecting to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC)

CERT-In directed all service providers, intermediaries, data centres, body corporate, and government organizations to connect to the NTP Server of NIC or National Physical Laboratory or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks.

On Assisting CERT-In

When required by CERT-IN for cyber incident response, service providers, intermediaries, data centres, and body corporates must take action and provide assistance to CERT-In for cyber security mitigation actions and enhanced cyber security situational awareness. The organizations must also designate a Point of Contact to interface with CERT-In and send the information of the Point of Contact to CERT-In in the format prescribed in the directions.

On Registration of Data Centres, Cloud Service Providers and Virtual Private Network (VPN) Service Providers

Data centres, Virtual Private Server providers, cloud service providers, and VPN service providers shall register accurate information on their IP address, names of subscribers/ customers, period, and purpose of hiring the service, etc. and maintain it for a period of 5 years or longer after cancellation or withdrawal of their registration.

On Maintaining Information Obtained as part of Know Your Customer (KYC)

Virtual asset service providers, virtual asset exchange providers and custodian wallet providers shall maintain all information obtained as part of KYC and records of financial transactions for a period of 5 years.

Effective Date

The directions will be effective after 60 days from the date of issuance.

*As per Section 70B of the IT Act, 2000, CERT-In serves as the national agency for the collection, analysis, and dissemination of information on cyber incidents and undertaking emergency measures for handling cyber security incidents.

Reach Us

*In association with Moore, UAE


You might have been redirected to this website if you accessed ReinaLegal.in or Headsup.in since both the firms have merged to form ReinHeads.

As per the rules of the Bar Council of India, we are not permitted to solicit work or advertise for our services. The user acknowledges the following:

  • there has been no advertisement, personal communication, solicitation, invitation or inducement of any kind whatsoever from us or any of our members to solicit any work through this website;
  • the user wishes to gain more information about us for his/her own information and use;
  • the information about us is provided to the user only on his/her specific request and any information obtained or material downloaded from this website is completely at the user’s volition and any transmission, receipt or use of this site would not create any lawyer-client relationship.