CERT-In Direction 2022 Compliance

CERT-In's Direction No 20(3)/2022 (issued April 2022) sets prescriptive obligations on Indian service providers, intermediaries, data centres and bodies corporate — including a 6-hour incident reporting timeline, mandatory log retention, time synchronisation to NPL or NIC servers, and KYC obligations on certain service categories. NexaSource helps Indian enterprises operationalise these obligations into their existing security operations.

  • 6 hours: Incident-reporting workflow we build into your SOC
  • 180 days: Log retention architecture aligned to CERT-In requirement
  • NPL / NIC sync: Time-synchronisation discipline across all systems

What CERT-In Direction 2022 requires

  • 6-hour incident reporting: Specified categories of cyber incidents must be reported to CERT-In within 6 hours of noticing.
  • Log retention: ICT system logs must be enabled and securely maintained for 180 days within Indian jurisdiction.
  • Time synchronisation: All ICT system clocks must be synchronised to NPL (National Physical Laboratory) or NIC (National Informatics Centre) NTP servers.
  • Designated point of contact: Chief Information Security Officer or designated contact for CERT-In communications.
  • KYC retention: Specified service providers (data centres, VPS, cloud, VPN) must retain customer KYC information for 5 years.
  • Cooperation with CERT-In: Including providing information when requested for incident response, threat intelligence and analysis.

How we operationalise CERT-In compliance

Incident classification matrix

Mapping of incident types to CERT-In reporting categories, with decision-trees for SOC analysts to determine reportability quickly.

6-hour reporting workflow

Pre-approved templates, escalation matrix, legal-team coordination and CERT-In submission process — exercised through tabletops.

Log architecture

SIEM and log-archive design with 180-day hot/warm retention plus secured cold storage, all India-resident, integrity-protected.

Time synchronisation hardening

NTP architecture pointing to NPL/NIC sources, monitoring of clock drift, audit evidence of synchronisation across critical systems.

Designated CERT-In contact

Role definition, contact registration, communication SOPs and out-of-hours coverage for SOC-led organisations.

Tabletop exercises

Annual exercises that test the 6-hour timeline against realistic ransomware, data-exfiltration and DDoS scenarios.

Where we engage

  • All Indian bodies corporate processing personal or business data
  • Data centres, VPS, cloud and VPN providers (additional KYC retention)
  • BFSI entities running parallel CERT-In and sectoral-regulator reporting
  • IT services and SaaS firms with large customer estates
  • Government and public-sector entities

Frequently Asked Questions

What incident types must be reported within 6 hours?

CERT-In specifies categories including targeted scanning of critical systems, compromise of critical systems, identity theft, data breach, ransomware, attacks on internet-of-things devices, and several others. We supply the full reportable-event matrix as part of engagement.

Where should logs be stored under the Direction?

Within Indian jurisdiction. We design log architectures using Indian regions of cloud SIEMs (Sentinel, Chronicle, Splunk Cloud) or India-hosted on-premise SIEMs.

How do we synchronise time to NPL or NIC?

We point your NTP infrastructure to NPL (time.nplindia.org) or NIC (time.nic.in) servers, with secondary sources, monitoring of drift, and audit evidence collection.
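One way to collect the drift-monitoring and audit evidence described above, as an added example (not NexaSource's tooling): a check that reads a host's chrony configuration and `chronyc tracking` output, separates the NPL/NIC hostnames named on this page from any other sources, and flags hosts for review. The 100 ms threshold, the function names and both sample inputs are assumptions constructed for illustration.

```python
import re

# Hostnames as given on this page for the NPL and NIC time sources.
APPROVED = {"time.nplindia.org", "time.nic.in"}
MAX_OFFSET_S = 0.100  # assumed alert threshold; not a figure from the Direction

# Constructed sample inputs (not captured from a real host).
SAMPLE_CONF = """\
# /etc/chrony.conf (constructed)
server time.nplindia.org iburst
server time.nic.in iburst
pool pool.example.net iburst
"""
SAMPLE_TRACKING = """\
Stratum         : 3
System time     : 0.000412345 seconds slow of NTP time
Leap status     : Normal
"""

def audit_sources(conf_text):
    """Split configured server/pool hosts into (approved, other) lists."""
    approved, other = [], []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # ignore comments
        if len(parts) >= 2 and parts[0] in ("server", "pool"):
            host = parts[1].lower()
            (approved if host in APPROVED else other).append(host)
    return approved, other

def system_offset(tracking_text):
    """Signed clock offset in seconds from `chronyc tracking` (negative = slow)."""
    m = re.search(r"^System time\s*:\s*([\d.]+) seconds (fast|slow)",
                  tracking_text, re.M)
    if not m:
        raise ValueError("no 'System time' line found")
    return float(m.group(1)) * (1 if m.group(2) == "fast" else -1)

def evidence(conf_text, tracking_text):
    """Build one audit-evidence record for a host."""
    approved, other = audit_sources(conf_text)
    offset = system_offset(tracking_text)
    return {
        "approved_sources": approved,
        "other_sources": other,  # secondary sources to justify in the audit file
        "offset_seconds": offset,
        "needs_review": not approved or bool(other) or abs(offset) > MAX_OFFSET_S,
    }

if __name__ == "__main__":
    print(evidence(SAMPLE_CONF, SAMPLE_TRACKING))
```
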

Do KYC retention obligations apply to us?

KYC retention specifically applies to data centres, VPS providers, cloud service providers and VPN service providers. We help assess applicability and design retention infrastructure if applicable.

Who should be the CERT-In point of contact?

Typically the CISO or designated information-security leader. We help define the role, register it with CERT-In and create out-of-hours coverage arrangements.

Can your SOC handle CERT-In reporting on our behalf?

We can operate your SOC and prepare reportable-incident packets, but the Direction places the obligation on the entity itself — we facilitate and your designated contact submits.
