CERT-In Incident Reporting — The Six-Hour Rule, In Plain English

Published May 19, 2026 · By AxVeil Compliance · 14 min read

The Indian Computer Emergency Response Team (CERT-In) issued Directions under Section 70B(6) of the IT Act 2000on 28 April 2022, with enforcement starting 28 June 2022. The directions did two things that permanently changed Indian incident response: they introduced a six-hour incident reporting window, and they imposed multi-year log and KYC retention obligations on service providers, data centres, and intermediaries. Four years in, most Indian CISOs we work with still struggle to operationalise the six-hour rule — not because the policy is unclear, but because their alert-to-report workflow was built around 24- or 72-hour expectations. This guide is the playbook we hand customers who have just realised they need to be able to file inside six hours of detecting a ransomware burst or a credential-stuffing wave.

What is reportable

Annexure I of the CERT-In Directions lists 20 categories of cyber incidents that must be reported. The list is broad and intentionally so. The categories you will see most often in practice:

Targeted scanning / probing of critical networks or systems.
Compromise of critical systems or information.
Unauthorised access to IT systems or data.
Defacement of website, intrusion into a website, and unauthorised changes such as inserting malicious code or links to external websites.
Malicious code attacks — virus, worm, Trojan, bot, ransomware, spyware, crypto miners.
Attack on servers — database, mail, DNS — and on network devices such as routers.
Identity theft, spoofing, and phishing attacks.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
Attacks on critical infrastructure, SCADA, OT systems, and wireless networks.
Attacks on cloud computing systems, virtual assets, virtual asset exchanges, custodian wallets.
Attacks or malicious / suspicious activities affecting systems/servers/software/applications related to AI & ML.
Attacks on systems handling Big Data, Blockchain, virtual assets, robotics, 3D and 4D printing, additive manufacturing, drones, IoT, social media.
Data breach & data leak.
Fake mobile apps.

If you are unsure whether an event qualifies, report. CERT-In does not penalise over-reporting; it penalises under-reporting. Operationally, treat any High-or-Critical-severity SOC alert that confirms one of the listed categories as a reportable trigger.

The six-hour clock — operationalising it

Six hours is short. If your alert pipeline relies on a daily standup to triage, you have already lost. The minimum infrastructure to consistently meet the timeline:

Detection-to-trigger workflow

SIEM rules tagged with a cert_in_category field. When the rule fires, the alert carries the category metadata into the ticket.
SOAR or ticketing automation that pages an on-call "CERT-In reporting officer" on creation of any CERT-In-tagged High/Critical ticket.
An SLA timer on the ticket counting down from six hours. Visible in the on-call dashboard. Breaches escalate to CISO at the four-hour mark.

Reporting-officer kit

Pre-filled CERT-In incident report template stored in the runbook. Five sections: who you are, what happened, what you have done, what you need, who to contact.
PGP key for incident@cert-in.org.in already imported on the on-call workstation.
A boilerplate "Initial submission" cover note that explicitly states you will follow up with updates as facts emerge — partial submission within 6 hours is the correct posture.
Pre-approved contact info for the secondary channels: 1800-11-4949 (phone), 1800-11-6969 (fax), web form at cert-in.org.in.

Sample initial report (redact and customise)

To: incident@cert-in.org.in
From: ciso@example.in
Subject: CERT-In Incident Report — Ransomware (Initial, T+02:30)

1. Organisation
   Name:       Acme Financial Services Pvt Ltd
   CIN:        U72900KA2018PTC123456
   Sector:     BFSI (NBFC)
   Officer:    Priya Sharma, Reporting Officer, +91-80-XXXX-XXXX

2. Incident category (Annexure I)
   Item 5: Malicious code attacks — ransomware
   Item 13: Data breach (suspected, under investigation)

3. Summary
   At 14:12 IST today, EDR on 47 file-server endpoints in the Bengaluru
   data centre raised LockBit 3.0 signature detections. SOC confirmed
   active encryption on at least 8 hosts. Network containment applied
   at 14:24. AD privileged account 'svc-backup' suspected compromise
   vector (Pass-the-Hash detection from same host 36h prior).

4. Impact
   ~12 TB on the affected hosts. Customer-facing services unaffected.
   No confirmed exfiltration; outbound DLP review in progress.

5. Actions taken
   - Containment: 47 hosts isolated from network.
   - Eradication: in progress; clean re-image planned.
   - Investigation: Mandiant retained at 15:30.
   - Backups: offline backups verified intact.

6. Assistance requested
   IOC sharing for LockBit 3.0 variant if held by CERT-In.

7. Follow-up
   Update will follow at T+12h with confirmed scope.

Log retention — the 180-day rule

The directions require ICT system logs to be kept for 180 days within India. "Within India" is not a request — for regulated entities (banks, telecoms, payment systems) it is enforceable through sectoral regulators. Engineering-side implications:

If your SIEM is hosted outside India (some Splunk, Elastic, Datadog, Azure Sentinel deployments), confirm with the vendor that you can configure log storage in an Indian region. Most can; do not assume by default.
Retention is 180 days online, not archived. CERT-In expects timely retrieval, not a restore-from-tape exercise. Plan ingestion volumes accordingly.
Logs must cover authentication, network flow, DNS, web access, and any source the SIEM uses for detection. A missing source is a missing log under audit.
Maintain a documented retention SOP and time-sync (NTP, with stratum 1 or stratum 2 source) attestation. Out-of-band clock drift kills the evidentiary value of the logs in a CERT-In follow-up.

Five-year KYC retention for specific providers

Data centres, VPS providers, cloud service providers must keep accurate customer KYC and IP-address allocation records for five years after termination of registration.
VPN providers must keep subscriber names, period of hire, IPs allocated, email, IP at registration, purpose of hire, and validated address/contact numbers — for five years.
Virtual asset service providers, exchange providers, and custodian wallet providers must keep KYC and financial transaction records for five years.

How CERT-In interacts with other regulators

The CERT-In rule is not the only clock you may be running. The most common multi-regulator scenarios:

RBI-regulated entities — additionally report to RBI Cyber Security Incident Reporting (CSIR) format. See our RBI cyber framework checklist.
SEBI-regulated entities — additionally report under the SEBI Cybersecurity and Cyber Resilience Framework. The SEBI CSCRF checklist covers the parallel reporting flow.
Personal data breaches — under DPDP Act 2023, you also notify the Data Protection Board within 72 hours. The clocks run in parallel, not sequentially. See DPDP Act checklist.
Insurance regulators (IRDAI), UIDAI, and TRAI have additional sectoral notification windows for relevant incidents.
Listed companies — SEBI LODR disclosure obligations may trigger Stock-Exchange filings for material cyber events.

Penalties and enforcement reality

On paper, Section 70B(7) of the IT Act 2000 imposes imprisonment up to one year or a fine up to one lakh rupees, or both, for failing to comply with CERT-In directions. In practice, CERT-In has not pushed criminal prosecution under this clause; the enforcement that bites is sector-regulator consequences (RBI supervisory actions, SEBI penalties, listing-norm violations) and the reputational damage that lands when a sectoral inquiry reveals you failed to report a known incident inside six hours. Treat the six-hour rule as a hard SLA owned by a named officer.

Operational checklist

Named CERT-In Reporting Officer with deputy on the on-call schedule.
SIEM rules tagged with cert_in_category for every Annexure I item that matches your environment.
Six-hour SLA timer on every CERT-In-tagged ticket with auto-escalation at four hours.
Pre-filled initial report template and pre-imported PGP key on the reporting workstation.
180-day log retention in Indian region across SIEM, identity, DNS, network, cloud control plane.
NTP sync attested quarterly, with stratum source documented.
Quarterly tabletop that exercises the six-hour timeline end-to-end (see our tabletop templates).
Mapping document linking each Annexure I category to a SIEM rule ID and a runbook page.

Pair the CERT-In playbook with quarterly VAPT and compliance reviewsso the underlying detection and logging controls are independently validated. AxVeil's BFSI practice runs CERT-In tabletop exercises as part of every annual programme renewal.

FAQ

What is CERT-In's six-hour reporting rule?

The CERT-In Directions of 28 April 2022 (in force since 28 June 2022) require all service providers, intermediaries, data centres, body corporates, and government organisations to report defined cyber incidents to CERT-In within six hours of noticing them or being informed about them. The list of in-scope incident types covers 20 categories including ransomware, data breach, identity theft, unauthorised access, and attacks on cloud or IoT systems.

When does the six-hour clock start?

From the time you 'notice' the incident or are 'brought to notice'. CERT-In has been consistent that this means the time your security or operations team first becomes aware — not the time you complete root-cause analysis. Treat any high-severity SOC alert that confirms one of the listed incident types as the trigger event and start the clock immediately.

What logs must we retain under the CERT-In directions?

ICT system logs must be retained for 180 days within India, accessible to CERT-In on request. Data centres, VPS providers, cloud service providers, and VPN providers must also keep customer KYC and IP-address allocation records for five years (or as long as the customer registration is current, whichever is longer). Cryptocurrency exchanges and wallet providers have an additional five-year KYC retention obligation.

How do we file the report?

Email incident@cert-in.org.in with the structured incident report (PDF or web form via cert-in.org.in). Include the time of incident, affected systems, attack vector, observed indicators, impact, and the contact details of your reporting officer. Phone: 1800-11-4949. Fax: 1800-11-6969. Initial submission can be partial — file what you know inside six hours and follow up with updates.

What are the penalties for non-compliance?

Section 70B(7) of the IT Act 2000 makes non-compliance with CERT-In directions punishable with imprisonment up to one year or a fine up to one lakh rupees, or both. More importantly, repeated non-reporting becomes evidence in any subsequent CERT-In or sector regulator (RBI, SEBI, IRDAI, TRAI) inquiry — and that is where the operational cost lands.