Laws & RegulationsCERT-In Directions 2022
In Forcecross-sectorNo. 20(3)/2022-CERT-In, dated April 28, 2022
Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 — CERT-In Cybersecurity Directions 2022
Also known as: CERT-In Directions 2022
The CERT-In Directions 2022 require all entities in India to report cybersecurity incidents to CERT-In within 6 hours — one of the shortest mandatory reporting windows globally. They also require 180-day log retention, NTP synchronization, and 5-year record retention for VPN providers, cloud service providers, and virtual asset service providers.
Jurisdiction
India
Regulator
Indian Computer Emergency Response Team
Effective
6/28/2022
Sector
cross-sector
Full Text / Summary
The Directions were issued under Section 70B(6) of the IT Act 2000. They require: (1) 6-hour incident reporting for 20 categories of incidents; (2) 180-day log retention for ICT systems; (3) NTP clock synchronization; (4) 5-year subscriber record retention for VPN providers, cloud service providers, and virtual asset service providers; (5) 6-hour response to CERT-In information requests. The Directions have been controversial for their short reporting window and data localization requirements for VPN providers, leading several international VPN providers to exit India.