ServicesAssessmentsIndustriesSpectraAgentPricingInsightsAboutContactStart Free Assessment
Home CERT-In Compliance
🛡️ Mandatory Compliance

CERT-In Compliance — What Every Indian Company Must Do

CERT-In directives under IT Act 2000 apply to every organization in India. 6-hour breach notification. 180-day log retention. Not optional. Criminal liability for non-compliance.

Check Your CERT-In Readiness →

What CERT-In Requires

The Indian Computer Emergency Response Team (CERT-In) issued mandatory directives in April 2022 that apply to every organization, service provider, and intermediary in India. These are not guidelines — they carry legal force under the Information Technology Act, 2000.

6h
6-Hour Incident Reporting
All cybersecurity incidents must be reported to CERT-In within 6 hours of detection. This includes: unauthorized access, data breaches, ransomware, DDoS, phishing, malware, and website defacement. Failure to report is a criminal offence under IT Act.
180
180-Day Log Retention
All ICT system logs must be retained for a rolling period of 180 days within Indian jurisdiction. Includes: firewall logs, IDS/IPS logs, VPN logs, server logs, application logs, and database audit logs.
NTP
NTP Synchronisation
All systems must synchronise time with NTP servers provided by NIC or NPL, or with global NTP servers traceable to these. Accurate timestamps are essential for log correlation and incident investigation.
POC
Designated Point of Contact
Every organization must designate a point of contact (POC) for CERT-In communication. This person must be reachable and able to provide information within the reporting timeline.
KYC
KYC for VPS/Cloud/VPN
Data centres, VPS providers, cloud service providers, and VPN providers must maintain KYC records of their customers for 5 years. This applies to any Indian infrastructure provider.

Who Must Comply?

Everyone. CERT-In directives apply to: companies, government bodies, service providers, intermediaries, data centres, body corporates, and any entity that operates computer systems in India. There is no size exemption — a 5-person startup and a 50,000-employee bank have the same reporting obligation.

Penalties for Non-Compliance
Criminal liability under IT Act 2000 Section 70B. Failure to report incidents within 6 hours, failure to maintain logs for 180 days, or failure to provide information to CERT-In can result in imprisonment and/or fines. Additionally, insurance companies may deny cyber insurance claims if CERT-In reporting was not followed.

How SpectraAI Helps

SpectraAI checks your log retention configuration against the 180-day requirement, verifies NTP synchronisation, audits your incident response readiness, and provides the monitoring capability to detect incidents quickly enough to report within 6 hours. Our SpectraAgent runs continuously on your servers, detecting threats in real-time so you're never caught off guard.

Are you CERT-In ready?

Find out in 5 minutes. Free assessment covers log retention, NTP, incident response readiness.

Start Free Assessment →