CERT-In — the Indian Computer Emergency Response Team — is the national nodal agency for cyber incident response, operating under Section 70B of the IT Act 2000. Its Directions of 28 April 2022 (effective 25 June 2022) bind virtually every organisation operating in India: intermediaries, data centres, body corporate and government bodies alike.

The headline obligation is the 6-hour reporting clock: any of the reportable incident types must be reported to incident@cert-in.org.in within six hours of being noticed — the fastest breach notification deadline in the world, and the clock that paces every other Indian regulator's notification workflow.

Three technical mandates follow. First, 180-day log retention: system, network, application and security logs must be retained within India and be producible to CERT-In on demand. Second, NTP synchronisation: all ICT infrastructure must sync to Indian time sources (NIC/NPL), never foreign NTP servers. Third, KYC and record-keeping duties for VPN providers, cloud providers and virtual asset exchanges, with five-year retention.

Non-compliance is punishable under Section 70B(7) of the IT Act — imprisonment up to one year and/or fine up to ₹1 lakh — but the practical exposure is larger: CERT-In non-compliance is routinely cited in RBI, SEBI and IRDAI inspection findings, multiplying regulatory consequences.

Use the layers below for the full 26 reportable incident types, the clock-aware 6-hour reporting SOP and the technical mandates table.