
CERT-In Six-Hour Incident Reporting Direction

CERT-In's April 2022 directions mandate service providers, intermediaries, data centres, and corporates to report cybersecurity incidents to CERT-In within six hours of detection.

Framework overview

Issued under Section 70B(6) of the IT Act, 2000, CERT-In's Cyber Security Directions 2022 require entities to report 20 categories of cyber incidents within six hours of noticing the incident or of being brought to notice of it. The directions also mandate synchronization of ICT system clocks with NTP servers, retention of logs for 180 days, and KYC for VPN and cloud service providers. Non-compliance attracts penalties of up to one year of imprisonment under Section 70B(7). The framework aims to create a national early warning system for cyber threats affecting Indian cyberspace.

Advantages
  • Enables CERT-In to issue timely advisories and coordinate national-level incident response, as demonstrated during the AIIMS ransomware attack in November 2022 where centralized coordination helped manage patient data exposure
  • Creates a structured intelligence feed helping organizations learn from sector-wide attack patterns, particularly useful for BFSI sector during UPI fraud spikes and digital payment compromises
  • Establishes accountability in incident handling with defined timelines, reducing mean-time-to-respond for critical infrastructure entities like power grids and telecom operators
  • Strengthens India's cybersecurity posture for international cooperation, enabling faster coordination with foreign CERTs during cross-border ransomware and APT campaigns targeting Indian entities
  • Provides legal protection to reporting entities through structured disclosure mechanisms, reducing litigation risks compared to ad-hoc public disclosures
Gaps in implementation
  • The six-hour timeline is operationally challenging for organizations with decentralized IT teams across time zones; many Indian MNCs struggle with incident validation and categorization within this window
  • Ambiguity in defining 'noticing' versus 'occurrence' creates compliance confusion, especially for incidents discovered through external threat intelligence or vendor notifications weeks after the actual breach
  • Lack of harmonization with sectoral regulators like RBI (24-hour reporting for banks), SEBI, and IRDAI creates duplicate reporting burden with different formats and timelines for regulated entities
  • No materiality threshold is specified, so organizations report minor incidents such as single phishing emails, creating signal-to-noise problems; CERT-In receives thousands of low-priority reports that dilute focus on critical incidents
  • Insufficient guidance on reporting third-party vendor incidents, cloud service breaches, and supply chain compromises where Indian entities may lack complete visibility or forensic access
Real-world Indian scenarios
  • In November 2022, AIIMS Delhi suffered a ransomware attack affecting 1.3 TB of patient data and 40 million records. The incident was reported to CERT-In within the six-hour window, enabling a coordinated national response, but full services took nearly a month to restore, highlighting gaps in recovery protocols that lie beyond reporting.
  • The Air India data breach disclosed in May 2021 (the intrusion occurred in February 2021 at the SITA data processor) showed how delayed discovery and a multi-jurisdictional setup complicate reporting timelines. Under the 2022 directions, such cloud-processor incidents involving Indian customer data require immediate reporting even when the breach occurs at a foreign data processor.
  • In October 2022, multiple Indian entities using Microsoft Exchange servers reported ProxyNotShell exploitation attempts to CERT-In within hours, enabling CERT-In to issue CIVN-2022-0297 advisory within 24 hours, protecting thousands of unpatched Indian servers from compromise.
Room for improvement
  • Establish pre-classified incident templates and automation APIs for real-time reporting integration with SIEM platforms to reduce manual effort in the six-hour window; organizations should deploy SOAR playbooks with CERT-In reporting workflows
  • Conduct quarterly cross-functional incident response drills involving legal, IT, and compliance teams with simulated CERT-In reporting scenarios to build muscle memory and reduce confusion during actual incidents
  • Implement continuous log aggregation and clock synchronization monitoring across all ICT systems including OT/ICS environments, cloud workloads, and SaaS applications to ensure 180-day retention and NTP compliance beyond traditional IT infrastructure
  • Develop clear escalation matrices with defined roles for incident categorization, especially for edge cases involving supply chain, third-party vendors, and cloud services, with pre-approved communication templates to meet tight reporting deadlines
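An added example, not part of this entry or of any CERT-In tooling: a small Python self-check for the three clocks the direction puts on an organisation, the six-hour reporting deadline from detection, the 180-day log retention, and NTP synchronisation of the system clock. The `chronyc tracking` text is a constructed sample, and the 5-second drift tolerance is an assumption (the direction sets no number).

```python
"""Self-check for CERT-In Cyber Security Directions 2022 obligations.
Added example, not CERT-In's own tooling: six-hour reporting deadline,
180-day log retention, NTP clock drift (tolerance is an assumption)."""
import re
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))   # CERT-In works in IST
REPORT_WINDOW = timedelta(hours=6)
RETENTION_DAYS = 180
MAX_DRIFT_SECONDS = 5.0  # assumed tolerance; the direction sets no number

# Constructed sample of `chronyc tracking` output (not from a real host).
SAMPLE_TRACKING = """\
Reference ID    : C0A80001 (ntp.example.internal)
Stratum         : 3
System time     : 0.000412000 seconds slow of NTP time
Leap status     : Normal
"""
_SYSTIME = re.compile(r"^System time\s*:\s*([0-9.]+) seconds (fast|slow) of NTP time", re.M)
_LEAP = re.compile(r"^Leap status\s*:\s*(.+?)\s*$", re.M)

def report_deadline(detected_at: datetime) -> datetime:
    """Latest permissible report time in IST; naive timestamps are read as UTC."""
    if detected_at.tzinfo is None:
        detected_at = detected_at.replace(tzinfo=timezone.utc)
    return (detected_at + REPORT_WINDOW).astimezone(IST)

def report_overdue(detected_at: datetime, now: datetime) -> bool:
    return now.astimezone(IST) > report_deadline(detected_at)

def retention_ok(oldest_log: datetime, now: datetime) -> bool:
    """True when the oldest retained log is at least 180 days old.
    Assumes the system has been in service longer than 180 days."""
    return now - oldest_log >= timedelta(days=RETENTION_DAYS)

def ntp_drift(tracking_output: str) -> float:
    """Signed clock offset in seconds (+ fast, - slow) from chronyc text."""
    leap = _LEAP.search(tracking_output)
    if leap and leap.group(1) == "Not synchronised":
        raise ValueError("clock not synchronised to NTP")
    m = _SYSTIME.search(tracking_output)
    if not m:
        raise ValueError("no 'System time' line in chronyc output")
    offset = float(m.group(1))
    return offset if m.group(2) == "fast" else -offset

def ntp_ok(tracking_output: str) -> bool:
    try:
        return abs(ntp_drift(tracking_output)) <= MAX_DRIFT_SECONDS
    except ValueError:
        return False
```

Feed `ntp_ok` the real output of `chronyc tracking` on a host and call `report_overdue` from the SOC ticketing hook to flag tickets approaching the deadline.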
Tags: CERT-In · Incident Reporting · IT Act 2000 · Cyber Security Directions 2022 · Critical Infrastructure · Log Retention
Frequently asked: questions risk leaders ask

Issued in April 2022 under Section 70B(6) of the IT Act 2000, this CERT-In direction mandates reporting of specified cybersecurity incidents within 6 hours of detection by service providers, intermediaries, data centres, and corporates.

Updated 6/4/2026 · refreshed weekly