The Cybersecurity Directions of April 28, 2022, issued by CERT-In under Section 70B(6) of the IT Act, 2000, aim to strengthen India’s cybersecurity ecosystem by mandating practices for timely reporting, data retention, and infrastructure security. They apply to service providers, intermediaries, data centres, body corporates, government organizations, cloud and VPN service providers, and virtual asset service providers, whether domestic or international, if they serve Indian users.
A central requirement is that all entities must report specified types of cyber incidents—such as unauthorized access, malware attacks, data breaches, DDoS attacks, and threats to critical infrastructure—to CERT-In within six hours of detection. A comprehensive list of such incidents is provided in Annexure I of the document.
Entities must also synchronize their ICT system clocks with the National Informatics Centre (NIC) or National Physical Laboratory (NPL) NTP servers to ensure consistency in logs and forensic investigations. Additionally, all ICT system logs must be maintained for at least 180 days within Indian jurisdiction and made available to CERT-In upon request.
The directions mandate that Data Centres, Cloud, VPS, and VPN providers must collect and retain accurate subscriber information (including names, IP addresses, timestamps, and purpose of service) for five years, even after service termination. Crypto exchanges and wallet providers must comply with KYC norms issued by RBI, SEBI, or DoT and store detailed transaction records for the same duration.
Entities are required to designate a Point of Contact (PoC) to interface with CERT-In for communication and compliance. Non-compliance may result in penalties, including fines and imprisonment under Section 70B(7) of the IT Act.
The accompanying FAQs clarify applicability, reporting obligations, cross-border compliance, and data privacy concerns. The directions explicitly override any conflicting confidentiality clauses in private contracts, reinforcing their statutory authority.
Overall, these directions are intended to ensure a Safe, Trusted, and Accountable Internet for users in India by creating a robust framework for cyber incident management and reporting.