
CERT-In 6-Hour Rule: What Indian Startups Must Report

CERT-In's mandatory 6-hour incident reporting rule for Indian companies in 2026: what to report, how to report, penalties, and how to prepare.

Ashok Kamat
Cybersecify

CERT-In requires every Indian body corporate, service provider, intermediary, data centre and government organisation to report cyber security incidents within 6 hours of noticing them or being notified of them, per the directions of April 28, 2022 (effective June 27, 2022). Reportable incidents are the 20 types listed in Annex I of the directions, including data breaches and leaks, ransomware and other malicious code, unauthorised access, defacement, DoS/DDoS and attacks on cloud systems. The directions apply regardless of size; startups are not exempt. Non-compliance is punishable under Section 70B(7) of the IT Act, 2000 with imprisonment up to one year, a fine up to INR 1 lakh, or both. The 6-hour window starts at detection, not at investigation completion.

Key findings

  • The 6-hour clock starts at detection, not at incident occurrence. Discovering a breach that happened weeks ago still triggers a fresh 6-hour reporting obligation the moment you learn about it.
  • CERT-In’s window is 12x faster than GDPR’s 72-hour notification standard. This rules out lengthy internal deliberation or legal review before notification; you need a pre-built incident response playbook.
  • 20 incident types in Annex I trigger the obligation, including targeted scanning of critical systems, unauthorised access, ransomware and other malicious code, DoS/DDoS, website defacement, data breaches and leaks, and attacks on cloud systems, digital payment systems and AI/ML systems. Several entries cover suspicious activity, not only confirmed attacks. When in doubt, report.
  • 180-day log retention within Indian jurisdiction is mandatory for all service providers, intermediaries, data centres, and body corporates. 30-day retention is out of compliance.
  • Clock synchronization must use NIC or NPL NTP servers (or NTP servers traceable to these). Without synchronized timestamps, incident timeline evidence is unreliable.
  • VPN providers must retain subscriber records for 5 years after cancellation, including validated names, addresses, IP assignments, and purpose of use. Cloud and VPS providers must maintain KYC records.
  • Penalties derive from Section 70B(7) of the IT Act, 2000: imprisonment up to one year, a fine up to INR 1 lakh, or both, for failing to comply with a direction or to furnish information CERT-In asks for. Under Section 85, liability can extend to the persons in charge of the company.
  • Report via email to incident@cert-in.org.in or through the CERT-In incident reporting portal. Initial notification can be brief; detailed forensics follow.

Cybersecify is a founder-led penetration testing and security consulting firm based in Bengaluru, India, serving AI-first and API-first SaaS startups. We help CERT-In-applicable SaaS startups operationalize the 6-hour rule, including incident response playbooks, centralized logging with 180-day retention, NTP synchronization to NIC or NPL, and CERT-In Point of Contact designation. For an example of the pentest deliverable that complements your incident response readiness, see our SOC 2 + ISO 27001 ready pentest report sample.

If you run a startup in India and handle any kind of digital infrastructure, there is a compliance requirement you need to know about. Since June 2022, every company operating in India must report cyber incidents to CERT-In within 6 hours of becoming aware of them. Not 6 business days. Not “when you get around to it.” Six hours.

Most founders we talk to have never heard of this rule. Some learned about it the hard way. This post breaks down what the rule says, what it means for your company, and how to make sure you are prepared if an incident happens.

What Are the CERT-In Directions?

On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In), which operates under the Ministry of Electronics and Information Technology (MeitY), issued a set of directions relating to information security practices, procedures, prevention, response, and reporting of cyber incidents. These directions became effective on June 27, 2022.

The directions apply broadly. If your organization falls into any of these categories, they apply to you:

  • Service providers
  • Intermediaries
  • Data centre operators
  • Body corporates (essentially any registered company)
  • Government organizations

In practical terms, if you are a startup registered in India or operating digital services for Indian users, these directions apply to you.

The 6-Hour Rule Explained

The headline requirement is straightforward: you must report qualifying cyber incidents to CERT-In within 6 hours of noticing or being notified about the incident.

The clock starts when you become aware. Not when the incident actually occurred. If an attacker breached your system on Monday but you only discovered it on Thursday, your 6-hour window starts on Thursday when you found out.

This distinction matters. It means that even if you discover a breach that happened weeks ago, you still have a fresh 6-hour obligation the moment you learn about it.

Six hours is tight. For context, the EU’s GDPR gives organizations 72 hours to report a data breach to supervisory authorities. India’s requirement is 12 times faster. That leaves almost no room for internal deliberation, legal review, or figuring out who is supposed to do what. You need a plan in place before an incident happens.

What Incidents Must Be Reported

Annex I of the CERT-In directions lists 20 types of cyber security incident that trigger the reporting obligation. Summarised, with examples of what each looks like for a startup:

  • Targeted scanning or probing of critical networks or systems: port or vulnerability scans aimed at your production or other critical infrastructure
  • Compromise of critical systems or information: unauthorised changes to critical systems, data tampering, including a compromise reached through a vendor or third-party component
  • Unauthorised access to IT systems or data: anyone reaching systems or data they are not entitled to
  • Defacement of or intrusion into a website: unauthorised content changes, injected malicious code or links to external sites
  • Malicious code attacks: viruses, worms, trojans, bots, spyware, ransomware, cryptominers
  • Attacks on servers and network devices: database, mail and DNS servers; routers and switches
  • Identity theft, spoofing and phishing: fraudulent emails, fake login pages, credential harvesting targeting your organisation
  • Denial of service (DoS) and distributed denial of service (DDoS): flooding your services with traffic to make them unavailable
  • Attacks on critical infrastructure, SCADA and operational technology systems, and wireless networks
  • Attacks on applications: e-governance, e-commerce and similar applications
  • Data breach: unauthorised exfiltration of personal or sensitive data
  • Data leak: unintended exposure, for example an open storage bucket or credentials committed to a public repository
  • Attacks on IoT devices and associated systems, networks, software and servers: compromised connected devices, botnets built from IoT endpoints
  • Attacks or incidents affecting digital payment systems: UPI, payment gateways, transaction systems
  • Attacks through malicious mobile apps
  • Fake mobile apps: an app impersonating your product or brand
  • Unauthorised access to social media accounts
  • Attacks or malicious/suspicious activity affecting cloud computing systems, servers, software or applications: unauthorised access to cloud resources, cryptojacking
  • Attacks or malicious/suspicious activity affecting systems related to big data, blockchain, virtual assets and exchanges, custodian wallets, robotics, 3D/4D printing, additive manufacturing and drones
  • Attacks or malicious/suspicious activity affecting systems, servers, software or applications related to artificial intelligence and machine learning

The scope is wide. A ransomware attack is an obvious trigger, but so is targeted scanning of a critical system, and several entries cover "malicious or suspicious activities", not only confirmed attacks. A compromise that arrives through a vendor or third-party component is reported under whichever type it produces (unauthorised access, malicious code, data breach). When in doubt, report.

How to Report

Incidents must be reported to CERT-In via email at incident@cert-in.org.in. You can also report through the CERT-In incident reporting portal.

Your report should include:

  • Organization details: Name, sector, contact information
  • Incident details: Nature of the incident, systems affected, date and time of detection
  • Impact assessment: What data or services were affected, scope of impact
  • Actions taken: Immediate containment or mitigation steps already performed
  • Supporting information: Log files, IP addresses involved, indicators of compromise (IOCs)

The report does not need to be a polished document. The initial notification within 6 hours can be brief, with detailed follow-up information submitted afterward. The priority is timely notification, not a complete forensic analysis.

Other CERT-In Requirements Beyond the 6-Hour Rule

The 6-hour reporting window gets the most attention, but the 2022 directions include several other requirements that affect how you manage your infrastructure day to day.

180-Day Log Retention

All service providers, intermediaries, data centres, body corporates and government organisations must enable logging on all their ICT systems and maintain those logs securely for a rolling period of 180 days. The logs must be kept within Indian jurisdiction and provided to CERT-In on request, or along with an incident report.

This means your logging infrastructure needs to capture and retain at least 6 months of data, in India. If you are running lean and only keeping 30 days of logs, you are out of compliance; so is a 180-day pipeline whose storage lives in a non-Indian region.

Clock Synchronization

All ICT systems must have their clocks synchronised to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to these. Entities whose infrastructure spans multiple geographies may use another accurate, standard time source, provided it does not deviate from NIC/NPL time. Consistent timestamps are what let you correlate firewall, application and database logs into a single incident timeline, and what make that timeline defensible when CERT-In asks for it.

VPN Provider Record Keeping

If you operate a VPN service, you must maintain subscriber and customer records for a minimum of 5 years, even after the subscriber cancels their service. Records include validated names, addresses, contact numbers, email addresses, IP addresses assigned, and the purpose of using the service.

Cloud and VPS Provider KYC

Virtual private server (VPS) providers, cloud service providers, and virtual private network service providers must maintain Know Your Customer (KYC) records of their customers. This includes verified identity and address information.

Where Cybersecify fits in your CERT-In readiness

Cybersecify conducts penetration testing for Indian SaaS startups, fintechs, and AI-first product companies preparing for CERT-In reporting obligations or customer / auditor pentest evidence requests. Startup Pentest at INR 74,999 covers 1 scope in 7 days with a free retest. Growth Pentest at INR 1,79,999 covers 2 scopes in 10 days with SOC 2 and ISO 27001 audit prep and a Letter of Attestation. Both follow PTES and OWASP WSTG methodology, produce technical and executive reports with reproduction steps, business impact framing, CVSS risk ratings, and remediation guidance, delivered founder-led by both co-founders (Rathnakara GN holds OSCP and CompTIA PenTest+; Ashok S Kamat handles compliance scoping). See pentest plans or book a 30-min scoping call to map your CERT-In readiness requirements to a pentest scope.

Penalties for Non-Compliance

The CERT-In directions derive their authority from Section 70B of the Information Technology Act, 2000. Non-compliance can lead to:

  • Penalties under the IT Act: Section 70B(7) makes failure to comply with a CERT-In direction, or to furnish information CERT-In asks for, punishable with imprisonment up to one year, a fine up to INR 1 lakh, or both. Under Section 85, where the offender is a company, the persons in charge of and responsible for its business can be held liable alongside it.
  • Blocking of services: blocking public access to online content is a separate Central Government power under Section 69A of the IT Act, exercised through ISPs. The directions do not prescribe it as a penalty for late reporting, but it remains part of the regulator's toolkit in serious cases.
  • Reputational damage: Regulatory action becomes public record and can damage investor confidence, customer trust, and partnership opportunities.
  • Criminal prosecution: Section 70B(7) is a criminal provision, so non-compliance can be prosecuted, not merely fined.

For a startup, the financial and reputational risk of non-compliance far outweighs the effort of setting up proper incident response processes.

How to Prepare: Practical Steps

Compliance with the CERT-In directions is not just about knowing the rules. It requires putting processes and infrastructure in place before an incident occurs. Here is what you should do now.

1. Set Up Centralized Logging

Deploy centralized log management that captures events from your servers, applications, cloud services, and network devices. Set retention to at least 180 days at the storage layer (index lifecycle policy, log-group retention, bucket lifecycle rule) and keep the storage in an Indian region. Solutions like the ELK stack, Grafana Loki, or managed SIEM services work well for startups; what matters for compliance is where the data lives and for how long, not which product holds it.
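Two things silently break a "we have logging" setup against this requirement: retention shorter than 180 days, and storage that lives outside India. As an added example (not from the article, CERT-In or AWS), the check below audits an inventory of CloudWatch log groups for both. It consumes the same fields boto3's `logs.describe_log_groups()` paginator returns (`logGroupName`, `arn`, `retentionInDays`); the inventory embedded here is constructed for illustration, and the set of Indian regions is an assumption you should extend to whichever provider and regions you actually use.

```python
"""Audit a CloudWatch-style log group inventory against CERT-In's
180-day, in-India log retention requirement.

Added example for this article, not a CERT-In or AWS tool. Input shape
mirrors boto3 logs.describe_log_groups(); the inventory below is
constructed, not pulled from a real account.
"""
from typing import Iterable

MIN_RETENTION_DAYS = 180                      # CERT-In rolling retention floor
INDIA_REGIONS = {"ap-south-1", "ap-south-2"}  # assumption: AWS Mumbai, Hyderabad

# Constructed inventory. In CloudWatch a missing retentionInDays means
# "never expire", which satisfies the 180-day floor (at a storage cost).
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/api",
     "arn": "arn:aws:logs:ap-south-1:111122223333:log-group:/aws/lambda/api:*",
     "retentionInDays": 30},                  # too short
    {"logGroupName": "/app/auth",
     "arn": "arn:aws:logs:ap-south-1:111122223333:log-group:/app/auth:*",
     "retentionInDays": 180},                 # compliant
    {"logGroupName": "/app/audit",
     "arn": "arn:aws:logs:ap-south-1:111122223333:log-group:/app/audit:*"},
                                              # never expires: compliant
    {"logGroupName": "/app/edge",
     "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/edge:*",
     "retentionInDays": 365},                 # long enough, wrong jurisdiction
]


def region_from_arn(arn: str) -> str:
    """Extract the region field from arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[3]


def audit_log_groups(groups: Iterable[dict],
                     min_days: int = MIN_RETENTION_DAYS,
                     allowed_regions=INDIA_REGIONS) -> list[dict]:
    """Return one finding per violated rule (a group can produce two)."""
    findings = []
    for g in groups:
        name = g["logGroupName"]
        region = region_from_arn(g["arn"])
        retention = g.get("retentionInDays")  # None => never expire
        if region not in allowed_regions:
            findings.append({"logGroup": name, "issue": "outside_india",
                             "region": region})
        if retention is not None and retention < min_days:
            findings.append({"logGroup": name, "issue": "retention_too_short",
                             "retentionInDays": retention})
    return findings


if __name__ == "__main__":
    # To run against a live account, replace SAMPLE_LOG_GROUPS with the
    # concatenated "logGroups" pages from
    # boto3.client("logs").get_paginator("describe_log_groups").paginate().
    for f in audit_log_groups(SAMPLE_LOG_GROUPS):
        print(f)
```

Run it on a schedule and treat any finding as a ticket: a new log group created by a deploy with the default "never expire" is fine, but one created in a non-Indian region by a misconfigured Terraform provider is a jurisdiction gap nobody will notice until CERT-In asks for the logs.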

2. Synchronize Your Clocks

Configure NTP on all your systems to sync with NIC or NPL time servers (or a source traceable to them). This is a one-time setup that takes minutes, but do not stop at writing the config: confirm each host actually selects the NIC/NPL source, because an NTP client whose primary is unreachable will quietly sync to whatever fallback it can reach. Document the configuration and the verification.
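As an added example (not a CERT-In, NIC or NPL tool, and not code from the article), the script below parses what `chronyc sources` prints and reports whether the source chrony has actually selected is an approved NIC/NPL host with full reachability. The chronyc output embedded in it is constructed, and the hostnames in `APPROVED_SOURCES` are assumptions: verify them against the CERT-In FAQ on the directions and the NIC/NPL pages before deploying.

```python
"""Verify that a host's selected NTP source is an approved NIC/NPL server.

Added example for this article; parses `chronyc sources` text. Sample
outputs are constructed. Hostnames are assumptions to be verified.

Matching chrony.conf fragment (assumption: Debian/Ubuntu layout,
/etc/chrony/chrony.conf), with NIC/NPL preferred and the cloud
link-local NTP as a fallback only:
    server samay1.nic.in iburst prefer
    server samay2.nic.in iburst prefer
    server time.nplindia.org iburst
    server 169.254.169.123 iburst
"""
import re
import subprocess

APPROVED_SOURCES = {"samay1.nic.in", "samay2.nic.in", "time.nplindia.org"}
# chronyc "Reach" is an octal shift register of the last 8 polls; 377 = all OK.
FULL_REACH = "377"

# Column 1: M = mode (^ server, = peer, # local clock)
#           S = state (* selected, + combined, - excluded, ? unreachable,
#                      x false ticker, ~ too variable)
# Then: name, stratum, poll, reach, ... (rest of the line is ignored)
_LINE = re.compile(r"^([\^=#])([*+\-?x~])\s+(\S+)\s+(\d+)\s+(-?\d+)\s+(\d+)")


def parse_sources(text: str) -> list[dict]:
    """Turn `chronyc sources` output into one dict per source line."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rows.append({"mode": m.group(1), "state": m.group(2),
                         "name": m.group(3), "stratum": int(m.group(4)),
                         "poll": int(m.group(5)), "reach": m.group(6)})
    return rows


def check_sync(text: str, approved=APPROVED_SOURCES) -> dict:
    """Report which source is selected and whether it is approved and healthy."""
    selected = next((r for r in parse_sources(text) if r["state"] == "*"), None)
    if selected is None:
        return {"synced": False, "source": None, "approved": False, "reach_ok": False}
    return {"synced": True,
            "source": selected["name"],
            "approved": selected["name"] in approved,
            "reach_ok": selected["reach"] == FULL_REACH}


# Constructed: healthy host, NIC selected, cloud NTP merely a candidate.
SAMPLE_OK = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* samay1.nic.in                 1   6   377    34   +112us[ +205us] +/-   12ms
^+ samay2.nic.in                 1   6   377    35   -450us[ -450us] +/-   15ms
^- 169.254.169.123               3   6   377    33  +2000us[+2000us] +/-   30ms
"""

# Constructed: NIC unreachable (e.g. egress blocked from a private subnet),
# so chrony silently selected the fallback. Config looks fine; host is not
# on NIC/NPL time.
SAMPLE_FALLBACK = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? samay1.nic.in                 0   6     0     -     +0ns[   +0ns] +/-    0ns
^* 169.254.169.123               3   6   377    12  +1500us[+1500us] +/-   25ms
"""


def check_host() -> dict:
    """Run the check against the local chronyd (requires chrony installed)."""
    out = subprocess.run(["chronyc", "sources"], capture_output=True,
                         text=True, check=True).stdout
    return check_sync(out)


if __name__ == "__main__":
    print("ok host:      ", check_sync(SAMPLE_OK))
    print("fallback host:", check_sync(SAMPLE_FALLBACK))
```

Wire `check_host()` into whatever runs your other host checks and alert when `approved` is false or `reach_ok` is false; the second sample is exactly the failure a config review will not catch, because the config is correct and the host is still on the wrong clock.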

3. Create an Incident Response Playbook

Write a clear, step-by-step playbook for handling cyber incidents. The CERT-In notification belongs in the first hour, running in parallel with containment, not after the post-mortem. Your playbook should answer:

  • Who detects and confirms the incident?
  • Who drafts and sends the CERT-In notification?
  • What is the escalation chain?
  • Where are the reporting templates and contact details stored?

4. Designate a Point of Contact

Assign a specific person (and a backup) as the CERT-In Point of Contact. This person should have the authority to submit incident reports without waiting for multiple layers of approval. Six hours does not allow for lengthy internal sign-off chains.

5. Run Tabletop Exercises

At least once a quarter, run a simulated incident exercise with your team. Walk through a scenario: ransomware hits your production database at 2 AM on a Saturday. Can your team detect it, assess it, and submit a CERT-In report within 6 hours? If the answer is no, fix the gaps.

6. Get a Penetration Test

The best incident is the one that never happens. A penetration test identifies vulnerabilities in your systems before attackers find them. Fixing those vulnerabilities reduces your likelihood of having a reportable incident in the first place.

7. Know Your Attack Surface

You cannot protect what you do not know about. Many startups have forgotten subdomains, exposed staging environments, or misconfigured cloud storage that they are not aware of. Mapping your external attack surface is the first step toward securing it.

Take Action Now

Waiting until an incident happens to figure out your reporting obligations is a losing strategy. The 6-hour clock does not pause while you Google “how to report cyber incident India.”

Here is where to start:

  • Free 30-min discovery call: Founder-led scoping conversation. We will map your CERT-In readiness gap and recommend the right next step. No payment, no commitment.

  • Security Retainer (INR 24,999/month): 10 hours of founder-led work per month for ongoing execution. We can help you build your incident response playbook, set up logging, and prepare your CERT-In reporting process. Monthly Brand Protection and external attack surface scans bundled.

  • Startup Pentest (INR 74,999) or Growth Pentest (INR 1,79,999): Find and fix vulnerabilities before they become reportable incidents. The Growth plan includes SOC 2 + ISO 27001 audit prep.

  • Open EASD: Our free External Attack Surface Discovery tool. Enter your domain and get a snapshot of what attackers can see. No commitment required.

If you need structured help with CERT-In readiness, incident response planning, or compliance documentation, see our audit and compliance services.

The CERT-In directions are not going away. If anything, enforcement is tightening. Getting compliant now is cheaper and less painful than dealing with the consequences of non-compliance later.

Related: DPDP Act Compliance Checklist for SaaS Startups, RBI Cybersecurity Framework for Fintech Startups, SOC 2 + ISO 27001 ready pentest report sample.

Frequently Asked Questions

What is the CERT-In 6-hour reporting rule?

CERT-In requires every Indian body corporate, service provider, intermediary, data centre and government organisation to report cyber security incidents within 6 hours of noticing them or being notified of them. This covers the 20 incident types listed in Annex I of the April 2022 directions, including data breaches, ransomware and unauthorised access.

What happens if you don't report to CERT-In within 6 hours?

Non-compliance is punishable under Section 70B(7) of the IT Act, 2000: imprisonment up to one year, a fine up to INR 1 lakh, or both, with liability extending to the persons in charge of the company under Section 85. The 6-hour window starts when you detect the incident, not when you finish investigating it.

Does the CERT-In reporting rule apply to startups?

Yes. The directive applies to all companies, government bodies, and service providers in India regardless of size. Startups are not exempt.

What incidents trigger the CERT-In 6-hour reporting requirement?

Twenty types, listed in Annex I of the April 2022 directions. They range from targeted scanning of critical systems, unauthorised access and website defacement, through malicious code (ransomware, worms, trojans, cryptominers), attacks on servers and network devices, phishing and spoofing, DoS/DDoS, attacks on critical infrastructure and OT, attacks on applications, data breaches and data leaks, IoT, digital payment systems, malicious and fake mobile apps and social media account takeover, to attacks or suspicious activity affecting cloud systems, big data/blockchain/virtual-asset systems, and AI/ML systems. When in doubt about whether an incident is reportable, report: a brief notification that turns out to be a non-event is a far smaller problem than a missed deadline.

How do I actually report an incident to CERT-In?

Three channels are accepted. Email to incident@cert-in.org.in with incident details. Phone hotline at 1800-11-4949 (also published on CERT-In website). Online via the CERT-In incident reporting portal. Initial notification can be brief: what happened, when detected, who is affected, contact details for follow-up. Detailed forensics and root-cause analysis follow in subsequent updates. Include your designated CERT-In Point of Contact in every report. CERT-In publishes a reporting form template on cert-in.org.in that you can pre-fill and keep ready for incident response. Most mature incident response playbooks have the reporting email and form pre-drafted so a 2 AM incident does not turn into a 4 AM email-writing exercise.

When does the 6-hour clock start exactly?

At detection, not at occurrence and not after investigation completes. The directions use the words "noticing such incidents or being brought to notice": the clock starts the moment someone in the organisation notices the incident or is told about it. That includes the SOC analyst seeing the SIEM alert, the on-call engineer noticing anomalous traffic, the customer support agent receiving a phishing complaint, or the developer spotting the unauthorised data access in logs. If you discover today that a breach happened three months ago, the 6-hour clock starts when you discovered it today, not three months ago. The intent is to prevent organisations from delaying reporting under the pretext of internal investigation.

What is the 180-day log retention requirement?

All service providers, intermediaries, data centres, body corporates and government organisations must enable logs on their ICT systems and retain them within Indian jurisdiction for a rolling 180 days. The 30-day retention common in early-stage SaaS startups is out of compliance. Logs that matter include authentication and audit logs, application logs, network logs (firewall, IDS/IPS, proxy), DNS query logs and system event logs. "Within Indian jurisdiction" means stored in India, on infrastructure governed by Indian law: AWS ap-south-1 (Mumbai) or ap-south-2 (Hyderabad), GCP asia-south1 (Mumbai) or asia-south2 (Delhi), or the equivalent at another provider. Forward to a SIEM with an India region (Elastic, Splunk, ChaosSearch, Datadog) and set the rolling 180 days at the storage layer, not only as a dashboard setting. Many startups only discover the requirement during their first SOC 2 audit or their first CERT-In incident and have to re-engineer logging after the fact.

What is the NTP synchronisation requirement under CERT-In?

All entities must synchronise clocks to NIC NTP servers, NPL NTP servers, or NTP servers traceable to these; entities with infrastructure spanning multiple geographies may use another accurate standard time source as long as it does not deviate from NIC/NPL time. The requirement exists because incident timeline evidence is only useful if timestamps across systems are consistent: an investigation spanning firewall, application and database audit logs is meaningless if each clock drifts by seconds in different directions. NIC publishes samay1.nic.in and samay2.nic.in; NPL's server is time.nplindia.org. Confirm the current hostnames against the CERT-In FAQ on the directions and the NIC/NPL pages before baking them into configuration. For cloud deployments on AWS or GCP, configure chrony or systemd-timesyncd at the OS level on every instance with an NIC or NPL server as the preferred source and the provider's link-local NTP as a fallback, then verify that the host actually selects the NIC/NPL source: if NIC is unreachable from a private subnet, the client will silently sync to the fallback and the host will not be on NIC/NPL time.

Do VPN providers and cloud providers have additional CERT-In obligations?

Yes. VPN service providers must retain subscriber records for 5 years after cancellation, including validated names, validated addresses, contact numbers, email IDs, the IP addresses allotted to each subscriber, the period for which each subscriber used the service, and the purpose of using the service. Cloud and VPS providers must maintain accurate KYC records for their customers. This requirement is the reason multiple consumer VPN providers (NordVPN, ExpressVPN, ProtonVPN) withdrew their India servers in 2022. Indian-domiciled VPN and cloud providers must comply; foreign providers serving Indian customers must comply for the India-served portion or withdraw from the market.

What are the penalties for missing the CERT-In 6-hour deadline?

Penalties derive from Section 70B of the Information Technology Act, 2000. Section 70B(7) makes failure to comply with a CERT-In direction, or to furnish information CERT-In calls for, punishable with imprisonment up to one year, a fine up to INR 1 lakh, or both. Blocking public access to online content is a separate Central Government power under Section 69A, exercised through ISPs; it is not a penalty the directions themselves prescribe, though it remains part of the regulatory toolkit for serious cases. For companies, Section 85 of the IT Act extends liability for a contravention to the persons who were in charge of and responsible for the conduct of the business at the time, alongside the company itself; the CERT-In Point of Contact is a communication role, not the sole person on the hook. In practice, enforcement for first-offence reporting delays has typically taken the form of notices and follow-up questions rather than prosecution, but the legal exposure exists, and serious incidents (a data breach affecting many users, critical infrastructure) attract sharper scrutiny. The reputational, customer-trust and SOC 2 or ISO 27001 audit impact often outweighs the statutory penalty.

How does CERT-In's 6-hour rule compare to GDPR or HIPAA reporting timelines?

CERT-In's 6-hour window is among the shortest of the major incident reporting regimes. GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach (its clock, like CERT-In's, starts at awareness, so the two obligations run in parallel for an Indian company with EU users). The HIPAA Breach Notification Rule allows up to 60 days. India's Digital Personal Data Protection Act, 2023 adds a separate breach notification obligation to the Data Protection Board and to affected data principals, with timelines set by the DPDP Rules; check the notified Rules, because that obligation is in addition to, not instead of, the CERT-In report. At 6 hours versus 72, CERT-In is 12x faster than GDPR, which rules out lengthy internal deliberation, legal review or PR coordination before the first notification. The implication for incident response playbooks is that the initial CERT-In report is technical-team-driven, not legal-team-gated; legal and PR join for the follow-up updates.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Ashok Kamat on LinkedIn.
