Data>Nuance
Back to Blog
Compliance

CERT-In Cybersecurity Guidelines, 2022

February 18, 2025
8 min read
Data>Nuance Team

Introduction

The Computer Emergency Response Team of India (CERT-In) issued comprehensive cybersecurity directions in 2022, mandating specific information security practices and incident reporting requirements for organizations in India.

Key Requirements

1. Incident Reporting

  • Mandatory reporting within 6 hours of incident detection
  • Detailed incident information submission
  • Follow-up reports as investigation progresses
  • Coordination with CERT-In during response

2. Log Maintenance

  • Maintain logs for minimum 180 days
  • Synchronize system clocks with Network Time Protocol
  • Ensure log integrity and availability
  • Provide logs to CERT-In when requested

3. Information Security Practices

  • Implement appropriate security measures
  • Regular security audits and assessments
  • Vulnerability management programs
  • Security awareness training

Covered Entities

The directions apply to:

  • Service providers
  • Intermediaries
  • Data centers
  • Body corporate
  • Government organizations

Specific Requirements by Entity Type

Service Providers

  • VPN service providers must maintain customer logs
  • Cloud service providers must implement data localization
  • Cryptocurrency exchanges must maintain transaction records

Data Centers

  • Physical security measures
  • Access control systems
  • Environmental monitoring
  • Backup and recovery procedures

Compliance Framework

Technical Measures

  • Network security controls
  • Endpoint protection
  • Data encryption
  • Access management

Organizational Measures

  • Security policies and procedures
  • Incident response plans
  • Business continuity planning
  • Regular training programs

Incident Categories

Reportable incidents include:

  • Data breaches
  • Unauthorized access
  • Malware infections
  • Website defacements
  • Denial of service attacks
  • Ransomware incidents

Penalties and Enforcement

  • Non-compliance may result in penalties under IT Act 2000
  • Regulatory enforcement actions
  • Suspension of services
  • Criminal prosecution in severe cases

Implementation Recommendations

  • Conduct gap analysis against CERT-In requirements
  • Develop comprehensive incident response procedures
  • Implement automated log management systems
  • Establish regular compliance monitoring
  • Train staff on reporting obligations

Need Expert Data Protection Guidance?

Contact Data>Nuance for comprehensive data protection and compliance solutions tailored to your business needs.

Schedule a Consultation

Related Articles

Understanding GDPR Compliance for Indian Companies

Essential requirements for Indian businesses processing EU personal data.

Read More

CERT-In Cybersecurity Guidelines 2022

Comprehensive overview of mandatory cybersecurity practices in India.

Read More