Cert-In Direction On Reporting Cyber Incidents


On 28 April 2022, CERT-In issued a direction relating to “information security practices, procedures, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet” (“Direction”).1 The Direction has been issued under Section 70B(6) of the Information Technology Act, 2000 (“IT Act”). A summary of the provisions of the Direction is provided in Annexure A below.

The Direction has significantly widened the types of cyber security incidents that must be mandatorily reported to CERT-In. The Direction also imposes a strict timeline of 6 hours after notice of the incident for reporting such incidents to CERT-In and introduces several compliance requirements for different types of entities, including intermediaries, service providers, data centres, virtual private network service providers, cloud service providers, as also other entities such as “virtual asset service providers” and “virtual asset exchange providers”. The key compliances are discussed below.

Considering the wide wording of the Direction, it is likely to be applicable to almost each and every type of business operating within India. The Direction will be effective from June 28, 2022 and may require businesses to rethink and overhaul their cyber security practices and processes.

NDA is organising a webinar to further discuss the key aspects of the Direction and their impact on businesses in India on Wednesday, May 11, 2022. You may register for the webinar at this link.

We have discussed some key aspects of the Direction below.


Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”)2 issued under Section 70B(5) of the IT Act.

The CERT-In Rules required mandatory reporting of identified cyber security incidents (See Annexure B), while other cyber security incidents could be reported voluntarily. By way of the Direction, CERT-In has in a way amended several provisions of the CERT-In Rules.


  1. Reporting

    • Mandatory reporting requirements: The list of cyber security incidents which are mandatorily reportable…