CERT-In Compliance for Indian Businesses: A Practical Guide for 2025

January 20, 2025 · 8 min read · By Verentix Security Research

The Indian Computer Emergency Response Team — CERT-In — issued sweeping cybersecurity directives in April 2022 that fundamentally changed the compliance landscape for Indian businesses. Three years later, enforcement has progressively tightened.

Who Needs to Comply?

The short answer: almost every organisation with an internet presence in India. CERT-In's directives apply to service providers, intermediaries, data centres, body corporates, and government organisations.

The 6-Hour Incident Reporting Requirement

Organisations must report cybersecurity incidents to CERT-In within 6 hours of becoming aware of them. Not 24 hours. Not 72 hours like GDPR. Six hours. Reportable incidents include targeted scanning, compromise of IT systems, unauthorised access, website defacement, malware attacks, data breaches, and attacks on cloud systems.

To meet this requirement, you need incident detection capability, a documented incident response plan, and a designated point of contact registered with CERT-In.

Log Retention: 180 Days Rolling

CERT-In requires all organisations to maintain logs of their ICT systems for a rolling period of 180 days within Indian jurisdiction. This means firewall logs, IDS/IPS logs, web server access logs, application logs, database audit logs, and authentication logs.

VPN Provider Requirements

If your business operates a VPN service — including corporate VPNs — you are required to maintain subscriber and connection logs for 5 years.

What Happens If You Do Not Comply?

CERT-In can direct organisations to implement specific measures, block IT resources, and refer non-compliance to sector regulators like RBI, SEBI, or IRDAI — which have significant penalty powers.

How to Get Started

Start with a gap assessment. Prioritise incident reporting capability and log retention. Build your incident response plan. Register your point of contact with CERT-In. Verentix's CERT-In advisory service guides Indian businesses through the entire compliance process — typically 4-8 weeks.
