
CERT-In Incident Reporting: The 6-Hour Rule Every Startup Must Know

A practical guide to CERT-In's mandatory 6-hour cyber incident reporting requirement for Indian companies. Covers what incidents to report, how to report, penalties for non-compliance, and how to prepare.

Ashok Kamat, Cyber Secify

If you run a startup in India and handle any kind of digital infrastructure, there is a compliance requirement you need to know about. Since June 2022, every company operating in India must report cyber incidents to CERT-In within 6 hours of becoming aware of them. Not 6 business days. Not “when you get around to it.” Six hours.

Most founders we talk to have never heard of this rule. Some learned about it the hard way. This post breaks down what the rule says, what it means for your company, and how to make sure you are prepared if an incident happens.

What Are the CERT-In Directions?

On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In), which operates under the Ministry of Electronics and Information Technology (MeitY), issued a set of directions relating to information security practices, procedures, prevention, response, and reporting of cyber incidents. These directions became effective on June 27, 2022.

The directions apply broadly. If your organization falls into any of these categories, they apply to you:

  • Service providers
  • Intermediaries
  • Data centre operators
  • Body corporates (essentially any registered company)
  • Government organizations

In practical terms, if your startup is registered in India, or you run digital services for Indian users, treat these directions as applying to you.

The 6-Hour Rule Explained

The headline requirement is straightforward: you must report qualifying cyber incidents to CERT-In within 6 hours of noticing or being notified about the incident.

The clock starts when you become aware. Not when the incident actually occurred. If an attacker breached your system on Monday but you only discovered it on Thursday, your 6-hour window starts on Thursday when you found out.

This distinction matters. It means that even if you discover a breach that happened weeks ago, you still have a fresh 6-hour obligation the moment you learn about it.

Six hours is tight. For context, the EU’s GDPR gives organizations 72 hours to notify the supervisory authority, and only for personal data breaches. India’s window is 12 times shorter and covers a much wider set of incidents. That leaves almost no room for internal deliberation, legal review, or figuring out who is supposed to do what. You need a plan in place before an incident happens.

What Incidents Must Be Reported

Annexure I of the CERT-In directions lists 20 categories of cyber security incidents that trigger the reporting obligation. The ones a startup is most likely to meet, condensed:

  • Targeted scanning or probing: port scanning or vulnerability scanning aimed at critical networks or systems
  • Compromise of critical systems or information: unauthorized changes to critical infrastructure, data tampering
  • Unauthorized access to IT systems or data: someone gaining access to systems or data they should not have access to
  • Website defacement or intrusion: unauthorized modification of website content, injected malicious code or external links
  • Malicious code attacks: ransomware, trojans, worms, bots, spyware, cryptominers
  • Attacks on servers and network devices: database servers, mail servers, DNS servers, routers
  • Identity theft, spoofing, and phishing: fraudulent emails, fake login pages, credential harvesting targeting your organization
  • Denial of service (DoS) and distributed denial of service (DDoS) attacks: flooding your services with traffic to make them unavailable
  • Attacks on critical infrastructure, SCADA, OT systems and wireless networks: targeting operational technology and industrial control systems
  • Attacks on IoT devices and associated systems: compromising connected devices, botnets using IoT endpoints
  • Data breaches and data leaks: unauthorized exfiltration, exposure, or loss of personal or sensitive data
  • Attacks or suspicious activities affecting cloud computing systems: unauthorized access to cloud resources, cryptojacking
  • Attacks on digital payment systems: targeting UPI, payment gateways, or financial transaction systems
  • Supply chain compromise: not a separate line in Annexure I, but a compromise through third-party software, services, or vendors almost always lands in one of the categories above (unauthorized access, malicious code, data breach) and is reported as such

Annexure I also covers attacks on applications such as e-governance and e-commerce, malicious or fake mobile apps, unauthorized access to social media accounts, and attacks affecting systems related to AI/ML, big data, blockchain and virtual assets.

The scope is wide. A ransomware attack is an obvious trigger. But even targeted scanning or probing of your critical systems qualifies; the everyday background noise of internet-wide scanners does not, on its own. When in doubt, report.

How to Report

Incidents must be reported to CERT-In via email at incident@cert-in.org.in. The directions also give a toll-free phone number, 1800-11-4949, and you can report through the incident reporting form on the CERT-In website.

Your report should include:

  • Organization details: Name, sector, contact information
  • Incident details: Nature of the incident, systems affected, date and time of detection
  • Impact assessment: What data or services were affected, scope of impact
  • Actions taken: Immediate containment or mitigation steps already performed
  • Supporting information: Log files, IP addresses involved, indicators of compromise (IOCs)

The report does not need to be a polished document. The initial notification within 6 hours can be brief, with detailed follow-up information submitted afterward. The priority is timely notification, not a complete forensic analysis.

Other CERT-In Requirements Beyond the 6-Hour Rule

The 6-hour reporting window gets the most attention, but the 2022 directions include several other requirements that affect how you manage your infrastructure day to day.

180-Day Log Retention

All service providers, intermediaries, data centres, and body corporates must maintain logs of their ICT systems for a rolling period of 180 days. These logs must be maintained within Indian jurisdiction and provided to CERT-In upon request.

This means your logging infrastructure needs to capture and retain at least 6 months of data, and the storage itself has to sit in India, so check the region of whatever bucket, SIEM tenant, or log service holds it. If you are running lean and only keeping 30 days of logs, you are out of compliance.

Clock Synchronization

All ICT systems must have their clocks synchronized to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to these. CERT-In’s FAQ allows organizations whose infrastructure spans several countries to use another accurate, standard time source, provided it does not deviate from NIC/NPL time. Accurate timestamps are what let you, and CERT-In, reconstruct an incident’s timeline across hosts, so a drifting clock weakens your own investigation as well as your compliance.

VPN Provider Record Keeping

If you operate a VPN service for the public, you must keep subscriber records for a minimum of 5 years after the subscriber cancels or withdraws. Records include validated names, addresses and contact numbers, email addresses, the IP addresses allotted and the IP address and timestamp used at registration, the period of hire, and the purpose of using the service. CERT-In’s FAQ clarifies that this covers VPN services offered to general internet subscribers, not a corporate VPN you run for your own staff.

Cloud and VPS Provider KYC

Data centres, virtual private server (VPS) providers, cloud service providers, and VPN service providers must register and maintain accurate Know Your Customer (KYC) information about their customers, including verified identity and address details, for 5 years after the customer’s cancellation or withdrawal.

Penalties for Non-Compliance

The CERT-In directions were issued under Section 70B(6) of the Information Technology Act, 2000. Non-compliance can lead to:

  • Penalties under the IT Act: Section 70B(7) makes failure to provide information called for by CERT-In, or to comply with its directions, punishable with imprisonment of up to one year, a fine of up to one lakh rupees, or both.
  • Criminal prosecution: because Section 70B(7) is a penal provision, non-compliance is a criminal offence, not merely a civil or administrative matter.
  • Blocking of services: the directions themselves do not prescribe blocking; the government’s power to block public access to online content sits separately in Section 69A of the IT Act. Treat it as a remote escalation path rather than the routine consequence.
  • Reputational damage: regulatory action becomes public record and can damage investor confidence, customer trust, and partnership opportunities.

For a startup, the financial and reputational risk of non-compliance far outweighs the effort of setting up proper incident response processes.

How to Prepare: Practical Steps

Compliance with the CERT-In directions is not just about knowing the rules. It requires putting processes and infrastructure in place before an incident occurs. Here is what you should do now.

1. Set Up Centralized Logging

Deploy centralized log management that captures events from your servers, applications, cloud services, and network devices. Ensure retention is set to at least 180 days, and store logs within Indian jurisdiction. Solutions like the ELK stack, Grafana Loki, or managed SIEM services work well for startups.

2. Synchronize Your Clocks

Configure NTP on all your systems to sync with NIC or NPL time servers, or with an internal NTP server that itself syncs to them. The setup takes minutes, but it needs monitoring: a host that drifts or silently loses its time source is as non-compliant as one that was never configured. Document the configuration and alert on loss of synchronization.
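Both settings above fail quietly, so here is a small POSIX shell script, added as an example and not part of the original post or of any CERT-In material, that checks a logrotate policy for the 180-day minimum (daily, weekly, or monthly rotation, not just the daily case) and checks a chrony configuration plus saved `chronyc tracking` output against an allow-list of time sources. The NIC/NPL hostnames (samay1.nic.in, samay2.nic.in, time.nplindia.org) are written from memory of CERT-In’s FAQ and must be verified there before you deploy this; ntp1.corp.example is a placeholder for an internal NTP server chained to them; the 1-second offset limit is our own threshold, not a CERT-In figure; and the sample files the script writes are constructed, not real captures.

```shell
#!/bin/sh
# cert_in_readiness.sh: added example, not code from the original post.
# Local checks for two technical requirements of the CERT-In 2022 directions:
#   1. logs retained for at least 180 days (checked against a logrotate policy)
#   2. clocks synced to NIC/NPL NTP servers, or servers traceable to them (chrony)
# Assumptions: the NIC/NPL hostnames are from memory of CERT-In's FAQ and must be
# verified there; ntp1.corp.example is a placeholder for an internal NTP server
# that is itself chained to NIC/NPL; the 1 s offset limit is our own threshold.

CERTIN_MIN_RETENTION_DAYS=180
MAX_OFFSET_SECONDS=1
ALLOWED_NTP="samay1.nic.in samay2.nic.in time.nplindia.org ntp1.corp.example"

# Print a chrony.conf that uses only the allowed upstream servers.
render_chrony_conf() {
  for host in $ALLOWED_NTP; do
    echo "server $host iburst"
  done
  printf 'driftfile /var/lib/chrony/drift\nmakestep 1.0 3\nrtcsync\n'
}

# check_chrony_servers <chrony.conf>: 0 only if every server/pool line is allowed.
check_chrony_servers() {
  hosts=$(awk '$1 == "server" || $1 == "pool" { print $2 }' "$1")
  [ -n "$hosts" ] || { echo "no NTP sources configured" >&2; return 1; }
  status=0
  for host in $hosts; do
    case " $ALLOWED_NTP " in
      *" $host "*) ;;
      *) echo "disallowed NTP source: $host" >&2; status=1 ;;
    esac
  done
  return $status
}

# check_chrony_tracking <saved 'chronyc tracking' output>: 0 when chrony reports
# Leap status Normal (synchronised) and |System time offset| <= MAX_OFFSET_SECONDS.
check_chrony_tracking() {
  grep -q '^Leap status *: Normal' "$1" || { echo "chrony not synchronised" >&2; return 1; }
  awk -v max="$MAX_OFFSET_SECONDS" '
    /^System time/ { found = 1; off = $4 + 0; if (off < 0) off = -off }
    END { if (!found) exit 2; if (off <= max) exit 0; exit 1 }' "$1"
}

# check_logrotate_retention <logrotate policy>: 0 when period x rotate count
# keeps at least CERTIN_MIN_RETENTION_DAYS days of logs.
check_logrotate_retention() {
  period=$(awk '$1 ~ /^(daily|weekly|monthly)$/ { print $1; exit }' "$1")
  rotate=$(awk '$1 == "rotate" { print $2; exit }' "$1")
  case "$period" in
    daily)   per_rotation=1 ;;
    weekly)  per_rotation=7 ;;
    monthly) per_rotation=30 ;;
    *) echo "no rotation period found" >&2; return 2 ;;
  esac
  [ -n "$rotate" ] || { echo "no rotate count found" >&2; return 2; }
  days=$((rotate * per_rotation))
  [ "$days" -ge "$CERTIN_MIN_RETENTION_DAYS" ] ||
    { echo "retention is $days days, need $CERTIN_MIN_RETENTION_DAYS" >&2; return 1; }
}

# write_samples <dir>: constructed sample files (not real captures) for the demo.
write_samples() {
  printf 'daily\nrotate 30\ncompress\n'  > "$1/logrotate-30.conf"   # lean default, fails
  printf 'daily\nrotate 180\ncompress\n' > "$1/logrotate-180.conf"  # corrected policy
  printf 'pool 2.debian.pool.ntp.org iburst\n' > "$1/chrony-default.conf"  # distro default
  render_chrony_conf > "$1/chrony-certin.conf"
  printf '%s\n' 'Reference ID    : A1B2C3D4 (samay1.nic.in)' \
                'Stratum         : 2' \
                'System time     : 0.000318 seconds slow of NTP time' \
                'Leap status     : Normal' > "$1/tracking.txt"
}

demo() {
  tmp=$(mktemp -d)
  write_samples "$tmp"
  for f in logrotate-30.conf logrotate-180.conf; do
    if check_logrotate_retention "$tmp/$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
  done
  for f in chrony-default.conf chrony-certin.conf; do
    if check_chrony_servers "$tmp/$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
  done
  if check_chrony_tracking "$tmp/tracking.txt"; then echo "tracking: PASS"; else echo "tracking: FAIL"; fi
  rm -rf "$tmp"
}

demo
```

On a real host, point `check_chrony_servers` at /etc/chrony/chrony.conf, feed `chronyc tracking > /tmp/tracking.txt` to `check_chrony_tracking`, and run `check_logrotate_retention` over each policy in /etc/logrotate.d; wire the non-zero exits into whatever cron or monitoring job you already have so that drift or a quietly shortened retention raises an alert instead of surfacing during an incident.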

3. Create an Incident Response Playbook

Write a clear, step-by-step playbook for handling cyber incidents. CERT-In notification should run in parallel with containment, not wait for the investigation to finish. Your playbook should answer:

  • Who detects and confirms the incident?
  • Who drafts and sends the CERT-In notification?
  • What is the escalation chain?
  • Where are the reporting templates and contact details stored?

4. Designate a Point of Contact

Assign a specific person (and a backup) as the CERT-In Point of Contact. This person should have the authority to submit incident reports without waiting for multiple layers of approval. Six hours does not allow for lengthy internal sign-off chains.

5. Run Tabletop Exercises

At least once a quarter, run a simulated incident exercise with your team. Walk through a scenario: ransomware hits your production database at 2 AM on a Saturday. Can your team detect it, assess it, and submit a CERT-In report within 6 hours? If the answer is no, fix the gaps.

6. Get a Penetration Test

The best incident is the one that never happens. A penetration test identifies vulnerabilities in your systems before attackers find them. Fixing those vulnerabilities reduces your likelihood of having a reportable incident in the first place.

7. Know Your Attack Surface

You cannot protect what you do not know about. Many startups have forgotten subdomains, exposed staging environments, or misconfigured cloud storage that they are not aware of. Mapping your external attack surface is the first step toward securing it.

Take Action Now

Waiting until an incident happens to figure out your reporting obligations is a losing strategy. The 6-hour clock does not pause while you Google “how to report cyber incident India.”

Here is where to start:

  • Security on Demand (INR 9,999): 4 hours of founder-led security work. We can help you build your incident response playbook, set up logging, and prepare your CERT-In reporting process. Full refund if you don’t continue. Continue with us, and the fee comes off the price.

  • Startup Pentest (INR 74,999) or Growth Pentest (INR 1,79,999): Find and fix vulnerabilities before they become reportable incidents. Both plans include a Brand Protection Snapshot, and the Growth plan includes SOC 2 + ISO 27001 audit prep.

  • Open EASD: Our free External Attack Surface Discovery tool. Enter your domain and get a snapshot of what attackers can see. No commitment required.

If you need structured help with CERT-In readiness, incident response planning, or compliance documentation, see our audit and compliance services.

The CERT-In directions are not going away. If anything, enforcement is tightening. Getting compliant now is cheaper and less painful than dealing with the consequences of non-compliance later.

Frequently Asked Questions

What is the CERT-In 6-hour reporting rule?

CERT-In requires all Indian companies to report cyber security incidents within 6 hours of noticing them or being notified of them. This applies to data breaches, ransomware attacks, unauthorized access, and the other incident categories listed in Annexure I of the April 2022 directions.

What happens if you don't report to CERT-In within 6 hours?

Non-compliance is punishable under Section 70B(7) of the IT Act, 2000 with imprisonment of up to one year, a fine of up to one lakh rupees, or both. The 6-hour window starts from when you become aware of the incident, not when you finish investigating it.

Does the CERT-In reporting rule apply to startups?

Yes. The directive applies to all companies, government bodies, and service providers in India regardless of size. Startups are not exempt.

Tags: CERT-In, incident reporting, compliance, startup security, India, cybersecurity