CERT-In
Indian Computer Emergency Response Team Directions
India's mandatory cybersecurity directions requiring incident reporting within 6 hours, log retention for 180 days, and security audits for healthcare applications.
CERT-In — Official
Non-compliance can result in blocking of services and criminal prosecution
2 to 4 months for CERT-In compliance setup (logging, incident response, audit prep)
Generated code includes 180-day logging, NTP timestamps, and security scanning aligned with CERT-In requirements
CERT-In (Indian Computer Emergency Response Team) issued mandatory cybersecurity directions in April 2022 that apply to all organizations operating in India, including healthcare providers and health-tech companies. The directions are notably strict — requiring cybersecurity incident reporting within 6 hours (compared to 72 hours under GDPR), mandatory 180-day log retention, and synchronized system clocks. For healthcare apps, CERT-In compliance is also required for ABDM certification — CERT-In empanelled auditors must conduct security assessments before an app can move from ABDM sandbox to production.
What It Covers
Cybersecurity incident reporting within 6 hours to CERT-In
System log retention for a rolling 180-day period within Indian jurisdiction
NTP-synchronized system clocks for accurate event logging
KYC for VPN providers and cloud service operators
Mandatory security audit by CERT-In empanelled auditors (for ABDM apps)
Vulnerability disclosure and patch management
Penalties & Enforcement
Failure to report incidents within 6 hours — potential service blocking
Non-maintenance of logs — violation under IT Act, 2000
Criminal prosecution possible under Section 70B of IT Act for non-compliance
ABDM certification blocked without CERT-In empanelled audit clearance
Penalties under IT Act range from ₹1 lakh to ₹1 crore depending on violation
Real Enforcement Examples
N/A
2023-2024
Multiple health-tech companies
Several companies received non-compliance notices for failing to report cybersecurity incidents within the 6-hour window. CERT-In increased enforcement actions in the healthcare sector.
How VertiComply Helps
Comprehensive audit logging with 180-day retention capability
NTP-synchronized timestamps on all log entries
Incident detection and alerting workflows for 6-hour reporting
Security scanning to identify vulnerabilities before CERT-In audits
Generated code follows CERT-In security best practices
OWASP Top 10 protection built into all generated applications
Frequently Asked Questions
Does CERT-In apply to healthcare apps?
Yes. CERT-In directions apply to all organizations with computer systems in India, including healthcare providers, health-tech companies, and their service providers. It is also mandatory for ABDM certification.
Why is the 6-hour reporting window important?
India has one of the strictest incident reporting timelines globally (GDPR allows 72 hours). Healthcare organizations must have automated detection and pre-drafted notification templates ready to meet this window.
What logs must be retained for 180 days?
All ICT system logs — firewall logs, IDS/IPS logs, web server logs, application logs, authentication logs, and database access logs. They must be stored within Indian jurisdiction.
Build CERT-In-compliant from day one
VertiComply generates production-ready code with CERT-In safeguards built in automatically.
Quick Facts
Region: India
Category: Cybersecurity
Max Penalty: Non-compliance can
Manual Timeline: 2 to 4 months
With VertiComply: Minutes