In April 2022, India's CERT-In issued a directive that quietly changed the compliance calculus for every enterprise operating in the country: mandatory cyber incident reporting within 6 hours of detection.

For context, most enterprise incident response processes — even mature ones — take 6 hours just to confirm that an incident is real, notify internal stakeholders, and draft an initial situation report. CERT-In's mandate means that by the time many organisations finish internal triage, their regulatory deadline has already passed.

Criminal Liability: Non-compliance with CERT-In Directions under Section 70B of the IT Act can result in up to one year of imprisonment and significant fines. For regulated entities, sector-specific regulators compound this: RBI, IRDAI, SEBI, and DPBI all impose their own parallel obligations.

The Multi-Regulator Problem

The challenge isn't just the 6-hour window — it's that different regulators require different formats, different information, and different points of contact, all running in parallel from the same detection timestamp.

A bank that suffers a ransomware attack at 2:00 AM must simultaneously manage all of the following deadlines:

Regulator      Deadline from Detection   Format                           Notes
CERT-In        6 hours                   9-field prescribed format        IT Act §70B · criminal penalty
RBI            2–6 hours                 ITSS portal submission           RBI Master Directions on IT
IRDAI          6 hours                   Board-attested report            Revised Mar 2025 · down from 24 hours
SEBI           4 hours                   SCORES portal                    SEBI CSCRF April 2024
DPBI (DPDP)    72 hours                  Data Protection Board of India   Personal data breaches only · DPDP Act 2023

Doing this manually, under pressure, at 2:00 AM, is where organisations consistently fail. Not because they don't respond — but because they fail to report in time.

What Good Looks Like

The organisations that handle this well have three things in place before an incident happens:

1. Pre-built incident classification taxonomy

Every CERT-In reportable category — ransomware, data breach, DDoS, website defacement, phishing, unauthorised access — must be pre-defined as a dropdown selection for the SOC analyst. At 2:00 AM, analysts select from a dropdown rather than writing definitions. The 9-field CERT-In format must be templated and ready to populate.

2. Automated deadline calculation

The moment an incident is logged with a detection timestamp, every regulator deadline must be computed and displayed with a live countdown. The SOC should never be calculating deadlines manually. 30-minute escalation alerts for overdue notifications are essential for CERT-In and RBI windows.

3. AI-assisted initial report drafting

CERT-In's prescribed format has nine required fields. Having an AI assistant draft a compliant initial report from the incident details in under 30 seconds means the 6-hour window is spent on containment and communication — not paperwork.
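Point 2 above, the deadline engine, as an added example that is not part of the article and not RiskSage code. It takes the windows from the table, treats RBI's 2–6 hour range as a 2-hour planning deadline (an assumption), adds the DPDP window only when personal data is involved, and counts the 30-minute escalation alerts that should have fired once a deadline is missed.

```python
from datetime import datetime, timedelta, timezone

# Reporting windows as stated in the article's table. Assumptions made here:
# RBI's 2-6 hour range is planned against its shortest value, and DPDP is
# added only when the incident involves personal data.
IST = timezone(timedelta(hours=5, minutes=30))
WINDOWS = {
    "CERT-In": timedelta(hours=6),
    "RBI": timedelta(hours=2),
    "IRDAI": timedelta(hours=6),
    "SEBI": timedelta(hours=4),
    "DPBI (DPDP)": timedelta(hours=72),
}
ESCALATION = timedelta(minutes=30)  # repeat alert interval once a deadline is missed

def compute_deadlines(detected_at, regulators, personal_data=False):
    """Map each applicable regulator to its absolute deadline from detection."""
    regs = [r for r in regulators if r in WINDOWS]
    if personal_data:
        regs.append("DPBI (DPDP)")
    return {r: detected_at + WINDOWS[r] for r in regs}

def countdown(deadlines, now, reported=()):
    """Per-regulator state, earliest deadline first. Overdue entries carry the
    number of 30-minute escalation alerts that should have fired by `now`."""
    out = {}
    for reg, due in sorted(deadlines.items(), key=lambda kv: kv[1]):
        if reg in reported:
            out[reg] = {"state": "reported"}
        elif now <= due:
            out[reg] = {"state": "open", "minutes_left": int((due - now).total_seconds() // 60)}
        else:
            late = now - due
            out[reg] = {"state": "overdue", "minutes_overdue": int(late.total_seconds() // 60),
                        "alerts_fired": late // ESCALATION}
    return out

def demo():
    # Constructed scenario from the article: a bank detects ransomware at 02:00 IST,
    # personal data is involved, and the SOC checks the board at 06:31 IST.
    detected = datetime(2025, 1, 15, 2, 0, tzinfo=IST)
    deadlines = compute_deadlines(detected, ["CERT-In", "RBI"], personal_data=True)
    return countdown(deadlines, detected + timedelta(hours=4, minutes=31))

if __name__ == "__main__":
    for reg, state in demo().items():
        print(reg, state)
```

In the constructed scenario the RBI window has already been missed by 151 minutes (five escalation alerts), CERT-In has 89 minutes left, and the DPDP window is still days away.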

Important Distinction: The CERT-In initial report is a notification, not a final analysis. You are not expected to have root cause, full impact assessment, or attribution within 6 hours. What CERT-In requires is the 9-field initial report: incident category, detection timestamp, affected systems, estimated scope, point of contact, and initial containment actions taken.

The Log Retention Requirement

Buried in the CERT-In Directions is a requirement that most organisations discover only during inspection: all security logs must be retained in India for a rolling 180 days. This applies to 13 mandatory log source categories:

Firewall logs
IDS / IPS logs
Web Application Firewall (WAF)
EDR / XDR endpoint logs
SSO / IdP authentication logs
Application server logs
Database activity logs
VPN access logs
Cloud control plane logs
Mail gateway logs
DNS query logs
Network flow / NetFlow logs
Operating system event logs

For organisations running hybrid or multi-cloud environments, this is a non-trivial data architecture problem. WORM (Write Once Read Many) immutable storage is the recommended approach for critical sources. The logs must be available for production to CERT-In within 6 hours of a request — which means they must be indexed and searchable, not just archived.
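A retention gap check over the 13 categories above, as an added example that is not part of the article and not RiskSage code. The inventory format (oldest searchable record, ISO country code of the storage region, searchable and WORM flags) is an assumption; WORM is reported as advisory because the article recommends rather than mandates it.

```python
from datetime import date, timedelta

# The 13 mandatory log source categories listed in the article, checked against
# the rolling 180-day, in-India, searchable retention requirement it describes.
CERTIN_LOG_SOURCES = (
    "Firewall", "IDS / IPS", "WAF", "EDR / XDR", "SSO / IdP",
    "Application server", "Database activity", "VPN access",
    "Cloud control plane", "Mail gateway", "DNS query",
    "Network flow / NetFlow", "Operating system event",
)
RETENTION_DAYS = 180
AS_OF = date(2025, 6, 1)  # constructed inspection date

def check_retention(inventory, today):
    """inventory maps a category to a dict with keys oldest (date of the oldest
    searchable record), region (ISO country code), searchable (bool), worm (bool).
    Returns (category, severity, finding) tuples; no "gap" entries means compliant."""
    findings = []
    for cat in CERTIN_LOG_SOURCES:
        src = inventory.get(cat)
        if src is None:
            findings.append((cat, "gap", "no log source onboarded"))
            continue
        days = (today - src["oldest"]).days
        if days < RETENTION_DAYS:
            findings.append((cat, "gap", f"only {days} of {RETENTION_DAYS} days retained"))
        if src["region"] != "IN":
            findings.append((cat, "gap", f"stored outside India ({src['region']})"))
        if not src["searchable"]:
            findings.append((cat, "gap", "archived but not indexed/searchable"))
        if not src["worm"]:
            findings.append((cat, "advisory", "not on WORM/immutable storage"))
    return findings

def gaps(findings):
    return [f for f in findings if f[1] == "gap"]

def sample_inventory():
    # Constructed inventory: every source compliant, then five deliberate problems.
    inv = {cat: {"oldest": AS_OF - timedelta(days=200), "region": "IN",
                 "searchable": True, "worm": True} for cat in CERTIN_LOG_SOURCES}
    inv["DNS query"]["oldest"] = AS_OF - timedelta(days=90)  # short retention
    inv["VPN access"]["region"] = "SG"                        # outside India
    inv["Mail gateway"]["searchable"] = False                 # cold archive only
    del inv["Network flow / NetFlow"]                         # never onboarded
    inv["Firewall"]["worm"] = False                           # advisory only
    return inv

if __name__ == "__main__":
    for cat, sev, msg in check_retention(sample_inventory(), AS_OF):
        print(f"[{sev}] {cat}: {msg}")
```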

The Practical Takeaway

India's cyber incident reporting regime is now one of the strictest in the world. The 6-hour window is not aspirational — it is enforceable with criminal liability. Organisations that treat incident response as a manual, ad-hoc process will find themselves non-compliant not because they failed to respond, but because they failed to report on time.

The three investments that matter: a classification taxonomy pre-built before an incident, automated multi-regulator deadline calculation from the detection timestamp, and an AI-assisted initial report drafter for the CERT-In 9-field format.

RiskSage Capability: RiskSage by CreativeCyber automates the complete CERT-In incident response workflow — detection timestamp → deadline calculation for all five regulators → AI-drafted 9-field initial report → 30-minute overdue escalation → 180-day log retention tracker across all 13 CERT-In log source categories.
