Cyberattacks in India are growing more frequent and more dangerous. From ransomware to data breaches, organizations across sectors are under constant threat. In case of a cyber-attack or a data breach, responding quickly isn’t enough. Today, your response must also meet regulatory standards mandated by CERT-In.
The Indian Computer Emergency Response Team (CERT-In) is the national nodal agency responsible for handling cybersecurity incidents. If your organization suffers a breach, you’re legally required to report the cybersecurity incident within a strict timeline.
In this blog, we’ll walk you through:
- Types of Incidents That Must Be Reported
- How to report a cyber incident to CERT-In
- The cybercrime reporting timeline every business must follow
- The compliance steps to take after a breach
If you handle sensitive data or operate in a regulated industry, this guide is for you. Let’s get started.
Types of Incidents That Must Be Reported
Not every security glitch needs to be reported—but CERT-In has made it clear which ones do. According to the CERT-In compliance guidelines issued on April 28, 2022, specific types of cybersecurity incidents must be reported within a defined time window. If you experience any of the following, it’s your responsibility to report the incident:
- Malware Attacks: If malicious software compromises your systems, whether through a drive-by download or infected email attachments.
- Phishing or Spoofing Attempts: Fake emails, cloned websites, or impersonation attacks designed to steal user credentials or sensitive information.
- Unauthorized Access or Data Breach: Any unapproved access to your internal systems, databases, or cloud environments, including leakage of PII or financial data.
- Website Defacement: If your public-facing website is altered or tampered with, it’s considered a serious breach of digital trust.
- Ransomware or DDoS Attacks: Attacks that lock your files or overwhelm your servers with traffic, making them unavailable to users or clients.
The Indian government mandates that certain types of incidents be reported under the CERT-In compliance requirements. The CERT-In compliance guidelines are strict, and reporting these incidents is not optional. Whether you’re a startup, a bank, or part of critical infrastructure, you need to act fast and stay compliant.
Why Reporting Cyber Incidents Is a National Responsibility
CERT-In, under Section 70B of the IT Act, mandates the reporting of cybersecurity incidents by service providers, data centers, body corporates, and intermediaries.
If your organization operates in sectors like e-commerce, data hosting, financial services, or public infrastructure, you are legally required to report cyberattacks—whether it’s a phishing attempt, server breach, website defacement, or malware infection.
Every unreported incident risks not just your company, but the digital safety of over 1.2 billion citizens. Report cyber incidents immediately at incident@cert-in.org.in to stay CERT-In compliant.
How to Report a Cybersecurity Incident to CERT-In?
If your organization experiences a cyberattack, acting fast is not only good practice, but also the law. Wondering how to report a cybersecurity incident to CERT-In? Here’s a simple step-by-step guide you can follow:
Step 1: Respond Promptly, but Thoughtfully
Before anything else, contain the breach. Isolate affected systems immediately to stop the spread. Avoid rebooting—this could wipe out digital evidence that’s crucial for investigation. Run a forensic analysis. Understand what happened before sounding the alarm. This helps avoid panic or misinformation.
Step 2: Gather All the Technical Details
Start by collecting essential information. This includes:
- Logs (system, firewall, access)
- Timestamps
- Affected IPs/domains
- Email headers (for phishing)
- Screenshots or ransom notes
and a summary of what happened. The more accurate your data, the better CERT-In can assist.
Step 3: Inform Internal Teams
Before external communication, notify your top leadership. Share a clear internal report with your CISO, IT heads, legal, and compliance teams. Let them decide when and how to involve external stakeholders—including CERT-In and affected users.
Step 4: Fill Out the Incident Reporting Form
CERT-In provides an official Incident Reporting Form on their website. You’ll need to provide:
- Name of the organization
- Contact details
- Types of incidents (malware, phishing, ransomware, etc.)
- Date and time of detection
- Systems impacted
- Immediate actions taken
Make sure the information is complete and truthful. Partial or vague inputs may cause delays.
Step 5: Include Supporting Documentation
It’s not just the form. CERT-In encourages submission of supporting evidence such as log files, screenshots, and relevant artifacts. Depending on the incident type, additional data like PCAPs or copies of the suspicious files may be requested. If the incident involves ransomware, share the ransom note and behavior patterns. For phishing, include headers and email content.
Step 6: Send to the Official Email or Use the Portal
Once the form is filled out, send it to incident@cert-in.org.in along with the relevant attachments (logs, screenshots, PCAPs, or suspicious files, if available). If you prefer, you can also report it using the online portal available on the CERT-In website.
Step 7: Cooperate Fully
If CERT-In follows up with queries or requests for further clarification, make sure your tech or compliance teams are available to respond. Transparency helps you stay compliant and avoid penalties.
Step 8: Be Transparent While Communicating
When going public, be honest and clear.
Communicate:
- What happened
- Who’s affected
- What data was compromised
- What you’re doing about it
Keep it non-technical for customers. Reassure them with facts and empathy.
Step 9: Support Your Users
Offer guidance like:
- Changing passwords
- Monitoring suspicious account activity
- Using a helpline or support email for queries
Don’t blame others. Focus on how you’re taking control and helping them.
Step 10: Comply with Reporting Timelines
Under CERT-In compliance, some incidents must be reported within 6 hours of detection. Late reporting may lead to scrutiny or non-compliance penalties.
Tip: Build an incident response checklist within your IT/security policy to act quickly when needed.
Pro Tip: Don’t wait until an incident hits. Have this reporting flow documented in your internal security policy and train your team on how to act quickly.
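As an added example (not code from CERT-In or from Peneto Labs), the following Python script ties Steps 2, 4, 5 and 10 together: it checks that a draft report carries the form fields listed in Step 4 and the incident-specific evidence called for in Step 5, computes where you stand against the 6-hour window, and records SHA-256 hashes of the evidence files so the receiver can confirm attachments arrived unaltered. The dictionary key names, the sample incident and the sample evidence are constructed for this example and are not CERT-In's form schema.

```python
import hashlib
from datetime import datetime, timedelta
REPORT_WINDOW = timedelta(hours=6)  # directive: report within 6 hours of detection or awareness
# Required fields mirror the form items listed in Step 4; the key names are this example's own
REQUIRED_FIELDS = ("organization", "contact", "incident_type", "detected_at",
                   "systems_impacted", "actions_taken")
INCIDENT_TYPES = {"malware", "phishing", "unauthorized_access", "defacement", "ransomware", "ddos"}

def validate_incident(incident):
    """Return a list of problems with the record; an empty list means it is ready to send."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not incident.get(f)]
    kind = incident.get("incident_type")
    if kind and kind not in INCIDENT_TYPES:
        problems.append(f"unknown incident_type: {kind}")
    if kind == "phishing" and not incident.get("email_headers"):  # Step 5: headers for phishing
        problems.append("phishing report should include email headers")
    if kind == "ransomware" and not incident.get("ransom_note"):  # Step 5: ransom note
        problems.append("ransomware report should include the ransom note")
    return problems

def time_remaining(detected_at, now):
    """Seconds left in the 6-hour window (negative = late). ISO-8601 timestamps with UTC offset."""
    deadline = datetime.fromisoformat(detected_at) + REPORT_WINDOW
    return (deadline - datetime.fromisoformat(now)).total_seconds()

def evidence_manifest(evidence):
    """SHA-256 per attachment (name -> bytes) so the receiver can confirm nothing changed in transit."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(evidence.items())}

def build_report(incident, evidence, now):
    """Render the plain-text report body; raises ValueError if the record is incomplete."""
    problems = validate_incident(incident)
    if problems:
        raise ValueError("; ".join(problems))
    left = time_remaining(incident["detected_at"], now)
    status = "on time" if left >= 0 else f"LATE by {int(-left // 60)} min"
    lines = [f"Organization: {incident['organization']}", f"Contact: {incident['contact']}",
             f"Incident type: {incident['incident_type']}", f"Detected at: {incident['detected_at']}",
             f"Reporting status at {now}: {status}",
             f"Systems impacted: {', '.join(incident['systems_impacted'])}",
             f"Immediate actions: {'; '.join(incident['actions_taken'])}", "Evidence (SHA-256):"]
    lines += [f"  {name}  {digest}" for name, digest in evidence_manifest(evidence).items()]
    return "\n".join(lines)
# Constructed sample (not a real incident): a ransomware detection on a fictional file server
SAMPLE_INCIDENT = {"organization": "Example Pvt Ltd", "contact": "soc@example.invalid",
                   "incident_type": "ransomware", "detected_at": "2024-05-01T10:00:00+05:30",
                   "systems_impacted": ["file-srv-01"], "actions_taken": ["isolated host"], "ransom_note": "README_DECRYPT.txt"}
SAMPLE_EVIDENCE = {"firewall.log": b"2024-05-01T09:58:12+05:30 DENY 10.0.0.5 -> 203.0.113.7:445\n",
                   "README_DECRYPT.txt": b"constructed ransom note text\n"}
```

Calling `build_report(SAMPLE_INCIDENT, SAMPLE_EVIDENCE, "2024-05-01T12:30:00+05:30")` yields an "on time" report; the same call at 17:00 IST flags it as late by 60 minutes.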
Example: Fintech Breach Scenario
Imagine you’re a neobank in Chennai. Suddenly, your team discovers that customer Aadhaar and PAN details have leaked.
Here’s how you respond:
- Isolate affected systems and freeze access
- Launch a forensic investigation
- Inform your leadership team
- Report to CERT-In within the 6-hour deadline
- Notify customers and offer support
- Begin remediation with internal and third-party experts
This shows trust, preparedness, and compliance.
What Is the Timeline to Report a Cybercrime to CERT-In?
When it comes to cybersecurity, time is everything. The key points of the CERT-In directive (28th April 2022) are that all service providers, intermediaries, data centers, body corporates and enterprises must:
- Maintain logs of all ICT systems for 180 days and share them when requested for systems within the Indian jurisdiction.
- Report cyber incidents within 6 hours of detection or awareness to CERT-In. Delays in reporting may result in non-compliance penalties. You also risk investigations, and loss of business credibility if you miss it.
- Synchronize system clocks with NTP servers for accurate event tracking.
In addition:
- Data centers, VPS, cloud service, and VPN providers must maintain detailed customer records, including validated names, IP allocations, and ownership patterns, for at least 5 years.
- Virtual asset providers, exchanges, and custodian wallets must store KYC records and financial transactions for 5 years as mandated by the law even after any cancellation or withdrawal of the registration. For more information, visit. This requirement applies to virtual asset service providers operating within India or serving Indian users.
This timeline to report cybercrime to CERT-In isn’t a suggestion—it’s mandatory. Delaying the report beyond this six-hour window can lead to serious consequences. These may include:
- Regulatory penalties
- Loss of credibility with customers and partners
- Non-compliance with the IT Act or sectoral mandates from RBI, SEBI, or IRDAI
To avoid such risks, it’s smart to set up an internal incident response plan. Assign clear roles to your IT, cybersecurity, and compliance teams. Make sure everyone knows who collects the logs, who fills out the CERT-In form, and who sends the report.
Quick response not only ensures compliance but also helps contain the damage. Being prepared means you’re not panicking during a breach—you’re acting with a plan.
Final Thoughts
Cybersecurity incidents are the new reality, and how you respond to them makes all the difference. Following CERT-In compliances helps your business stay on the right side of the law, builds customer trust, and shows you take data security seriously.
At Peneto Labs, we help companies detect vulnerabilities, avoid breaches, and stay compliant through expert-led penetration testing and security audits.
Whether you’re in finance, healthcare, SaaS, or government projects—we’ve got your back. If you’re unsure about the process or want to set up a response plan that keeps your team ready, we’re here to help.
Contact Peneto Labs today for expert-led guidance, incident response support, and CERT-In aligned security audits. Stay safe, stay compliant.
Let’s secure your business before you incur any losses.