From startups to large enterprises, no business is completely immune to cyber threats. To strengthen the nation’s cybersecurity posture, the Indian Computer Emergency Response Team (CERT-In) issued a set of mandatory cybersecurity guidelines that every organization must follow. If you are a business owner in India searching for clarity on these rules, this blog will help you understand what’s required and why compliance is crucial.
What Is CERT-In?
CERT-In (Indian Computer Emergency Response Team) is the national agency under the Ministry of Electronics and Information Technology (MeitY).
Its main role is to monitor, detect, and respond to cybersecurity incidents across the country. The agency also issues guidelines, advisories, and directions that businesses must follow to ensure data security and system integrity.
In 2022, CERT-In released new cybersecurity directions under Section 70B(6) of the IT Act, 2000, making several measures mandatory for all entities operating in India.
Key Mandatory CERT-In Guidelines Businesses Must Follow
Let’s look at the major directives issued by CERT-In that businesses need to implement:
1. Reporting Cybersecurity Incidents Within Six Hours
All organizations must report cybersecurity incidents to CERT-In within six hours of detection. This includes events like data breaches, ransomware attacks, website defacement, or phishing campaigns. Timely reporting helps CERT-In analyze patterns and issue nationwide alerts to prevent further damage.
2. Synchronizing System Clocks with NTP Servers
Businesses must ensure their systems’ clocks are synchronized with the National Informatics Centre (NIC) or National Physical Laboratory (NPL) time servers. This helps maintain consistency in log timestamps and simplifies investigation during security incidents.
3. Storing Logs for 180 Days
All entities are required to maintain IT and network logs for at least 180 days (6 months). These logs must be stored securely and made available to CERT-In upon request for analysis and audits.
4. Data Retention by VPN, Cloud, and Hosting Providers
Data centers, VPNs, and cloud providers must store customer information such as:
- Names and contact details
- Ownership patterns
- IP addresses used for registration
- Usage and purpose of services
This data must be retained for five years, even after the user stops using the service.
5. Mandatory Incident Information Sharing
Businesses must share information regarding unusual cyber incidents, malware attacks, and network intrusions with CERT-In for national threat intelligence. This helps the agency build a collective defense framework for Indian cyberspace.
6. Appointing a Point of Contact (PoC)
Every business must assign a dedicated Point of Contact to coordinate with CERT-In during cybersecurity incidents. This ensures quick response and smoother communication during emergencies.
Who Needs to Follow CERT-In Guidelines?
The CERT-In guidelines apply to a wide range of entities, including:
- Government and public sector organizations.
- Private companies and startups.
- Data centers, cloud service providers, and VPN operators.
- Internet service providers (ISPs) and hosting firms.
- Financial institutions and e-commerce platforms.
In short, any organization offering digital services or handling user data in India must comply.
Common Challenges Businesses Face in Compliance
While the CERT-In guidelines are necessary, many organizations struggle with compliance due to:
- Lack of awareness of new directives.
- Limited internal cybersecurity expertise.
- Inadequate log management or infrastructure.
- Overdependence on third-party vendors for compliance.
To address these challenges, partnering with a CERT-In empanelled cybersecurity firm like Peneto Labs can be highly beneficial.
Why Work with a CERT-In Empanelled Company?
A CERT-In empanelled company is officially authorized to perform security audits and testing as per national standards. Working with such a partner ensures:
- Full compliance with Indian cybersecurity laws.
- Expert assessment of IT infrastructure and applications.
- Timely reporting and audit readiness.
- Better defense against cyber threats.
Penalties Your Business Will Face for Non-Compliance with CERT-In Guidelines
Ignoring CERT-In directives can have serious legal, financial, and reputational consequences for businesses operating in India. Under Section 70B(7) of the Information Technology Act, 2000, any organization that fails to report cybersecurity incidents or provide information to CERT-In can face:
- Imprisonment of up to one year,
- A fine, or
- Both, depending on the severity of the violation.
Beyond legal penalties, non-compliance also leads to:
- Regulatory setbacks: Non-adherence can result in failed IT audits or loss of compliance with frameworks like ISO 27001, GDPR, RBI, or SEBI cyber norms.
- Financial losses: Organizations risk penalties, data breach costs, and increased insurance premiums.
- Operational disruptions: CERT-In may initiate investigations or require corrective actions that can affect business continuity.
- Reputational damage: Failing to meet government cybersecurity standards can erode customer confidence and brand credibility.
- Increased vulnerability to cyberattacks:
In short, it’s always smarter to comply proactively than to face costly penalties, investigation delays, and long-term damage to your organization’s reputation.
How Can Businesses Ensure CERT-In Compliance Effectively?
Meeting CERT-In’s cybersecurity requirements isn’t just about avoiding penalties; it’s about building a secure, transparent, and resilient IT environment. Here’s how businesses can stay compliant and protected:
1. Understand the CERT-In Mandate
Start by reviewing the official CERT-In guidelines and the April 2022 directive. Identify which parts apply to your business, especially incident reporting timelines, log retention, and system synchronization requirements.
2. Collaborate with CERT-In Empanelled Vendors
Partnering with a CERT-In empanelled cybersecurity firm ensures your systems are tested and monitored in line with national security standards. These experts can conduct Vulnerability Assessments, Penetration Testing (VAPT), and compliance audits tailored for Indian businesses.
About Peneto Labs
Peneto Labs is a cybersecurity company committed to helping businesses strengthen their digital security and regulatory compliance. With deep expertise in vulnerability assessment, penetration testing (VAPT), and compliance audits, Peneto Labs assists Indian and UAE organizations in meeting mandatory CERT-In guidelines and global security standards such as OWASP, ISO 27001, and NIST.
The company’s security professionals combine advanced testing methodologies with practical risk management insights to deliver accurate, actionable, and compliance-ready reports. Trusted by enterprises across finance, IT, and government sectors, Peneto Labs empowers organizations to detect, respond, and recover from cyber threats, ensuring data protection and long-term resilience.
3. Appoint a Compliance Officer or Team
Designate a dedicated cybersecurity or compliance officer responsible for coordinating with CERT-In. This team should maintain detailed records of incidents, responses, and communications for audit purposes.
4. Establish a Robust Incident Response Plan (IRP)
Your organization must have a documented and tested IRP that outlines steps to detect, respond to, and report security incidents within six hours as required by CERT-In.
5. Implement Continuous Monitoring and Logging
Maintain system and application logs for at least 180 days, and ensure they are stored securely in India. Use SIEM (Security Information and Event Management) tools to detect suspicious activities early.
6. Synchronize System Time with NTP Servers
Ensure that all ICT systems (servers, routers, firewalls, and applications) are synchronized with Network Time Protocol (NTP) servers designated by CERT-In. This helps maintain consistency in incident timelines and reports.
7. Train Employees and Stakeholders
Regularly conduct cybersecurity awareness sessions to help employees recognize phishing, malware, and data theft attempts. Human error remains one of the biggest causes of breaches.
8. Maintain Documentation and Audit Trails
Keep clear records of all security events, reports, and responses. During CERT-In audits or inspections, proper documentation demonstrates transparency and proactive compliance.
9. Review and Update Policies Regularly
CERT-In requirements evolve with emerging threats. Review your cybersecurity and data protection policies every quarter to stay aligned with the latest directives.
Partnering with a CERT-In empanelled cybersecurity company like Peneto Labs can simplify compliance by providing security audit support, real-time monitoring, and expert reporting assistance, ensuring your business meets every mandatory requirement confidently.
Final Thoughts
The CERT-In cybersecurity guidelines are not just regulatory formalities; they are essential for building a resilient and trustworthy digital business environment in India. As cyber threats evolve, compliance with these directives ensures your business remains secure, credible, and legally protected.
If your organization hasn’t yet aligned with these rules, now is the right time to act. Partner with Peneto Labs, a CERT-In empanelled cybersecurity company, to safeguard your systems, data, and brand reputation. Call us today!