
Key takeaway
Under CERT-In's 2022 Directions, organisations operating in India must report specified cyber incidents within 6 hours of becoming aware of them, retain logs within India for 180 days, and synchronise clocks to NIC/NPL NTP servers. The 2025 audit policy adds mandatory annual comprehensive ICT audits.
What the 6-hour rule requires
CERT-In's Directions under Section 70B of the IT Act, issued on 28 April 2022, require specified cyber incidents to be reported to CERT-In within 6 hours of detection, in the prescribed format.
Six hours is operationally demanding. It assumes you can detect incidents quickly and have an agreed reporting process, which in practice means 24/7 monitoring and an incident-response playbook prepared in advance.
Beyond reporting: logs and time sync
The Directions add two further technical obligations that auditors check, along with a contact-registration requirement.
- Retain ICT system logs securely within Indian jurisdiction for 180 days
- Synchronise all system clocks to NIC or NPL NTP servers
- Register accurate contact details with CERT-In
The 2025 audit policy
CERT-In's Comprehensive Cyber Security Audit Policy Guidelines, issued on 25 July 2025, shift India from checkbox audits towards resilience. They require at least one comprehensive ICT audit per year, independent reviewers, signed audit certificates, and coverage of cloud, AI, blockchain and third-party risk.
Financial regulators (RBI, SEBI, IRDAI) all require CERT-In empanelled auditors, so one empanelled audit can serve multiple regulator filings.
How IntelligenceX helps
We prepare your 6-hour reporting playbook, validate log retention and NTP configuration, and deliver CERT-In aligned comprehensive ICT audits and VAPT with an empanelled-style report and independent review.
Frequently asked questions
What is the CERT-In 6-hour reporting rule?
It requires organisations operating in India to report specified cyber incidents to CERT-In within 6 hours of becoming aware of them. Meeting it in practice requires 24/7 detection and a prepared incident-response process.
Do I need a CERT-In empanelled auditor?
For RBI, SEBI and IRDAI filings, yes, an empanelled auditor is expected. Using one means a single audit can support multiple regulator requirements.