Among India’s cybersecurity obligations, one stands out for its sheer speed: CERT-In’s directions require certain cyber incidents to be reported within six hours of noticing them. For most organisations, six hours is not long at all — barely time to confirm what has happened, let alone respond calmly — which is exactly why readiness, rather than good intentions, is what determines whether you actually comply on the day it matters.
What the directions cover
Issued under the Information Technology Act, CERT-In’s directions apply broadly to organisations operating in India — companies, intermediaries, data centres, cloud providers and other service providers. The headline is the six-hour reporting rule, but the directions also set supporting expectations that make incident investigation possible in the first place, and that are just as binding:
- Six-hour reporting of specified incident types after they are noticed or brought to your notice.
- Log retention for a defined period, maintained within India, so incidents can be investigated after the fact.
- Synchronised clocks to a common, reliable time source, so that logs across different systems line up during an investigation — a small detail that becomes critical when reconstructing an attack.
- Reachable points of contact and a duty to cooperate with CERT-In during and after an incident.
The reportable categories are specific and cover a wide range — from targeted scanning and unauthorised access to data breaches, attacks on critical systems and more — so mapping which of them apply to your environment is an essential part of being ready rather than a detail to work out mid-crisis.
Why six hours is genuinely hard
The clock starts when you notice the incident, or when it is brought to your notice. That single detail is what makes the rule so demanding: your ability to comply depends entirely on detecting quickly and escalating without friction. An organisation that only learns about a breach days later has already failed the spirit of the rule, no matter how quickly it then files its report. This reframes the obligation in an important way — six-hour reporting is a monitoring and escalation problem long before it is a paperwork problem. If your detection is slow, your alerting is noisy, or your escalation path is unclear, no report template in the world will save you. The organisations that struggle are usually those that invested in reporting mechanics but not in the ability to notice.
Specific incident categories, reporting formats and retention periods are set out in CERT-In’s directions and accompanying FAQs, and are updated periodically. Confirm the current requirements before finalising your procedures.
How to be ready
- Know what is reportable. Map the incident categories to your environment in advance, so you are recognising a reportable event rather than debating definitions while the clock runs.
- Detect and escalate fast. Invest in monitoring and a clear, rehearsed escalation path with named roles — the six-hour window is won or lost here, not in the reporting form.
- Pre-build the report. Have the template, the contact details and the submission channel ready and tested, so filing takes minutes rather than hours of hunting for the right information and the right person.
- Fix logging and time synchronisation now. Ensure logs are retained as required and clocks are synchronised, so the evidence exists and lines up when you need to investigate and report.
- Rehearse. A tabletop exercise turns a first-time scramble into a familiar routine and reliably exposes the gaps — the unclear ownership, the missing contact, the log that was not being kept — while you can still fix them cheaply.
The wider benefit
Preparing for the six-hour rule is not wasted effort even setting the regulation aside, because everything it demands — fast detection, clear escalation, good logging, a practised response — is exactly what limits the damage of any serious incident. Meeting CERT-In’s deadline and responding well to a breach are, in practice, the same capability. Build it for the regulator and you get the operational resilience for free.
The takeaway
The organisations that consistently meet the six-hour bar are simply the ones that decided, ahead of time, exactly what they would do — who detects, who decides it is reportable, who files, and with what information. Build that muscle before an incident, keep your logging and contacts in order, and rehearse it, and the deadline becomes a manageable routine rather than a source of dread.