A CERT-In Empanelled Auditing Organization
Home/Blog/Regulatory Updates
Regulatory Updates

CERT-In’s six-hour incident reporting: what Indian organisations must do

Among India’s cybersecurity obligations, one stands out for its sheer speed: CERT-In’s directions require certain cyber incidents to be reported within six hours of noticing them. For most organisations, six hours is not long at all — barely time to confirm what has happened, let alone respond calmly — which is exactly why readiness, rather than good intentions, is what determines whether you actually comply on the day it matters.

What the directions cover

Issued under the Information Technology Act, CERT-In’s directions apply broadly to organisations operating in India — companies, intermediaries, data centres, cloud providers and other service providers. The headline is the six-hour reporting rule, but the directions also set supporting expectations that make incident investigation possible in the first place, and that are just as binding:

The reportable categories are specific and cover a wide range — from targeted scanning and unauthorised access to data breaches, attacks on critical systems and more — so mapping which of them apply to your environment is an essential part of being ready rather than a detail to work out mid-crisis.

Why six hours is genuinely hard

The clock starts when you notice the incident, or when it is brought to your notice. That single detail is what makes the rule so demanding: your ability to comply depends entirely on detecting quickly and escalating without friction. An organisation that only learns about a breach days later has already failed the spirit of the rule, no matter how quickly it then files its report. This reframes the obligation in an important way — six-hour reporting is a monitoring and escalation problem long before it is a paperwork problem. If your detection is slow, your alerting is noisy, or your escalation path is unclear, no report template in the world will save you. The organisations that struggle are usually those that invested in reporting mechanics but not in the ability to notice.

Specific incident categories, reporting formats and retention periods are set out in CERT-In’s directions and accompanying FAQs, and are updated periodically. Confirm the current requirements before finalising your procedures.

How to be ready

  1. Know what is reportable. Map the incident categories to your environment in advance, so you are recognising a reportable event rather than debating definitions while the clock runs.
  2. Detect and escalate fast. Invest in monitoring and a clear, rehearsed escalation path with named roles — the six-hour window is won or lost here, not in the reporting form.
  3. Pre-build the report. Have the template, the contact details and the submission channel ready and tested, so filing takes minutes rather than hours of hunting for the right information and the right person.
  4. Fix logging and time synchronisation now. Ensure logs are retained as required and clocks are synchronised, so the evidence exists and lines up when you need to investigate and report.
  5. Rehearse. A tabletop exercise turns a first-time scramble into a familiar routine and reliably exposes the gaps — the unclear ownership, the missing contact, the log that was not being kept — while you can still fix them cheaply.

The wider benefit

Preparing for the six-hour rule is not wasted effort even setting the regulation aside, because everything it demands — fast detection, clear escalation, good logging, a practised response — is exactly what limits the damage of any serious incident. Meeting CERT-In’s deadline and responding well to a breach are, in practice, the same capability. Build it for the regulator and you get the operational resilience for free.

The takeaway

The organisations that consistently meet the six-hour bar are simply the ones that decided, ahead of time, exactly what they would do — who detects, who decides it is reportable, who files, and with what information. Build that muscle before an incident, keep your logging and contacts in order, and rehearse it, and the deadline becomes a manageable routine rather than a source of dread.

CERT-InIncident ResponseComplianceIndia
Share

Keep reading

Related insights

Regulatory Updates

RBI, SEBI and IRDAI: keeping pace with India’s financial-sector cyber rules

The financial regulators have raised the bar on cyber resilience. A high-level map of what RBI, SEBI and IRDAI expect - and how to stay current.

4 min read
Regulatory Updates

PCI DSS v4.0.1 in 2026: every requirement is now mandatory

The grace period is over - since March 2025 every PCI DSS v4.x requirement is enforceable. What changed, and what card-handling businesses must do now.

3 min read
Regulatory Updates

GDPR for Indian companies serving EU customers

The GDPR reaches beyond Europe. When it applies to Indian companies, what it requires, and how it overlaps with your DPDPA work.

3 min read

Have a question this raised?

Our team turns guidance like this into working compliance and security programmes. Tell us where you are — we’ll help you plan the next step.