Part 13.1

CERT-In 2022 Directions

"6-Hour Rule and Mandatory Compliance"

Indian Computer Emergency Response Team (CERT-In) - History, April 2022 Mandatory Directions, Scope, Applicability, 20 Incident Types, Timeline, and Penalties under IT Act Section 70B.

1.1

CERT-In - Introduction and History

CERT-In Overview

Aspect	Details
Full Form	Indian Computer Emergency Response Team
Establishment	2004 under IT Act 2000
Legal Basis	IT Act Section 70B (inserted by Amendment 2008)
Parent Ministry	Ministry of Electronics and IT (MeitY)
Headquarters	New Delhi
Function	National nodal agency for cyber incidents

IT Act Section 70B(4)

CERT-In Powers

"The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of cyber security: (a) collection, analysis and dissemination of information on cyber incidents; (b) forecast and alerts of cyber security incidents; (c) emergency measures for handling cyber security incidents; (d) coordination of cyber incidents response activities; (e) issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents."

1.2

28 April 2022 Directions - Key Provisions

CERT-In Directions 2022 - Scope

Applicable To:

1. Service Providers

2. Intermediaries

3. Data Centres

4. Body Corporates

5. Government Organizations

Effective Date: 28 June 2022 (60 days from notification)

Extended for MSMEs/Startups: 25 September 2022

Key Requirement	Timeline/Details	Non-Compliance Penalty
Incident Reporting	Within 6 hours of noticing	IT Act Section 70B(7) - Up to 1 year imprisonment or fine up to Rs. 1 lakh
Log Retention	180 days (rolling)	IT Act penalties apply
NTP Synchronization	ICT systems synced with Indian Standard Time (IST)	Compliance failure penalties
Point of Contact	Designated POC within organization	Must be available 24x7
VPN Provider KYC	Maintain subscriber records for 5 years	Service disruption possible

1.3

20 Types of Mandatory Reportable Incidents

Reportable Cyber Incidents (within 6 hours)

#	Incident Type	Example
1	Targeted scanning/probing	Port scanning, vulnerability scanning
2	Compromise of critical systems	Server compromise, admin access breach
3	Unauthorized access to IT systems	Hacking, credential theft
4	Defacement of websites	Website tampering
5	Malicious code attacks	Virus, ransomware, worm
6	Attack on servers	SQL injection, XSS attacks
7	Identity theft, spoofing, phishing	Email spoofing, fake websites
8	Denial of Service (DoS/DDoS)	Traffic flooding attacks
9	Attack on critical infrastructure	Power grid, banking systems
10	Attack on applications (e-governance, e-commerce)	Payment gateway attacks
11	Data breach	Personal data leak
12	Data leak	Confidential information exposure
13	Attack on IoT devices	Smart device compromise
14	Attack on digital payment systems	UPI, IMPS fraud attacks
15	Attack through malicious mobile apps	Fake banking apps
16	Fake mobile apps	Impersonation apps
17	Unauthorized access to social media accounts	Account takeover
18	Attacks on cloud computing systems	Cloud infrastructure breach
19	Attacks on AI/ML systems	Model poisoning, adversarial attacks
20	Any other incident not listed above	Novel attack types

1.4

Maharashtra Context - Implementation

Maharashtra Cyber and CERT-In Coordination

Maharashtra Cyber Cell: Works in coordination with CERT-In for incident response

Reporting Path:

1. Report to CERT-In (mandatory, within 6 hours)

2. Parallel report to Maharashtra Cyber (if criminal)

3. Sector regulator (RBI, SEBI, IRDAI as applicable)

Mumbai IT/ITES Companies: Must comply with CERT-In directions, maintain POC, and ensure log retention

Pune IT Hub: Large number of IT companies must implement SOC/SIEM for compliance

Practical Scenario - Maharashtra IT Company

Compliance Example

A Pune-based IT company detects ransomware at 2:00 AM. Action Required: (1) Report to CERT-In by 8:00 AM (6-hour rule); (2) Preserve logs (180 days); (3) Notify affected clients; (4) If personal data involved, consider DPDPA obligations; (5) File NC/FIR at cyber police station if financial loss.

1.5

Penalties and Consequences

IT Act Section 70B(7)

Penalty for Non-Compliance

"Any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for, or comply with the direction issued by CERT-In, shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both."

Violation	Legal Consequence	Business Impact
Failure to report incident within 6 hours	Section 70B(7) - Up to 1 year / Rs. 1 lakh	Regulatory scrutiny, reputation damage
Non-maintenance of logs (180 days)	Compliance failure, investigation hindrance	Unable to prove defense, increased liability
No designated POC	Direction non-compliance	Communication gaps during incident
VPN provider KYC failure	Service suspension possible	Business disruption

Key Points - Part 13.1

CERT-In - National nodal agency under IT Act Section 70B; established 2004
28 April 2022 Directions - Mandatory compliance for all service providers, intermediaries, data centers
6-Hour Rule - All 20 types of incidents must be reported within 6 hours of detection
Log Retention - 180 days rolling retention mandatory for all ICT systems
NTP Synchronization - All systems must sync with Indian Standard Time (IST)
POC Designation - 24x7 available Point of Contact required
VPN Providers - 5-year KYC record retention; subscriber details mandatory
Penalty - Up to 1 year imprisonment or Rs. 1 lakh fine under Section 70B(7)
Maharashtra - Maharashtra Cyber coordinates with CERT-In; dual reporting for criminal incidents
Sector Regulators - RBI, SEBI, IRDAI have additional requirements beyond CERT-In