Skip to main content

New CERT-In Guidelines for Security Breaches: What You Need to Know

by Chris Brook on Monday April 29, 2024

Contact Us
Free Demo

In India, new CERT-In guidelines for security breaches have introduced new requirements for businesses to comply with, including one that requires organizations to report certain cybersecurity incidents to the office within six hours of discovery.

Network security and data protection have become the prevailing theme of recent years, as nations around the world race to enact laws to govern future technology. 

The expanding presence of the Internet, and the financial incentives it entertains, have attracted attention from a variety of individuals—and not all of them have the best intentions. 

A sharp uptick in cybercrime has already put companies on red alert, but new CERT-In guidelines for security breaches have introduced further requirements for firms to comply with.

If your business is likely to be affected by such changes, keep reading to learn more about the CERT-In guidelines, their scope, and best practices for compliance.

In this article:


Image by Selena Jain from Pixabay

What Are the New CERT-In Guidelines?

The Indian Computer Emergency Response Team, or "CERT-In," is in charge of specifying what measures must be taken by firms operating within their jurisdiction, or with data concerning India's citizens.

From issuing guidelines and vulnerability notes to directly collecting security breach information in cyberspace, CERT-In is India's response to the unprecedented growth of worldwide networks and the threats that permeate them. 

A recent batch of new guidelines from CERT-In introduces requirements in response to perceived security gaps, and these guidelines could impact the response team's capacity to perform risk and incident analysis at scale. These measures have been mandatory since 2022.

The new CERT-In guidelines for security breaches govern incident reporting, data retention, and more. The intention is to streamline collaborative security efforts between the Indian government and firms utilizing the network for operations that impact Indians.

For example, the new guidelines for security breaches call for extremely quick communication with the national authority in the event that such a breach occurs. More specifically, breaches must now be reported within six hours of discovery.

We'll go over the defined scope of CERT-In's guidelines below and cover the new guidelines themselves.


Photo by Glenn Carstens-Peters on Unsplash

CERT-In Guidelines and Scope

CERT-In Scope

CERT-In's guidelines are intended to apply to "any entity whatsoever" involved in handling Indian data, even if that entity resides overseas. The following types of entities are specifically listed in the Cyber Security Directions:

  • Service providers - Internet service providers are included here, as are cloud service providers, virtual asset services, and government organizations. Intermediaries are covered as well.
  • Data centers - These include virtual private server providers.
  • Corporate bodies - Firms, sole proprietorships, and all other professional associations qualify.


The actual guidelines put forth by CERT-In in 2022 are as follows:

  • Clock sync - All affected entities will need to synchronize their systems' clocks to the Network Time Protocol server of the National Informatics Centre or the National Physical Laboratory.
  • Reporting - All cyber incidents must be reported to CERT-In within six hours of detection. Reports can be submitted by email to [email protected], by phone at 1800-11-4949 or by fax to 1800-11-6969.
  • Requests - Organizations must comply with orders for information in specific formats and within timeframes provided by CERT-In.
  • Logging - Logs must be enabled for all network systems and maintained for a rolling period of 180 days within the Indian jurisdiction.
  • Data preservation - Service providers and data centers must register the names, periods/purposes of hire, IP addresses, email addresses, physical addresses, contact numbers, and ownership patterns of their customers. This information must also be preserved for at least five years following service cancellation. 
  • Transaction tracking - Virtual asset service providers must record Know Your Customer information and financial transaction details for five years. All identifying information must be preserved to facilitate the reconstruction of individual transactions, including public keys, timestamps, IPs, and accounts.

For a more information about this, check out the following video:

Best Practices for CERT-In Guideline Compliance

Always Report Incidents

Regardless of the nature of your operations or the other parties witnessing a security breach, you are expected to report it independently to CERT-In. The obligation of reporting is "neither transferable nor indemnified or dispensed with."

However, 'vulnerabilities' need not be reported in the absence of an actual incident. Incidents may include anything from targeted security probing and denial of service attempts to the compromise of critical systems, etc.

Designate a Point of Contact

Any organization operating in India or handling Indian data is expected to have a designated point of contact within the nation who can communicate directly with CERT-In.

Report Information On Hand On Time

Even if you don’t have access to all the information concerning a given incident within the six-hour window following its detection, you are expected to provide whatever information you have at that moment to CERT-In for assessment.

Final Thoughts

Defending against cyber crimes is a concern of increasing importance in today's always online environment. 

As compliance comes into the picture, companies of all kinds will need to step up their security practices to keep customers’ data safe and satisfy authorities simultaneously.


Image by Rishi Gangoly from  Pixabay

Frequently Asked Questions

What is the role of the CERT-In?

CERT-In produces guidelines and other resources to help protect network participants within India. The organization engages in active awareness campaigns to help combat cyber threats and helps mitigate attacks with IT security leadership in the country.

What is the national CERT-In India?

CERT-In is the Indian Computer Emergency Response Team. It performs routine data collection and analysis on cyber threats and security breaches to help provide better defensive guidance and deter and prevent future cybercrime.

Who is the head of CERT India?

CERT-In is headed by Dr. Sanjay Bahl, a renowned cybersecurity expert with a distinguished career in the field. With extensive experience and expertise, he has contributed significantly to enhancing cybersecurity practices globally. Dr. Bahl's leadership and research have played a pivotal role in safeguarding digital infrastructure and promoting cyber resilience.

Tags:  Compliance

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.

Get the latest security insights
delivered to your inbox each week.