CERT-In Compliance Services India | Directions 2022 | eShield

CERT-In Compliance Services India

CERT-In Directions 2022 — Expert Advisory & Implementation

The Indian Computer Emergency Response Team (CERT-In) issued binding Directions in April 2022 that impose mandatory cybersecurity obligations on all organisations operating in India. Non-compliance can result in penalties under the IT Act 2000. eShield helps you understand, implement, and maintain CERT-In compliance.

Get a CERT-In Compliance Assessment

CERT-In Directions 2022: Key Obligations

🚨 6-Hour Incident Reporting

60+ categories of cybersecurity incidents must be reported to CERT-In within 6 hours of detection. This includes data breaches, ransomware, website defacement, DDoS, and unauthorised access.

📋 180-Day Log Retention

All ICT system logs — including network, application, security, and access logs — must be retained for a minimum of 180 days and stored within India.

🕐 NTP Synchronisation

All ICT infrastructure must synchronise time to NAS (National Physical Laboratory, India) or NIC NTP servers. Accurate timestamps are essential for incident investigation and log correlation.

🔒 Data Localisation (VPN/Cloud)

VPN providers, cloud service providers, and virtual asset service providers must register with CERT-In and maintain subscriber data — including logs — in India for 5 years.

🔍 Vulnerability Management

Organisations must track known and suspected vulnerabilities and security incidents. CERT-In may request information or technical assistance at any time — organisations must cooperate.

👥 POC Registration

Service providers, intermediaries, data centres, and government entities must designate a Point of Contact for CERT-In and register within 6 hours of direction issuance.

eShield CERT-In Compliance Services

🔎 CERT-In Gap Assessment

Comprehensive assessment against all CERT-In Directions 2022 obligations — incident reporting capability, log retention setup, NTP configuration, data localisation compliance, and POC registration.

🚨 Incident Reporting Programme

Design and implement your 6-hour incident reporting workflow — detection playbooks, CERT-In notification templates, escalation procedures, and tabletop exercises to validate response time.

📋 Log Management Implementation

Architect and implement centralised log management — SIEM configuration, log sources coverage (network, endpoints, applications), 180-day retention, and India-based storage.

🕐 NTP Remediation

Audit your NTP configuration across servers, network devices, and endpoints. Remediate to NAS/NIC NTP sources and document as evidence of compliance.

VAPT & Vulnerability Management

Annual penetration testing and continuous vulnerability scanning to maintain a defensible security posture. Reports structured for CERT-In compliance evidence.

👥 DPO / POC Registration Support

Help your organisation designate and register a CERT-In Point of Contact, prepare registration documentation, and establish the communication channel with CERT-In.

Who Must Comply with CERT-In Directions?

The Directions apply broadly to all organisations with ICT infrastructure in India. Specific obligations vary by entity type:

All Corporates & SMEs Banks & NBFCs Government Bodies Cloud Service Providers VPN Providers Data Centres Intermediaries Virtual Asset Service Providers Critical Infrastructure Operators

Are You CERT-In Compliant?

Most Indian organisations are still not fully compliant with the 2022 Directions — particularly on log retention, NTP synchronisation, and the 6-hour reporting window. Get a free assessment today.

Get a Free CERT-In Assessment