TL;DR for founders
If you run a company in India — or a foreign company with Indian users — you must report any of twenty listed cyber incidents (ransomware, data breach, unauthorised access, DDoS, phishing, AI/ML compromise, and more) to CERT-In within 6 hours of noticing. The law is Direction (ii) of the 28 April 2022 CERT-In Directions under Section 70B(6) of the IT Act, 2000 (effective 28 June 2022). Miss the deadline and the penalty under Section 70B(7) is up to 1 year jail and/or ₹1 lakh fine, plus downstream regulator exposure. First step tonight: confirm your CERT-In Point of Contact is on file and reachable at 2am.
Who this playbook is for
In scope — entities that must comply with all provisions of the 28 April 2022 CERT-In Directions:
- Service providers of every kind serving users in India (telecom, ISP, SaaS, PaaS, IaaS, managed services)
- Intermediaries as defined in Section 2(1)(w) of the Information Technology Act, 2000 ('IT Act') — social media platforms, marketplaces, hosting providers, search engines
- Data Centres — colocation, hyperscale, captive
- Body corporates — any company, firm, sole proprietorship or other commercial/professional association (definition borrowed from Section 43A IT Act, as confirmed in CERT-In FAQ Q.25, May 2022)
- Virtual Private Server (VPS) providers, Cloud Service providers, and VPN Service providers (the public-facing "Internet proxy like services" variety — CERT-In FAQ Q.34 clarified enterprise/corporate VPNs are out of scope)
- Virtual asset service providers, virtual asset exchange providers, custodian wallet providers (as defined from time to time by the Ministry of Finance)
- Government organisations at Union, State and local level
Foreign entities: CERT-In FAQ Q.26 (May 2022) confirms applicability to any entity — including foreign companies — "in the matter of cyber incidents and cyber security incidents". Sections 1 and 75 IT Act provide the extraterritorial hook.
MSMEs: in scope, but the original Directions became effective on 25 September 2022 for Micro, Small and Medium Enterprises (per the extension order dated 27 June 2022, relying on Ministry of MSME notification S.O. 1702(E) dated 1 June 2020 under Section 7 of the Micro, Small and Medium Enterprises Development Act, 2006 to classify MSMEs).
Not in scope:
- Individual citizens (CERT-In FAQ Q.7, May 2022) — though citizens may voluntarily report via cybercrime.gov.in
- Enterprise/corporate VPNs used internally by a company for its own workforce (FAQ Q.34)
- Standalone vulnerability disclosure unconnected to an incident (FAQ Q.15 — voluntary only at present)
Prerequisites
Everything on this list must be in place before an incident occurs. The 6-hour clock does not wait for you to build it.
Documents needed:
- Board-approved Incident Response (IR) Policy naming CERT-In reporting as a mandatory step and fixing internal escalation timelines of ≤ 2 hours from detection to classification
- Current CERT-In Annexure II Point of Contact submission (Name, Designation, Organisation Name, Office Address, Email ID, Mobile No., Office Phone, Office Fax — filed with info@cert-in.org.in)
- Network Time Protocol (NTP) synchronisation design document confirming all ICT systems sync either to NIC (samay1.nic.in, samay2.nic.in) or NPL (time.nplindia.org), or to an accurate standard source that does not deviate from them (Direction (i); FAQ Q.40–43)
- Log retention architecture document showing rolling 180-day retention within Indian jurisdiction per Direction (iv), covering firewall, IPS, SIEM, web/DB/mail/FTP/proxy, critical system event logs, application logs, VPN logs, SSH logs — including both successful and unsuccessful events (FAQ Q.37)
- Pre-drafted initial notification email template (see Section 6 below)
- Evidence naming convention:
{incident-id}_{entity}_{yyyymmddhhmm-IST}_{artefact-type}.{ext}
Roles required:
- CERT-In Point of Contact — individual (not a role mailbox) with 24x7 reachability; backup PoC mandatory
- Chief Information Security Officer (or equivalent) — signs off classification decision
- General Counsel / outside counsel — reviews notification wording in parallel with technical triage (not sequentially)
- Data Protection Officer — assesses simultaneous Section 8(6) DPDP Act obligation if personal data is involved
- Executive sponsor (CEO, MD, or CRO) — informed within 60 minutes of classification as a reportable incident
Approvals needed:
- Board or senior-management resolution adopting the IR Policy and pre-authorising the PoC to file incident reports without further internal clearance
- Pre-approved external counsel retainer or panel, so the 6-hour window is not consumed by procurement
Step-by-step incident reporting process
Step 1: Detect and timestamp the event
What: Capture the precise moment the incident was noticed or brought to the entity's notice. This is the start of the 6-hour clock (Direction (ii); CERT-In FAQ Q.24, May 2022).
Where: SIEM console, helpdesk ticketing system, IR war-room channel, and a write-once detection log.
How: Record (a) detection source (alert, customer complaint, external disclosure, regulator notice); (b) wall-clock timestamp in IST and UTC with time zone noted; (c) detecting analyst name; (d) first-seen indicator. Direction (i) requires NTP-synchronised clocks so this timestamp is forensically defensible.
Templates: Use a standing "Incident First-Notice" form in the ticketing system with NTP-source metadata automatically stamped.
Common mistakes: Treating a customer tweet as the detection time when helpdesk only escalated it four hours later; failing to record the external reporter's identity; timestamping in "server local" time without UTC offset.
Step 2: Trigger the incident response team within 60 minutes
What: Escalate from first-line to the IR team including the CERT-In PoC, CISO, General Counsel and DPO.
Where: IR war-room (Teams/Slack channel or bridge line) kept perpetually live for activation.
How: Single page-out to all tier-1 responders including the 24x7 mobile of the CERT-In PoC. Treat this as a no-regrets activation — stand-down is easier than starting late.
Templates: Pre-saved distribution list "IR-T1" in the page-out tool.
Common mistakes: Waiting for "confirmation" before paging — the statute measures from noticing, not from confirming; routing the page-out through an approval chain that sleeps between 10pm and 8am.
Step 3: Classify against CERT-In Annexure I
What: Determine whether the event falls within the twenty reportable categories listed in Annexure I to the 28 April 2022 Directions.
Where: IR war-room; decision recorded in the incident ticket.
How: Walk the Annexure I list of twenty reportable categories: (i) targeted scanning/probing of critical networks; (ii) compromise of critical systems/information; (iii) unauthorised access of IT systems/data; (iv) website defacement or malicious-code/link insertion; (v) malicious code (virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers); (vi) attacks on Database/Mail/DNS servers and Routers; (vii) identity theft, spoofing and phishing; (viii) DoS and DDoS; (ix) attacks on Critical Infrastructure, SCADA, OT and Wireless networks; (x) attacks on e-governance/e-commerce applications; (xi) Data Breach; (xii) Data Leak; (xiii) IoT device attacks; (xiv) digital-payment system attacks; (xv) malicious mobile apps; (xvi) fake mobile apps; (xvii) unauthorised access to social media accounts; (xviii) cloud computing attacks; (xix) Big Data / Blockchain / virtual assets / custodian wallets / Robotics / 3D-4D Printing / additive manufacturing / Drones; (xx) Artificial Intelligence and Machine Learning system attacks.
Per FAQ Q.30, incidents meeting any of these criteria must also be reported within 6 hours even if narrowly outside the twenty categories: (a) severe incidents (intrusion, ransomware, DoS/DDoS) on public-information or backbone infrastructure; (b) Data Breaches or Data Leaks; (c) large-scale or high-frequency intrusions; (d) incidents impacting human safety.
Templates: Annexure I checklist embedded in the incident ticket template with one-click mapping.
Common mistakes: Treating ransomware in a "development environment" as non-reportable (category v — there is no dev-vs-prod carve-out); deciding unilaterally that an AI/ML model compromise (category xx) is "not a cyber event"; parking the decision for "more evidence" past Hour 4.
Step 4: Preserve evidence and freeze logs
What: Snapshot affected systems and ring-fence the relevant log segments covered by Direction (iv)'s 180-day retention obligation.
Where: Immutable storage tier (WORM bucket or offline tape) within Indian jurisdiction.
How: (a) Disk/memory imaging of compromised hosts; (b) export of the last 72 hours of firewall, IPS, SIEM, web server, application, DB, VPN and authentication logs; (c) hash each artefact (SHA-256) and record in a chain-of-custody register; (d) ensure NTP-sync metadata is preserved alongside. CERT-In FAQ Q.37 lists the non-exhaustive log inventory; capture both successful and unsuccessful events.
Templates: Chain-of-custody register with columns — Artefact ID | Source Host | Collection Time (IST/UTC) | Collector | SHA-256 | Storage Location | Access Log.
Common mistakes: Re-imaging a compromised host to "recover service" before the image is preserved; allowing 31-day log rotation to silently overwrite relevant windows; storing evidence only outside India (FAQ Q.35 permits logs to be kept outside India only if their production to CERT-In within a reasonable time is assured, and that relaxation covers logs alone; it does not displace Direction (iv)'s requirement that the 180-day retention be maintained within Indian jurisdiction).
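The Step 1 timestamping and Step 4 evidence-handling procedures, as an added worked example (not tooling from the playbook or from CERT-In): it derives the Direction (ii) Hour-4 target and Hour-6 limit from the first-noticed time in both IST and UTC, applies the evidence naming convention, and keeps a SHA-256 chain-of-custody register with the columns listed above. Incident ids, hostnames and artefact bytes are constructed sample values.

```python
"""Intake helper for Steps 1 and 4 of the playbook (added example, not CERT-In's or the
playbook's own tooling): derives the Direction (ii) deadlines from the first-noticed time,
names artefacts per {incident-id}_{entity}_{yyyymmddhhmm-IST}_{artefact-type}.{ext}, and
keeps a SHA-256 chain-of-custody register. Incident ids, hosts and data are constructed."""
import csv
import hashlib
import io
from dataclasses import asdict, dataclass, fields
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30), name="IST")
HARD_LIMIT = timedelta(hours=6)  # Direction (ii): 6 hours from noticing
TARGET = timedelta(hours=4)      # playbook target, keeps a 2-hour buffer


def _both(t: datetime) -> dict:
    """Render one instant in IST and UTC, as Step 1 requires."""
    return {"ist": t.astimezone(IST).isoformat(),
            "utc": t.astimezone(timezone.utc).isoformat()}

def deadlines(first_noticed: datetime) -> dict:
    """Hour-0, Hour-4 target and Hour-6 hard limit from the time the incident was
    noticed or brought to notice (FAQ Q.24), not from confirmation. Naive timestamps
    are rejected: 'server local' time without an offset is the Step 1 mistake."""
    if first_noticed.tzinfo is None:
        raise ValueError("first_noticed must carry a timezone (IST or UTC)")
    return {"first_noticed": _both(first_noticed),
            "target": _both(first_noticed + TARGET),
            "hard_limit": _both(first_noticed + HARD_LIMIT)}

def is_breached(first_noticed: datetime, filed_at: datetime) -> bool:
    """True when the report went out after the Hour-6 limit."""
    return filed_at - first_noticed > HARD_LIMIT

def artefact_name(incident_id: str, entity: str, collected_at: datetime,
                  artefact_type: str, ext: str) -> str:
    """Apply the naming convention. Underscores separate fields, so a field that
    itself contains '_' (or a path separator) is refused as ambiguous."""
    for f in (incident_id, entity, artefact_type, ext):
        if not f or any(c in f for c in "_/\\"):
            raise ValueError(f"invalid field for naming convention: {f!r}")
    stamp = collected_at.astimezone(IST).strftime("%Y%m%d%H%M") + "-IST"
    return f"{incident_id}_{entity}_{stamp}_{artefact_type}.{ext}"

@dataclass
class CustodyRow:
    """One line of the Step 4 register, in the playbook's column order."""
    artefact_id: str
    source_host: str
    collection_time_ist: str
    collection_time_utc: str
    collector: str
    sha256: str
    storage_location: str
    access_log: str

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_artefact(register: list, *, incident_id: str, entity: str,
                    source_host: str, collector: str, artefact_type: str, ext: str,
                    data: bytes, collected_at: datetime, storage_location: str,
                    access_log: str = "") -> CustodyRow:
    """Hash the artefact before it leaves the collector, name it per convention
    and append a register row; later tampering is caught by verify()."""
    both = _both(collected_at)
    row = CustodyRow(
        artefact_id=artefact_name(incident_id, entity, collected_at, artefact_type, ext),
        source_host=source_host, collection_time_ist=both["ist"],
        collection_time_utc=both["utc"], collector=collector,
        sha256=sha256_hex(data), storage_location=storage_location,
        access_log=access_log)
    register.append(row)
    return row

def verify(row: CustodyRow, data: bytes) -> bool:
    """Re-hash the stored bytes and compare with the register entry."""
    return sha256_hex(data) == row.sha256

def register_csv(register: list) -> str:
    """Serialise the register for the chain-of-custody record."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=[f.name for f in fields(CustodyRow)])
    w.writeheader()
    for row in register:
        w.writerow(asdict(row))
    return out.getvalue()
```

Feed `deadlines()` the SIEM first-notice time, not the confirmation time, and run `verify()` against the WORM copy whenever an artefact is produced to CERT-In.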
Step 5: Draft the initial incident notification
What: Prepare the first report to CERT-In with the facts available at the time — partial information is acceptable (FAQ Q.30).
Where: IR war-room; template stored in the IR runbook.
How: Populate the CERT-In incident reporting form (hosted at https://www.cert-in.org.in/PDF/certinirform.pdf per FAQ Q.30) with: reporter identity, affected entity, incident type (Annexure I category), first-noticed timestamp, systems affected, preliminary impact, containment actions taken, initial IoCs, PoC contact.
Templates: See Section 6 below — short initial notification email template.
Common mistakes: Waiting for "complete" information before filing (the Directions permit and FAQ Q.30 encourages a first-cut report with follow-ups); attaching un-redacted customer PII in the first email without legal review; omitting the Annexure I category number.
Step 6: Transmit to CERT-In before Hour 6
What: Submit the initial notification via one of the three statutorily specified channels.
Where: Channels authorised in Direction (ii) and Annexure I of the 28 April 2022 Directions:
- Email: incident@cert-in.org.in
- Phone: 1800-11-4949 (toll-free)
- Fax: 1800-11-6969 (toll-free)
- Web form reference: https://www.cert-in.org.in/PDF/certinirform.pdf (attach the completed PDF to the email)
How: Primary channel is email to incident@cert-in.org.in with the completed form as a PDF attachment and the initial notification body in the email. For critical incidents (public-infrastructure impact, safety of human beings, large-scale breach) place a parallel call to the toll-free number to confirm receipt. Save the sent-item and read-receipt as part of the chain-of-custody.
Templates: Email template in Section 6.
Common mistakes: Sending from a role mailbox whose bounce-back goes unchecked; sending without CC to the filing entity's PoC; claiming the 6-hour clock starts at email-send rather than at detection.
Step 7: Notify other regulators in parallel (where applicable)
What: CERT-In reporting does not discharge parallel obligations to sectoral regulators or to the Data Protection Board of India.
Where: Sectoral regulator channels — RBI-CSITE (banks), SEBI (CSCRF-covered entities), IRDAI (insurers), TRAI/DoT (telecom), MeitY for intermediaries whose incident engages Rule 3(1)(l) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Where personal data is involved, file a parallel intimation under Section 8(6) of the Digital Personal Data Protection Act, 2023 ('DPDP Act') to the Data Protection Board of India and to each affected Data Principal in the form and manner under Rule 7 of the DPDP Rules 2025.
How: Use regulator-specific templates on regulator timelines — independent of CERT-In's 6-hour clock. FAQ Q.22 confirms Section 81 IT Act overrides contractual confidentiality; it does not substitute for sectoral filings.
Common mistakes: Treating CERT-In as a one-stop filing; assuming MeitY or RBI is automatically copied by CERT-In; filing the DPDP intimation days later when it should be concurrent.
Step 8: Respond to CERT-In follow-up and supplementary directions
What: Under Direction (iii), CERT-In may issue further orders calling for action, information or assistance — up to near-real-time data.
Where: Communications go to the registered Annexure II PoC.
How: Acknowledge every CERT-In ask within the specified timeframe; non-response is itself non-compliance. An officer not below the rank of Deputy Secretary to the Government of India may requisition logs (FAQ Q.38). Maintain a correspondence log: inbound request → acknowledgement → response → artefact hash.
Common mistakes: Unmonitored PoC mailbox; objecting on confidentiality grounds (Section 81 IT Act overrides — FAQ Q.22); producing logs without chain-of-custody.
Step 9: File supplementary and closure reports
What: Supplementary updates as investigation progresses; a closure report when remediation is complete.
Where: Same incident@cert-in.org.in thread; keep the original incident ID in the subject line.
How: Supplementary reports cover updated scope, root cause, containment/eradication, recovery timeline, and lessons learned. Closure report confirms the incident is contained, remediated and monitored, with a residual-risk note.
Common mistakes: Letting the thread go silent for weeks; closing internally without a closure update to CERT-In.
Step 10: Post-incident review and control uplift
What: Document the incident, update the IR Policy, run a tabletop within 30 days of closure, and refresh the Annexure II PoC if roles changed.
Where: Security governance forum (IR Committee or Board Risk Committee).
How: Produce a written after-action report covering detection lag (target < 60 min), classification lag (< 120 min), notification lag (< 4 hours — 2-hour buffer against the 6-hour limit), control gaps, and remediation owners. Refile Annexure II if any field changed.
Common mistakes: Closing "done" without fixing the control gap; failing to refile Annexure II when the PoC leaves.
Timeline
| Milestone | Statutory deadline | Realistic timeline (target buffer) |
|---|---|---|
| Detection logged | Direction (ii) — 6-hour clock starts from "noticing" | Hour 0 (instantaneous) |
| Internal escalation to IR team | Not prescribed | Hour 0 to Hour 1 |
| Classification against Annexure I | Not prescribed | Hour 1 to Hour 2 |
| Initial notification drafted | Not prescribed | Hour 2 to Hour 3 |
| Notification transmitted to CERT-In | Hour 6 hard limit | Hour 4 (2-hour buffer) |
| Regulator parallel filings (RBI/SEBI/IRDAI/DPDP where applicable) | Sector-specific | Hour 4 to Hour 12 |
| Supplementary report | On CERT-In request or as facts evolve | Hour 24, Hour 72, Day 7 |
| Closure report | When incident is remediated | Typically Day 30 – Day 90 |
The 6-hour clock does not pause for weekends, holidays or night hours. CERT-In FAQ Q.24 confirms the clock runs from "noticing the incident or being brought to notice about such incident" — not from business-hours start.
Template clauses / language
Template A — Initial incident notification email to CERT-In
To: incident@cert-in.org.in
Cc: [Internal PoC], [Internal Legal], [Internal DPO]
Subject: Cyber Incident Report — [Entity Name] — [Annexure I Category] — [YYYY-MM-DD HH:MM IST]
Dear Team CERT-In,
This is an initial notification under Direction (ii) of the CERT-In Directions dated
28 April 2022 issued under Section 70B(6) of the Information Technology Act, 2000.
1. Reporting entity: [Legal name, registered office address, CIN/LLPIN]
2. Annexure II PoC on file: [Name, Designation, Mobile, Email]
3. Incident type (Annexure I category): [e.g., "(v) Malicious code attack – Ransomware"
or "(xi) Data Breach"]
4. First noticed / brought to notice: [YYYY-MM-DD HH:MM IST / UTC]
5. Affected systems / services (preliminary): [Brief list]
6. Preliminary scope: [Number of users/records/systems if known, else "under assessment"]
7. Containment actions taken so far: [Brief list — network isolation, credential reset,
patching, forensic imaging]
8. Indicators of compromise available: [Attach IOC list or "under collection"]
9. Information still being gathered: [Gap list]
10. Attachment: Completed CERT-In Incident Reporting Form
(https://www.cert-in.org.in/PDF/certinirform.pdf)
A supplementary report will follow as further facts become available. Please revert
to the undersigned PoC with any queries or directions.
Regards,
[CERT-In PoC Name]
[Designation]
[Entity]
Mobile: [24x7 number] | Email: [PoC mailbox]
Template B — Incident Response Policy excerpt (CERT-In obligations)
Clause [X.X] — CERT-In Reporting Obligation
The [Entity] shall report every cyber security incident falling within any of the
twenty categories listed in Annexure I to the CERT-In Directions dated 28 April 2022
issued under sub-section (6) of section 70B of the Information Technology Act, 2000,
or meeting any of the criteria set out in CERT-In FAQ Q.30 (May 2022), to CERT-In
within 6 hours of the incident being noticed or brought to the [Entity]'s notice.
The CERT-In Point of Contact designated under Direction (iii) is [Name / Designation]
and the backup Point of Contact is [Name / Designation]. The current Annexure II
submission is held at [document repository reference].
Reporting shall be made by email to incident@cert-in.org.in, with the CERT-In
Incident Reporting Form completed to the extent of then-available information,
supported where relevant by a parallel toll-free call to 1800-11-4949.
The 6-hour clock shall not be treated as pausing for weekends, public holidays or
non-business hours. The [Entity]'s contractual confidentiality obligations shall not
delay or dilute CERT-In reporting; Section 81 of the Information Technology Act, 2000
overrides such clauses.
Internal audit checklist
Run this quarterly; re-run the top six items after every senior-leadership change.
- CERT-In PoC currency — Annexure II submission filed within the last 12 months and all eight fields (Name, Designation, Organisation Name, Office Address, Email ID, Mobile No., Office Phone, Office Fax) accurate.
- PoC reachability test — two unscheduled out-of-hours calls to the PoC mobile in the last quarter, both answered within 15 minutes.
- NTP sync — automated monitoring confirms all ICT systems sync to NIC (samay1.nic.in / samay2.nic.in), NPL (time.nplindia.org) or a verifiable non-deviating alternate source; last drift report ≤ 50 ms.
- Log retention — rolling 180-day log archive present, within Indian jurisdiction, tamper-evident, covering firewall/IPS/SIEM/web-DB-mail-FTP-proxy/application/VPN/SSH/critical-system-event logs.
- Both successful and unsuccessful events captured in logs per FAQ Q.37.
- 6-hour rehearsal — at least one tabletop exercise in the last 90 days measured end-to-end from detection to mock CERT-In notification, completing within 4 hours.
- Classification playbook — Annexure I checklist embedded in the incident ticket template; mapping verified against the twenty categories.
- Email template freshness — Template A reviewed by General Counsel within the last 6 months.
- Evidence chain-of-custody — last three incidents have complete registers with SHA-256 hashes and IST/UTC timestamps.
- Regulator map — DPDP Section 8(6), RBI, SEBI, IRDAI, TRAI/DoT, MeitY (Rule 3(1)(l) IT Rules 2021) rows reconciled.
- Board awareness — IR Policy tabled at the Board Risk Committee within the last financial year.
- MSME status confirmed — where relevant, MSME classification refreshed annually against Ministry of MSME notification S.O. 1702(E) thresholds (investment up to ₹50 crore and turnover up to ₹250 crore for medium enterprises).
What if things go wrong
Failure 1 — Missed the 6-hour window
- Symptom: Incident noticed at 00:30 IST, report filed at 09:30 IST after the morning stand-up.
- Cause: No 24x7 PoC coverage; escalation tree pauses between 22:00 and 08:00.
- Action: File immediately with a transparent cover note on the actual first-noticed time and reasons for delay. Section 70B(7) IT Act penal exposure (up to 1 year imprisonment and/or ₹1 lakh fine) may apply, though FAQ Q.23 indicates the power is exercised reasonably for deliberate non-compliance. Never backdate a detection timestamp — the NTP-synced SIEM record is independently discoverable.
Failure 2 — Reportable incident that is also a personal data breach
- Symptom: Ransomware (Annexure I category v) exposing Data Principal records.
- Cause: Treating CERT-In filing as a substitute for DPDP Section 8(6) intimation.
- Action: File CERT-In within 6 hours and intimate the Data Protection Board and affected Data Principals under Section 8(6) DPDP Act in the form and manner under Rule 7 DPDP Rules 2025. Two independent regimes — neither discharges the other.
Failure 3 — CERT-In requests logs the entity no longer has
- Symptom: Direction (iii) order asks for logs from 200 days ago; rolling retention expired at day 180.
- Cause: The 180-day retention (Direction (iv)) is a minimum; incident-specific logs must be preserved beyond that window once engaged by a live incident.
- Action: Explain the retention design; provide all logs within the 180-day window; extend retention to indefinite-until-closure for any ICT system touching the incident.
Failure 4 — Foreign-hosted logs cannot be produced fast enough
- Symptom: Logs mirrored to a US region; Indian copy not available in reasonable time.
- Cause: Direction (iv) requires logs within Indian jurisdiction; FAQ Q.35 permits logs stored outside India only if production to CERT-In in reasonable time is assured.
- Action: Rectify the architecture. Interim: produce via the foreign region with a written SLA commitment and a migration plan to an Indian region.
Failure 5 — Annexure II PoC left the company six months ago
- Symptom: CERT-In order goes to a stale mailbox; PoC mobile disconnected; entity learns of the order only when a follow-up reaches the CEO.
- Cause: No quarterly PoC-currency audit.
- Action: Refile Annexure II immediately with fresh PoC details; written apology with offer of enhanced cooperation on the pending matter; CISO/GC 72-hour corrective plan.
Founder checklist
- Know your 6-hour clock. The statutory deadline under Direction (ii) of the 28 April 2022 CERT-In Directions runs from noticing, not from confirming. Rehearse a full end-to-end tabletop in under 4 hours this quarter.
- File Annexure II today. A designated PoC reachable 24x7 is Direction (iii)'s central compliance hook. Refile every time the person changes — within 7 days.
- Audit your logs. Confirm rolling 180-day retention within Indian jurisdiction, covering both successful and unsuccessful events (FAQ Q.37). No NTP sync, no defensible timeline.
- Wire DPDP into the same runbook. Section 8(6) of the Digital Personal Data Protection Act, 2023 is a separate obligation; design the IR Policy so the CERT-In and DPDP filings are triggered together where personal data is involved.
- Ring-fence budget of ₹2–8 lakh/year for SIEM tuning, log-archive storage, 24x7 on-call and counsel retainer. The cost of compliance is a small fraction of the downstream cost of a missed 6-hour window.
FAQ
Does the 6-hour clock run on weekends and holidays?
Yes. The CERT-In Directions dated 28 April 2022 do not contain any business-hours carve-out. The clock begins when the entity notices the incident or when the incident is brought to its notice — weekends, holidays and night hours included. Rotating 24x7 on-call for the CERT-In Point of Contact is therefore a practical compliance requirement under Direction (iii).
What if the breach is discovered weeks after it actually happened?
The statutory clock runs from the time the incident is noticed or brought to notice, not from the time of actual occurrence. CERT-In FAQ Q.24 (May 2022) confirms this. However, the entity must still be prepared to explain why detection was delayed, since Direction (iv) requires logs for a rolling 180 days to be preserved within Indian jurisdiction for exactly this forensic purpose. NTP-synced timestamps across the log estate give the entity the evidentiary base to narrate both the delayed detection and the actual earliest-known occurrence.
Does this apply to foreign service providers serving Indian users?
Yes. CERT-In FAQ Q.26 (May 2022) confirms that the Directions apply to any entity, Indian or foreign, in so far as cyber incidents and cyber security incidents are concerned. Sections 1 and 75 of the Information Technology Act, 2000 give the Act extra-territorial reach where the offence or contravention involves a computer resource located in India. Foreign entities offering services to users in India must designate a CERT-In Point of Contact under Direction (iii) (FAQ Q.29).
What was the MSME extension?
The extension order dated 27 June 2022 (No. 20(3)/2022-CERT-In) deferred the effective date of the 28 April 2022 Directions to 25 September 2022 for MSMEs, as classified under notification S.O. 1702(E) dated 1 June 2020 issued by the Ministry of MSME under Section 7 of the Micro, Small and Medium Enterprises Development Act, 2006. The same order also extended the subscriber-validation requirements at Direction (v)(a) and (v)(f) — "Validated names of subscribers/customers hiring the services" and "Validated address and contact numbers" — to 25 September 2022 for Data Centres, VPS providers, Cloud Service providers and VPN Service providers. All other provisions, including the 6-hour reporting rule for non-MSMEs, remained effective from 28 June 2022.
How does CERT-In reporting interact with DPDP Act breach notification?
They are two independent regimes. CERT-In reporting under Section 70B(6) of the Information Technology Act, 2000 covers any of the twenty cyber incident categories in Annexure I within 6 hours. Personal data breach intimation under Section 8(6) of the Digital Personal Data Protection Act, 2023 is owed separately to the Data Protection Board of India and to each affected Data Principal, in the form and manner prescribed by Rule 7 of the DPDP Rules 2025 (notified via G.S.R. 846(E) on 13 November 2025). A single incident can trigger both — file both, and do not substitute one for the other.
What is the penalty for missing the 6-hour deadline?
Section 70B(7) of the Information Technology Act, 2000 prescribes imprisonment for a term that may extend to one year, or fine that may extend to one lakh rupees, or both. CERT-In FAQ Q.23 (May 2022) clarifies this power will be exercised reasonably and on occasions where the non-compliance is deliberate — but reputational exposure, parallel sectoral-regulator action (RBI, SEBI, IRDAI, TRAI), DPDP Board proceedings where personal data is involved, and contractual indemnity triggers with customers typically dwarf the statutory fine.
Sources
CERT-In Directions dated 28 April 2022 — "Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet" (No. 20(3)/2022-CERT-In). Available at https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
CERT-In FAQs on Cyber Security Directions of 28.04.2022 (May 2022) — Official operational clarifications. Available at https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf
CERT-In Extension Order dated 27 June 2022 — "Extension of timelines for enforcement of Cyber Security Directions of 28th April, 2022 for MSMEs and implementation of mechanism for validation of subscribers/customers" (No. 20(3)/2022-CERT-In). Available at https://www.cert-in.org.in/PDF/CERT-In_directions_extension_MSMEs_and_validation_27.06.2022.pdf
Information Technology Act, 2000 — Section 70B (CERT-In) and Section 81 (overriding effect). Available at https://www.indiacode.nic.in/
Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 — notified 16 January 2014 under Section 87(2)(zf) read with Section 70B(5) IT Act.
Ministry of MSME Notification S.O. 1702(E) dated 1 June 2020 — criteria for classification of micro, small and medium enterprises under Section 7 of the Micro, Small and Medium Enterprises Development Act, 2006. Available via https://egazette.gov.in/
Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), Section 8(6) — separate breach intimation regime. DPDP Rules 2025 (G.S.R. 846(E), 13 November 2025) prescribes form and manner.
This playbook is prepared by Veritect Legal Intelligence for general informational purposes and does not constitute legal advice. Entities should consult qualified counsel for incident-specific advice. Statutory citations are current as of 21 April 2026.