

2022 CERT-In Directions on Reporting Cyber Incidents

04 May 2022

The CERT-In has issued fresh directions mandating compliances in relation to cyber security incidents, ranging from the requirement to report incidents within six hours to storing system logs locally in India. These directions are likely to bring sweeping changes to the law relating to cyber security and data breaches in India.
Partners: Rahul Matthan, Nikhil Narendran, Jyotsna Jayaram, Counsel: Jishnu Sanyal, Senior Associates: Thomas J. Vallianeth, Puja Saha, Associate: Shantanu Mathur

On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new directions (2022 Directions) under Section 70B(6) of the Information Technology Act, 2000 (IT Act) incorporating a host of cyber-security, breach reporting, and record maintenance requirements. In India, the CERT-In is appointed as the national agency for performing various functions in the area of cyber security as per the provisions of Section 70B of the IT Act. The CERT-In is also empowered to call for information and give directions to any service provider, intermediary, data centre, body corporate and Government organisation. The 2022 Directions have been issued to augment incident response measures. This update provides a brief overview of the new requirements imposed by the 2022 Directions.

  • Six Hour Timeline for Reporting and Expanded List of Reportable Cyber Security Incidents

    The Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (CERT-In Rules) had not prescribed a timeframe within which cyber security incidents must be reported and only required reporting within a reasonable time frame. The 2022 Directions, on the other hand, make this requirement more stringent by requiring cyber security incidents to be reported to the CERT-In within six hours of noticing such an incident or of it being brought to notice. Given the short time frame, organisations would need to reassess their practices and procedures in relation to breach reporting, and ensure that appropriate organisational capabilities are deployed in order to identify and report cyber security incidents in this time frame.

    Further, under the CERT-In Rules, only those cyber security incidents specified as mandatorily reportable were required to be reported. However, the 2022 Directions expand this list to include: (i) data breach; (ii) data leak; (iii) attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers; (iv) attacks or incidents affecting digital payment systems; (v) attacks through malicious mobile apps; (vii) unauthorised access to social media accounts; (viii) attacks or malicious/suspicious activities affecting cloud computing systems/servers/software/applications; (ix) attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to big data, block chain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, drones; (x) attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning. There is no clarity on the specifics of what these incidents entail, and no impact threshold has been specified presently.
