Search Your Queries Related To Trilegal


2022 CERT-In Directions on Reporting Cyber Incidents

04 May 2022

2022 CERT
The CERT-In has issued fresh directions mandating compliances in relation to cyber security incidents, ranging from the requirement to report incidents within six hours to storing system logs locally in India. These directions are likely to bring sweeping changes to the law relating to cyber security and data breaches in India.
Partners: Rahul Matthan, Nikhil Narendran, Jyotsna Jayaram, Counsel: Jishnu Sanyal, Senior Associates: Thomas J. Vallianeth, Puja Saha, Associate: Shantanu Mathur

On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new directions (2022 Directions) under Section 70B (6) of the Information Technology Act, 2000 (IT Act) incorporating a host of cyber-security, breach reporting, and record maintenance requirements. In India, the CERT-In is appointed as the national agency for performing various functions in the area of cyber security as per provisions of section 70B of the IT Act. The CERT-In is also empowered to call for information and give directions to any service provider, intermediary, data centre, body corporate and Government organisation. The 2022 Directions have been issued to augment incident response measures. This update provides a brief overview of the new requirements imposed by the 2022 Directions

  • Six Hour Timeline for Reporting and Expanded List of Reportable Cyber Security Incidents

    The Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (CERT-In Rules) had not prescribed a timeframe within which cyber-security incidents must be reported and only required reporting within a reasonable time frame. The 2022 Directions, on the other hand, make this requirement more stringent by requiring cyber security incidents to be reported within six hours of noticing or being brought to notice of such incident to the CERT-In. Given the short time frame, organisations would need to reassess their practices and procedures in relation to breach reporting, and ensure that appropriate organisational capabilities are deployed in order to identify and report cyber security incident in this time frame.

    Further, under the CERT-In Rules only those cyber security incidents specified as mandatorily reportable were required to be reported. However, the 2022 Directions expand this list to include: (i) data breach; (ii) data leak; (iii) attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers; (iv) attacks or incidents affecting digital payment systems; (v) attacks through malicious mobile apps; (vii) unauthorised access to social media accounts; (viii) attacks or malicious/ suspicious activities affecting cloud computing systems/servers/software/applications; (ix) attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to big data, block chain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, drones; (x) attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning. There is no clarity on the specifics of what these incidents entail, and no impact threshold has been specified presently.

Download PDF to read more

Subscribe to our Knowledge Repository

If you would like to receive content directly in your inbox from our knowledge repository, please complete this subscription form. This service is reserved for clients and eligible contacts.


    This page contains general information regarding Trilegal and is not intended as a solicitation or an advertisement of its services or any invitation or inducement of any sort. Nothing contained in this website constitutes legal advice or creation of a lawyer-client relationship. If you have any issues, you must seek legal advice. Trilegal is not liable for the consequences of any action taken by relying on the material/information provided on this website. For more information, please read our terms of use and our privacy policy.

    Trilegal - Up Arrow