How to comply with CERT-In’s new six-hour time frame to report cyber incidents

By Karthik Koragal (Senior Associate) and Pratibha Sharma (Senior Executive)

This article was first published in LiveLaw

The Indian Computer Emergency Response Team (CERT-In) recently issued a set of new directions under the Information Technology Act, 2000 (IT Act), in relation to information security practices, procedure prevention, response and reporting of cyber incidents for safe and trusted internet (CERTIN Directions), followed by Frequently Asked Questions (FAQs) dated 19 May 2022 issued by CERTIN, to clarify the requirements under the directions.

CERT-IN Directions mandate service providers, intermediaries, data centres and body corporates (Applicable Entities) to mandatorily report cyber incidents (as defined under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-IN Rules)) within: (a) six hours of noticing such incidents; or (b) such incident being brought to such Applicable Entities. Prior to this update, CERT-In had stipulated reporting cyber security incidents (as defined under CERT-IN Rules) as early as possible, and within a reasonable time of occurrence or noticing the incident.

In addition to the Applicable Entities being mandated to report cyber incidents, within the prescribed time and in the prescribed manner, they are also required to report cyber security incidents (prescribed under CERT-IN Directions), on meeting the following threshold (as laid out in the FAQs):

Download PDF to read more