In April 2022, India's Computer Emergency Response Team (CERT-In) issued directives that sent shockwaves through the technology industry. The directives, which took effect on June 28, 2022, impose some of the strictest cybersecurity reporting requirements in the world—including a six-hour incident reporting mandate that makes even the EU's 72-hour timeline look leisurely.
For organizations operating in India, building software for the Indian market, or using infrastructure hosted in India, these directives are mandatory. Noncompliance can result in penalties under the Information Technology Act, 2000.
The Six-Hour Reporting Mandate
The headline requirement: organizations must report cybersecurity incidents to CERT-In within six hours of becoming aware of them. Not six business hours. Six hours, period.
The types of incidents covered include:
- Targeted scanning and probing of critical systems
- Compromise of critical systems or information
- Unauthorized access to IT systems or data
- Website defacement
- Malicious code attacks (including ransomware)
- Attacks on servers, applications, and databases
- Identity theft, spoofing, and phishing
- Denial-of-service attacks
- Data breaches or leaks
- Attacks on critical infrastructure and IoT devices
- Supply chain attacks affecting software or hardware
That last item is particularly relevant. If a compromised software dependency or supply chain attack affects your systems in India, you have six hours from awareness to report.
Log Retention Requirements
The directives mandate that organizations maintain logs of all their ICT systems for a rolling period of 180 days. These logs must be maintained within Indian jurisdiction and provided to CERT-In when requested.
For software supply chain security, this means:
- Build system logs must be retained
- Dependency resolution and package download logs should be preserved
- Deployment and configuration change logs need to be maintained
- Access logs for development environments are in scope
The 180-day retention period is significant. Many organizations purge logs after 30 or 90 days. Extending retention to 180 days requires additional storage infrastructure and log management processes.
Synchronized Time
All organizations covered by the directives must synchronize their system clocks with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or National Physical Laboratory (NPL), or with NTP servers traceable to these sources.
This requirement exists to ensure that timestamps across different systems are consistent—critical for incident investigation and forensic analysis. For supply chain incidents that span multiple organizations and systems, synchronized time is essential for reconstructing the timeline of a compromise.
VPN and Cloud Service Provider Requirements
The directives impose specific requirements on VPN providers, cloud service providers, and data centers operating in India:
- Maintain accurate customer information for five years after cancellation
- Record and retain customer registration data including names, addresses, contact numbers, email addresses, IP addresses, and purpose of use
- Maintain logs of all activities for 180 days
These requirements were controversial because they potentially impact user privacy and have led some VPN providers to remove Indian servers. However, for organizations focused on software supply chain security, they reinforce the broader theme: comprehensive logging and record-keeping are now mandatory.
Impact on Software Development Organizations
For companies that develop software in India or maintain development infrastructure there, the directives have practical implications:
Development Environment Security
The incident reporting and logging requirements mean that software development environments need to be monitored and logged comprehensively. This includes:
- Source code repository access
- CI/CD pipeline activities
- Package manager interactions (downloading dependencies)
- Build system operations
- Deployment activities
Dependency Management
Supply chain attacks are explicitly listed as reportable incidents. This creates a direct obligation to:
- Monitor for compromised dependencies
- Detect when a supply chain attack affects your systems
- Report such incidents within six hours
Organizations that don't actively monitor their software supply chain may not even become aware of a supply chain compromise within six hours, let alone report it. This makes continuous dependency monitoring an implicit requirement of the directives.
Incident Response Readiness
Six hours is an extremely tight timeline. Organizations need:
- Automated threat detection and alerting
- Pre-established incident response procedures
- Clear escalation paths
- Templates for CERT-In reporting
- On-call personnel who can assess and report incidents
For supply chain incidents specifically, this means having tooling that can quickly identify which systems are affected when a compromised component is discovered.
Penalties and Enforcement
Noncompliance with CERT-In directives can result in penalties under the Information Technology Act, including:
- Imprisonment of up to one year
- Fines
- Both imprisonment and fines
While enforcement has been evolving, the legal framework exists for significant penalties. More practically, failure to comply can affect an organization's ability to operate in India and its relationships with Indian government and enterprise customers.
Comparison with Global Standards
India's six-hour reporting requirement is among the strictest globally:
| Jurisdiction | Reporting Timeline |
|---|---|
| India (CERT-In) | 6 hours |
| Australia (SOCI Act - critical) | 12 hours |
| EU (NIS2 - early warning) | 24 hours |
| US (CIRCIA) | 72 hours |
| EU (GDPR) | 72 hours |
The compressed timeline reflects India's approach of prioritizing rapid awareness over detailed reporting. The initial report can be a preliminary notification, with detailed follow-up provided later.
Practical Recommendations
For organizations operating in India:
- Establish CERT-In reporting procedures. Don't wait for an incident. Have reporting templates, contact information, and escalation procedures ready.
- Implement comprehensive logging. Ensure all systems, including development infrastructure, are logging at a level that supports 180-day retention and incident investigation.
- Deploy continuous monitoring. Automated monitoring is the only practical way to detect incidents and begin the six-hour clock with enough time to assess and report.
- Synchronize your clocks. Ensure all systems use appropriate NTP sources. This is a simple requirement but easy to overlook.
- Monitor your supply chain. Since supply chain attacks are reportable incidents, you need visibility into your software dependencies and the ability to quickly determine if a known compromise affects your systems.
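The "which systems are affected, and by when must we report" question raised under Incident Response Readiness and in the last recommendation above can be answered mechanically from a per-system dependency inventory. The following is an added illustration, not code from this post or from Safeguard.sh; the inventory, the advisory and the awareness timestamp are constructed sample data, and the package names in them are made up.

```python
"""Map a compromised-dependency advisory to affected systems and compute the
CERT-In six-hour preliminary-report deadline.  Added example with constructed data."""
from datetime import datetime, timedelta, timezone

REPORTING_WINDOW = timedelta(hours=6)  # CERT-In: report within six hours of awareness

# Constructed per-system dependency inventory, e.g. as exported from each system's SBOM.
INVENTORY = {
    "build-runner-01": {"left-pad-ish": "1.3.0", "yaml-parse": "2.1.0"},
    "api-prod-in-01":  {"yaml-parse": "2.0.4", "http-core": "5.2.1"},
    "ci-cache-01":     {"http-core": "5.2.1"},
}

# Constructed advisory: package name plus the exact versions known to be compromised.
ADVISORY = {"package": "yaml-parse", "versions": {"2.0.4", "2.1.0"}}

# Constructed moment at which the organisation became aware of the advisory (UTC).
AWARE_AT = datetime(2022, 6, 28, 9, 0, tzinfo=timezone.utc)


def affected_systems(inventory, advisory):
    """Return, sorted by name, every system running a compromised version."""
    name, bad = advisory["package"], advisory["versions"]
    return sorted(s for s, deps in inventory.items() if deps.get(name) in bad)


def reporting_deadline(aware_at):
    """Latest time for the preliminary CERT-In notification: awareness plus six hours.
    A naive timestamp is rejected because the deadline must be unambiguous across
    systems, which is exactly why the directives require synchronised clocks."""
    if aware_at.tzinfo is None or aware_at.utcoffset() is None:
        raise ValueError("awareness time must be timezone-aware")
    return aware_at + REPORTING_WINDOW


def assess(inventory, advisory, aware_at):
    """Bundle the impact list with the reporting obligation it triggers."""
    hits = affected_systems(inventory, advisory)
    return {
        "affected": hits,
        "reportable": bool(hits),
        "deadline": reporting_deadline(aware_at) if hits else None,
    }


if __name__ == "__main__":
    print(assess(INVENTORY, ADVISORY, AWARE_AT))
```

In practice the inventory would be regenerated from live SBOM or lockfile data on every build so that the lookup reflects what is actually deployed when the advisory lands.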
How Safeguard.sh Helps
Safeguard.sh provides the continuous supply chain monitoring that India's CERT-In directives implicitly require. When a compromised dependency or supply chain attack is identified, Safeguard.sh immediately flags affected systems—giving security teams the situational awareness needed to meet the six-hour reporting window. The platform maintains comprehensive records of software components, vulnerability assessments, and dependency changes, supporting the 180-day log retention requirement. With real-time alerting and clear impact analysis, Safeguard.sh turns the demanding CERT-In timeline from an operational nightmare into a manageable process.