CERT-In already requires cyber-incident reporting within 6 hours
Separate from DPDP, CERT-In's 2022 directions require you to report specified cyber incidents within 6 hours of noticing them. This has been enforceable since June 2022 — it's a present-day obligation, not a future one.
What the law says
CERT-In Directions No. 20(3)/2022 — issued 28 April 2022 under section 70B(6) of the IT Act, 2000 and in force since 27 June 2022 — require organisations to report specified cyber incidents to CERT-In within 6 hours of noticing them.
This is independent of the DPDP Act. It already applies, today.
What it covers
Targeted scanning, unauthorised access, website defacement, ransomware, data breaches, attacks on servers/apps and more. The directions also cover log retention (180 days in India) and, for certain providers, KYC and record-keeping.
What this means for you
Six hours is short. If you have no detection or no named person to act, you'll miss the window. Set up basic monitoring and a simple "who reports what, to whom" runbook now.
On penalties: non-compliance under IT Act s.70B(7) can mean imprisonment up to 1 year and/or a fine up to ₹1 lakh — not the crore-scale figures some blogs quote. The bigger risk is operational and reputational, not the statutory fine.
What to do now
Project: Stand up basic incident detection and a named contact so you can report a covered cyber incident to CERT-In within 6 hours of noticing it. This is enforceable now.
- you run any internet-facing service in India
- you operate servers, websites or apps
CERT-In · CERT-In Directions No. 20(3)/2022; IT Act s.70B
General information, not legal advice. Verify against the cited primary source and confirm specifics with a qualified advisor before acting.