CERT‐In Rules and Directions 

With an increasing number of Indians using the Internet and cyberspace and  the goal of a $1 trillion digital economy by 2026, the Government of India is taking  steps to strengthen cybersecurity in India. It has established an evolving framework  comprising statutes, rules, directions and supervisory agencies intended to keep  cyberspace safe for individuals and businesses.  


The Indian Computer Emergency Response Team (“CERT‐In”) is a national  organisation appointed1 by the Government of India to ensure cyber safety in India.  

Functions of CERT‐In. The functions of the CERT-In are2:  

  • a) collection, analysis, and dissemination of information on cyber incidents; 
    b) forecast and alerts of cyber security incidents;
  • c) determining emergency measures for handling cyber security incidents;
  • d) coordination of cyber incidents response activities;  
  • e) issuing guidelines, advisories, vulnerability notes and white papers  relating to information security practices, procedures, prevention,  response, and reporting of cyber incidents; and  
  • f) such other functions relating to cyber security as may be prescribed.  

1 The appointment was made vide notification dated 27 October 2009 in terms of section 70B of the  Information Technology Act, 2000 (“IT Act”)

2 Section 70B(4) of the Information Technology Act, 2000 

The CERT-In Rules3 prescribe how CERT-In performs its functions and  provide for the level of support provided by CERT-In concerning different types of  ‘cyber security incidents.’4 

Powers of CERT‐In. CERT-In is the referral agency for cyber users in India for  responding to cyber security incidents.5 CERT-In is empowered to seek information  from and issue directions to service providers, intermediaries, data centres, body  corporate, and other persons to carry out its functions.6 Information regarding logs  may be requisitioned by an officer of CERT-In, not below the rank of Deputy Secretary  to the Government of India. The CERT-In Rules also set out the procedure to be  followed if such information is not provided. Persons that fail to provide the  information called for or follow directions issued by the CERT-In may be punished  with imprisonment, a fine or both7.  

Cyber Security Directions 8

The Cyber Security Directions provide a framework for ensuring cyber security in India. They were issued pursuant to consultations with industry and government organisations and other stakeholders.  

3 Information Technology (The Indian Computer Emergency Response Team and Manner Performing  Functions and Duties) Rules, 2013 published vide notification dated 16 January 2014 pursuant to  section 70B(5) of the IT Act read with section 87(zf) of the IT Act 

4 Rule 11 of the CERT-In Rules  

5 Rule 8 of the CERT-In Rules  

6 Rule 14 of the CERT-In Rules  

7 Section 70B(7) of the IT Act  

8 Directions dated 28 April 2022 issued by the Ministry of Electronics and Information Technology,  CERT-In under section 70B(6) of the Information Technology Act, 2000 relating to information  security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted  Internet, No. 20 (3)/2022-CERT-In 

Person Covered by Cyber Security Directions. Service providers,  ‘intermediaries’9, data centres, body corporate, Virtual Private Server (VPS)  providers, cloud service providers, Virtual Private Network (VPN) Service providers,  virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations (“Parties Covered by CERT‐In Directions”) are required to comply with the Cyber Security Directions.  

Duty to Report. Parties Covered by CERT-In Directions are required to immediately report10 cyber security incidents to the CERT-In. The methods and formats of reporting cyber security incidents are published on CERT-In’s website.  

Duty to Synchronise. Parties Covered by CERT-In Directions are required to connect to the Network Time Protocol (NTP) Server of the National Informatics  Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks. This means that the clocks in the network of the service providers, intermediaries, data centres, body corporate and governmental organizations must be in sync with the NTP server and will provide the exact same time as NTP. This, in turn, will help in determining the  exact time when a cyber security incident took place.  

Duty to Maintain Logs. Cyber Securities Directions also mandate that Parties  Covered by CERT-In Directions maintain logs of all their ICT systems and maintain  them securely for a rolling period of 180 days. The said logs are to be maintained  within the jurisdiction of India and must be provided to the CERT-In while reporting  an cyber security incident or when so directed or sought by the CERT-In.  

9 Defined in section 2(w) of the IT Act.  

10 Rule 12 of the CERT-In Rules 

Duty to Know Customer. Data centres, VPS providers, Cloud Service providers and VPN service providers are required to maintain accurate information about subscribers/customers and the hiring services availed by subscribers etc. for a period  of five years or such longer duration according to law after cancellation or withdrawal of the registration.  

Overall, the Cyber Security Directions are intended to improve India’s overall cyber security framework so that the Internet is safe for its citizens.  

Things to Think About

Issues related to the CERT-In Rules or the Cuber Security Directions that  require deeper thinking include:  

  • How do the CERT-In Rules or the Cuber Security Directions affect the  individual right to privacy?  
  • Are confidentiality agreements affected by CERT-In Rules or the Cuber  Security Directions?  
  • Do the CERT-In Rules or the Cuber Security Directions cover non Indian entities?  
  • How is the confidentiality of customer data that may be reported to  CERT-In ensured? How should data that is required to be disclosed to CERT In that belongs to data subjects covered by data protection regimes such as  GDPR be handled?  ∙ Where should the logs that may be requisitioned by the CERT-In be  stored?