CERT-In Compliance for Regulated Enterprises
CERT-In directives apply to every organization operating in India: incident reporting timelines, log retention requirements, and cybersecurity obligations that cut across industries. eQomply helps you track and demonstrate compliance in one system.
What CERT-In compliance covers
CERT-In's 2022 directives introduced mandatory cybersecurity requirements for all organizations. These apply regardless of industry, but regulated entities face additional scrutiny from sectoral regulators that reference CERT-In requirements.
Incident Reporting
Mandatory reporting of cybersecurity incidents to CERT-In within six hours of detection. Covers a defined list of incident types including data breaches, ransomware, and unauthorized access.
Log Retention
All ICT system logs must be retained for 180 days within Indian jurisdiction. Logs must be provided to CERT-In on request during incident investigation.
Time Synchronization
All ICT systems must synchronize to Network Time Protocol servers provided by NIC or NPL, or to servers traceable to these sources. Accurate timestamps are required for incident investigation.
KYC for Service Providers
Data centers, VPS providers, cloud service providers, and VPN providers must maintain KYC records of customers and retain them for five years after service termination.
Vulnerability Disclosure
Service providers, intermediaries, and data centers must report vulnerabilities in their systems to CERT-In. Timelines and formats are specified in the directives.
Point of Contact Registration
Organizations must designate and register a point of contact with CERT-In for cybersecurity incident coordination. Contact details must be kept updated.
The compliance challenge for organizations
CERT-In requirements apply to all organizations, but compliance sits awkwardly between IT, security, legal, and compliance functions. Most organizations lack a single system to track obligations and demonstrate compliance during audits or investigations.
1. Six-hour reporting window is unforgiving
Incident detection, classification, internal escalation, and CERT-In reporting must all happen within six hours. Without predefined workflows, teams scramble and miss timelines.
2. Log retention spans multiple systems
180-day retention applies to all ICT systems: firewalls, servers, applications, cloud infrastructure. Most organizations cannot confirm compliance across their entire environment.
3. Ownership is fragmented
IT owns the systems. Security owns incident response. Legal worries about liability. Compliance tracks regulatory obligations. No single function owns CERT-In compliance end-to-end.
4. Evidence is scattered
When regulators or auditors ask for proof of compliance, teams pull together screenshots, email confirmations, and spreadsheet logs. Nothing centralized, nothing audit-ready.
What you get with eQomply
eQomply brings CERT-In compliance into your broader GRC framework. Obligations tracked alongside other regulatory requirements. Evidence captured as work happens. Incident workflows built in.
Pre-mapped CERT-In obligations
Incident reporting, log retention, time synchronization, POC registration, vulnerability disclosure. Key requirements mapped and ready to assign.
Incident reporting workflows
Incident detected. Classification triggered. Internal escalation automated. CERT-In reporting template populated. Six-hour timeline tracked with audit trail.
Log retention tracking
Map log sources across your environment. Track retention compliance by system. Identify gaps before auditors or investigators find them.
Cross-functional task assignment
IT, security, legal, compliance. Assign CERT-In obligations to owners across functions. Track completion in one place, not across email threads.
Evidence captured as work happens
POC registration confirmations, NTP configuration records, incident reports filed. Evidence logged at the source, timestamped, and linked to the relevant obligation.
Audit-ready documentation
Regulator asks for proof of CERT-In compliance. Pull reports showing obligation status, evidence records, and incident history. No more assembling documentation after the fact.
Industries and roles this applies to
CERT-In directives apply to all organizations operating in India. But regulated enterprises face additional pressure, with sectoral regulators increasingly referencing CERT-In requirements in their own frameworks.
01. By Industry
Organizations where CERT-In compliance intersects with sectoral regulation.
- Banks
- NBFCs
- Housing Finance Companies
- Payment Aggregators & Payment Companies
- Credit Information Companies
- Pharma & Healthcare
02. By Role
The people responsible for making CERT-In compliance operational.
- Compliance Leaders
- Chief Risk Officers
- CISOs
- Data Protection Officers
See how eQomply handles CERT-In compliance
A walkthrough covering incident workflows, log retention tracking, and audit-ready documentation.
