Infosek

CERT-In 6-Hour Breach Reporting: A Plain-English Guide for Regulated Entities

CERT-In's 2022 Direction mandates that all regulated entities report cybersecurity incidents within 6 hours of detection. Not 6 business hours — 6 hours. Most organisations are unprepared. This guide explains what qualifies, how to report, and how to build your SOP now, before an incident happens.

Infosek Team

1 May, 2025

The CERT-In Direction of 2022: Background

In April 2022, CERT-In (the Indian Computer Emergency Response Team, operating under the Ministry of Electronics and Information Technology) issued a Direction under Section 70B(6) of the IT Act. The Direction imposed several significant obligations on Indian entities, of which the 6-hour incident reporting requirement has the most immediate operational impact. It applies to all service providers, intermediaries, data centres, body corporates, and government organisations.

What Qualifies as a Reportable Incident?

CERT-In lists over 20 types of incidents that must be reported. These include (but are not limited to):

  • Targeted scanning / probing of critical networks or systems
  • Compromise of critical systems or information
  • Unauthorised access to IT systems / data
  • Defacement of websites or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
  • Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers
  • Attack on servers such as Database, Mail & DNS and network devices such as Routers
  • Identity theft, spoofing and phishing attacks
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Attacks on Critical infrastructure, SCADA, Operational Technology Systems, and Wireless networks
  • Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
  • Data breach or data leakage
  • Rogue / Unauthorised Wi-Fi access points
  • Supply chain attacks
  • Fake mobile Apps
  • Cryptocurrency-mining malware
  • Incidents affecting digital payment systems

If you are uncertain whether an event qualifies, report it. The cost of over-reporting is administrative. The cost of under-reporting is regulatory.

How to Report: The Process

CERT-In provides multiple reporting channels:

  • Online portal: incident.cert-in.org.in (the primary channel)
  • Email: incident@cert-in.org.in
  • Phone: CERT-In helpdesk number (published on cert-in.org.in)

Your report should include as much of the following as you can provide within the 6-hour window (you can submit a preliminary report and follow up with details):

  • Name and contact details of the reporting entity
  • Type of incident (from CERT-In's list)
  • Date and time of detection
  • Affected systems, networks, and services
  • Estimated impact (users, data, services affected)
  • Actions taken so far (containment steps)
  • Any indicators of compromise (IOCs) identified

Who Must Comply?

The CERT-In Direction applies universally to all entities in India, including:

  • All service providers (cloud providers, managed services, SaaS companies)
  • Intermediaries (as defined under the IT Act)
  • Data centres
  • Body corporates (effectively all registered companies)
  • Government entities

There is no minimum size threshold. A two-person startup and a large bank are equally obligated to report qualifying incidents within 6 hours.

Common Mistakes That Lead to Non-Compliance

  • Not knowing what counts as an incident: Many teams classify only "major" breaches as incidents, missing phishing attacks, unauthorised access attempts, or malware detections that clearly qualify under CERT-In's list.
  • No pre-built SOP: When an incident occurs, teams scramble to figure out who to call, what to report, and how to access the CERT-In portal — all while containing the incident. Without a pre-built SOP, 6 hours disappears before anyone has drafted a report.
  • Confusing CERT-In reporting with RBI/SEBI reporting: CERT-In reporting (6 hours) is separate from your sectoral regulator's incident reporting requirements. You may need to file multiple reports to multiple recipients within different timeframes for the same incident. Do not assume filing with CERT-In satisfies SEBI or RBI.
  • No designated point of contact: CERT-In expects entities to have a designated SPOC for incident reporting. Without one, there is ambiguity about who files the report — and accountability gaps lead to missed deadlines.

Building Your 6-Hour SOP

A 6-hour SOP for CERT-In incident reporting should cover the following stages:

  • Hour 0: Detection — Alert received from SIEM, security tool, internal report, or external tip. Timestamp documented.
  • Hour 0–1: Initial triage — Incident response team activated. Preliminary assessment: is this a qualifying CERT-In incident? What systems are affected?
  • Hour 1–2: Preliminary containment — Isolate affected systems if safe to do so. Preserve logs (do not wipe).
  • Hour 2–4: Initial report preparation — Designated SPOC drafts CERT-In incident report using the standard form. Management notified.
  • Hour 4–5: Internal approval — CISO / senior management approves the report. SEBI/RBI/other regulator notification assessed — separate reports initiated if required.
  • Hour 5–6: Report submitted to CERT-In — Submitted via portal or email. Confirmation reference number documented. Follow-up report timeline noted.
  • Post-6 hours: Ongoing reporting — CERT-In may request additional information. Incident response continues. Incident log maintained for post-incident review.

The 6-hour clock starts the moment you detect an incident, not when you understand it. Build your SOP for speed, not thoroughness. You can always supplement with a follow-up report.
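The stages above can be turned into a small tracker. This is an added example, not code from Infosek or CERT-In: it takes the detection timestamp from an alert, computes the wall-clock deadline in IST, names the current SOP stage, and lists which report contents from "How to Report" are still missing from a preliminary report. The dictionary key names, the sample incident and the host name are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # India observes no DST
WINDOW = timedelta(hours=6)                     # wall-clock hours, not business hours

# (start_hour, end_hour, stage) from the SOP stages listed above
STAGES = [(0, 1, "Initial triage"), (1, 2, "Preliminary containment"),
          (2, 4, "Initial report preparation"), (4, 5, "Internal approval"),
          (5, 6, "Report submitted to CERT-In")]

# Hypothetical key names for the report contents listed under "How to Report"
FIELDS = ["entity_contact", "incident_type", "detected_at", "affected_systems",
          "estimated_impact", "actions_taken", "iocs"]

def parse_ts(ts):
    """Parse ISO 8601; reject naive times, which make the deadline ambiguous."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {ts!r} has no UTC offset")
    return dt

def sop_status(incident, now):
    """Return deadline, current SOP stage and report gaps for one incident."""
    detected = parse_ts(incident["detected_at"])
    if now < detected:
        raise ValueError("'now' is earlier than the detection time")
    deadline = detected + WINDOW
    hours = (now - detected).total_seconds() / 3600
    stage = next((s for lo, hi, s in STAGES if lo <= hours < hi),
                 "Post-6 hours: ongoing reporting")
    filed = incident.get("submitted_at")  # set once the report is filed
    return {
        "deadline_ist": deadline.astimezone(IST).isoformat(),
        "stage": stage,
        "minutes_left": max(0, int((deadline - now).total_seconds() // 60)),
        "missing_fields": [f for f in FIELDS if not incident.get(f)],
        "overdue": (parse_ts(filed) if filed else now) > deadline,
    }

# Constructed sample: SIEM alert stamped in UTC, 23:10 IST on a Friday
SAMPLE = {"entity_contact": "SPOC, Example Pvt Ltd (placeholder)",
          "incident_type": "Unauthorised access to IT systems / data",
          "detected_at": "2025-05-02T17:40:00Z",
          "affected_systems": ["vpn-gw-01 (placeholder)"],
          "actions_taken": "Gateway isolated; logs preserved"}

if __name__ == "__main__":
    print(sop_status(SAMPLE, datetime(2025, 5, 2, 20, 55, tzinfo=timezone.utc)))
```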
