Understanding CERT-In
India strengthens cybersecurity to combat AI-driven cyber attacks and enforce updated regulations across critical sectors.

Understanding CERT-In: Mandate and Origins

In an era where cyber threats loom ever larger and India’s digital infrastructure expands rapidly, the Indian Computer Emergency Response Team (CERT-In) stands as the nation’s primary bulwark against cyber-incidents. As the nodal cybersecurity agency under the Ministry of Electronics and Information Technology (MeitY), CERT-In’s evolving directives, incident-reporting mandates and audit frameworks are shaping how Indian organisations of all sizes — from startups to large enterprises — address cyber risk. In this blog post, we’ll explore CERT-In’s mandate, its recent regulatory shifts, and what businesses and citizens need to know to stay secure and compliant.

Established under the Information Technology Act, 2000, CERT-In was designated as the national agency responsible for responding to cybersecurity incidents, analysing threats, issuing advisories and coordinating with stakeholders to strengthen India’s cyber-defence posture. (cert-in.org.in) Its core functions include the collection, analysis and dissemination of information on cyber-incidents; forecasting and issuing alerts; taking emergency measures to mitigate damage; and issuing guidelines for information security practices. (cert-in.org.in)
Over time, CERT-In has emerged as a key institutional actor in India’s digital ecosystem, interacting with service providers, intermediaries, data centres, cloud providers, and government organisations.

Key Responsibilities and Functions

CERT-In’s role spans proactive and reactive cybersecurity functions:

  • Advisories and Vulnerability Notes: When vulnerabilities are discovered, CERT-In issues alerts and publishes notes for the public and private sectors to act. (cert-in.org.in)
  • Incident Response: When a cyber-incident occurs, CERT-In coordinates response efforts, investigates impact, and works to restore systems. (cert-in.org.in)
  • Coordination & Collaboration: CERT-In liaises across government, industry and international bodies (including being a full member of the Forum of Incident Response and Security Teams (FIRST) and the Asia Pacific Computer Emergency Response Teams (APCERT)).
  • Security Audits & Assurance: One of the newer and rapidly evolving roles — overseeing audits, setting baselines, and in some cases empanelling audit firms to ensure organisations meet cybersecurity standards.
  • Training & Capacity-Building: CERT-In provides training in cyber-forensics and awareness programmes for law-enforcement, judiciary and critical infrastructure outfits. (nic.in)

Recent Regulatory Shifts: What’s New?

CERT-In’s evolving directive framework has introduced a number of significant changes in recent years — especially relevant for businesses operating in India.

Incident Reporting & Compliance

In April 2022, CERT-In issued new directions that broadened the scope of “cyber-security incidents” which must be reported, and instituted a stringent timeline: entities must report incidents to CERT-In within six hours of noticing or being made aware of them. (Internet Society)
These rules applied to service providers, intermediaries, data centres, cloud providers, VPN and VPS providers, virtual asset service providers, as well as corporate entities. (Internet Society) The guidelines also mandated that certain entities maintain customer and subscriber information (including validated names, IP addresses, timestamps, purpose of service usage) for five years. (Internet Society)
However, the industry pushed back, citing the six-hour timeline and the expansive definition of reportable incidents as onerous. (The Indian Express)

Annual Cybersecurity Audit Mandate

In July 2025, CERT-In announced a landmark directive making annual third-party cybersecurity audits mandatory for both public and private organisations in India. (cybertimesindia.com)
The audit framework emphasises a risk-based and domain-specific approach (rather than pure checklist compliance), aligning with business context and threat landscapes. (Business Standard)
Non-compliance may trigger enforcement under Section 70B of the IT Act, and sectoral regulators may demand more frequent audits. (cybertimesindia.com)

Implications for Businesses and Entities

For organisations operating in India — whether domestic or global — the evolving CERT-In framework implies several practical requirements:

  • Incident Readiness & Reporting: Entities need internal systems to detect, classify and report cyber-incidents promptly (within the prescribed timeline) to CERT-In.
  • Record-keeping & Data Retention: Service providers (especially cloud, VPN, data centres, crypto exchanges) must maintain validated subscriber/customer information, logs and timestamps for defined periods (often up to five years). (Internet Society)
  • Annual Audit Requirement: Organisations must plan for an annual third-party cybersecurity audit (by a CERT-In empanelled auditor), covering infrastructure, applications, cloud, OT/ICS as applicable. (com)
  • Governance & Board Oversight: The audit guidelines emphasise involvement of senior management and board-level review for remediation, making cybersecurity a governance priority. (com)
  • Global Operating Considerations: Entities with cross-border operations need to consider how CERT-In’s Indian-jurisdiction mandates align (or conflict) with global frameworks, especially where data flows, logs, localisation and incident definitions differ. (Internet Society)

Challenges & Industry Concerns

While the regulatory push by CERT-In strengthens India’s cyber-defence posture, there are notable concerns:

  • The six-hour timeline for incident reporting has been criticised as too short and misaligned with global practice. (The Indian Express)
  • The requirement for prolonged data retention (e.g., five years for VPN logs) raises privacy and operational cost issues for providers. (Internet Society)
  • CERT-In’s broadened regulatory mandate (from purely emergency-response to quasi-regulator) has raised questions about the voluntary, collaborative nature typically expected of CERT organisations. (Internet Society)
  • Compliance burden for smaller organisations (MSMEs) can be significant, especially in terms of audit cost, log-management, and governance uplift.

The Road Ahead: How to Prepare

For organisations and individuals looking to navigate the CERT-In landscape effectively:

  1. Build Incident Response Capabilities: Establish a clear incident detection, classification and escalation process aligned with CERT-In’s reporting timelines and formats.
  2. Ensure Log Management & Retention Compliance: If you are a service provider, VPN, cloud, data-centre or crypto-entity, verify you can record required subscriber/customer metadata and logs and retain them as per direction.
  3. Plan for Annual Audits: Begin budget and programme planning for the annual cybersecurity audit; evaluate empanelled auditors and map scope of audit to your risk profile.
  4. Elevate Governance & Awareness: Engage senior management in cybersecurity oversight, create awareness across business units and prioritise cyber-hygiene as a continuous journey.
  5. Monitor Regulatory Updates: CERT-In’s directives and guidelines evolve rapidly — stay updated on FAQs, clarifications, sector-specific carve-outs and enforcement precedents.

Conclusion

As India’s digital economy progresses at pace and cyber-threats become increasingly sophisticated, CERT-In’s role is more critical than ever. For businesses, it means shifting from a reactive “patch-and-pray” mindset to proactive cyber-resilience — where incident readiness, detailed audits, governance and compliance are embedded into organisational DNA. By aligning with CERT-In’s evolving mandate today, organisations can not only meet regulatory obligations but also build trust, reduce risk and make their digital operations more robust in the long run. If you’re involved in compliance, security operations or governance and would like a deeper dive into any of CERT-In’s specific directives (like incident-reporting formats, audit checklists or India-specific data retention obligations), I’d be happy to explore further.
