CERT-In Directions 2026: MSP Compliance Checklist (India)
Country Manager, India
AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking

What the CERT-In Directions are (and who must comply)
CERT-In Directions 2022 Framework: Key Compliance Areas for MSPs
The CERT-In (Indian Computer Emergency Response Team) Directions 2022, issued on April 28, 2022, under Section 70B of the Information Technology Act, 2000, establish mandatory cybersecurity incident reporting and information security practices for a wide range of entities operating in India. These directions significantly expand the scope and specificity of cybersecurity compliance requirements.
The directives apply to a broad spectrum of organizations, including:
- Service providers (including Managed Service Providers)
- Intermediaries
- Data centers
- Body corporates
- Virtual private server (VPS) providers
- Cloud service providers
- Virtual private network service (VPN) providers
- Virtual asset service providers
- Virtual asset exchange providers
- Custodian wallet providers
- Government organizations
For Managed Service Providers specifically, these directions create both compliance obligations and new service opportunities. MSPs must not only ensure their own operations comply with the directives but also help their clients implement compliant security practices. This dual responsibility makes understanding the technical and operational requirements especially critical.
The directives are legally binding under Indian law, with non-compliance potentially resulting in penalties under the IT Act. For MSPs, this creates both a compliance imperative and a strategic opportunity to develop and deliver CERT-In compliance services to clients who fall within the scope of these requirements.
The 5 operational requirements MSPs must engineer for
1. Incident reporting timelines and escalation design
The most time-sensitive requirement in the CERT-In Directions is the mandatory 6-hour incident reporting timeline. MSPs must design their security operations to detect, validate, and report cybersecurity incidents to CERT-In within this narrow window. This requires:
- Incident detection capabilities that operate 24×7 across all managed environments
- Clear incident classification criteria to identify reportable events
- Defined escalation paths with designated decision-makers authorized to trigger reports
- Templated reporting mechanisms that can be quickly populated with incident details
- Multi-tenant reporting processes that clarify responsibilities between MSPs and their clients
Reportable incidents include targeted scanning of critical systems, compromised critical systems, unauthorized access to IT systems, website defacements, malware deployments, identity theft, phishing attacks, DDoS, ransomware incidents, and data breaches. MSPs must establish clear criteria for each category to ensure consistent reporting.
2. Log retention architecture (central log store + tamper controls)
The CERT-In Directions mandate maintaining logs of all ICT systems for a rolling period of 180 days within Indian jurisdiction. This requirement necessitates a robust log management architecture that includes:
- Comprehensive log collection from all ICT systems (servers, network devices, security tools, applications)
- Centralized log storage with appropriate capacity planning for 180 days of retention
- Tamper-evident controls to prevent unauthorized modification of stored logs
- Data sovereignty compliance ensuring logs are stored within India
- Log format standardization to facilitate analysis and investigation
- Access controls restricting who can view, modify, or delete logs
MSPs must design their log retention architecture to balance performance, storage costs, and compliance requirements. This typically involves a tiered approach with hot storage for recent logs and cold storage for older logs, all while maintaining searchability and integrity throughout the 180-day retention period.
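The tamper-evident, 180-day rolling store described above can be modelled in a few dozen lines. The following is an added example written for this article, not code from the article itself or from Opsio: each record is chained to its predecessor with SHA-256, so any edit, deletion or reorder of a stored record is caught by verification, and a retention purge re-anchors the chain so a deliberate purge stays distinguishable from tampering. The record layout, the purge-by-append-order assumption and all sample log lines and timestamps are this example's own constructions.

```python
"""Tamper-evident, 180-day rolling log store.

Added example (not code from the original article): each record is chained
to its predecessor by SHA-256(prev_hash || canonical_json(record)), so an
edit, deletion or reorder of any stored record breaks every later hash and
is caught by verify().  purge_expired() drops records older than the
retention window and re-anchors the chain on the last purged hash, so a
deliberate purge stays distinguishable from tampering.  Records are assumed
to be appended in timestamp order.  All timestamps and log lines are
constructed sample data.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180           # CERT-In rolling retention period
GENESIS = "0" * 64             # anchor for a chain that has never been purged


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so a record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ChainedLogStore:
    def __init__(self) -> None:
        self.anchor = GENESIS      # hash the current chain starts from
        self.entries: list[dict] = []

    def append(self, ts: datetime, source: str, message: str) -> str:
        record = {
            "ts": ts.astimezone(timezone.utc).isoformat(),
            "source": source,
            "message": message,
        }
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        digest = _digest(prev, record)
        self.entries.append({"record": record, "hash": digest})
        return digest

    def verify(self) -> tuple[bool, int]:
        """Walk the chain; return (ok, index of first bad entry or -1)."""
        prev = self.anchor
        for i, entry in enumerate(self.entries):
            if _digest(prev, entry["record"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, -1

    def purge_expired(self, now: datetime) -> int:
        """Drop records older than RETENTION_DAYS relative to `now`; return count removed."""
        cutoff = now.astimezone(timezone.utc) - timedelta(days=RETENTION_DAYS)
        n = 0
        while n < len(self.entries):
            ts = datetime.fromisoformat(self.entries[n]["record"]["ts"])
            if ts >= cutoff:
                break
            n += 1
        if n:
            # Re-anchor on the last purged hash: the remaining chain still verifies,
            # and the anchor value records exactly where the purge cut.
            self.anchor = self.entries[n - 1]["hash"]
            del self.entries[:n]
        return n


def demo() -> dict:
    """Append three records, purge, then tamper; returns the observations."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    store = ChainedLogStore()
    store.append(t0, "fw-01", "DENY tcp 203.0.113.5 -> 10.0.0.8:22")            # constructed
    store.append(t0 + timedelta(days=1), "dc-01", "4624 logon user=svc_backup")  # constructed
    store.append(t0 + timedelta(days=200), "fw-01", "ALLOW tcp 10.0.0.8 -> 10.0.0.9:443")
    ok_before, _ = store.verify()
    removed = store.purge_expired(t0 + timedelta(days=200))   # cutoff = day 20
    ok_after, _ = store.verify()
    store.entries[0]["record"]["message"] = "edited after the fact"  # simulate tampering
    ok_tampered, bad_index = store.verify()
    return {
        "ok_before": ok_before, "removed": removed, "ok_after": ok_after,
        "ok_tampered": ok_tampered, "bad_index": bad_index, "remaining": len(store.entries),
    }


if __name__ == "__main__":
    print(demo())
```

In production the anchor value and the newest hash would be copied periodically to a location the log administrators cannot write to (an object-lock bucket in an Indian region, or a signed ledger), because a chain that lives only beside the logs can be rewritten end to end by anyone with write access to the store.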
3. Time synchronization (NTP design and monitoring)
The CERT-In Directions require all ICT systems to be synchronized to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to these agencies. This requirement demands:
- NTP server architecture with primary and secondary time sources
- Configuration management to ensure all systems point to compliant time sources
- Continuous monitoring of time synchronization status across all managed systems
- Drift detection and alerting to identify systems that fall out of synchronization
- Documentation of time source traceability to demonstrate compliance
Accurate time synchronization is critical for security operations, as it ensures that logs from different systems can be correlated during incident investigation. MSPs must implement robust time synchronization architectures and monitoring to maintain compliance and support effective security operations.
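The drift-detection and traceability checks listed above can be automated against the status that chrony reports on Linux hosts. The script below is an added example and not the article's or Opsio's tooling: it parses the text of `chronyc tracking`, then flags a host that is unsynchronised, has drifted beyond a threshold, sits too deep in the stratum hierarchy, or follows a source that is not on the approved traceability list. The thresholds, host names, both sample outputs and the approved-source names are constructed; the approved list must be replaced with the NIC or NPL server names actually configured in the estate.

```python
"""NTP drift monitor over `chronyc tracking` output.

Added example, not part of the original article.  parse_tracking() reads the
text that chrony prints for `chronyc tracking` on Linux; check_host() applies
three conditions drawn from the requirement above: the clock is synchronised,
its offset is inside a threshold, and it follows a source on the approved
traceability list.  Thresholds, host names, the approved-source names and
both sample outputs are constructed; replace APPROVED_SOURCES with the NIC /
NPL server names actually configured in your estate.
"""
import math
import re

MAX_OFFSET_SECONDS = 0.5                     # assumption: alert above 500 ms
MAX_STRATUM = 4                              # assumption: deeper than this is not trusted
APPROVED_SOURCES = {"ntp1.nic.example", "ntp2.npl.example"}   # placeholder names

SAMPLE_OK = """\
Reference ID    : C0A80001 (ntp1.nic.example)
Stratum         : 2
Ref time (UTC)  : Mon Jan 05 09:00:00 2026
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000045678 seconds
RMS offset      : 0.000100000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.050 ppm
Root delay      : 0.010000000 seconds
Root dispersion : 0.001000000 seconds
Update interval : 64.0 seconds
Leap status     : Normal
"""

SAMPLE_BAD = """\
Reference ID    : 7F7F0101 ()
Stratum         : 10
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 2.731000000 seconds slow of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm fast
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 0.000000000 seconds
Root dispersion : 0.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""


def parse_tracking(text: str) -> dict:
    """Return source name, stratum, signed offset (s, + = fast) and leap status."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")    # first colon only; times contain colons
        if sep:
            fields[key.strip()] = value.strip()
    m = re.match(r"[0-9A-Fa-f]+\s*\((.*)\)", fields.get("Reference ID", ""))
    source = m.group(1).strip() if m else ""
    m = re.match(r"([\d.]+)\s+seconds\s+(fast|slow)", fields.get("System time", ""))
    offset = (float(m.group(1)) * (1 if m.group(2) == "fast" else -1)) if m else math.nan
    return {
        "source": source,
        "stratum": int(fields.get("Stratum", "16")),
        "offset_s": offset,
        "leap": fields.get("Leap status", ""),
    }


def check_host(host: str, tracking_text: str) -> list:
    """Return a list of (host, finding) tuples; an empty list means compliant."""
    t = parse_tracking(tracking_text)
    findings = []
    if t["leap"] != "Normal":
        findings.append((host, f"not synchronised (leap status '{t['leap']}')"))
    if math.isnan(t["offset_s"]) or abs(t["offset_s"]) > MAX_OFFSET_SECONDS:
        findings.append((host, f"offset {t['offset_s']:+.3f}s exceeds {MAX_OFFSET_SECONDS}s"))
    if t["stratum"] > MAX_STRATUM:
        findings.append((host, f"stratum {t['stratum']} > {MAX_STRATUM}"))
    if t["source"] not in APPROVED_SOURCES:
        findings.append((host, f"source '{t['source']}' not on traceability list"))
    return findings


def fleet_report(samples: dict) -> dict:
    """samples: host -> chronyc output.  Returns host -> list of finding strings."""
    return {host: [f for _, f in check_host(host, text)] for host, text in samples.items()}


if __name__ == "__main__":
    for host, issues in fleet_report({"app-01": SAMPLE_OK, "app-02": SAMPLE_BAD}).items():
        print(host, "OK" if not issues else issues)
```

Run from a configuration-management or monitoring job, the per-host finding lists are exactly the content of the Monitoring Report the evidence pack calls for: every host either shows an empty list or a dated, reproducible reason for being out of compliance.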
4. Customer data / subscriber info handling (contract + process)
The CERT-In Directions impose specific requirements for handling customer information, particularly for VPN, VPS, cloud service, and virtual asset service providers. While the applicability varies by service type, MSPs must establish:
- Know Your Customer (KYC) processes appropriate to the services provided
- Customer information collection and validation workflows
- Secure storage of subscriber information with appropriate access controls
- Data retention policies aligned with the 5-year requirement for certain service types
- Contract clauses that address information collection, retention, and disclosure requirements
MSPs must review their service offerings to determine which aspects trigger the enhanced KYC and information retention requirements. Service contracts and privacy notices should be updated to reflect these requirements while maintaining compliance with data protection regulations.
5. Evidence retention (tickets, incident forms, case timelines)
Beyond the specific requirements for log retention, MSPs must establish comprehensive evidence retention practices to demonstrate compliance with the CERT-In Directions. This includes:
- Incident ticket documentation with complete chronologies of detection and response
- Copies of submitted incident reports with timestamps of submission
- Records of communication with CERT-In and other authorities
- System configuration documentation demonstrating compliance with time synchronization requirements
- Audit logs of access to security systems and log repositories
This documentation serves as evidence of compliance during audits and investigations. MSPs should implement secure, searchable repositories for compliance documentation with appropriate retention policies and access controls.
"CERT-In-ready SOC" — runbooks and staffing
To meet the 6-hour reporting requirement consistently, MSPs must establish a Security Operations Center (SOC) with specific capabilities and processes designed for CERT-In compliance. Key elements include:
On-call model, severity matrix, and reporting authority
A CERT-In-ready SOC requires a well-defined operational model that ensures continuous monitoring and rapid response:
- 24×7 coverage model with clear shift handover procedures
- Tiered analyst structure with escalation paths for potential reportable incidents
- Severity classification matrix that aligns with CERT-In reportable incident categories
- Decision authority framework designating who can authorize CERT-In reports
- SLA tracking mechanisms to monitor time-to-report metrics
The severity matrix should clearly define criteria for each incident type, helping analysts quickly determine whether an event meets the reporting threshold. The decision authority framework should designate specific roles authorized to approve and submit reports to CERT-In, ensuring that reports can be sent within the 6-hour window even during non-business hours.
Tabletop exercises
Regular testing of incident response and reporting procedures is essential to ensure readiness for actual incidents:
- Quarterly tabletop exercises simulating different reportable incident scenarios
- Role-specific training for all SOC team members on CERT-In requirements
- Cross-functional exercises involving technical teams, management, and legal/compliance
- Scenario-based testing of detection, analysis, and reporting workflows
- Post-exercise reviews to identify and address process gaps
These exercises should test the end-to-end incident response process, from initial detection through analysis, decision-making, and report preparation. Scenarios should cover various incident types specified in the CERT-In Directions, with particular attention to complex scenarios that test the limits of the 6-hour reporting window.
Proving response time
MSPs must maintain comprehensive documentation to demonstrate compliance with the 6-hour reporting requirement during audits or investigations:
- Timestamped incident records documenting detection, analysis, and reporting activities
- System-generated audit logs corroborating manual documentation
- Report submission receipts from CERT-In portal or email communications
- SLA compliance reports showing historical performance against the 6-hour requirement
- Process documentation demonstrating how the organization ensures timely reporting
This documentation should be maintained in a secure, easily accessible repository to support audit readiness. Regular reviews of documentation completeness and accuracy should be conducted to ensure that evidence of compliance is always available.
Technical blueprint
Reference architecture: SIEM/SOAR + log pipelines + immutable storage
A robust technical architecture is the foundation for CERT-In compliance. The reference architecture should include:
- Distributed log collection agents deployed across all managed systems
- Log forwarding infrastructure with redundancy and failure handling
- SIEM platform for log aggregation, normalization, and correlation
- SOAR capabilities for automated incident triage and response
- Immutable storage solution for tamper-proof log retention
- Data sovereignty controls ensuring logs remain within India
- Search and retrieval mechanisms for rapid incident investigation
This architecture should be designed for scalability, reliability, and compliance with the 180-day retention requirement. Performance considerations are critical, as the system must support both real-time analysis for incident detection and historical searches for investigations.
Alerting: identity, privileged access, exfil, ransomware, outage
Effective alerting is essential for detecting reportable incidents within the timeframe required for CERT-In compliance. Key alert categories include:
- Identity-based alerts for account compromise, privilege escalation, and unauthorized access
- Privileged access monitoring for administrative account misuse and unauthorized actions
- Data exfiltration detection for unusual outbound data transfers and potential breaches
- Ransomware indicators including file encryption activities and known malware signatures
- Service availability monitoring for outages and denial of service conditions
- Network-based detection for scanning, lateral movement, and command-and-control traffic
These alerts should be tuned to balance sensitivity with precision, ensuring that potential reportable incidents are detected quickly while minimizing false positives that could overwhelm the SOC team.
Controls that reduce false positives but protect reporting windows
To manage the challenge of meeting the 6-hour reporting window while avoiding unnecessary reports, MSPs should implement:
- Multi-stage alert validation with automated enrichment of initial detections
- Baseline-aware detection that considers normal patterns for each environment
- Correlation rules that combine multiple indicators to reduce false positives
- Machine learning-based anomaly detection to identify unusual behaviors
- Automated playbooks for initial triage and evidence collection
- Risk-based prioritization to focus analyst attention on the most critical alerts
These controls should be continuously refined based on performance metrics and lessons learned from both real incidents and exercises. The goal is to create a detection and triage process that reliably identifies reportable incidents while filtering out false positives, all within a timeframe that allows for proper analysis and reporting within the 6-hour window.
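The multi-stage validation, baseline-aware enrichment and risk-based prioritization described above can be shown end to end on a handful of log lines. The following is an added example, not detection content from the article or from Opsio: stage 1 is a raw correlation rule (several failed logons followed by a success for the same user and source), stage 2 enriches each candidate against a per-user baseline of known source addresses and looks for privileged activity shortly after the logon, and stage 3 scores the result so only high-risk candidates are escalated toward the reporting decision. The log format, the baseline, the thresholds and all addresses are constructed assumptions.

```python
"""Multi-stage alert validation over constructed authentication logs.

Added example, not the article's own detection content.  Stage 1 is a raw
rule (several failed logons followed by a success for the same user and
source); stage 2 enriches each candidate against a per-user baseline of
known source addresses and looks for privileged activity shortly after the
logon; stage 3 scores the result so only high-risk candidates are escalated
toward the 6-hour reporting decision.  Log format, baseline, thresholds and
addresses are all constructed assumptions.
"""
import re
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                     # assumption: failures before a success that trip stage 1
FAIL_WINDOW = timedelta(minutes=10)    # assumption: look-back for failures
PRIV_WINDOW = timedelta(minutes=15)    # assumption: look-ahead for privileged activity
ESCALATE_AT = 3                        # assumption: score at/above which a human is paged

# Constructed sample lines in a key=value format; not a real product's log format.
SAMPLE_LOGS = """\
2026-01-05T09:00:01Z auth host=vm-12 user=alice src=10.1.4.20 result=FAIL
2026-01-05T09:00:05Z auth host=vm-12 user=bob src=198.51.100.7 result=FAIL
2026-01-05T09:00:09Z auth host=vm-12 user=bob src=198.51.100.7 result=FAIL
2026-01-05T09:00:14Z auth host=vm-12 user=bob src=198.51.100.7 result=FAIL
2026-01-05T09:00:20Z auth host=vm-12 user=bob src=198.51.100.7 result=FAIL
2026-01-05T09:00:40Z auth host=vm-12 user=bob src=198.51.100.7 result=SUCCESS
2026-01-05T09:01:10Z sudo host=vm-12 user=bob cmd="/usr/bin/passwd root"
2026-01-05T09:05:00Z auth host=vm-12 user=alice src=10.1.4.20 result=SUCCESS
"""

# Constructed baseline: source addresses previously seen for each user.
BASELINE = {"alice": {"10.1.4.20"}, "bob": {"10.1.4.33"}}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    ts_text, kind, rest = line.split(" ", 2)
    event = {"ts": datetime.fromisoformat(ts_text.replace("Z", "+00:00")), "kind": kind}
    for key, value in _KV.findall(rest):
        event[key] = value.strip('"')
    return event


def stage1_candidates(events: list) -> list:
    """Successful logon preceded by >= FAIL_THRESHOLD failures (same user, same source)."""
    out = []
    for ev in events:
        if ev["kind"] != "auth" or ev.get("result") != "SUCCESS":
            continue
        fails = [e for e in events
                 if e["kind"] == "auth" and e.get("result") == "FAIL"
                 and e["user"] == ev["user"] and e["src"] == ev["src"]
                 and ev["ts"] - FAIL_WINDOW <= e["ts"] < ev["ts"]]
        if len(fails) >= FAIL_THRESHOLD:
            out.append({"user": ev["user"], "src": ev["src"], "host": ev["host"],
                        "noticed_at": ev["ts"], "failures": len(fails)})
    return out


def stage2_enrich(candidate: dict, events: list) -> dict:
    """Add baseline and privileged-activity context; mutates and returns the candidate."""
    candidate["new_source"] = candidate["src"] not in BASELINE.get(candidate["user"], set())
    candidate["priv_after"] = any(
        e["kind"] == "sudo" and e["user"] == candidate["user"] and e["host"] == candidate["host"]
        and candidate["noticed_at"] <= e["ts"] <= candidate["noticed_at"] + PRIV_WINDOW
        for e in events)
    return candidate


def stage3_score(candidate: dict) -> dict:
    """Risk-based prioritization: unknown source adds 1, privileged follow-up adds 2."""
    score = 1 + (1 if candidate["new_source"] else 0) + (2 if candidate["priv_after"] else 0)
    candidate["score"] = score
    candidate["action"] = "escalate" if score >= ESCALATE_AT else "analyst review"
    return candidate


def run_pipeline(log_text: str) -> list:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [stage3_score(stage2_enrich(c, events)) for c in stage1_candidates(events)]


if __name__ == "__main__":
    for finding in run_pipeline(SAMPLE_LOGS):
        print(finding)
```

The `noticed_at` value carried on each escalated candidate is the timestamp the SOC should record as the start of the reporting clock, which is why it is captured at stage 1 rather than when an analyst first opens the ticket.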
Compliance evidence pack
Incident Response SOP aligned to CERT-In
A comprehensive Incident Response Standard Operating Procedure (SOP) is essential for CERT-In compliance. This document should include:
- Incident classification framework aligned with CERT-In reportable incident categories
- Detection and triage procedures with clear responsibilities and timelines
- Escalation paths for potential reportable incidents
- Analysis and validation workflows with decision criteria
- Reporting procedures including templates and submission methods
- Post-incident activities including documentation and lessons learned
- Contact information for CERT-In and other relevant authorities
The SOP should emphasize the 6-hour reporting requirement and include process flows that ensure this timeline can be met consistently. It should be regularly reviewed and updated based on changes to CERT-In requirements, lessons from incidents, and feedback from exercises.
Log retention policy and system design note
A formal Log Retention Policy and accompanying System Design Note should document the approach to meeting the 180-day retention requirement. These documents should cover:
- Scope of log collection identifying all systems subject to the requirement
- Log types and formats to be collected from each system
- Collection mechanisms and transport security
- Storage architecture including capacity planning and scaling
- Retention periods and deletion procedures
- Access controls and audit logging for the log repository
- Backup and recovery procedures for the log management system
- Data sovereignty controls ensuring logs remain within India
The System Design Note should provide technical details on the implementation, including component specifications, data flows, and security controls. This documentation serves both as an operational reference and as evidence of compliance during audits.
Time sync policy + monitoring report
A Time Synchronization Policy and accompanying Monitoring Report template should document the approach to meeting the NTP synchronization requirement. These documents should include:
- NTP server architecture with primary and secondary time sources
- Traceability documentation showing alignment with NIC or NPL time sources
- Configuration standards for different system types
- Monitoring approach including metrics and thresholds
- Alerting procedures for synchronization issues
- Remediation workflows for addressing time drift
- Reporting templates showing compliance status across the environment
The Monitoring Report should provide a snapshot of time synchronization status across the environment, highlighting any systems that are out of compliance and documenting remediation actions. This report should be generated regularly to demonstrate ongoing compliance with the time synchronization requirement.
FAQs
Is the 6-hour clock from detection or confirmation?
The 6-hour reporting timeline begins from the point of detection or notification of the incident, not from the point of confirmation. This interpretation is based on the language in the CERT-In Directions, which states that organizations must report "within 6 hours of noticing such incidents or being brought to notice about such incidents."
This means that MSPs must establish efficient triage and validation processes to quickly determine whether a detected event constitutes a reportable incident. While thorough analysis is important to avoid unnecessary reports, the process must be designed to complete within the 6-hour window, even for complex incidents.
Best practice is to implement a staged approach where initial detection triggers immediate triage, followed by rapid validation and escalation for potential reportable incidents. The final determination and report preparation should be completed with enough margin to ensure submission within the 6-hour window.
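The staged approach just described, and the "Proving response time" evidence discussed earlier, can both be produced from the same ticket data. The script below is an added example, not the article's or Opsio's tooling: it starts the clock at the moment the incident was noticed or brought to notice, applies internal checkpoints for triage, validation and submission (the checkpoint budgets are this example's own assumptions), and summarises a set of tickets into the kind of SLA report an auditor would ask for. The two tickets are constructed, with timestamps deliberately mixed between IST and UTC to show that the arithmetic is done in UTC.

```python
"""6-hour reporting clock with staged checkpoints and an SLA evidence summary.

Added example, not part of the original article.  The clock starts at the
moment the incident was noticed or brought to notice (the FAQ's reading of
the Directions), not at confirmation.  The internal checkpoints (triage,
validation, submission target with a safety margin) are this example's own
assumptions; the ticket data below is constructed, with timestamps in IST and
UTC to show that all arithmetic is done in UTC.
"""
from datetime import datetime, timedelta, timezone

REPORTING_WINDOW = timedelta(hours=6)
# Assumed internal checkpoints measured from noticed_at.
CHECKPOINTS = {
    "triage_done": timedelta(hours=1),
    "validated": timedelta(hours=3),
    "report_submitted": timedelta(hours=5),   # leaves a 1-hour margin before the deadline
}
IST = timezone(timedelta(hours=5, minutes=30))


def evaluate_ticket(ticket: dict) -> dict:
    """Compute deadline, time-to-report and checkpoint breaches for one ticket."""
    noticed = ticket["noticed_at"].astimezone(timezone.utc)
    deadline = noticed + REPORTING_WINDOW
    submitted = ticket.get("report_submitted")
    result = {
        "id": ticket["id"],
        "noticed_via": ticket["noticed_via"],
        "deadline_utc": deadline.isoformat(),
        "time_to_report_min": None,
        "met": False,
        "breached_checkpoints": [],
    }
    for name, budget in CHECKPOINTS.items():
        when = ticket.get(name)
        if when is None or when.astimezone(timezone.utc) > noticed + budget:
            result["breached_checkpoints"].append(name)
    if submitted is not None:
        ttr = submitted.astimezone(timezone.utc) - noticed
        result["time_to_report_min"] = int(ttr.total_seconds() // 60)
        result["met"] = submitted.astimezone(timezone.utc) <= deadline
    return result


def sla_summary(tickets: list) -> dict:
    rows = [evaluate_ticket(t) for t in tickets]
    met = sum(1 for r in rows if r["met"])
    return {
        "total": len(rows),
        "met": met,
        "met_pct": round(100.0 * met / len(rows), 1) if rows else 0.0,
        "tickets": rows,
    }


# Constructed tickets.
SAMPLE_TICKETS = [
    {   # detected by the SOC overnight; every checkpoint inside budget
        "id": "INC-0001",
        "noticed_via": "SIEM alert",
        "noticed_at": datetime(2026, 1, 5, 23, 10, tzinfo=IST),
        "triage_done": datetime(2026, 1, 5, 23, 40, tzinfo=IST),
        "validated": datetime(2026, 1, 6, 1, 30, tzinfo=IST),
        "report_submitted": datetime(2026, 1, 6, 3, 30, tzinfo=IST),
    },
    {   # brought to notice by a customer e-mail; every checkpoint missed, submitted late
        "id": "INC-0002",
        "noticed_via": "customer e-mail",
        "noticed_at": datetime(2026, 1, 7, 8, 0, tzinfo=timezone.utc),
        "triage_done": datetime(2026, 1, 7, 9, 30, tzinfo=timezone.utc),
        "validated": datetime(2026, 1, 7, 12, 0, tzinfo=timezone.utc),
        "report_submitted": datetime(2026, 1, 7, 14, 45, tzinfo=timezone.utc),
    },
]


if __name__ == "__main__":
    print(sla_summary(SAMPLE_TICKETS))
```

Because each checkpoint breach is recorded separately, a late report can be traced to the stage that consumed the budget (in the second ticket, triage already ran half an hour over), which is the input the post-incident review and the tabletop programme need.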
What logs count, and what's the minimum retention design?
The CERT-In Directions require retention of "all logs of all ICT systems" for a period of 180 days within Indian jurisdiction. This broad language encompasses a wide range of log types, including:
- System logs (operating system events, authentication, authorization)
- Application logs (web servers, databases, business applications)
- Security logs (firewalls, IDS/IPS, endpoint protection)
- Network logs (routers, switches, load balancers)
- Cloud service logs (infrastructure, platform, and software services)
The minimum retention design should include:
- Centralized log collection infrastructure with agents or forwarders on all systems
- Tiered storage architecture balancing performance and cost
- Tamper-evident controls to prevent unauthorized modification
- Access controls restricting who can view or manage logs
- Search and retrieval capabilities for incident investigation
- Data sovereignty controls ensuring logs remain within India
Organizations should implement a risk-based approach to log verbosity, capturing detailed logs for critical systems while implementing more selective logging for lower-risk systems, all while ensuring that security-relevant events are consistently captured across the environment.
How do we handle multi-tenant MSP logging and customer data separation?
Multi-tenant environments present unique challenges for CERT-In compliance, particularly around log management and incident reporting. Best practices for managing these challenges include:
- Logical separation of logs using tenant identifiers or separate log stores
- Role-based access controls restricting visibility to authorized personnel
- Clear contractual language defining responsibilities for incident reporting
- Customer notification procedures for incidents affecting their environments
- Tenant-aware incident response processes that respect data separation
MSPs should implement technical controls that maintain separation between tenant data while still enabling efficient log collection and analysis. This typically involves tagging logs with tenant identifiers at the point of collection and enforcing access controls throughout the log management lifecycle.
Service agreements should clearly define the roles and responsibilities of the MSP and the customer in meeting CERT-In requirements, particularly around incident reporting and log retention. These agreements should address scenarios where incidents affect multiple tenants and establish protocols for coordinating responses while maintaining appropriate separation.
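Tagging at the point of collection and enforcing tenant scope throughout the lifecycle, as the two paragraphs above describe, looks like this in code. The following is an added example and not the article's or Opsio's implementation: a collector stamps every record with a tenant identifier taken from an asset inventory and refuses events from hosts it cannot attribute, and the store's search checks that the caller holds a role for the tenant in question, while a cross-tenant SOC role receives results grouped per tenant so that customer notification stays separate. The inventory, the principals and roles, and the log lines are constructed assumptions.

```python
"""Tenant tagging at collection time plus tenant-scoped access control.

Added example (not from the original article): a collector that stamps every
record with a tenant identifier derived from an asset inventory and refuses
events from hosts it cannot attribute; a store whose search enforces that the
caller holds a role for the tenant in question, while a cross-tenant SOC role
gets results grouped per tenant so customer notification stays separate.
Inventory, roles and log lines are constructed assumptions.
"""
from collections import defaultdict

# Constructed asset inventory: host -> tenant.  In practice fed from the CMDB.
HOST_TENANT = {"web-a1": "tenant-a", "db-a1": "tenant-a", "web-b1": "tenant-b"}

# Constructed principals: who holds a role for which tenant.
# "*" denotes the MSP's cross-tenant SOC role.
PRINCIPALS = {
    "analyst-a": {"tenant-a"},
    "analyst-b": {"tenant-b"},
    "soc-lead": {"*"},
}


class UnattributedHostError(ValueError):
    """Raised when an event cannot be mapped to a tenant; it must not be stored untagged."""


class TenantLogStore:
    def __init__(self):
        self._records = []

    def ingest(self, host: str, message: str) -> dict:
        tenant = HOST_TENANT.get(host)
        if tenant is None:
            raise UnattributedHostError(f"host {host!r} not in inventory")
        record = {"tenant": tenant, "host": host, "message": message}
        self._records.append(record)
        return record

    def search(self, principal: str, needle: str, tenant=None) -> dict:
        """Return {tenant: [records]} the principal may see, filtered by substring `needle`."""
        scopes = PRINCIPALS.get(principal, set())
        cross_tenant = "*" in scopes
        if tenant is not None and not cross_tenant and tenant not in scopes:
            raise PermissionError(f"{principal} has no role for {tenant}")
        grouped = defaultdict(list)
        for r in self._records:
            if tenant is not None and r["tenant"] != tenant:
                continue
            if not cross_tenant and r["tenant"] not in scopes:
                continue
            if needle in r["message"]:
                grouped[r["tenant"]].append(r)
        return dict(grouped)


def demo() -> dict:
    """Ingest a few constructed events and exercise the three access paths."""
    store = TenantLogStore()
    store.ingest("web-a1", "ransom note dropped: README_DECRYPT.txt")   # constructed
    store.ingest("db-a1", "backup job completed")
    store.ingest("web-b1", "ransom note dropped: README_DECRYPT.txt")   # constructed
    try:
        store.ingest("unknown-99", "should be rejected")
        rejected = False
    except UnattributedHostError:
        rejected = True
    try:
        store.search("analyst-a", "ransom", tenant="tenant-b")
        cross_denied = False
    except PermissionError:
        cross_denied = True
    a_view = store.search("analyst-a", "ransom")              # implicitly scoped to tenant-a
    lead_view = store.search("soc-lead", "ransom")            # grouped across tenants
    return {
        "rejected_unknown_host": rejected,
        "cross_tenant_denied": cross_denied,
        "analyst_a_tenants": sorted(a_view),
        "lead_tenants": sorted(lead_view),
        "lead_hits": sum(len(v) for v in lead_view.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Refusing unattributed events is the important design choice: a record that lands in the store without a tenant tag can neither be protected by the access check nor be reported to the right customer, so it is better to fail loudly at ingestion and fix the inventory than to accumulate untagged data.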
Expert Guidance for Your CERT-In Compliance Journey
Implementing CERT-In compliance requirements involves complex technical and operational considerations. Our team of security and compliance specialists can help you design and implement a comprehensive CERT-In compliance program tailored to your MSP environment. Contact us today for a consultation on your specific compliance needs.
Conclusion
The CERT-In Directions 2022 represent a significant evolution in India's cybersecurity regulatory landscape, imposing specific and time-sensitive requirements on MSPs and other service providers. Successfully implementing these requirements demands a combination of technical infrastructure, operational processes, and organizational readiness.
By establishing robust incident detection and reporting capabilities, implementing comprehensive log management solutions, ensuring accurate time synchronization, and maintaining appropriate documentation, MSPs can achieve compliance while enhancing their overall security posture. These capabilities not only satisfy regulatory requirements but also improve the MSP's ability to protect both their own environment and those of their clients.
As the regulatory landscape continues to evolve, MSPs that establish strong foundations for CERT-In compliance will be well-positioned to adapt to new requirements and maintain the trust of their clients. By treating compliance as an opportunity to enhance security capabilities rather than simply a regulatory burden, MSPs can derive strategic value from their compliance investments.
About the Author

Country Manager, India at Opsio
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.