CERT-In Directions 2026: MSP Compliance Checklist (India)


December 31, 2025 | 10:19 AM




    For Managed Service Providers operating in India, the CERT-In Directions 2022 represent a significant shift in cybersecurity compliance requirements. These directives mandate specific operational practices around incident reporting, log retention, and security monitoring that directly impact how MSPs design and deliver their services. With strict timelines for implementation and substantial penalties for non-compliance, understanding and operationalizing these requirements has become a critical priority for service providers across the technology landscape.

    What the CERT-In Directions are (and who must comply)

    [Image: CERT-In Directions 2022 Framework: Key Compliance Areas for MSPs]

    The CERT-In (Indian Computer Emergency Response Team) Directions 2022, issued on April 28, 2022, under Section 70B of the Information Technology Act, 2000, establish mandatory cybersecurity incident reporting and information security practices for a wide range of entities operating in India. These directions significantly expand the scope and specificity of cybersecurity compliance requirements.

    The directives apply to a broad spectrum of organizations, including:

    • Service providers (including Managed Service Providers)
    • Intermediaries
    • Data centers
    • Body corporates
    • Virtual private server (VPS) providers
    • Cloud service providers
    • Virtual private network service (VPN) providers
    • Virtual asset service providers
    • Virtual asset exchange providers
    • Custodian wallet providers
    • Government organizations

    For Managed Service Providers specifically, these directions create both compliance obligations and new service opportunities. MSPs must not only ensure their own operations comply with the directives but also help their clients implement compliant security practices. This dual responsibility makes understanding the technical and operational requirements especially critical.

    The directives are legally binding under Indian law, with non-compliance potentially resulting in penalties under the IT Act. For MSPs, this creates both a compliance imperative and a strategic opportunity to develop and deliver CERT-In compliance services to clients who fall within the scope of these requirements.

    The 5 operational requirements MSPs must engineer for

    1. Incident reporting timelines and escalation design

    The most time-sensitive requirement in the CERT-In Directions is the mandatory 6-hour incident reporting timeline. MSPs must design their security operations to detect, validate, and report cybersecurity incidents to CERT-In within this narrow window. This requires:

    • Incident detection capabilities that operate 24×7 across all managed environments
    • Clear incident classification criteria to identify reportable events
    • Defined escalation paths with designated decision-makers authorized to trigger reports
    • Templated reporting mechanisms that can be quickly populated with incident details
    • Multi-tenant reporting processes that clarify responsibilities between MSPs and their clients

    Reportable incidents include targeted scanning of critical systems, compromised critical systems, unauthorized access to IT systems, website defacements, malware deployments, identity theft, phishing attacks, DDoS, ransomware incidents, and data breaches. MSPs must establish clear criteria for each category to ensure consistent reporting.
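As an added illustration of the reporting clock and classification criteria described above (example code written for this article, not part of the original post or any CERT-In tooling), the following Python turns a triage category into a reportable/not-reportable decision and computes the 6-hour deadline from the moment of noticing, expressed in IST for the on-call approver. The category mapping, ticket identifiers and timestamps are constructed; the clock interpretation follows the FAQ at the end of this article (clock starts at noticing or notification, not confirmation).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical mapping from SOC triage categories to the reportable incident
# types listed above. Constructed for this example; substitute your SOP's matrix.
REPORTABLE_CATEGORIES = {
    "targeted_scan_critical": "targeted scanning of critical systems",
    "critical_system_compromise": "compromised critical systems",
    "unauthorized_access": "unauthorized access to IT systems",
    "defacement": "website defacement",
    "malware": "malware deployment",
    "identity_theft": "identity theft",
    "phishing": "phishing attack",
    "ddos": "DDoS",
    "ransomware": "ransomware incident",
    "data_breach": "data breach",
}

REPORT_WINDOW = timedelta(hours=6)
IST = timezone(timedelta(hours=5, minutes=30), "IST")


@dataclass
class Incident:
    ticket_id: str
    category: str
    noticed_at: datetime                    # first noticed or notified (tz-aware)
    reported_at: Optional[datetime] = None  # when the report was submitted


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp and insist on an explicit UTC offset."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value}")
    return ts


def make_incident(ticket_id: str, category: str, noticed: str,
                  reported: Optional[str] = None) -> Incident:
    return Incident(ticket_id, category, parse_ts(noticed),
                    parse_ts(reported) if reported else None)


def is_reportable(category: str) -> bool:
    return category in REPORTABLE_CATEGORIES


def report_deadline(incident: Incident) -> datetime:
    # The clock starts when the incident is noticed (or notified),
    # not when analysis confirms it.
    return incident.noticed_at + REPORT_WINDOW


def deadline_ist(incident: Incident) -> str:
    """Deadline as the on-call approver will read it, in Indian Standard Time."""
    return report_deadline(incident).astimezone(IST).strftime("%Y-%m-%d %H:%M %Z")


def margin_minutes(incident: Incident, now: str) -> int:
    """Minutes left before the deadline; negative once it has passed."""
    delta = report_deadline(incident) - parse_ts(now)
    return int(delta.total_seconds() // 60)


def report_status(incident: Incident, now: str) -> str:
    """Ticket state for the SLA dashboard."""
    if not is_reportable(incident.category):
        return "not_reportable"
    deadline = report_deadline(incident)
    if incident.reported_at is not None:
        return "reported_on_time" if incident.reported_at <= deadline else "reported_late"
    return "open" if parse_ts(now) < deadline else "overdue"


if __name__ == "__main__":
    inc = make_incident("INC-1001", "ransomware", "2025-01-10T08:00:00+00:00")
    print(inc.ticket_id, deadline_ist(inc), report_status(inc, "2025-01-10T13:00:00+00:00"))
```

Rejecting naive timestamps is deliberate: a SIEM exporting UTC and a ticketing tool storing IST will otherwise disagree by five and a half hours, which is most of the reporting window.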

    2. Log retention architecture (central log store + tamper controls)

    The CERT-In Directions mandate maintaining logs of all ICT systems for a rolling period of 180 days within Indian jurisdiction. This requirement necessitates a robust log management architecture that includes:

    • Comprehensive log collection from all ICT systems (servers, network devices, security tools, applications)
    • Centralized log storage with appropriate capacity planning for 180 days of retention
    • Tamper-evident controls to prevent unauthorized modification of stored logs
    • Data sovereignty compliance ensuring logs are stored within India
    • Log format standardization to facilitate analysis and investigation
    • Access controls restricting who can view, modify, or delete logs

    MSPs must design their log retention architecture to balance performance, storage costs, and compliance requirements. This typically involves a tiered approach with hot storage for recent logs and cold storage for older logs, all while maintaining searchability and integrity throughout the 180-day retention period.
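The tamper-evident control and the 180-day rolling window above can be demonstrated with a small hash chain, added here as an example (not code from the original article or from any particular SIEM product). Each stored entry commits to its sequence number, the previous entry's hash and the canonical JSON of the record, so editing or deleting an entry in the middle breaks verification. The 30-day hot-tier boundary and the sample records are assumptions for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64
RETENTION_DAYS = 180   # mandated rolling retention window
HOT_DAYS = 30          # assumed hot-tier window; a design choice, not a mandate


def _digest(seq: int, prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes identically; the sequence
    # number and previous hash bind each entry to its position in the chain.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(f"{seq}:{prev_hash}:".encode() + payload).hexdigest()


def append_record(chain: list, record: dict) -> dict:
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _digest(seq, prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, anchored_head=None):
    """Return (ok, first_bad_seq).

    anchored_head is the latest hash as recorded out-of-band (for example in a
    WORM bucket or an incident ticket); without it, quietly dropping the newest
    entries leaves a shorter chain that still verifies."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if entry["hash"] != _digest(i, prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)
    return True, None


def retention_tier(record_ts: str, now: str) -> str:
    """hot / cold / expired within the 180-day rolling window (ISO-8601, tz-aware)."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(record_ts)
    if age < timedelta(days=HOT_DAYS):
        return "hot"
    if age < timedelta(days=RETENTION_DAYS):
        return "cold"
    return "expired"


def build_sample_chain() -> list:
    # Constructed sample records, not real log data.
    chain = []
    for seq, msg in enumerate(["sshd: session opened for admin",
                               "sudo: admin ran systemctl restart nginx",
                               "sshd: session closed for admin"]):
        append_record(chain, {"ts": f"2025-01-10T08:0{seq}:00+05:30",
                              "host": "web-01", "msg": msg})
    return chain
```

The anchored head is the part that is easy to forget: a hash chain proves that nothing inside it was altered, but only an externally recorded head hash (or a WORM/object-lock store) proves that the tail was not truncated.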

    3. Time synchronization (NTP design and monitoring)

    The CERT-In Directions require all ICT systems to be synchronized to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to these agencies. This requirement demands:

    • NTP server architecture with primary and secondary time sources
    • Configuration management to ensure all systems point to compliant time sources
    • Continuous monitoring of time synchronization status across all managed systems
    • Drift detection and alerting to identify systems that fall out of synchronization
    • Documentation of time source traceability to demonstrate compliance

    Accurate time synchronization is critical for security operations, as it ensures that logs from different systems can be correlated during incident investigation. MSPs must implement robust time synchronization architectures and monitoring to maintain compliance and support effective security operations.

    4. Customer data / subscriber info handling (contract + process)

    The CERT-In Directions impose specific requirements for handling customer information, particularly for VPN, VPS, cloud service, and virtual asset service providers. While the applicability varies by service type, MSPs must establish:

    • Know Your Customer (KYC) processes appropriate to the services provided
    • Customer information collection and validation workflows
    • Secure storage of subscriber information with appropriate access controls
    • Data retention policies aligned with the 5-year requirement for certain service types
    • Contract clauses that address information collection, retention, and disclosure requirements

    MSPs must review their service offerings to determine which aspects trigger the enhanced KYC and information retention requirements. Service contracts and privacy notices should be updated to reflect these requirements while maintaining compliance with data protection regulations.

    5. Evidence retention (tickets, incident forms, case timelines)

    Beyond the specific requirements for log retention, MSPs must establish comprehensive evidence retention practices to demonstrate compliance with the CERT-In Directions. This includes:

    • Incident ticket documentation with complete chronologies of detection and response
    • Copies of submitted incident reports with timestamps of submission
    • Records of communication with CERT-In and other authorities
    • System configuration documentation demonstrating compliance with time synchronization requirements
    • Audit logs of access to security systems and log repositories

    This documentation serves as evidence of compliance during audits and investigations. MSPs should implement secure, searchable repositories for compliance documentation with appropriate retention policies and access controls.

    “CERT-In-ready SOC” — runbooks and staffing

    To meet the 6-hour reporting requirement consistently, MSPs must establish a Security Operations Center (SOC) with specific capabilities and processes designed for CERT-In compliance. The key elements are described below.

    On-call model, severity matrix, and reporting authority

    A CERT-In-ready SOC requires a well-defined operational model that ensures continuous monitoring and rapid response:

    • 24×7 coverage model with clear shift handover procedures
    • Tiered analyst structure with escalation paths for potential reportable incidents
    • Severity classification matrix that aligns with CERT-In reportable incident categories
    • Decision authority framework designating who can authorize CERT-In reports
    • SLA tracking mechanisms to monitor time-to-report metrics

    The severity matrix should clearly define criteria for each incident type, helping analysts quickly determine whether an event meets the reporting threshold. The decision authority framework should designate specific roles authorized to approve and submit reports to CERT-In, ensuring that reports can be sent within the 6-hour window even during non-business hours.

    Tabletop exercises

    Regular testing of incident response and reporting procedures is essential to ensure readiness for actual incidents:

    • Quarterly tabletop exercises simulating different reportable incident scenarios
    • Role-specific training for all SOC team members on CERT-In requirements
    • Cross-functional exercises involving technical teams, management, and legal/compliance
    • Scenario-based testing of detection, analysis, and reporting workflows
    • Post-exercise reviews to identify and address process gaps

    These exercises should test the end-to-end incident response process, from initial detection through analysis, decision-making, and report preparation. Scenarios should cover various incident types specified in the CERT-In Directions, with particular attention to complex scenarios that test the limits of the 6-hour reporting window.

    Proving response time

    MSPs must maintain comprehensive documentation to demonstrate compliance with the 6-hour reporting requirement during audits or investigations:

    • Timestamped incident records documenting detection, analysis, and reporting activities
    • System-generated audit logs corroborating manual documentation
    • Report submission receipts from the CERT-In portal or email acknowledgements
    • SLA compliance reports showing historical performance against the 6-hour requirement
    • Process documentation demonstrating how the organization ensures timely reporting

    This documentation should be maintained in a secure, easily accessible repository to support audit readiness. Regular reviews of documentation completeness and accuracy should be conducted to ensure that evidence of compliance is always available.
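To show what "system-generated audit logs corroborating manual documentation" looks like in practice, here is an added example (not from the original article) that evaluates a set of incident tickets against SIEM alert-creation timestamps and portal submission receipts, computes time-to-report, and builds the historical SLA figure an auditor would ask for. The tickets, audit entries and the 5-minute corroboration tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)
TOLERANCE = timedelta(minutes=5)   # assumed: max gap tolerated between ticket and system times

# Constructed sample evidence. Ticket fields are what analysts typed; the audit
# entries stand in for SIEM alert-creation logs and portal submission receipts.
TICKETS = [
    {"ticket": "INC-2001", "noticed": "2025-02-01T02:10:00+05:30", "reported": "2025-02-01T06:45:00+05:30"},
    {"ticket": "INC-2002", "noticed": "2025-02-03T14:00:00+05:30", "reported": "2025-02-03T21:30:00+05:30"},
    {"ticket": "INC-2003", "noticed": "2025-02-05T09:00:00+05:30", "reported": "2025-02-05T12:00:00+05:30"},
]
AUDIT = {
    "INC-2001": {"alert_created": "2025-02-01T02:08:30+05:30", "submission_receipt": "2025-02-01T06:45:10+05:30"},
    "INC-2002": {"alert_created": "2025-02-03T13:20:00+05:30", "submission_receipt": "2025-02-03T21:30:05+05:30"},
    "INC-2003": {"alert_created": "2025-02-05T09:01:00+05:30", "submission_receipt": None},
}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def evaluate(ticket: dict, audit: dict) -> dict:
    noticed, reported = _ts(ticket["noticed"]), _ts(ticket["reported"])
    findings = []
    clock_start = noticed
    entry = audit.get(ticket["ticket"])
    if entry is None:
        findings.append("no system audit record corroborates the ticket")
    else:
        alert = _ts(entry["alert_created"])
        gap = abs(noticed - alert)
        if gap > TOLERANCE:
            findings.append(f"ticket time differs from SIEM alert by {int(gap.total_seconds() // 60)} min")
        # Conservative: an auditor will take the earliest evidence of noticing.
        clock_start = min(noticed, alert)
        if entry["submission_receipt"] is None:
            findings.append("no submission receipt on file")
    elapsed = reported - clock_start
    within = elapsed <= WINDOW
    if not within:
        findings.append("reported outside the 6-hour window")
    return {"ticket": ticket["ticket"],
            "time_to_report_h": round(elapsed.total_seconds() / 3600, 2),
            "within_window": within,
            "findings": findings}


def compliance_report(tickets: list, audit: dict) -> dict:
    rows = [evaluate(t, audit) for t in tickets]
    total = len(rows)
    on_time = sum(1 for r in rows if r["within_window"])
    return {
        "total": total,
        "within_window": on_time,
        "percent": round(100.0 * on_time / total, 1) if total else 0.0,
        "evidence_gaps": [r["ticket"] for r in rows if r["findings"]],
        "rows": rows,
    }
```

Note how INC-2002 is judged: the analyst's ticket says the incident was noticed at 14:00, but the SIEM raised the alert at 13:20, and the report is measured from the earlier time. A ticket timestamp that an auditor can contradict from your own logs is worse than no timestamp at all.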

    Technical blueprint

    Reference architecture: SIEM/SOAR + log pipelines + immutable storage

    A robust technical architecture is the foundation for CERT-In compliance. The reference architecture should include:

    • Distributed log collection agents deployed across all managed systems
    • Log forwarding infrastructure with redundancy and failure handling
    • SIEM platform for log aggregation, normalization, and correlation
    • SOAR capabilities for automated incident triage and response
    • Immutable storage solution for tamper-proof log retention
    • Data sovereignty controls ensuring logs remain within India
    • Search and retrieval mechanisms for rapid incident investigation

    This architecture should be designed for scalability, reliability, and compliance with the 180-day retention requirement. Performance considerations are critical, as the system must support both real-time analysis for incident detection and historical searches for investigations.

    Alerting: identity, privileged access, exfil, ransomware, outage

    Effective alerting is essential for detecting reportable incidents within the timeframe required for CERT-In compliance. Key alert categories include:

    • Identity-based alerts for account compromise, privilege escalation, and unauthorized access
    • Privileged access monitoring for administrative account misuse and unauthorized actions
    • Data exfiltration detection for unusual outbound data transfers and potential breaches
    • Ransomware indicators including file encryption activities and known malware signatures
    • Service availability monitoring for outages and denial of service conditions
    • Network-based detection for scanning, lateral movement, and command-and-control traffic

    These alerts should be tuned to balance sensitivity with precision, ensuring that potential reportable incidents are detected quickly while minimizing false positives that could overwhelm the SOC team.

    Controls that reduce false positives but protect reporting windows

    To manage the challenge of meeting the 6-hour reporting window while avoiding unnecessary reports, MSPs should implement:

    • Multi-stage alert validation with automated enrichment of initial detections
    • Baseline-aware detection that considers normal patterns for each environment
    • Correlation rules that combine multiple indicators to reduce false positives
    • Machine learning-based anomaly detection to identify unusual behaviors
    • Automated playbooks for initial triage and evidence collection
    • Risk-based prioritization to focus analyst attention on the most critical alerts

    These controls should be continuously refined based on performance metrics and lessons learned from both real incidents and exercises. The goal is to create a detection and triage process that reliably identifies reportable incidents while filtering out false positives, all within a timeframe that allows for proper analysis and reporting within the 6-hour window.
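The two sections above (identity alerting, and correlation plus baseline-awareness to cut false positives) can be illustrated with one small correlation rule. This is an added example written for this article, not detection content from the original post or from any vendor: it runs over constructed syslog-style authentication lines, fires only when a burst of failures against one account from one source is followed by a success from that source within a window, maps the hit to the CERT-In "unauthorized access" category, and downgrades rather than suppresses hits from a baselined source. The thresholds, addresses and the baseline set are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (syslog-style, not real data).
SAMPLE_LOG = """\
2025-01-10T08:00:01+00:00 auth user=bob src=198.51.100.7 result=fail
2025-01-10T08:00:05+00:00 auth user=bob src=198.51.100.7 result=fail
2025-01-10T08:00:09+00:00 auth user=bob src=198.51.100.7 result=fail
2025-01-10T08:00:14+00:00 auth user=bob src=198.51.100.7 result=fail
2025-01-10T08:00:20+00:00 auth user=bob src=198.51.100.7 result=fail
2025-01-10T08:03:00+00:00 auth user=bob src=198.51.100.7 result=success
2025-01-10T08:10:00+00:00 auth user=alice src=203.0.113.5 result=fail
2025-01-10T08:10:05+00:00 auth user=alice src=203.0.113.5 result=fail
2025-01-10T08:10:10+00:00 auth user=alice src=203.0.113.5 result=fail
2025-01-10T08:10:15+00:00 auth user=alice src=203.0.113.5 result=fail
2025-01-10T08:10:20+00:00 auth user=alice src=203.0.113.5 result=fail
2025-01-10T08:10:25+00:00 auth user=alice src=203.0.113.5 result=fail
2025-01-10T08:12:00+00:00 auth user=alice src=203.0.113.5 result=success
2025-01-10T09:00:00+00:00 auth user=carol src=192.0.2.9 result=fail
2025-01-10T09:00:30+00:00 auth user=carol src=192.0.2.9 result=fail
2025-01-10T10:00:00+00:00 auth user=dave src=198.51.100.8 result=fail
2025-01-10T10:00:10+00:00 auth user=dave src=198.51.100.8 result=fail
2025-01-10T10:00:20+00:00 auth user=dave src=198.51.100.8 result=fail
2025-01-10T10:00:30+00:00 auth user=dave src=198.51.100.8 result=fail
2025-01-10T10:00:40+00:00 auth user=dave src=198.51.100.8 result=fail
2025-01-10T10:25:00+00:00 auth user=dave src=198.51.100.8 result=success
"""

LINE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

# Assumed environment baseline: sources where bursts of failed logins are normal
# for this tenant (e.g. a jump host with a broken credential cache). Hits from
# them are kept for review but not escalated. Constructed values.
BASELINE_SOURCES = {"203.0.113.5"}
FAIL_THRESHOLD = 5             # assumed rule parameters
WINDOW = timedelta(minutes=10)


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def correlate(events: list) -> list:
    """Fire only when >= FAIL_THRESHOLD failures from one source against one
    account are followed, within WINDOW, by a success from the same source."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["user"])].append(e)
    alerts = []
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = []
        for e in evs:
            if e["result"] == "fail":
                fails.append(e["ts"])
                continue
            if e["result"] == "success":
                recent = [t for t in fails if e["ts"] - t <= WINDOW]
                if len(recent) >= FAIL_THRESHOLD:
                    baseline = src in BASELINE_SOURCES
                    alerts.append({
                        "rule": "failures_then_success",
                        "category": "unauthorized_access",   # CERT-In reportable type
                        "user": user, "src": src,
                        "failures_in_window": len(recent),
                        "success_at": e["ts"].isoformat(),
                        "severity": "low" if baseline else "high",
                        "escalate": not baseline,
                    })
                fails = []   # a success closes the burst
    return alerts


def noise_reduction(text: str) -> dict:
    """Raw failed-login events versus correlated alerts for the same input."""
    events = parse_events(text)
    alerts = correlate(events)
    return {"raw_failures": sum(1 for e in events if e["result"] == "fail"),
            "alerts": len(alerts),
            "escalated": sum(1 for a in alerts if a["escalate"])}
```

Eighteen raw failure events become two alerts and one escalation. The baselined source still produces a low-severity record so that the pattern remains visible in review; silently dropping it would leave the SOC blind if the baseline assumption ever stops holding.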

    Compliance evidence pack

    Incident Response SOP aligned to CERT-In

    A comprehensive Incident Response Standard Operating Procedure (SOP) is essential for CERT-In compliance. This document should include:

    • Incident classification framework aligned with CERT-In reportable incident categories
    • Detection and triage procedures with clear responsibilities and timelines
    • Escalation paths for potential reportable incidents
    • Analysis and validation workflows with decision criteria
    • Reporting procedures including templates and submission methods
    • Post-incident activities including documentation and lessons learned
    • Contact information for CERT-In and other relevant authorities

    The SOP should emphasize the 6-hour reporting requirement and include process flows that ensure this timeline can be met consistently. It should be regularly reviewed and updated based on changes to CERT-In requirements, lessons from incidents, and feedback from exercises.

    Log retention policy and system design note

    A formal Log Retention Policy and accompanying System Design Note should document the approach to meeting the 180-day retention requirement. These documents should cover:

    • Scope of log collection identifying all systems subject to the requirement
    • Log types and formats to be collected from each system
    • Collection mechanisms and transport security
    • Storage architecture including capacity planning and scaling
    • Retention periods and deletion procedures
    • Access controls and audit logging for the log repository
    • Backup and recovery procedures for the log management system
    • Data sovereignty controls ensuring logs remain within India

    The System Design Note should provide technical details on the implementation, including component specifications, data flows, and security controls. This documentation serves both as an operational reference and as evidence of compliance during audits.

    Time sync policy + monitoring report

    [Image: Time synchronization monitoring dashboard for CERT-In compliance]

    A Time Synchronization Policy and accompanying Monitoring Report template should document the approach to meeting the NTP synchronization requirement. These documents should include:

    • NTP server architecture with primary and secondary time sources
    • Traceability documentation showing alignment with NIC or NPL time sources
    • Configuration standards for different system types
    • Monitoring approach including metrics and thresholds
    • Alerting procedures for synchronization issues
    • Remediation workflows for addressing time drift
    • Reporting templates showing compliance status across the environment

    The Monitoring Report should provide a snapshot of time synchronization status across the environment, highlighting any systems that are out of compliance and documenting remediation actions. This report should be generated regularly to demonstrate ongoing compliance with the time synchronization requirement.
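For both the drift-detection requirement in section 3 and the Monitoring Report described here, the following added example (written for this article; not code from the original post, from chrony, or from NIC/NPL) parses the text that `chronyc tracking` prints on a Linux host, checks that the host is synchronised, that its reference source is on the approved traceable list and that its offset is within threshold, and rolls the per-host results into the summary a monitoring report needs. The approved-source hostnames are placeholders, not NIC's or NPL's actual servers, the 100 ms threshold is an assumed policy value, and both `chronyc` outputs are constructed.

```python
import re

# Assumed approved sources: placeholders, NOT NIC's or NPL's real hostnames.
# Replace with the servers named in your traceability record.
APPROVED_SOURCES = {"ntp1.nic-traceable.example.in", "ntp2.npl-traceable.example.in"}
MAX_OFFSET_SECONDS = 0.1   # assumed alert threshold; set it from your policy

_FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")

# Constructed `chronyc tracking` outputs for two managed hosts.
SAMPLE_OK = """\
Reference ID    : C0A80001 (ntp1.nic-traceable.example.in)
Stratum         : 2
Ref time (UTC)  : Fri Jan 10 08:00:00 2025
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000050000 seconds
RMS offset      : 0.000100000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.050 ppm
Root delay      : 0.010000000 seconds
Root dispersion : 0.005000000 seconds
Update interval : 64.0 seconds
Leap status     : Normal
"""

SAMPLE_BAD = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 12.345678901 seconds slow of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""


def parse_tracking(output: str) -> dict:
    """Flatten `chronyc tracking` text into a field -> value dict."""
    fields = {}
    for line in output.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def source_name(fields: dict) -> str:
    # "Reference ID : C0A80001 (host)" -> "host"; empty when unsynchronised.
    m = re.search(r"\((.*?)\)", fields.get("Reference ID", ""))
    return m.group(1) if m else ""


def system_offset(fields: dict) -> float:
    # "System time : 0.000123 seconds fast of NTP time" -> +0.000123
    m = re.match(r"([\d.]+) seconds (fast|slow)", fields.get("System time", ""))
    if not m:
        return float("inf")   # unparseable is treated as out of tolerance
    value = float(m.group(1))
    return value if m.group(2) == "fast" else -value


def check_host(hostname: str, output: str) -> dict:
    fields = parse_tracking(output)
    src, offset = source_name(fields), system_offset(fields)
    findings = []
    if fields.get("Leap status") != "Normal":
        findings.append("not synchronised")
    if src not in APPROVED_SOURCES:
        findings.append(f"source '{src or 'none'}' is not an approved NIC/NPL-traceable server")
    if abs(offset) > MAX_OFFSET_SECONDS:
        findings.append(f"offset {offset:+.3f}s exceeds {MAX_OFFSET_SECONDS}s")
    return {"host": hostname, "source": src, "offset_s": offset,
            "stratum": fields.get("Stratum"), "compliant": not findings,
            "findings": findings}


def monitoring_summary(results: list) -> dict:
    """Roll-up for the periodic Monitoring Report."""
    bad = [r["host"] for r in results if not r["compliant"]]
    return {"total": len(results), "compliant": len(results) - len(bad),
            "noncompliant_hosts": bad}
```

In a fleet you would collect the `chronyc tracking` output through your configuration management or agent and feed each host's text to `check_host`; the per-host findings double as the remediation work list, and the summary is the compliance snapshot the report requires.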

    FAQs

    [Image: Frequently asked questions about CERT-In compliance for MSPs]

    Is the 6-hour clock from detection or confirmation?

    The 6-hour reporting timeline begins from the point of detection or notification of the incident, not from the point of confirmation. This interpretation is based on the language in the CERT-In Directions, which states that organizations must report “within 6 hours of noticing such incidents or being brought to notice about such incidents.”

    This means that MSPs must establish efficient triage and validation processes to quickly determine whether a detected event constitutes a reportable incident. While thorough analysis is important to avoid unnecessary reports, the process must be designed to complete within the 6-hour window, even for complex incidents.

    Best practice is to implement a staged approach where initial detection triggers immediate triage, followed by rapid validation and escalation for potential reportable incidents. The final determination and report preparation should be completed with enough margin to ensure submission within the 6-hour window.

    What logs count, and what’s the minimum retention design?

    The CERT-In Directions require retention of “all logs of all ICT systems” for a period of 180 days within Indian jurisdiction. This broad language encompasses a wide range of log types, including:

    • System logs (operating system events, authentication, authorization)
    • Application logs (web servers, databases, business applications)
    • Security logs (firewalls, IDS/IPS, endpoint protection)
    • Network logs (routers, switches, load balancers)
    • Cloud service logs (infrastructure, platform, and software services)

    The minimum retention design should include:

    • Centralized log collection infrastructure with agents or forwarders on all systems
    • Tiered storage architecture balancing performance and cost
    • Tamper-evident controls to prevent unauthorized modification
    • Access controls restricting who can view or manage logs
    • Search and retrieval capabilities for incident investigation
    • Data sovereignty controls ensuring logs remain within India

    Organizations should implement a risk-based approach to log verbosity, capturing detailed logs for critical systems while implementing more selective logging for lower-risk systems, all while ensuring that security-relevant events are consistently captured across the environment.

    How do we handle multi-tenant MSP logging and customer data separation?

    Multi-tenant environments present unique challenges for CERT-In compliance, particularly around log management and incident reporting. Best practices for managing these challenges include:

    • Logical separation of logs using tenant identifiers or separate log stores
    • Role-based access controls restricting visibility to authorized personnel
    • Clear contractual language defining responsibilities for incident reporting
    • Customer notification procedures for incidents affecting their environments
    • Tenant-aware incident response processes that respect data separation

    MSPs should implement technical controls that maintain separation between tenant data while still enabling efficient log collection and analysis. This typically involves tagging logs with tenant identifiers at the point of collection and enforcing access controls throughout the log management lifecycle.

    Service agreements should clearly define the roles and responsibilities of the MSP and the customer in meeting CERT-In requirements, particularly around incident reporting and log retention. These agreements should address scenarios where incidents affect multiple tenants and establish protocols for coordinating responses while maintaining appropriate separation.
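The tenant tagging and access enforcement described in this answer, as an added example (not code from the original article or from any log platform): records are tagged with a tenant identifier at the point of collection from an asset inventory, records that cannot be attributed are quarantined rather than entering the shared store, and every query is scoped by the analyst's RBAC grants before any data is touched. The host-to-tenant inventory, analyst names and log lines are constructed.

```python
from dataclasses import dataclass, field

# Constructed asset inventory mapping managed hosts to tenants.
HOST_TENANT = {
    "web-01.acme.internal": "tenant-acme",
    "db-01.acme.internal": "tenant-acme",
    "app-01.globex.internal": "tenant-globex",
}


@dataclass
class LogStore:
    records: list = field(default_factory=list)
    quarantine: list = field(default_factory=list)

    def ingest(self, host: str, line: str):
        """Tag at the point of collection; records that cannot be attributed
        to a tenant go to quarantine rather than into the shared store."""
        tenant = HOST_TENANT.get(host)
        if tenant is None:
            self.quarantine.append({"host": host, "line": line})
            return None
        rec = {"tenant_id": tenant, "host": host, "line": line}
        self.records.append(rec)
        return rec


@dataclass(frozen=True)
class Analyst:
    name: str
    tenants: frozenset   # tenant scopes granted through RBAC


def query(store: LogStore, analyst: Analyst, tenant_id: str, needle: str = "") -> list:
    # Enforce scope before touching data, so an out-of-scope query cannot
    # even reveal whether matching records exist.
    if tenant_id not in analyst.tenants:
        raise PermissionError(f"{analyst.name} is not authorised for {tenant_id}")
    return [r for r in store.records
            if r["tenant_id"] == tenant_id and needle in r["line"]]


def scoped_search(store: LogStore, analyst: Analyst, needle: str) -> dict:
    """Shared-infrastructure incident: search every tenant the analyst is
    authorised for and group hits by tenant, never crossing that boundary."""
    return {t: query(store, analyst, t, needle) for t in sorted(analyst.tenants)}


def build_sample_store() -> LogStore:
    # Constructed sample events, not real log data.
    store = LogStore()
    store.ingest("web-01.acme.internal", "sshd: accepted publickey for deploy")
    store.ingest("db-01.acme.internal", "postgres: connection authorized user=app")
    store.ingest("app-01.globex.internal", "sshd: accepted publickey for deploy")
    store.ingest("unknown-host.internal", "sshd: accepted publickey for deploy")
    return store
```

The quarantine path matters for the 180-day retention obligation as much as for separation: an untagged record is still a log the MSP must keep, but it must not land where another tenant's analyst could read it, so it is retained separately until the inventory is corrected.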

    Expert Guidance for Your CERT-In Compliance Journey

    Implementing CERT-In compliance requirements involves complex technical and operational considerations. Our team of security and compliance specialists can help you design and implement a comprehensive CERT-In compliance program tailored to your MSP environment. Contact us today for a consultation on your specific compliance needs.


    Conclusion

    [Image: CERT-In compliance implementation roadmap for MSPs]

    The CERT-In Directions 2022 represent a significant evolution in India’s cybersecurity regulatory landscape, imposing specific and time-sensitive requirements on MSPs and other service providers. Successfully implementing these requirements demands a combination of technical infrastructure, operational processes, and organizational readiness.

    By establishing robust incident detection and reporting capabilities, implementing comprehensive log management solutions, ensuring accurate time synchronization, and maintaining appropriate documentation, MSPs can achieve compliance while enhancing their overall security posture. These capabilities not only satisfy regulatory requirements but also improve the MSP’s ability to protect both their own environment and those of their clients.

    As the regulatory landscape continues to evolve, MSPs that establish strong foundations for CERT-In compliance will be well-positioned to adapt to new requirements and maintain the trust of their clients. By treating compliance as an opportunity to enhance security capabilities rather than simply a regulatory burden, MSPs can derive strategic value from their compliance investments.


    Praveena Shenoy - Country Manager

    Praveena Shenoy is the Country Manager for Opsio India and a recognized expert in DevOps, Managed Cloud Services, and AI/ML solutions. With deep experience in 24/7 cloud operations, digital transformation, and intelligent automation, he leads high-performing teams that deliver resilience, scalability, and operational excellence. Praveena is dedicated to helping enterprises modernize their technology landscape and accelerate growth through cloud-native methodologies and AI-driven innovations, enabling smarter decision-making and enhanced business agility.
