
CERT-In Directions 2026: MSP Compliance Checklist (India)

By Praveena Shenoy. Reviewed by Opsio Engineering Team.
For Managed Service Providers operating in India, the CERT-In Directions 2022 represent a significant shift in cybersecurity compliance requirements. These directives mandate specific operational practices around incident reporting, log retention, and security monitoring that directly impact how MSPs design and deliver their services. With strict timelines for implementation and substantial penalties for non-compliance, understanding and operationalizing these requirements has become a critical priority for service providers across the technology landscape.

What the CERT-In Directions are (and who must comply)

CERT-In Directions 2022 Framework: Key Compliance Areas for MSPs

The CERT-In (Indian Computer Emergency Response Team) Directions 2022, issued on April 28, 2022, under Section 70B of the Information Technology Act, 2000, establish mandatory cybersecurity incident reporting and information security practices for a wide range of entities operating in India. These directions significantly expand the scope and specificity of cybersecurity compliance requirements.

The directives apply to a broad spectrum of organizations, including:

  • Service providers (including Managed Service Providers)
  • Intermediaries
  • Data centers
  • Body corporates
  • Virtual private server (VPS) providers
  • Cloud service providers
  • Virtual private network service (VPN) providers
  • Virtual asset service providers
  • Virtual asset exchange providers
  • Custodian wallet providers
  • Government organizations

For Managed Service Providers specifically, these directions create both compliance obligations and new service opportunities. MSPs must not only ensure their own operations comply with the directives but also help their clients implement compliant security practices. This dual responsibility makes understanding the technical and operational requirements especially critical.

The directives are legally binding under Indian law, with non-compliance potentially resulting in penalties under the IT Act. For MSPs, this creates both a compliance imperative and a strategic opportunity to develop and deliver CERT-In compliance services to clients who fall within the scope of these requirements.

The 5 operational requirements MSPs must engineer for

1. Incident reporting timelines and escalation design

The most time-sensitive requirement in the CERT-In Directions is the mandatory 6-hour incident reporting timeline. MSPs must design their security operations to detect, validate, and report cybersecurity incidents to CERT-In within this narrow window. This requires:

  • Incident detection capabilities that operate 24×7 across all managed environments
  • Clear incident classification criteria to identify reportable events
  • Defined escalation paths with designated decision-makers authorized to trigger reports
  • Templated reporting mechanisms that can be quickly populated with incident details
  • Multi-tenant reporting processes that clarify responsibilities between MSPs and their clients

Reportable incidents include targeted scanning of critical systems, compromised critical systems, unauthorized access to IT systems, website defacements, malware deployments, identity theft, phishing attacks, DDoS, ransomware incidents, and data breaches. MSPs must establish clear criteria for each category to ensure consistent reporting.

2. Log retention architecture (central log store + tamper controls)

The CERT-In Directions mandate maintaining logs of all ICT systems for a rolling period of 180 days within Indian jurisdiction. This requirement necessitates a robust log management architecture that includes:

  • Comprehensive log collection from all ICT systems (servers, network devices, security tools, applications)
  • Centralized log storage with appropriate capacity planning for 180 days of retention
  • Tamper-evident controls to prevent unauthorized modification of stored logs
  • Data sovereignty compliance ensuring logs are stored within India
  • Log format standardization to facilitate analysis and investigation
  • Access controls restricting who can view, modify, or delete logs

MSPs must design their log retention architecture to balance performance, storage costs, and compliance requirements. This typically involves a tiered approach with hot storage for recent logs and cold storage for older logs, all while maintaining searchability and integrity throughout the 180-day retention period.
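The tamper-evident control and the rolling 180-day window described above can be demonstrated with a small hash-chained log store. This is an added example, not code from the article or from Opsio: each record carries the SHA-256 hash of its predecessor, `verify()` walks the chain and reports the first record that no longer matches, and `purge_expired()` drops records older than 180 days while keeping the retained suffix verifiable. The sample events, hostnames and the "today" date are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Indian Standard Time (UTC+05:30); timestamps are recorded in IST so that
# retention arithmetic lines up with the jurisdiction the Directions specify.
IST = timezone(timedelta(hours=5, minutes=30))
RETENTION_DAYS = 180          # rolling window from the Directions
GENESIS = "0" * 64            # previous-hash value for the very first record


class HashChainedLogStore:
    """Append-only log store whose records are linked by SHA-256 hashes.

    Every record stores the hash of the record before it, so editing or
    deleting any stored record breaks the chain at that point and is detected
    by verify(). Records are expected to be appended in chronological order.
    """

    def __init__(self):
        self.records = []      # oldest first
        self.anchor = GENESIS  # hash the first retained record must chain from
        self.last_hash = GENESIS

    @staticmethod
    def _digest(prev_hash, ts, source, message):
        # Canonical JSON so the same fields always hash the same way.
        payload = json.dumps(
            {"prev": prev_hash, "ts": ts, "source": source, "msg": message},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, source, message, ts=None):
        ts = (ts or datetime.now(IST)).isoformat()
        digest = self._digest(self.last_hash, ts, source, message)
        self.records.append(
            {"ts": ts, "source": source, "msg": message,
             "prev": self.last_hash, "hash": digest}
        )
        self.last_hash = digest
        return digest

    def verify(self):
        """Recompute every hash; return (True, None) or (False, bad_index)."""
        prev = self.anchor
        for i, r in enumerate(self.records):
            expected = self._digest(prev, r["ts"], r["source"], r["msg"])
            if r["prev"] != prev or r["hash"] != expected:
                return False, i
            prev = r["hash"]
        return True, None

    def purge_expired(self, now=None):
        """Drop records older than RETENTION_DAYS; return how many were dropped.

        The hash of the last purged record becomes the new anchor, so the
        retained suffix stays verifiable. In a real deployment the anchor (and
        periodic chain checkpoints) would be written to storage the log
        pipeline itself cannot overwrite, e.g. a WORM bucket or a separate
        signing service, so that the pipeline's own credentials cannot
        rewrite history.
        """
        now = now or datetime.now(IST)
        cutoff = now - timedelta(days=RETENTION_DAYS)
        drop = 0
        for r in self.records:
            if datetime.fromisoformat(r["ts"]) >= cutoff:
                break
            drop += 1
        if drop:
            self.anchor = self.records[drop - 1]["hash"]
            del self.records[:drop]
        return drop


if __name__ == "__main__":
    store = HashChainedLogStore()
    now = datetime(2026, 1, 15, 12, 0, tzinfo=IST)      # constructed "today"
    # Constructed sample events, not real log data.
    store.append("fw-edge-01", "deny tcp 203.0.113.7 -> 10.0.0.5:22",
                 ts=now - timedelta(days=200))
    store.append("ad-dc-01", "4625 failed logon user=svc_backup",
                 ts=now - timedelta(days=100))
    store.append("siem", "alert: mass file rename on fs-01",
                 ts=now - timedelta(days=1))
    print("chain intact:", store.verify())
    print("purged:", store.purge_expired(now=now), "record(s) older than 180 days")
    print("chain intact after purge:", store.verify())
    store.records[0]["msg"] = "tampered"
    print("chain intact after tampering:", store.verify())
```

The anchor is the detail that matters in a tiered design: when old records are moved from hot to cold storage or deleted at day 181, the verifier needs a trusted starting hash for what remains, otherwise the purge itself looks like tampering. Storing that anchor somewhere the ingestion pipeline cannot write to is what turns "hash-chained" into "tamper-evident".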

3. Time synchronization (NTP design and monitoring)

The CERT-In Directions require all ICT systems to be synchronized to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to these agencies. This requirement demands:

  • NTP server architecture with primary and secondary time sources
  • Configuration management to ensure all systems point to compliant time sources
  • Continuous monitoring of time synchronization status across all managed systems
  • Drift detection and alerting to identify systems that fall out of synchronization
  • Documentation of time source traceability to demonstrate compliance

Accurate time synchronization is critical for security operations, as it ensures that logs from different systems can be correlated during incident investigation. MSPs must implement robust time synchronization architectures and monitoring to maintain compliance and support effective security operations.
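The configuration-management and drift-detection points above can be checked mechanically. The following is an added example, not code from the article or from Opsio: it parses `server`/`pool`/`peer` directives from a chrony- or ntpd-style configuration and flags any source not on an approved list, then classifies per-host monitoring samples (offset, sync state, source, sample age) into findings. The hostnames in `APPROVED_SOURCES`, the 0.5 s threshold, the 15-minute staleness limit and the sample data are all assumptions constructed for the example; substitute the sources from your own traceability documentation.

```python
import re
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Placeholder hostnames standing in for the NIC/NPL NTP servers (or internal
# stratum-2 servers that peer with them). Replace with the approved sources
# recorded in your time-source traceability document.
APPROVED_SOURCES = {
    "ntp.nic.example",      # placeholder: NIC time source
    "ntp.npl.example",      # placeholder: NPL time source
    "ntp1.msp.internal",    # placeholder: internal stratum-2, traceable to above
    "ntp2.msp.internal",
}
MAX_OFFSET_SECONDS = 0.5                 # assumed drift alerting threshold
MAX_SAMPLE_AGE = timedelta(minutes=15)   # a stale sample is itself a finding

# Matches chrony/ntpd-style "server", "pool" and "peer" directives.
_DIRECTIVE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)


def unapproved_sources(conf_text):
    """Return configured time sources that are not on the approved list."""
    bad = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]               # drop trailing comments
        m = _DIRECTIVE.match(line)
        if m and m.group(2).lower() not in APPROVED_SOURCES:
            bad.append(m.group(2))
    return bad


def evaluate_samples(samples, now):
    """Classify per-host monitoring samples into compliance findings.

    Each sample is a dict with keys host, synced (bool), offset_s (float,
    local clock minus reference), source (str) and sampled_at (aware
    datetime). Returns a list of (host, reason) tuples; an empty list means
    every host is compliant. Checks are ordered so that the most basic
    failure is reported first.
    """
    findings = []
    for s in samples:
        if now - s["sampled_at"] > MAX_SAMPLE_AGE:
            findings.append((s["host"], "monitoring sample is stale"))
        elif not s["synced"]:
            findings.append((s["host"], "clock not synchronised"))
        elif abs(s["offset_s"]) > MAX_OFFSET_SECONDS:
            findings.append((s["host"],
                             f"offset {s['offset_s']:+.3f}s exceeds threshold"))
        elif s["source"].lower() not in APPROVED_SOURCES:
            findings.append((s["host"],
                             f"synced to unapproved source {s['source']}"))
    return findings


def monitoring_snapshot(samples, now):
    """Summary dict in the shape a periodic time-sync monitoring report needs."""
    findings = evaluate_samples(samples, now)
    flagged = {host for host, _ in findings}
    return {
        "generated_at": now.isoformat(),
        "hosts_checked": len(samples),
        "hosts_compliant": len(samples) - len(flagged),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed configuration fragment: one leftover public pool entry.
    conf = """
    server ntp1.msp.internal iburst
    pool pool.ntp.org iburst      # default left in place by the OS image
    server NTP.NIC.EXAMPLE prefer
    driftfile /var/lib/chrony/drift
    """
    print("unapproved sources:", unapproved_sources(conf))
    now = datetime(2026, 1, 15, 9, 0, tzinfo=IST)
    samples = [  # constructed monitoring feed
        {"host": "app-01", "synced": True, "offset_s": 0.012,
         "source": "ntp1.msp.internal", "sampled_at": now - timedelta(minutes=2)},
        {"host": "db-01", "synced": True, "offset_s": -1.8,
         "source": "ntp1.msp.internal", "sampled_at": now - timedelta(minutes=2)},
        {"host": "legacy-01", "synced": False, "offset_s": 0.0,
         "source": "", "sampled_at": now - timedelta(minutes=2)},
    ]
    for host, reason in evaluate_samples(samples, now):
        print(f"{host}: {reason}")
```

The staleness check is deliberate: a host whose agent has stopped reporting looks compliant if the dashboard only shows the last known offset, so a missing or old sample must surface as a finding rather than disappear from the report.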

4. Customer data / subscriber info handling (contract + process)

The CERT-In Directions impose specific requirements for handling customer information, particularly for VPN, VPS, cloud service, and virtual asset service providers. While the applicability varies by service type, MSPs must establish:

  • Know Your Customer (KYC) processes appropriate to the services provided
  • Customer information collection and validation workflows
  • Secure storage of subscriber information with appropriate access controls
  • Data retention policies aligned with the 5-year requirement for certain service types
  • Contract clauses that address information collection, retention, and disclosure requirements

MSPs must review their service offerings to determine which aspects trigger the enhanced KYC and information retention requirements. Service contracts and privacy notices should be updated to reflect these requirements while maintaining compliance with data protection regulations.

5. Evidence retention (tickets, incident forms, case timelines)

Beyond the specific requirements for log retention, MSPs must establish comprehensive evidence retention practices to demonstrate compliance with the CERT-In Directions. This includes:

  • Incident ticket documentation with complete chronologies of detection and response
  • Copies of submitted incident reports with timestamps of submission
  • Records of communication with CERT-In and other authorities
  • System configuration documentation demonstrating compliance with time synchronization requirements
  • Audit logs of access to security systems and log repositories

This documentation serves as evidence of compliance during audits and investigations. MSPs should implement secure, searchable repositories for compliance documentation with appropriate retention policies and access controls.


"CERT-In-ready SOC" — runbooks and staffing

To meet the 6-hour reporting requirement consistently, MSPs must establish a Security Operations Center (SOC) with specific capabilities and processes designed for CERT-In compliance. Key elements include:

On-call model, severity matrix, and reporting authority

A CERT-In-ready SOC requires a well-defined operational model that ensures continuous monitoring and rapid response:

  • 24×7 coverage model with clear shift handover procedures
  • Tiered analyst structure with escalation paths for potential reportable incidents
  • Severity classification matrix that aligns with CERT-In reportable incident categories
  • Decision authority framework designating who can authorize CERT-In reports
  • SLA tracking mechanisms to monitor time-to-report metrics

The severity matrix should clearly define criteria for each incident type, helping analysts quickly determine whether an event meets the reporting threshold. The decision authority framework should designate specific roles authorized to approve and submit reports to CERT-In, ensuring that reports can be sent within the 6-hour window even during non-business hours.

Tabletop exercises

Regular testing of incident response and reporting procedures is essential to ensure readiness for actual incidents:

  • Quarterly tabletop exercises simulating different reportable incident scenarios
  • Role-specific training for all SOC team members on CERT-In requirements
  • Cross-functional exercises involving technical teams, management, and legal/compliance
  • Scenario-based testing of detection, analysis, and reporting workflows
  • Post-exercise reviews to identify and address process gaps

These exercises should test the end-to-end incident response process, from initial detection through analysis, decision-making, and report preparation. Scenarios should cover various incident types specified in the CERT-In Directions, with particular attention to complex scenarios that test the limits of the 6-hour reporting window.

Proving response time

MSPs must maintain comprehensive documentation to demonstrate compliance with the 6-hour reporting requirement during audits or investigations:

  • Timestamped incident records documenting detection, analysis, and reporting activities
  • System-generated audit logs corroborating manual documentation
  • Report submission receipts from CERT-In portal or email communications
  • SLA compliance reports showing historical performance against the 6-hour requirement
  • Process documentation demonstrating how the organization ensures timely reporting

This documentation should be maintained in a secure, easily accessible repository to support audit readiness. Regular reviews of documentation completeness and accuracy should be conducted to ensure that evidence of compliance is always available.
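The severity matrix, decision-authority framework and time-to-report evidence from the two preceding subsections fit together in one small incident model. This is an added example, not code from the article or from Opsio: the reportable categories are the ones the article lists, while the P1/P2/P3 severities, the approver role names, the one-hour internal margin and the ticket data are assumptions constructed for the example. The clock starts at `noticed_at`, the detection or notification time, as the Directions' wording requires; every state change is appended to a timestamped chronology that can be exported as audit evidence.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)        # counted from noticing the incident
INTERNAL_TARGET_MARGIN = timedelta(hours=1)  # assumed: aim to submit 1h early

# Reportable categories from the article, mapped to an internal severity and
# the role that may authorise a CERT-In submission. Severities and role names
# are assumptions for the example; the categories are the article's.
SEVERITY_MATRIX = {
    "ransomware":                  ("P1", "SOC Manager"),
    "data breach":                 ("P1", "SOC Manager"),
    "compromised critical system": ("P1", "SOC Manager"),
    "unauthorized access":         ("P2", "Incident Lead"),
    "malware":                     ("P2", "Incident Lead"),
    "ddos":                        ("P2", "Incident Lead"),
    "website defacement":          ("P2", "Incident Lead"),
    "identity theft":              ("P2", "Incident Lead"),
    "phishing":                    ("P3", "Incident Lead"),
    "targeted scanning":           ("P3", "Incident Lead"),
}


@dataclass
class Incident:
    ticket_id: str
    category: str
    noticed_at: datetime                  # detection or notification time
    timeline: list = field(default_factory=list)
    submitted_at: Optional[datetime] = None

    def __post_init__(self):
        if self.category not in SEVERITY_MATRIX:
            raise ValueError(f"unknown category {self.category!r}")
        self.log("noticed", self.noticed_at, "monitoring")

    @property
    def severity(self):
        return SEVERITY_MATRIX[self.category][0]

    @property
    def approver_role(self):
        return SEVERITY_MATRIX[self.category][1]

    @property
    def deadline(self):
        return self.noticed_at + REPORTING_WINDOW

    @property
    def internal_target(self):
        return self.deadline - INTERNAL_TARGET_MARGIN

    def log(self, event, at, actor):
        """Timestamped chronology entry; this list is the audit evidence."""
        self.timeline.append({"event": event, "at": at.isoformat(), "actor": actor})

    def time_remaining(self, now):
        return self.deadline - now

    def submit(self, at, approver_role, receipt_ref):
        """Record the CERT-In submission; returns True if within the window."""
        if approver_role != self.approver_role:
            raise PermissionError(
                f"{approver_role} may not authorise a {self.severity} report")
        self.submitted_at = at
        self.log("submitted to CERT-In", at, approver_role)
        self.log(f"receipt {receipt_ref}", at, "CERT-In")
        return at <= self.deadline


def sla_report(incidents):
    """Historical time-to-report figures for an SLA compliance report."""
    submitted = [i for i in incidents if i.submitted_at is not None]
    hours = [(i.submitted_at - i.noticed_at) / timedelta(hours=1) for i in submitted]
    return {
        "submitted": len(submitted),
        "on_time": sum(1 for i in submitted if i.submitted_at <= i.deadline),
        "max_hours_to_report": max(hours, default=0.0),
    }


if __name__ == "__main__":
    noticed = datetime(2026, 1, 10, 10, 0, tzinfo=IST)       # constructed
    inc = Incident("INC-0001", "ransomware", noticed)        # constructed ticket
    inc.log("triage complete: reportable", noticed + timedelta(minutes=40), "L2 analyst")
    print(inc.severity, "deadline", inc.deadline.isoformat(),
          "internal target", inc.internal_target.isoformat())
    ok = inc.submit(noticed + timedelta(hours=4, minutes=20),
                    "SOC Manager", "RECEIPT-PLACEHOLDER")
    print("submitted within window:", ok)
    for entry in inc.timeline:
        print(entry)
```

Two design choices carry the compliance weight: the deadline is a property derived from `noticed_at`, so nobody can quietly restart the clock at "confirmation", and `submit()` refuses an unauthorised role rather than merely logging it, so the decision-authority framework is enforced, not just documented.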

Technical blueprint

Reference architecture: SIEM/SOAR + log pipelines + immutable storage

A robust technical architecture is the foundation for CERT-In compliance. The reference architecture should include:

This architecture should be designed for scalability, reliability, and compliance with the 180-day retention requirement. Performance considerations are critical, as the system must support both real-time analysis for incident detection and historical searches for investigations.

Alerting: identity, privileged access, exfil, ransomware, outage

Effective alerting is essential for detecting reportable incidents within the timeframe required for CERT-In compliance. Key alert categories include:

These alerts should be tuned to balance sensitivity with precision, ensuring that potential reportable incidents are detected quickly while minimizing false positives that could overwhelm the SOC team.

Controls that reduce false positives but protect reporting windows

To manage the challenge of meeting the 6-hour reporting window while avoiding unnecessary reports, MSPs should implement:

These controls should be continuously refined based on performance metrics and lessons learned from both real incidents and exercises. The goal is to create a detection and triage process that reliably identifies reportable incidents while filtering out false positives, all within a timeframe that allows for proper analysis and reporting within the 6-hour window.

Compliance evidence pack

Incident Response SOP aligned to CERT-In

A comprehensive Incident Response Standard Operating Procedure (SOP) is essential for CERT-In compliance. This document should include:

The SOP should emphasize the 6-hour reporting requirement and include process flows that ensure this timeline can be met consistently. It should be regularly reviewed and updated based on changes to CERT-In requirements, lessons from incidents, and feedback from exercises.

Log retention policy and system design note

A formal Log Retention Policy and accompanying System Design Note should document the approach to meeting the 180-day retention requirement. These documents should cover:

The System Design Note should provide technical details on the implementation, including component specifications, data flows, and security controls. This documentation serves both as an operational reference and as evidence of compliance during audits.

Time sync policy + monitoring report

A Time Synchronization Policy and accompanying Monitoring Report template should document the approach to meeting the NTP synchronization requirement. These documents should include:

The Monitoring Report should provide a snapshot of time synchronization status across the environment, highlighting any systems that are out of compliance and documenting remediation actions. This report should be generated regularly to demonstrate ongoing compliance with the time synchronization requirement.

FAQs

Is the 6-hour clock from detection or confirmation?

The 6-hour reporting timeline begins from the point of detection or notification of the incident, not from the point of confirmation. This interpretation is based on the language in the CERT-In Directions, which states that organizations must report "within 6 hours of noticing such incidents or being brought to notice about such incidents."

This means that MSPs must establish efficient triage and validation processes to quickly determine whether a detected event constitutes a reportable incident. While thorough analysis is important to avoid unnecessary reports, the process must be designed to complete within the 6-hour window, even for complex incidents.

Best practice is to implement a staged approach where initial detection triggers immediate triage, followed by rapid validation and escalation for potential reportable incidents. The final determination and report preparation should be completed with enough margin to ensure submission within the 6-hour window.

What logs count, and what's the minimum retention design?

The CERT-In Directions require retention of "all logs of all ICT systems" for a period of 180 days within Indian jurisdiction. This broad language encompasses a wide range of log types, including:

The minimum retention design should include:

Organizations should implement a risk-based approach to log verbosity, capturing detailed logs for critical systems while implementing more selective logging for lower-risk systems, all while ensuring that security-relevant events are consistently captured across the environment.

How do we handle multi-tenant MSP logging and customer data separation?

Multi-tenant environments present unique challenges for CERT-In compliance, particularly around log management and incident reporting. Best practices for managing these challenges include:

MSPs should implement technical controls that maintain separation between tenant data while still enabling efficient log collection and analysis. This typically involves tagging logs with tenant identifiers at the point of collection and enforcing access controls throughout the log management lifecycle.

Service agreements should clearly define the roles and responsibilities of the MSP and the customer in meeting CERT-In requirements, particularly around incident reporting and log retention. These agreements should address scenarios where incidents affect multiple tenants and establish protocols for coordinating responses while maintaining appropriate separation.
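Tagging at the point of collection, enforcing tenant scope on every read, and keeping an audit log of who read which tenant's logs (a point the evidence-retention section also calls for) can be shown in one small repository class. This is an added example, not code from the article or from Opsio: the tenant identifiers, principal names, the `"*"` cross-tenant grant convention and the log lines are all constructed for the example. The cross-tenant `correlate()` method models the multi-tenant incident scenario the paragraph above describes, where the MSP's SOC needs to know which customers an indicator touches without any customer seeing another's data.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
CROSS_TENANT = "*"   # grant value for the MSP's own SOC role (assumed convention)


class TenantLogRepository:
    """Shared log store that tags every record with its tenant at collection
    and enforces tenant scope on every read, with an audit trail of reads."""

    def __init__(self):
        self.records = []
        self.grants = {}          # principal -> set of tenant ids (or CROSS_TENANT)
        self.access_audit = []    # who read which tenant's logs, and whether allowed

    def grant(self, principal, tenant_id):
        self.grants.setdefault(principal, set()).add(tenant_id)

    def ingest(self, tenant_id, source, message, ts):
        # The tenant tag comes from the collector's configuration for that
        # customer, never from the log line itself, so a log message cannot
        # relabel itself into another tenant's scope.
        self.records.append({"tenant": tenant_id, "source": source,
                             "msg": message, "ts": ts.isoformat()})

    def _authorise(self, principal, tenant_id, now):
        allowed = self.grants.get(principal, set())
        ok = tenant_id in allowed or CROSS_TENANT in allowed
        self.access_audit.append({"at": now.isoformat(), "principal": principal,
                                  "tenant": tenant_id, "allowed": ok})
        if not ok:
            raise PermissionError(f"{principal} has no access to {tenant_id}")

    def query(self, principal, tenant_id, now, contains=""):
        """Return one tenant's records. The tenant filter is applied here,
        server-side, so a caller cannot widen scope with a crafted search."""
        self._authorise(principal, tenant_id, now)
        return [r for r in self.records
                if r["tenant"] == tenant_id and contains in r["msg"]]

    def correlate(self, principal, now, contains):
        """Cross-tenant search for the SOC: which tenants show this indicator?
        Only principals holding the CROSS_TENANT grant may call it; the result
        is the list of tenant ids, not the records themselves."""
        if CROSS_TENANT not in self.grants.get(principal, set()):
            self._authorise(principal, CROSS_TENANT, now)   # audits, then raises
        self.access_audit.append({"at": now.isoformat(), "principal": principal,
                                  "tenant": CROSS_TENANT, "allowed": True})
        return sorted({r["tenant"] for r in self.records if contains in r["msg"]})


if __name__ == "__main__":
    repo = TenantLogRepository()
    t0 = datetime(2026, 1, 12, 8, 0, tzinfo=IST)
    # Constructed events from two tenants' collectors; 198.51.100.0/24 is a
    # documentation range, used here as a made-up indicator.
    repo.ingest("tenant-a", "fw-a", "deny src=198.51.100.9 dst=10.1.0.4:445", t0)
    repo.ingest("tenant-a", "ad-a", "4625 failed logon user=admin", t0 + timedelta(minutes=1))
    repo.ingest("tenant-b", "fw-b", "deny src=198.51.100.9 dst=10.2.0.7:445", t0 + timedelta(minutes=3))
    repo.grant("analyst@tenant-a", "tenant-a")
    repo.grant("soc-l2@msp", CROSS_TENANT)

    print("tenant-a sees", len(repo.query("analyst@tenant-a", "tenant-a", t0)), "records")
    print("indicator seen in tenants:", repo.correlate("soc-l2@msp", t0, "198.51.100.9"))
    try:
        repo.query("analyst@tenant-a", "tenant-b", t0)
    except PermissionError as e:
        print("denied:", e)
    for entry in repo.access_audit:
        print(entry)
```

The audit list is what ties this back to the evidence pack: a denied cross-tenant read is recorded with the same fidelity as an allowed one, so the repository can show an auditor both that separation is enforced and that the enforcement was exercised.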


Conclusion

The CERT-In Directions 2022 represent a significant evolution in India's cybersecurity regulatory landscape, imposing specific and time-sensitive requirements on MSPs and other service providers. Successfully implementing these requirements demands a combination of technical infrastructure, operational processes, and organizational readiness.

By establishing robust incident detection and reporting capabilities, implementing comprehensive log management solutions, ensuring accurate time synchronization, and maintaining appropriate documentation, MSPs can achieve compliance while enhancing their overall security posture. These capabilities not only satisfy regulatory requirements but also improve the MSP's ability to protect both their own environment and those of their clients.

As the regulatory landscape continues to evolve, MSPs that establish strong foundations for CERT-In compliance will be well-positioned to adapt to new requirements and maintain the trust of their clients. By treating compliance as an opportunity to enhance security capabilities rather than simply a regulatory burden, MSPs can derive strategic value from their compliance investments.

About the Author

Praveena Shenoy

Country Manager, India at Opsio

AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.