Background
The Indian Computer Emergency Response Team (CERT-In) Directions, 2022 were issued under the Information Technology Act, 2000 to strengthen cybersecurity and incident response mechanisms in India. These directions mandate timely reporting of cyber incidents, synchronization of system clocks, retention of ICT logs, and maintenance of user and transaction records by service providers. They aim to enhance coordination, improve threat detection, and ensure rapid response to cybersecurity incidents. Overall, the framework seeks to build a secure and resilient digital ecosystem in the country.
Applicability
This shall be applicable to All Data Centres, VPS providers, Cloud Service providers, and VPN service providers and Entities having ICT infrastructure & spanning multiple geographies
Compliance Requirements under the Directions
All ICT systems must be synchronized with NTP servers of NIC/NPL or their traceable sources. Organizations operating globally may use alternative time sources but must ensure they do not deviate from NPL/NIC time.
Any service provider, intermediary, data centre, body corporate or Government organisation must report cyber incidents (Annexure I) to CERT-In within 6 hours of noticing or being informed. Reporting via email, phone or fax.
Enable and maintain logs of all ICT systems for a rolling 180-day period. Logs must be stored within India and shared with CERT-In upon incident reporting or when directed
All Data Centres, VPS providers, Cloud Service providers, and VPN service providers are mandated to maintain accurate and up-to-date records of their subscribers/customers. These records must be preserved for a minimum period of five years or longer as required by applicable law
Virtual Asset Service Providers, Virtual Asset Exchange Providers, and Custodian Wallet Providers are required to mandatorily maintain all information obtained through KYC processes, as well as comprehensive records of all financial transactions, for a minimum period of five years.
The service providers, intermediaries, data centres and body corporate shall designate a Point of Contact to interface with CERT-In. The information relating to a Point of Contact shall be sent to CERT-In in the format specified by it and shall be updated from time to time. All communications from CERT-In seeking information and providing directions for compliance shall be sent to the said Point of Contact.
Penalty & Punishment
Residuary penalty u/s 45 of the Act – Whoever contravenes any rules, regulations, directions or orders made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a penalty not exceeding one lakh rupees, in addition to compensation to the person affected by such contravention not exceeding—
(a) ten lakh rupees, by an intermediary, company or body corporate; or
(b) one lakh rupees, by any other person.
Disclaimer: The information contained in this Article is intended solely for personal non-commercial use of the user who accepts full responsibility of its use. The information in the article is general in nature and should not be considered to be legal, tax, accounting, consulting or any other professional advice. We make no representation or warranty of any kind, express or implied regarding the accuracy, adequacy, reliability or completeness of any information on our page/article.