Why This Matters in 2026
Many organizations still believe that the CERT-In Cyber Security Directions, 2022 are outdated because of the year mentioned in the title.
This is incorrect.
The year 2022 only refers to the notification date, not validity.
As of 2026, these directions are fully active, legally binding, and enforced under the Information Technology Act, 2000.
🔗 Official CERT-In Notification (Primary Proof)
https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
Are CERT-In Directions Still Applicable in 2026?
Yes. 100% applicable.
- No expiry date is mentioned in the notification
- No withdrawal or replacement has been issued by CERT-In or MeitY
- CERT-In continues to reference these directions officially
🔗 CERT-In Official Website
https://www.cert-in.org.in/
👉 This makes the directions current compliance requirements, not historical rules.
Who Must Follow CERT-In Directions (2026)
As per the official document, the following must comply:
- Companies & body corporates
- Cloud service providers
- VPS & hosting providers
- Data centres
- VPN providers
- Intermediaries & platforms
- Virtual asset service providers
- Government organizations
🔗 Scope Defined by CERT-In (Official PDF)
https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
CERT-In 6-Hour Incident Reporting Rule (Explained)
Organizations must report specific cyber incidents within 6 hours of detection or notification.
Reportable incidents include:
- Data breach or data leak
- Ransomware or malware attacks
- Unauthorized system access
- DDoS attacks
- Phishing & identity theft
- Attacks on cloud, IoT, mobile apps
🔗 Annex-I – Official Incident List
https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
🔗 CERT-In Incident Reporting Portal
https://www.cert-in.org.in/
📧 incident@cert-in.org.in
📞 1800-11-4949
Log Retention Rule – 180 Days (India Only)
All organizations must:
- Enable system logs
- Retain logs for 180 days
- Store logs inside India
- Share logs with CERT-In when requested
🔗 Log Retention Rule – Official Proof
https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
This applies to servers, firewalls, authentication systems, DNS, email, and applications.
Time Synchronization Requirement (NTP Rule)
ICT systems must sync time with:
- NIC (National Informatics Centre) servers
- NPL (National Physical Laboratory)
- Or traceable equivalent sources
🔗 Time Sync Rule – Official Source
https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
Accurate timestamps are critical for cyber-incident investigations.
Cloud, VPS & VPN Data Retention – 5 Years
Cloud, VPS, VPN, and data-centre providers must maintain:
- Verified customer identity
- IP address allocation records
- Usage timestamps
- Contact & ownership details
Retention period:
- Minimum 5 years, even after service termination
🔗 Data Retention Clause – Official Proof
https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
Point of Contact (PoC) Requirement
Every organization must appoint a Point of Contact (PoC) for CERT-In coordination.
🔗 Annex-II – PoC Format (Official)
https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
Penalties for Non-Compliance
Failure to follow CERT-In directions can lead to:
- Legal action under Section 70B(7) of the IT Act
- Regulatory scrutiny
- Investigation delays
- Reputational damage
🔗 CERT-In FAQs (Official Clarifications)
https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf