CERT-In Directions 2022 Copilot
Understand India's mandatory cyber-incident reporting and log-retention obligations under the CERT-In Directions
What the CERT-In Directions 2022 Copilot Can Do
Identify which of the six Directions apply to your entity type
Understand the 6-hour reporting trigger and all twenty Annexure I incident categories
Navigate the 180-day ICT log retention requirement under Direction (iv)
Map subscriber data and 5-year retention obligations under Direction (v) for VPS, cloud, and VPN providers
Interpret KYC and transaction record requirements under Direction (vi) for virtual asset providers
Draft a Point of Contact submission aligned with the Annexure II format for Direction (iii)
About CERT-In Directions 2022 Copilot
The CERT-In Directions (No. 20(3)/2022-CERT-In, dated 28 April 2022) impose mandatory cyber-incident reporting, ICT log retention, time synchronisation, and subscriber or KYC record-keeping obligations on service providers, intermediaries, data centres, body corporates, and government organisations in India. ISMS Copilot helps you interpret each of the six Directions, map your obligations by entity type, and prepare for compliance.
Who it's for
DPDPA
Dual breach-reporting clock — DPDP Rules require Data Protection Board intimation without delay and detailed follow-up within 72 hours, alongside CERT-In's 6-hour cyber-incident report.
RBI IT Governance
RBI Master Direction on IT Governance defers to CERT-In for the cyber-incident-reporting clock — banks and NBFCs are CERT-In's largest constituency.
SEBI CSCRF
CSCRF builds on CERT-In's reporting obligations for SEBI-regulated entities, adding tier-specific audit and VAPT requirements.
Frequently Asked Questions
What are the CERT-In Directions 2022?
The CERT-In Directions (No. 20(3)/2022-CERT-In) are legally binding directions issued by the Indian Computer Emergency Response Team under s. 70B(6) of the Information Technology Act, 2000, imposing obligations on service providers, intermediaries, data centres, body corporates, and government organisations covering cyber-incident reporting, ICT log retention, NTP synchronisation, subscriber record-keeping, and KYC maintenance.
How does the CERT-In Directions 2022 Copilot help?
The Copilot helps you interpret each of the six Directions by reference to the source text, identify which obligations apply to your organisation's entity type, and understand the scope of reportable incident categories listed in Annexure I — so your team can make informed decisions about compliance steps.
Which incidents must be reported to CERT-In, and how quickly?
Direction (ii) requires incidents in any of the twenty categories listed in Annexure I, including data breach, data leak, ransomware, DoS/DDoS, and unauthorised access, to be reported within 6 hours of noticing the incident or having it brought to your notice. Reports go to CERT-In by email at incident@cert-in.org.in, by phone on 1800-11-4949, or by fax on 1800-11-6969.
