CERT-In compliance: How to meet the 6-hour incident reporting deadline and avoid penalties

On this page
  • Who must comply with CERT-In guidelines?
  • What is CERT-In's 6-hour reporting rule?
  • What cybersecurity incidents must be reported to CERT-In?
  • What happens if you miss the CERT-In 6-hour deadline?
  • How to avoid missing CERT-In's 6-hour incident reporting deadline
  • How ManageEngine Log360 helps meet CERT-In's 6-hour rule
  • CERT-In vs. DPDP: Do you need to comply with both?
  • Common CERT-In compliance challenges
  • FAQs

Cyberattacks targeting Indian businesses are no longer rare or isolated—they’re frequent, complex, and increasingly sophisticated. According to the Indian Computer Emergency Response Team (CERT-In), India reported over 1.59 million cyberattacks in 2023 alone.

To address this growing threat, the Government of India has strengthened its cybersecurity regulations through CERT-In, mandating that organizations report qualifying cybersecurity incidents within six hours of detection—as per Section 70B(7) of the Information Technology Act, 2000.

Miss that six-hour deadline, and your organization is considered non-compliant—exposing you to penalties, audits, and reputational harm.

On this page, we'll break down exactly what CERT-In expects, the risks of missing the six-hour rule, and how a security information and event management (SIEM) platform like ManageEngine Log360 can help you meet CERT-In's incident reporting requirements quickly and stay audit-ready.

Who must comply with CERT-In guidelines?

All entities operating in India—including private companies, service providers, data centres, cloud platforms, and government organizations—must comply with CERT-In’s 2022 cybersecurity directives.

Whether you're an enterprise or a startup, if you're managing IT infrastructure or processing user data, you're expected to follow the six-hour reporting rule.

What is CERT-In's 6-hour reporting rule?

The rule is simple:

Detection—not confirmation—triggers the six-hour clock.

If your firewall flags a brute-force attempt or your SIEM tool detects malware behaviour, the moment of detection is when the countdown begins. You must:

  • Submit a preliminary report within six hours.
  • Retain logs for at least 180 days.
  • Follow up with a detailed report.

What cybersecurity incidents must be reported to CERT-In?

CERT-In has outlined more than 20 categories of reportable incidents, including:

  • Unauthorized access to IT systems
  • Malware or ransomware infections
  • DDoS attacks and service disruptions
  • Attacks on cloud infrastructure or IoT infrastructure
  • Data leaks, even if partially contained
  • Network scanning or probing
  • Phishing, spoofing, or impersonation
  • Unauthorized firmware or software changes

You’re not expected to confirm full impact or scope in those six hours. You’re expected to raise the flag, submit the preliminary report, and maintain logs for audit.

What happens if you miss the CERT-In 6-hour deadline?

Failure to report a qualifying cybersecurity incident within the mandated six hours can lead to:

  • Regulatory audits and investigations by the Ministry of Electronics and Information Technology (MeitY)
  • Formal notices requiring explanations or corrective actions
  • Financial penalties up to ₹1 lakh under Section 70B(7) of the Information Technology Act, 2000
  • Long-term reputational damage impacting client trust and business partnerships

How to avoid missing CERT-In's 6-hour incident reporting deadline

Avoiding compliance violations takes more than awareness—it takes the right systems, processes, and team readiness.

Here are the critical steps your organization must take to meet CERT-In’s six-hour mandate consistently:

1. Implement real-time detection and alerting

The six-hour window begins at detection. If your tools don’t alert you immediately, the response window shrinks before you’ve even started. Implement a SIEM platform like Log360 that supports real-time alerts based on predefined threat indicators.

2. Centralize your log collection and retention

CERT-In requires organizations to retain logs for a minimum of 180 days. Disparate logging systems slow down investigations. A centralized log repository enables fast access to incident details—like user activity, file changes, and login anomalies—that support timely reporting.

3. Document a formal internal reporting process

Without a defined playbook, teams waste time figuring out what to do. Identify clear roles for detection, triage, escalation, and reporting. Build standard operating procedures and train cross-functional teams to execute them under pressure.

4. Use reporting templates aligned with CERT-In

CERT-In has a structured incident reporting format. Align your internal templates with it to reduce delays. Prefill reusable fields and keep templates ready for malware, phishing, DDoS, and other common attack scenarios.

5. Automate your compliance reporting where possible

Manual steps slow everything down. Use automation to pull log data, generate reports, and escalate incidents. A SIEM platform like Log360 automates much of this—reducing reporting time and improving consistency across events.

6. Regularly test and audit your incident response process

Run quarterly simulations to validate your team’s readiness. Simulate detection, alerting, and CERT-In submission to identify gaps and refine the process before a real incident forces the issue.
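The six steps above, together with the "detection starts the clock" rule stated earlier on this page, can be exercised end to end in a small script. The following is an added example written for this article; it is not ManageEngine's or CERT-In's code. It runs brute-force detection over a few constructed SSH log lines, stamps the detection time (the moment the CERT-In six-hour clock starts), computes the preliminary-report deadline and the 180-day log-retention cut-off, and emits a preliminary-report skeleton. The detection threshold, the log format, and the report field names are assumptions for illustration; CERT-In's official reporting form has its own fields.

```python
"""Added example (not ManageEngine's or CERT-In's code): brute-force detection over
constructed auth-log lines, stamping the detection time that starts the CERT-In
six-hour clock, and building a preliminary-report skeleton with the reporting
deadline and the 180-day retention cut-off.
Assumptions: the log format, the 5-failures-in-60-seconds threshold, and the
report dict keys are this example's choices, not CERT-In's official format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

SIX_HOURS = timedelta(hours=6)          # CERT-In preliminary-report window
RETENTION = timedelta(days=180)         # CERT-In minimum log retention
FAIL_THRESHOLD = 5                      # failed logins from one source ...
FAIL_WINDOW = timedelta(seconds=60)     # ... within this window (assumed threshold)

# Constructed sample log lines (syslog-like, documentation IP ranges); not real data.
SAMPLE_LOG = """\
2024-03-01T09:58:10Z sshd: Failed password for root from 203.0.113.7
2024-03-01T09:58:12Z sshd: Failed password for root from 203.0.113.7
2024-03-01T09:58:15Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:58:20Z sshd: Accepted password for alice from 198.51.100.4
2024-03-01T09:58:22Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:58:25Z sshd: Failed password for oracle from 203.0.113.7
2024-03-01T10:40:00Z sshd: Failed password for bob from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, user, source) for each failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["user"], m["src"]


def detect_brute_force(text, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return a list of detections as (detection_time, source, count).

    The detection time is the timestamp of the failure that pushed a source over
    the threshold. That is when the CERT-In clock starts: detection, not confirmation.
    Each source is reported once, so a continuing attack does not re-raise the alert.
    """
    recent = defaultdict(deque)   # per-source sliding window of failure timestamps
    detections = []
    alerted = set()
    for ts, _user, src in parse_failures(text):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            detections.append((ts, src, len(q)))
    return detections


def preliminary_report(detection_time, source, count):
    """Build a preliminary-report skeleton with the six-hour deadline and the
    180-day retention cut-off. Keys are this example's assumptions."""
    return {
        "incident_category": "Unauthorized access attempt (brute force)",
        "detected_at": detection_time.isoformat(),
        "report_due_by": (detection_time + SIX_HOURS).isoformat(),
        "source_indicator": source,
        "failed_attempts_in_window": count,
        "retain_logs_until": (detection_time + RETENTION).isoformat(),
        "status": "preliminary; detailed report to follow",
    }


def within_deadline(detection_time, submitted_at):
    """True when the preliminary report was filed inside the six-hour window."""
    return submitted_at - detection_time <= SIX_HOURS


if __name__ == "__main__":
    for det_ts, src, n in detect_brute_force(SAMPLE_LOG):
        print(preliminary_report(det_ts, src, n))
```

Running the script produces one detection for 203.0.113.7 at 09:58:25Z (the fifth failure inside the window) with a report deadline of 15:58:25Z the same day; the single failure from 198.51.100.9 never crosses the threshold. In a real deployment the `detected_at` value would come from the SIEM alert record, and `within_deadline` is the check a drill (step 6) should exercise against the actual submission timestamp.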

How ManageEngine Log360 helps meet CERT-In's 6-hour rule

ManageEngine Log360 is a unified SIEM and log management platform that combines real-time monitoring, incident response automation, and audit readiness. It’s designed to help organizations like yours comply with CERT-In mandates—without relying on manual workarounds.

Here’s how Log360 maps to CERT-In’s requirements:

Real-time compliance dashboard and audit-ready reports

Log360 includes a built-in compliance dashboard that offers real-time insights into reportable security incidents, user activity logs, and system changes. These exportable, customizable reports align with CERT-In incident reporting requirements and simplify audit preparations, minimizing manual effort.

Continuous log collection and secure retention

The platform continuously collects logs from across your entire IT infrastructure, including servers, network devices, cloud platforms, applications, and endpoints. By securely archiving this collected data for at least 180 days, Log360 meets CERT-In’s long-term log retention mandate, ensuring reliable forensic evidence is always available.

Centralized log monitoring with advanced search

Fragmented log management can delay incident investigations. Log360 consolidates all logs into a centralized repository featuring powerful search and filtering tools. This enables security teams to quickly retrieve pertinent data needed for timely incident analysis and CERT-In report submissions.

Intelligent threat detection and anomaly monitoring

With built-in UEBA and change monitoring capabilities, Log360 detects unusual user behaviour, privilege misuse, and unauthorized system changes. These capabilities help identify security incidents such as account compromise or data tampering early—well before they escalate.

Automated incident alerting and notifications

Timely alerts are critical to meeting CERT-In's six-hour deadline. Log360 supports automated, threshold-based alerting for suspicious activities and policy violations, instantly notifying relevant security teams to trigger rapid response and reporting.

Event correlation for faster investigations

Log360 correlates security events across multiple systems to reconstruct a comprehensive incident timeline. This centralized correlation shortens investigation times and enables teams to prepare detailed, CERT-In-compliant incident reports efficiently.

CERT-In vs. DPDP: Do you need to comply with both?

Yes—because they govern different but related aspects of cybersecurity and privacy.

India’s regulatory landscape doesn’t end with CERT-In. The Digital Personal Data Protection (DPDP) Act introduces another layer of compliance—this time focused on how organizations collect, process, and protect personal data.

CERT-In and the DPDP Act aren’t competing mandates—they’re complementary. While one addresses cybersecurity, the other ensures personal data protection. Here’s how they compare:

Regulatory scope
  CERT-In: Cybersecurity incident detection and reporting
  DPDP Act: Personal data protection and privacy governance

Reporting trigger
  CERT-In: Detection of specific system-level threats (e.g., malware, DDoS, or unauthorized access)
  DPDP Act: Breach or misuse of personal data belonging to Indian citizens

Reporting timeline
  CERT-In: Within 6 hours of detecting an incident
  DPDP Act: TBD by Data Protection Board (likely 72 hours)

Governing authority
  CERT-In: CERT-In (Indian Computer Emergency Response Team under MeitY)
  DPDP Act: Data Protection Board of India (established under the DPDP Act)

Compliance applicability
  CERT-In: All organizations operating in India, including private firms, service providers, data centres, and government bodies
  DPDP Act: Any entity that processes personal data of Indian citizens, including data fiduciaries and processors

Types of incidents covered
  CERT-In: Security incidents—malware, intrusion, scanning, DoS, and cloud attacks
  DPDP Act: Data breaches, unauthorized access, consent violations, and unlawful processing of personal data

Penalties for non-compliance
  CERT-In: Up to ₹1 lakh for reporting failures under Section 70B(7) of the IT Act
  DPDP Act: Up to ₹250 crore per violation for failure to protect personal data or report a breach

Common CERT-In compliance challenges

Despite clear CERT-In guidelines, many organizations struggle to comply due to operational and technical gaps. Here are the top roadblocks:

Fragmented detection tools and siloed alerts

Security signals are often scattered across firewalls, antivirus tools, and third-party applications. Without a centralized monitoring solution, critical incidents go undetected—or are detected too late for the six-hour clock.

Example: Your firewall detects a brute-force attempt, but the alert doesn’t escalate beyond the local admin. By the time security reviews it, the CERT-In window has already closed.

Manual, ad-hoc reporting workflows

Many teams still rely on spreadsheets, emails, or Slack threads to coordinate incident response. Without an automated or templated workflow, compiling information for CERT-In becomes a scramble—especially when incidents happen after hours.

Unclear roles and escalation paths

Who’s responsible for CERT-In reporting? If there’s no predefined owner, incidents may linger in limbo between IT, SecOps, and compliance teams. During a crisis, unclear responsibility equals delayed reporting.

Insufficient log visibility and retention

CERT-In mandates a 180-day log retention policy—but logs often get rotated or lost due to storage limits or unconfigured systems. Worse, logs from critical assets (like cloud resources or remote endpoints) may not be collected at all.

Lack of CERT-In-aligned templates

Teams often delay incident reporting while deciding what format to use, what fields to fill in, or how to categorize the incident. Without CERT-In-aligned templates, critical minutes are wasted during triage.

No simulation or audit-readiness testing

Compliance isn’t just a checkbox—it’s a process. If your teams haven’t run a drill that takes an incident from detection to CERT-In submission inside six hours, chances are the real event won’t go smoothly. Most organizations fail to stress-test their workflows under realistic scenarios.

FAQs

What is CERT-In's 6-hour reporting rule?

CERT-In mandates that organizations report qualifying cybersecurity incidents within six hours of detection—not after resolution. This applies to malware, DDoS attacks, unauthorized access, data leaks, and more.

What cybersecurity incidents must be reported to CERT-In?

CERT-In requires organizations to report a wide range of cybersecurity incidents, including malware attacks, phishing attacks, DDoS attacks, unauthorized access, data leaks, and attacks targeting cloud or IoT infrastructure.

Is a single report enough to satisfy CERT-In?

No. Organizations must submit a preliminary report within six hours, followed by a detailed report once further investigation concludes. Both reports should adhere to CERT-In’s prescribed format.

How does ManageEngine Log360 help with CERT-In compliance?

Log360 supports CERT-In compliance by:

  • Enabling real-time incident detection and alerts
  • Automatically collecting and retaining logs across systems
  • Offering CERT-In-style reporting templates
  • Automating incident workflows and correlating event data for audit-ready submission