ARM Innovations
Legal Compliance Window

The 6-Hour CERT-In Rule & Penalties

What happens when the clock starts ticking on a cybersecurity incident in India?

The CERT-In cybersecurity directives of 2022 (and the 2025 updates) codified one of the world's most aggressive reporting windows: the 6-hour mandate. For Indian organizations, every minute spent NOT reporting a breach is a potential legal liability.

The 6-Hour Reporting Pulse

Any organization—government or private—servicing the Indian digital sector MUST report cybersecurity incidents to CERT-In within 6 hours of detection. This encompasses not just "stolen data," but any incident that compromises infrastructure integrity.

Incident Types to Report

  • Unauthorized access of critical IT systems.
  • Targeted attacks on application layers (SQLi, CSRF, prompt injection).
  • Identity theft and identity poisoning.
  • Data breach or compromise of PII.
  • Ransomware and sophisticated malware infections.

Non-Compliance & Legal Penalties

Failing to report an incident isn't just a "loss of face"—it is a direct violation of the Information Technology Act, 2000. Organizations and their leadership can face:

  • Financial penalties of lakhs or even crores.
  • Mandatory government audits and regulatory monitoring.
  • Delisting from government empanelment and NIC infrastructure.
  • Criminal liability for senior management in cases of gross negligence.

Are You Reporting-Ready?

If an incident happened in the next 5 minutes, would your team be able to report to CERT-In within 6 hours? Prepare with an IR-focused audit.


Build Resilience

Explore our dedicated CERT-In Security Audit services roadmap.


Compliant Defense is the Best Defense

Consult with ARM Innovations' security researchers for an Incident Readiness Audit.
