The 180-Day Rule for CERT-In Log Retention

If you're building or scaling a digital platform in India, log management is no longer just for debugging. CERT-In's mandatory directive defines a specific threshold for log retention that is legally enforceable.

The 180-Day Mandate

Under the CERT-In cybersecurity directives of 2022 (and reaffirmed in the 2025 updates), all service providers, virtual private server (VPS) providers, and enterprises are mandated to maintain logs of all their ICT systems within the Indian jurisdiction for a minimum period of 180 days.

Critical Logs to Retain

• Access logs (system login/logout attempts).
• API request logs (internal and external traffic).
• Server console logs and command history.
• Database access records and modifications.
• VPN and remote session logs.

Jurisdiction & Localization

One of the most misunderstood details of the rule is the Indian jurisdiction requirement. While you can host your production servers anywhere globally (AWS, Azure, Google Cloud), the relevant logs of the users' and systems' interactions within the Indian digital space must be accessible and maintained in a format that can be provided to CERT-In upon official request.

Are You Ready?

Failing to provide logs within a specified timeframe during an active investigation is considered a regulatory violation. At ARM Innovations, we help you design your logging architecture to meet national standards without overcomplicating your cloud bill.