On Thursday, India’s Computer Emergency Response Team (CERT-In) announced new regulations mandating that service providers, intermediaries, and government entities report cybersecurity incidents, including data breaches, within six hours. This move is aimed at enhancing the national cybersecurity framework, reflecting an urgency to respond effectively to emerging threats.
The government clarified, “Any service provider, intermediary, data center, body corporate, and government organization must report cyber incidents to CERT-In within six hours of detection or awareness of such incidents.” This directive underscores the need for rapid reporting to ensure timely investigations and responses to potential threats.
Types of incidents covered by these regulations include the compromise of critical systems, unauthorized access to personal and organizational accounts, malware deployments, identity theft, and distributed denial-of-service (DDoS) attacks, among others. This broad scope indicates a comprehensive approach to cybersecurity, highlighting vulnerabilities in a range of digital assets.
The Indian government emphasized that these measures are necessary to ensure the prompt availability of important indicators of compromise (IoC). Such indicators are crucial for conducting thorough investigations and coordinating appropriate responses under legal frameworks.
Additionally, organizations are now required to synchronize their Information and Communication Technology (ICT) system clocks with the National Informatics Centre (NIC) or National Physical Laboratory (NPL) servers. They must also maintain ICT system logs for a minimum of 180 days, while Virtual Private Network (VPN) providers are obligated to retain subscriber information for at least five years. Together, these clock-synchronization and retention requirements ensure complete traceability and accountability during cybersecurity incidents.
The new regulations, set to take effect in 60 days, will require virtual asset service providers, including exchanges and custodian wallets, to hold records related to Know Your Customer (KYC) and financial transactions for five years. This move reflects a growing awareness of the importance of rigorous tracking and reporting in combating cybercrime.
India’s Ministry of Electronics and Information Technology (MeitY) stated that these directives aim to bolster the overall cybersecurity posture of the nation, fostering a safer and more trusted internet landscape. By imposing these obligations, the government is taking proactive steps to enhance its cybersecurity framework, anticipating that such measures will mitigate risks and improve the resilience of its digital infrastructure.