The Indian Computer Emergency Response Team (CERT-In) is the national agency designated to coordinate responses to cybersecurity incidents across India's networks. It was established in 2004 under the Department of Information Technology and given explicit statutory footing through the Information Technology (Amendment) Act, 2008, which inserted Section 70B into the Information Technology Act, 2000. Section 70B(1) authorises the Central Government to appoint CERT-In as the national nodal agency for incident response, and Section 70B(4) enumerates its core functions: collection, analysis and dissemination of information on cyber incidents; forecast and alerts; emergency measures; and coordination of response activities. CERT-In operates under the Ministry of Electronics and Information Technology (MeitY), and its conduct is further governed by the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. Section 70B(7) makes non-compliance with directions punishable with imprisonment up to one year, a fine up to one lakh rupees, or both, giving the agency genuine coercive authority rather than advisory status.
Operationally, CERT-In runs a round-the-clock Incident Response Help Desk that receives reports from government bodies, critical-sector operators, service providers and the general public. When an incident is reported or detected, the agency triages it, issues vulnerability notes and advisories, and may direct affected entities to take remedial action. Under Section 70B(6), CERT-In can call for information from and give directions to service providers, intermediaries, data centres and body corporates, and these parties are legally bound to comply. The agency publishes security advisories, conducts security drills, and operates the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) launched in 2017 to help users detect and remove malicious software. It also functions as the coordination point for cross-border incidents, working with foreign CERTs and the global Forum of Incident Response and Security Teams (FIRST), of which it is a member.
A defining feature of the contemporary CERT-In regime is the set of Directions issued on 28 April 2022 under Section 70B(6), which took effect from 27 June 2022. These directions impose a mandatory obligation on service providers, intermediaries, data centres, body corporates and government organisations to report specified cyber incidents to CERT-In within six hours of noticing or being made aware of them — one of the most stringent reporting windows in the world. The directions also require all entities to synchronise system clocks to the Network Time Protocol servers of the National Informatics Centre or the National Physical Laboratory, to maintain logs for a rolling period of 180 days within Indian jurisdiction, and obligate data centres, virtual private server providers, cloud service providers and VPN providers to retain subscriber and customer registration data for five years. Virtual asset and exchange service providers must maintain Know-Your-Customer records and transaction details for five years.
Contemporary practice illustrates the agency's expanding remit. CERT-In is headquartered in New Delhi and is led by a Director General. It issued public advisories during the 2017 WannaCry and Petya ransomware waves and coordinated India's response. In November 2022 it was involved in the response to the major ransomware attack on the All India Institute of Medical Sciences (AIIMS) in Delhi, which crippled hospital servers for days. CERT-In also organises the biennial cyber-security exercise "Cyber Suraksha" and contributes to the National Cyber Security Strategy work led by the National Cyber Security Coordinator under the National Security Council Secretariat. It frequently issues joint advisories with the Reserve Bank of India and sectoral regulators for the financial system.
CERT-In must be distinguished from adjacent institutions in India's cyber architecture. The National Critical Information Infrastructure Protection Centre (NCIIPC), created under Section 70A of the IT Act and housed within the National Technical Research Organisation, is the nodal agency specifically for protecting critical information infrastructure such as power, banking and telecommunications — a narrower, protective mandate distinct from CERT-In's general incident-response role. The National Cyber Security Coordinator (NCSC) within the National Security Council Secretariat (NSCS) handles strategy and inter-agency coordination, not operational triage. Sector-specific bodies such as CERT-Fin for the financial sector and the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs, which handles cybercrime investigation and the 1930 helpline, operate alongside CERT-In rather than within it.
The 2022 Directions generated significant controversy. Industry bodies, civil-liberties groups and several VPN providers objected to the logging and data-retention mandates as disproportionate and inconsistent with privacy norms recognised in the Supreme Court's 2017 Puttaswamy judgment. Providers including ExpressVPN, NordVPN and Surfshark withdrew their physical servers from India in 2022 rather than comply with the registration-data retention requirement. The six-hour reporting window was criticised as unrealistically short compared with the 72-hour standard under the EU's GDPR. CERT-In responded with an FAQ in May 2022 clarifying scope but did not relax the core obligations. The forthcoming operationalisation of the Digital Personal Data Protection Act, 2023 will interact with these requirements.
For the working practitioner, CERT-In is the operational fulcrum of India's cyber-incident governance and a mandatory point of contact for any organisation operating digital infrastructure in the country. Desk officers tracking internal-security and GS-III subjects should treat Section 70B and the 2022 Directions as the legal anchors. Compliance teams, multinational service providers and diplomats negotiating cross-border data and cyber-cooperation frameworks must understand that India's reporting timeline, data-localisation logging rules and retention mandates are among the strictest globally, and that CERT-In's directions carry criminal penalties rather than mere administrative consequences.
Example
In November 2022, CERT-In coordinated India's response after a ransomware attack disabled the servers of the All India Institute of Medical Sciences in New Delhi, disrupting patient services for nearly two weeks.
Frequently asked questions
Under Directions issued on 28 April 2022 and effective 27 June 2022, all service providers, intermediaries, data centres, body corporates and government bodies must report specified cyber incidents to CERT-In within six hours of becoming aware of them. This is among the shortest mandatory breach-reporting windows in the world, far tighter than the EU GDPR's 72 hours.