Directions issued by CERT

The Indian Computer Emergency Response Team or CERT-In (“CERT”), an office within the Ministry of Electronics and Information Technology of the Government of India, issued directions on April 28, 2022 (“Directions”), under sub-section (6) of Section 70B of the Information Technology Act, 2000 (“IT Act”).

These Directions were due to fully come into force 60 (sixty) days from the date on which they were issued, i.e., June 27, 2022. However, vide notification dated June 27, 2022[1], implementation of the Directions was extended to September 25, 2022 for the Micro, Small, & Medium Enterprises (MSME) sector. Further, the requirement relating to the aspects of registration and maintenance of “validated names of subscribers/customers hiring the services” and “validated address and contact numbers” by data centers, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers was also extended to September 25, 2022 vide the same notification dated June 27, 2022.[2]

The Directions place certain obligations on service providers, intermediaries[3], data centers, body corporates and governmental organizations (together, “Data Points”). They are summarized below:

  1. System Clock Synchronization. Data Points are required to connect to the Network Time Protocol (“NTP”) Server of (i) National Informatics Centre (“NIC”) or (ii) National Physical Laboratory (“NPL”), or (iii) to NTP servers traceable to these NTP servers, for synchronization of all their ICT system clocks. However, Data Points with infrastructure spanning multiple geographies are permitted to use time sources other than NIC or NPL so long as their time source does not deviate from NPL and NIC.
  2. Reporting of Cyber Incidents. Data Points are required to report specified cyber incidents[4] within 6 (six) hours of such incident coming to their attention. Incidents must be reported to CERT via email, phone or fax (contact details for all of the said options are provided in the Directions). The formats for reporting incidents are available on the CERT website, cert-in.org.in[5].
  3. Power to Request Action/Information/Assistance. As per the Directions, CERT may require any Data Point (other than governmental organizations, which appear to have been omitted from the relevant provision) to take action, or to provide information or assistance to CERT which “may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness”, and such order or direction from CERT may specify the format by which such information is to be provided.
  4. Point of Contact. All Data Points are required to designate a “Point of Contact” who shall be responsible for interacting with CERT in the format specified in Annexure II.
  5. Maintenance of Logs. The Directions require all Data Points to mandatorily maintain logs for a rolling period of 180 (one hundred eighty) days within the jurisdiction of India, which ought to be provided to CERT along with any incident that is reported or as requisitioned by CERT.[6]
  6. Data Centers, VPSs, VPNs and Cloud Service Providers. An additional burden has been placed on data centers, virtual private server providers (VPS), virtual private network providers (VPN) and cloud service providers who are required to maintain, for a period of 5 (five) years or longer, if mandated by law: (i) Validated names of subscribers/customers hiring the services, (ii) Period of hire including dates, (iii) IPs allotted to / being used by the members, (iv) Email address and IP address and time stamp used at the time of registration / on-boarding, (v) Purpose for hiring services, (vi) Validated address and contact numbers, (vii) Ownership pattern of the subscribers / customers hiring services.
  7. Virtual Asset Service Providers, Virtual Asset Exchange Providers and Custodian Wallet Providers. Virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance) must maintain KYC details and records of financial transactions for a period of 5 (five) years. For the purpose of KYC, Officially Valid Documents (OVD) prescribed under Annexure III of the Directions must be used. Further, transactions must be maintained in a way that an individual transaction can be reconstructed along with identifying elements such as: (i) IP addresses along with time stamps and time zones, (ii) addresses or accounts involved, (iii) nature and date of the transaction, and (iv) the amount transferred.

[1] Available at: https://www.cert-in.org.in/PDF/CERT-In_directions_extension_MSMEs_and_validation_27.06.2022.pdf

[2] Ibid

[3] Defined under Section 2(w) of the IT Act. See also, Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 [Notification dated, the 25th February, 2021 G.S.R. 139(E)].

[4] Types of “cyber incidents” covered by this mandate are provided in Annexure I of the Directions.

[5] As on May 7, 2022, available at: https://www.cert-in.org.in/PDF/certinirform.pdf

[6] The Directions are silent on the type and nature of logs to be maintained.