India’s Computer Emergency Response Team (CERT-In) brings out new compliance requirements for reporting cyber incidents and storing system logs
13 May 2022

On April 28, 2022, India’s Computer Emergency Response Team (CERT-In) issued directions, imposing additional obligations on service providers regarding reporting cyber incidents and storing system logs. The text of the directions is at https://www.cert-in.org.in/Directions70B.jsp

CERT-In was formed by the Ministry of Electronics and Information Technology, Government of India under Section 70(B) of the Information Technology Act, 2000 (“IT Act”) to undertake certain functions including collection, analysis, and dissemination of information on cyber incidents and emergency measures for handling these incidents.

This latest direction is another example of the Government exercising tighter control over providers of digital services and minimizing problems in getting digital evidence caused by jurisdictional (conflict of law) and technical issues like lack of localization. This direction also seeks to partly harmonize the directives of CERT-In with the directives given under other regulations like the Intermediary Liability Guidelines, Banking Regulations, Telecom Regulations, etc. The direction will increase the cost of compliance for service providers due to storage requirements and the technical complexities.

Significant provisions are:
(i) All service providers to synchronize their system clocks with the system clock of India’s National Physical Laboratory (NPL) or the National Informatics Center (NIC)
(ii) All cyber incidents to be reported to CERT-In within six hours of occurrence
(iii) Logs of all activity to be maintained for 180 days and are to be stored within India
(iv) Logs of subscribers to be stored for five years after any subscriber terminates a service
(v) Service providers to designate a contact person for interface with CERT-In
(vi) Data centers, cloud service providers, and virtual private network (VPN) service providers to store customer data for five years
(vii) Financial data including transactions to be stored for five years

The industry has until June 28, 2022 to implement the provisions of the directions. The directions lack clarity on many aspects like the definition of service provider, standard operating procedures, and formats for reporting incidents. Further, there is no distinction between significant service providers and smaller ones. This is different from the intermediary guidelines issued last year which created a separate category of service providers called “Significant Social Media Intermediary” (SSMI) (a social media intermediary which has above five million registered users) with more stringent regulations than other social media intermediaries. The guidelines apply to service providers, intermediaries, data centers, body corporate, and any other person carrying out the activities stated in sub-section (4) of section 70B of the IT Act.

Clarity will emerge as the directions are implemented. However, if your company is providing bulk services through electronic means, or is an intermediary, it would be prudent to review your processes and, if required, reengineer those to comply with these directions. In particular, you must institute a process of promptly reporting cyber incidents to CERT-In.