Indian Computer Emergency Response Team
The Indian Computer Emergency Response Team (CERT-In) is the national nodal agency under the Ministry of Electronics and Information Technology, Government of India, tasked with coordinating the response to cybersecurity incidents affecting the Indian cyberspace.[1][2] Operational since January 2004 and formalized under Section 70B of the Information Technology Act, 2000, CERT-In's core functions encompass collecting and analyzing cyber threat intelligence, issuing advisories and alerts, providing incident response support, conducting vulnerability assessments, and fostering security awareness among stakeholders.[2][3] It maintains a 24x7 help desk for incident reporting and operates as the point of contact for international cybersecurity coordination, enabling rapid dissemination of threat information to mitigate risks such as website intrusions, malware propagation, and phishing campaigns.[4][5] In 2021 alone, CERT-In processed 1,402,809 reported incidents, underscoring its pivotal role in handling high-volume cyber threats amid India's expanding digital ecosystem.[6] While praised for bolstering national cyber defenses through empirical incident data analysis and proactive guidelines, CERT-In's 2022 directions mandating six-hour incident reporting and five-year data retention by intermediaries have drawn scrutiny for potentially imposing heavy compliance burdens on entities without commensurate privacy safeguards.[4][7][8]
History and Establishment
Legal Foundation and Inception
The Indian Computer Emergency Response Team (CERT-In) derives its legal foundation from Section 70B of the Information Technology Act, 2000 (IT Act), which mandates the Central Government to appoint, by notification in the Official Gazette, a government agency to serve as the national computer emergency response team for addressing cyber security incidents.[9] This section outlines CERT-In's core functions, including incident coordination, early warning, and response guidelines, while granting it authority to collect information and issue directions to service providers and intermediaries.[10] The IT Act itself was enacted by Parliament on June 9, 2000, to provide legal recognition for electronic transactions and combat cyber threats, with most provisions coming into force on October 17, 2000.[11] CERT-In was formally designated as India's nodal agency under this framework and became operational in January 2004, marking the inception of structured national cyber incident response capabilities.[1] This establishment addressed the growing need for centralized coordination amid rising cyber vulnerabilities in India's expanding digital infrastructure, building on international models like the U.S. CERT while adapting to domestic legal and technical contexts.[12] Prior to 2004, cyber security efforts were ad hoc, handled by various ministries without a unified response mechanism, underscoring the causal link between legislative empowerment and operational readiness. 
The agency's placement under the Ministry of Electronics and Information Technology (initially under Communications and Information Technology) ensured alignment with national IT policy objectives.[2] Subsequent notifications, such as the October 27, 2009, gazette clarifying CERT-In's status and functions under Section 70B(4), reinforced its mandate but did not alter the foundational 2004 inception.[13] This legal structure emphasizes proactive threat mitigation over reactive measures, privileging empirical incident data for policy formulation.[14]
Initial Operations and Evolution
CERT-In commenced operations in January 2004, shortly after its inauguration on 19 January 2004 by Arun Shourie, the Minister of Communications, Information Technology, and Disinvestment. The facility, established under the Department of Information Technology (now Ministry of Electronics and Information Technology), served as the nodal point for addressing computer security incidents reported by the Indian cyber community, with an initial emphasis on real-time monitoring, threat forecasting, and coordinated emergency responses. Its core functions from inception included collecting and analyzing incident data, issuing security alerts to mitigate vulnerabilities, and providing guidance to affected entities such as government departments, service providers, and private organizations.[15][1] Early activities prioritized building foundational cybersecurity capacity amid rising internet penetration and nascent threats like malware propagation and unauthorized access. CERT-In handled initial incidents through a structured response lifecycle involving detection, containment, eradication, recovery, and post-incident review, often collaborating with domestic stakeholders to prevent escalation. Awareness initiatives, including advisories and training sessions, were launched to educate users on secure practices, while vulnerability assessments targeted critical infrastructure sectors. By 2004–2005, the agency had begun disseminating regular threat intelligence, marking a shift from reactive firefighting to proactive risk management in India's expanding digital ecosystem.[16][1] The evolution of CERT-In's operations accelerated with the Information Technology (Amendment) Act, 2008, which enshrined its status as the national agency under Section 70B, mandating functions like incident coordination and policy formulation. 
This legislative reinforcement enabled expanded capabilities, including mandatory reporting protocols for service providers and enhanced forensic analysis tools. Incident volumes grew substantially, reflecting increased cyber activities; for instance, by the late 2000s, CERT-In was processing thousands of reports annually, evolving from ad-hoc responses to systematic threat hunting and international liaisons with bodies like US-CERT. Subsequent milestones included the 2013 National Cyber Security Policy integration, which broadened its remit to vulnerability management and capacity building, adapting to sophisticated attacks such as advanced persistent threats. Over this period, resource allocation shifted toward intelligence-driven operations, with annual reports documenting a transition to handling multifaceted incidents involving data breaches and network intrusions.[17][16]
Organizational Structure and Governance
Leadership and Administrative Oversight
The Indian Computer Emergency Response Team (CERT-In) is led by a Director General, who functions as the head of the organization and oversees its operational and strategic activities, including incident response coordination and policy implementation. As of September 2025, Dr. Sanjay Bahl serves in this role, concurrently holding the position of Controller of Certifying Authorities.[18][19] The Director General reports to the Ministry of Electronics and Information Technology (MeitY) and is empowered under Section 70B of the Information Technology Act, 2000, which designates CERT-In as the national nodal agency for cybersecurity threats.[10][14] Administrative oversight of CERT-In resides with MeitY, which exercises control over its functions, resource allocation, and alignment with national cybersecurity policies since the agency's formal designation in 2004.[10][20] This structure ensures CERT-In's integration into broader government digital initiatives, though in July 2024, the Ministry of Home Affairs advocated for supervisory authority amid debates on coordinating internal security threats, with no subsequent transfer reported.[21] Governance is supplemented by an Advisory Committee, which provides strategic guidance on emerging threats, policy formulation, and operational enhancements, drawing from expertise in government, academia, and technology sectors.[22] Known members include Prof. N. Balakrishnan, Chairman of the Division of Information Sciences at the Indian Institute of Science, and the Director General of the National Informatics Centre, reflecting a multi-stakeholder approach to oversight.[22] The committee's composition supports CERT-In's mandate without altering MeitY's primary administrative authority.[10]
Internal Operations and Resource Allocation
CERT-In's internal operations are structured around a hierarchical framework led by a Director General, with core functions divided into specialized groups: the Security Assurance Group, responsible for vulnerability assessments and compliance; the CERT Operations Group, handling incident detection and response; the CERT Infrastructure Group, managing technical support and systems; and the Training Group, focused on capacity building and skill development.[23] These groups coordinate to process cybersecurity incidents, issue advisories, and conduct audits, with operational activities scaling to address over 1.5 million reported incidents in 2023.[24] Resource allocation prioritizes incident response and infrastructure resilience, as evidenced by the execution of nearly 9,700 cybersecurity audits across critical sectors in fiscal year 2024–25.[25] Budgetary provisions from the Ministry of Electronics and Information Technology support these efforts, with CERT-In receiving ₹255 crore in the 2025–26 budget estimates, marking a 5.8% increase from the ₹241 crore revised estimate for 2024–25 to enhance operational capabilities amid rising threats.[26][27] Funds are directed toward maintaining 24/7 response mechanisms, technical tools, and personnel training, though specific breakdowns by group remain undisclosed in public allocations.
Manpower constraints have impacted efficiency, with the agency reporting an urgent need for additional staff to manage escalating ransomware and other incidents, as highlighted in submissions to parliamentary panels in early 2025.[28] Recruitment drives, including calls for technical experts in October 2024, aim to bolster teams, but persistent shortages limit proactive resource deployment for threat forecasting and recovery operations.[29] Despite these challenges, internal protocols emphasize coordinated group-level responses, leveraging centralized infrastructure for real-time threat intelligence sharing.
Core Functions and Responsibilities
Cyber Incident Response
The Indian Computer Emergency Response Team (CERT-In) serves as the national nodal agency for coordinating and responding to cybersecurity incidents across India's cyberspace, as designated under Section 70B of the Information Technology Act, 2000 (amended 2008).[1] Its primary responsibilities include collecting, analyzing, and disseminating information on incidents; issuing emergency measures for containment and mitigation; and providing technical assistance to affected entities for recovery and prevention.[30] CERT-In coordinates response activities among government, private sector, and international partners, ensuring a unified approach to incident handling that prioritizes rapid threat neutralization and lessons learned dissemination.[14] Incident response begins with mandatory reporting by service providers, intermediaries, data centers, and body corporates for specified cyber events, such as targeted scanning of critical networks, unauthorized access leading to data breaches, website defacement, or denial-of-service attacks, required within six hours of detection or awareness as per CERT-In's 2022 directions.[31] Reports must include details like the nature of the incident, affected systems, vulnerability exploited, and mitigation steps taken, submitted via CERT-In's online portal.[32] Upon receipt, CERT-In verifies the report, conducts forensic analysis where necessary, and issues advisories or directives under Section 70B to enforce protective actions, such as system isolation or patch deployment.[30] This process aligns with global standards outlined in RFC 2350, emphasizing structured handling to minimize damage and prevent recurrence.[14] CERT-In provides specialized assistance to victims, including guidance on incident triage, malware reverse engineering, and network forensics, while maintaining a 24/7 operations center for real-time monitoring and response.[30] It also conducts post-incident reviews to extract actionable intelligence, sharing anonymized lessons through vulnerability notes and security advisories to bolster community resilience.[33] In ransomware cases, for instance, CERT-In advises on decryption feasibility, backup restoration, and attacker attribution without endorsing ransom payments, focusing instead on systemic hardening.[34] Operational scale underscores CERT-In's impact: it recorded 1.3 million incidents in 2022 and 1.5 million in 2023, spanning categories like phishing, malware propagation, and intrusions, with coordinated responses aiding resolution in critical infrastructure sectors.[24] Drills such as "Cyber Shock-3" in 2023 simulated multi-sector attacks on banking and financial entities, testing response protocols and enhancing inter-agency collaboration.[35] These efforts contribute to a Cyber Crisis Management Plan, emphasizing proactive forecasting integrated with reactive handling to address evolving threats like state-sponsored intrusions.[24]
Threat Forecasting and Intelligence
CERT-In conducts threat forecasting by continuously monitoring domestic and international cyber threat environments, enabling the prediction and early warning of potential incidents to stakeholders. This includes the proactive collection and analysis of threat data to generate forecasts, alerts, and indicators of compromise (IoCs) that inform defensive strategies.[2] The agency maintains an automated cyber threat intelligence exchange platform designed for real-time gathering, processing, and distribution of customized alerts across sectors, facilitating rapid response to emerging risks.[36][37] CERT-In's intelligence efforts emphasize forensic analysis of incidents to derive actionable insights, including evidence collection and trend identification that underpin forecasting models.[2] Key outputs of these activities include regular security alerts, advisories, and vulnerability notes disseminated to elevate awareness and preparedness. In 2023, CERT-In released 657 security alerts, 52 advisories, and 397 vulnerability notes, reflecting analyzed threats such as malware campaigns, phishing vectors, and network vulnerabilities.[38] Incident data processing further supports forecasting; with 1.5 million cybersecurity incidents handled in 2023—up from 1.3 million in 2022—CERT-In categorizes threats to project patterns like rising ransomware or supply chain attacks, aiding national prioritization of defenses.[24]
Public Awareness and Capacity Building
CERT-In conducts public awareness campaigns to educate individuals and organizations on cybersecurity risks, emphasizing best practices for threat mitigation. These initiatives include the release of the Cyber Security Awareness Booklet during National Cyber Security Awareness Month (NCSAM) in October, targeting digital users ("Digital Nagriks") and enterprises with guidance on recognizing and countering threats such as phishing, vishing, malware, malicious mobile apps, and social media frauds.[39] The 2023 edition, themed "Secure Our World," addressed vulnerabilities specific to groups like senior citizens, children, women, and persons with disabilities, while promoting tools like free bot removal software, eScan antivirus, and M-Kavach 2 for endpoint protection, alongside reporting mechanisms via CERT-In's portal or the national helpline 1930.[39] Annually, CERT-In observes NCSAM to foster nationwide vigilance, with the 2025 edition under the theme "CyberJagritBharat" (Cyber Awake India) promoting proactive cyber hygiene and incident reporting to reduce fraud and attacks.[40] These efforts extend to advisories on emerging threats, encouraging public adoption of secure password practices, software updates, and avoidance of suspicious links or attachments, as detailed in CERT-In's vulnerability notes and public alerts.[1] For capacity building, CERT-In collaborates with cybersecurity firms and product vendors to develop best practices, facilitate threat intelligence sharing, and enhance organizational response capabilities, including support for establishing sectoral Computer Security Incident Response Teams (CSIRTs).[41] This includes training components aimed at building technical expertise among stakeholders, such as law enforcement and critical infrastructure entities, to improve incident handling and resilience against cyber incidents, though specific program metrics remain limited in public disclosures.[42]
Regulatory Guidelines and Directives
Incident Reporting Mandates
The Directions for Information Security Practices, Procedure and Response to Cyber Security Incidents in India, issued by CERT-In on 28 April 2022 under Section 70B of the Information Technology Act, 2000, establish mandatory reporting obligations for cyber incidents to enhance national cybersecurity coordination.[13] These directives apply to a broad range of entities, including service providers, intermediaries, data centres, body corporates, and government organisations handling computer resources in India or providing services to Indian users.[13][32] Compliance became enforceable 60 days after issuance, effective from 27 June 2022, with no subsequent revocation or major amendments as of October 2025.[13] Entities must notify CERT-In of specified cyber security incidents within six hours of noticing the event or being informed of it, enabling rapid triage and response.[13][32] The report must be submitted in the prescribed format available on the CERT-In website, detailing the incident's nature, affected systems, and initial impact assessment.[13] Reporting channels include the online form at https://www.cert-in.org.in/portal/emergency-incident-response/reporting-form.do, email to [email protected], toll-free phone (1800-11-4949), or fax (1800-11-6969).[13][32] Failure to report promptly may result in penalties under the IT Act, though specific enforcement actions remain at CERT-In's discretion.[13] The directives enumerate 21 categories of reportable incidents, encompassing threats to data integrity, system availability, and confidentiality:
- Targeted scanning of critical networks or information infrastructure.
- Unauthorized access to IT systems, including identity theft or phishing leading to compromise.
- Website defacement or compromise of critical information infrastructure.
- Malware or malicious code distribution affecting networks.
- Denial-of-service attacks, including distributed variants.
- Theft of data, including personal or sensitive information breaches.
- Attacks on e-governance, critical infrastructure, SCADA systems, or servers with public-facing services.
- Unauthorized access causing damage to computer resources.
- Service disruptions in critical sectors like banking or power.
- Manipulation of data or injection of malicious code into hosted services.
- Compromise of IoT devices or operational technology.
- Unauthorized surveillance or espionage attempts.
- Attacks on cloud or virtualisation environments.
- Ransomware or similar encryption-based extortion.
- Supply chain compromises via third-party software.
- Insider threats leading to data exfiltration.
- Multi-stage attacks involving persistence mechanisms.
- Exploitation of zero-day vulnerabilities.
- Incidents involving critical national information infrastructure.
- Any other event deemed a cyber security incident by CERT-In guidelines.
Compliance Frameworks for Entities
The primary compliance framework for entities under CERT-In's mandate derives from the Directions issued on April 28, 2022, under Section 70B(7) of the Information Technology Act, 2000, which apply to service providers, intermediaries, data centres, body corporates, and government organizations. These require reporting of specified cybersecurity incidents—such as targeted scanning of critical networks, unauthorized access to IT systems, website defacement, compromise of critical systems, theft of sensitive data, attacks on e-governance or critical information infrastructure, malicious code, denial-of-service, and identity theft, among 22 categories—within six hours of becoming aware or reasonably suspecting the incident.[13] Entities must designate a point of contact for such reporting and enable comprehensive logging of ICT infrastructure, retaining logs securely for a rolling period of 180 days to support forensic analysis and regulatory enforcement.[13] Additional retention obligations target specific intermediaries: virtual private server (VPS) providers, cloud service providers, and record-of-purchase maintainers must log and retain subscriber details, including KYC information, IP addresses, email addresses, and timestamps, for five years, while VPN service records require similar five-year retention of user identification and usage data.[13] All entities are directed to synchronize system clocks with Indian Standard Time via trusted Network Time Protocol (NTP) servers and report any identified vulnerabilities or exposures in ICT systems. 
Non-adherence constitutes an offense under the IT Act, punishable by fines up to ₹1 crore or imprisonment, emphasizing CERT-In's authority to direct measures for securing critical information infrastructure.[13] CERT-In supplements these directives with advisory guidelines to facilitate proactive compliance, including the 2023 Guidelines on Information Security Practices for Government Entities, which prescribe controls for network security, access management, encryption, and incident response, such as mandatory multi-factor authentication and regular vulnerability assessments.[43] For private and MSME entities, frameworks encompass the Guidelines for Secure Application Design, Development, Deployment, and Maintenance (emphasizing input validation, secure coding, and penetration testing) and the 2025 15 Elemental Cyber Defense Controls for MSMEs, outlining baseline measures like asset inventory, access controls, data backups, and employee training to mitigate common threats.[44][45] The July 2025 Comprehensive Cyber Security Audit Policy Guidelines establish standardized audit methodologies, including risk assessments, control evaluations, and reporting protocols, enabling empaneled auditors to verify adherence, with implications for sectors handling sensitive data or critical infrastructure.[46] These frameworks collectively aim to enforce minimum cybersecurity hygiene, though implementation challenges persist due to varying entity capacities and the directives' broad scope.
International Cooperation and Agreements
Bilateral and Multilateral Partnerships
CERT-In has established bilateral partnerships primarily through memoranda of understanding (MoUs) focused on threat intelligence sharing and incident response coordination. In January 2017, CERT-In signed an MoU with the United States Computer Emergency Readiness Team (US-CERT), enabling real-time exchange of cybersecurity information, collaborative vulnerability analysis, and mutual assistance in handling cross-border incidents.[47] Similarly, India entered into a cybersecurity cooperation agreement with Brazil, which includes provisions for CERT-level exchanges on cyber attack data, joint response mechanisms, and technology sharing relevant to emergency operations, though the exact signing date remains unspecified in public records.[48] These agreements emphasize operational interoperability but have been limited in number, reflecting CERT-In's selective approach to formal bilateral ties amid geopolitical considerations. On the multilateral front, CERT-In maintains active membership in key global and regional forums to facilitate standardized incident handling and threat dissemination. 
It has been a full member of the Forum of Incident Response and Security Teams (FIRST) since 2006, participating in its collaborative platform for over 600 teams worldwide to share indicators of compromise and coordinate responses to large-scale attacks.[14] As an operational member of the Asia-Pacific Computer Emergency Response Team (AP-CERT) since the same year, CERT-In engages in regional exercises and intelligence feeds tailored to Asia-Pacific threats, such as state-sponsored intrusions prevalent in the area.[49][14] CERT-In's multilateral engagements extend to high-level diplomatic platforms, including the G20, where it led a cybersecurity exercise and drill on January 31, 2023, involving over 400 participants from more than 12 countries to simulate cross-border incident response.[38] Through these forums, CERT-In contributes to and benefits from global norms on vulnerability disclosure and malware analysis, though participation often prioritizes capacity building over binding commitments. Such collaborations enhance India's situational awareness but depend on reciprocal trust, which can be strained by differing national priorities in attribution and enforcement.[24]
Role in Global Cyber Diplomacy
CERT-In facilitates India's engagement in global cyber diplomacy by serving as the technical focal point for international information sharing on cyber threats and vulnerabilities, acting as a liaison with foreign CERTs and agencies to align incident response practices across borders.[5] As a member of the Forum of Incident Response and Security Teams (FIRST), a global association of over 600 incident response teams, CERT-In participates in collaborative exercises and threat coordination that underpin diplomatic confidence-building measures.[50][24] Similarly, its involvement in the Asia-Pacific Computer Emergency Response Team (APCERT) network supports regional multilateral efforts to standardize responses to transnational attacks, contributing to broader diplomatic initiatives on cyber norms.[42][24] Through bilateral agreements, such as the 2020 operational collaboration protocol with Spain's counterpart agency, CERT-In enables real-time exchange of incident data, best practices, and technical infrastructure support, which strengthens diplomatic ties and mutual legal assistance in cyber investigations.[51] It also engages with networks like the G7 24/7 International Contact Group for cybercrime, sharing intelligence to facilitate arrests and evidence preservation in cross-jurisdictional cases.[52] In 2021, CERT-In contributed to planning and scenario development for three international exercises while participating as an active player in seven others, demonstrating its role in building operational interoperability that informs India's positions in multilateral forums.[6] These activities extend to partnerships with Interpol, where CERT-In aids in attributing state-sponsored threats, thereby supporting diplomatic attributions and sanctions discussions.[52] CERT-In's technical inputs have indirectly advanced India's advocacy for inclusive cyber governance frameworks, such as those discussed in UN processes, by providing empirical data on incident trends that highlight the need for attributable state responsibility without endorsing unverified attribution claims from biased sources.[53] Annual reports emphasize ongoing expansion of these partnerships to address evolving threats like supply chain attacks, positioning CERT-In as a key enabler of India's strategic autonomy in cyber diplomacy amid geopolitical tensions.[38]
Achievements and Operational Impact
Key Metrics and Incident Resolutions
CERT-In has tracked and coordinated responses to a rapidly increasing volume of cybersecurity incidents, reflecting the growing threat landscape in India. In 2022, it handled 1,391,457 incidents, encompassing website intrusions, malware propagation, malicious code, phishing, and distributed denial-of-service attacks.[54] This rose to 1,592,917 incidents in 2023 and further to 2,041,360 in 2024, with coordination involving mitigation of vulnerable services and targeted responses to high-impact threats like viruses and malicious codes, where 161,757 such incidents were addressed in 2022 alone.[36][55] Key response metrics include proactive issuance of vulnerability notes, security alerts, and advisories to enable rapid resolutions across sectors. In 2023, CERT-In published 397 vulnerability notes detailing exploitable flaws, 657 security alerts on emerging threats, and 52 advisories providing mitigation guidance, contributing to the containment of incidents such as ransomware campaigns that saw a 53% year-over-year increase in reports during 2022.[38][56] These outputs support entity-level resolutions by outlining patching, scanning, and recovery steps, with CERT-In's coordination facilitating takedowns of phishing sites and malware distribution networks.

| Year | Incidents Handled | Notable Response Outputs |
|---|---|---|
| 2022 | 1,391,457 | 488 vulnerability notes; 653 alerts; 38 advisories; 19,793 website defacements addressed[57][58] |
| 2023 | 1,592,917 | 397 vulnerability notes; 657 alerts; 52 advisories[38] |
| 2024 | 2,041,360 | Enhanced ransomware analysis and sector-specific mitigations[59][36] |