The Indian Computer Emergency Response Team (CERT-In) issued a directive on ransomware incident reporting on 20 September 2025 under its powers under Section 70B(6) of the Information Technology Act 2000. The directive supplements CERT-In's mandatory incident reporting framework established by the Directions under the IT Act issued in April 2022, which require all service providers, intermediaries, data centres, and body corporates to report certain cybersecurity incidents — including ransomware attacks — to CERT-In within six hours of detection. The September 2025 directive addresses the persistent gaps in ransomware-specific reporting quality that CERT-In identified through its review of incident reports received since 2022.
The Six-Hour Reporting Obligation: What It Requires
The April 2022 Directions require initial notification to CERT-In within six hours of becoming aware of a ransomware attack. The September 2025 directive clarifies what "becoming aware" means in the ransomware context: awareness is triggered when the organisation's security operations centre, IT personnel, or any employee identifies ransomware indicators — including encrypted files with unfamiliar extensions, ransom notes, or suspicious outbound network traffic to known command-and-control addresses — regardless of whether a full incident assessment has been completed.
The directive confirms that the six-hour clock begins from first awareness, not from completion of incident analysis. Organisations that have been treating the six-hour window as commencing from the completion of a forensic root-cause analysis — a practice that effectively deferred reporting by 24 to 48 hours — are in non-compliance with the 2022 Directions as interpreted by the directive.
Required Information in the Initial Report
The September 2025 directive prescribes the minimum information that must be included in the initial six-hour report. The required information is: name, contact details, and sector classification of the reporting entity; date and approximate time of discovery; systems affected (by category — servers, endpoints, cloud infrastructure, operational technology); whether critical infrastructure is affected; the ransomware variant identified (if known); whether ransom demand has been received and the quantum and payment method demanded; whether any data exfiltration is suspected or confirmed; and the containment actions taken.
The directive explicitly states that reports that contain only generic information — "we have been the victim of a cyberattack" — without the prescribed content will be treated as non-compliant and CERT-In will issue a follow-up notice requiring a completed report within 24 hours. Repeated non-compliant reports may be referred to the appropriate enforcement authority for action under Section 70B(7) of the IT Act, which provides for penalties against entities that fail to comply with CERT-In directions.
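As an added example (not from the directive or from CERT-In), the following Python helper encodes the two points above: the six-hour clock runs from the earliest ransomware indicator anyone in the organisation observed, and a report that omits the prescribed content is non-compliant and attracts a 24-hour follow-up notice. The field names, the sample indicators and the report values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
INITIAL_WINDOW = timedelta(hours=6)     # initial report window under the 2022 Directions
FOLLOW_UP_WINDOW = timedelta(hours=24)  # completed report after a non-compliance notice

# Minimum content of the initial report per the directive; field names are constructed here.
REQUIRED_FIELDS = (
    "entity_name", "contact_details", "sector", "discovery_time", "systems_affected",
    "critical_infrastructure_affected", "ransomware_variant",  # "unknown" is acceptable
    "ransom_demand_received", "data_exfiltration", "containment_actions",
)
RANSOM_DETAIL_FIELDS = ("ransom_quantum", "ransom_payment_method")  # only if a demand exists

@dataclass
class Indicator:
    observed_at: datetime  # when a SOC analyst, IT staffer or any employee first saw it
    source: str            # "soc", "it" or "employee": any of them triggers awareness
    description: str

def awareness_time(indicators):
    """Awareness is the earliest indicator anyone observed, not the end of the analysis."""
    return min(i.observed_at for i in indicators)

def missing_fields(report):
    """Prescribed fields that are absent or blank; ransom details only when a demand exists."""
    blank = (None, "", [], {})
    missing = [f for f in REQUIRED_FIELDS if report.get(f) in blank]
    if report.get("ransom_demand_received") is True:
        missing += [f for f in RANSOM_DETAIL_FIELDS if report.get(f) in blank]
    return missing

def assess_report(report, indicators, filed_at):
    """Judge timeliness and completeness; a generic report earns a 24-hour follow-up notice."""
    deadline = awareness_time(indicators) + INITIAL_WINDOW
    missing = missing_fields(report)
    on_time = filed_at <= deadline
    return {"deadline": deadline, "on_time": on_time, "missing": missing,
            "compliant": on_time and not missing,
            "follow_up_due": filed_at + FOLLOW_UP_WINDOW if missing else None}

# Constructed scenario: an employee saw the ransom note 35 minutes before the SOC alert fired
INDICATORS = [
    Indicator(datetime(2025, 10, 6, 9, 45, tzinfo=IST), "soc", "beacon to known C2 address"),
    Indicator(datetime(2025, 10, 6, 9, 10, tzinfo=IST), "employee", "ransom note on file share"),
]
GENERIC_REPORT = {"entity_name": "Example Co", "contact_details": "soc@example.invalid",
                  "sector": "technology", "containment_actions": "investigation ongoing"}
```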
Post-Incident Cooperation Requirements
The directive introduces new post-incident cooperation obligations that go beyond the initial reporting requirement. Following the initial report, CERT-In may request — and affected entities must provide — system images, malware samples, logs from affected systems (network, DNS, authentication, and endpoint), and a timeline of the incident from first indicator to containment. These forensic artefacts must be preserved from the moment of detection; organisations that commence recovery operations — including system wipes and reinstallation — without preserving forensic artefacts first will be unable to meet the post-incident cooperation obligation and may face penalties.
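As an added illustration that is not part of the directive, the Python sketch below implements a preservation gate: it records each artefact category the directive names with a SHA-256 hash in a chain-of-custody manifest and does not clear recovery until every category is preserved and unchanged. The categories follow the directive's list; the file names, sample contents and the demo walk-through are constructed.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Artefact categories the directive says CERT-In may request after the initial report
REQUIRED_ARTEFACTS = {"system_image", "malware_sample", "network_logs", "dns_logs",
                      "authentication_logs", "endpoint_logs", "timeline"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(artefacts, manifest_path):
    """Write a chain-of-custody manifest: category, path, SHA-256 and preservation time."""
    now = datetime.now(timezone.utc).isoformat()
    entries = [{"category": c, "path": str(p), "sha256": sha256_file(p), "preserved_at": now}
               for c, p in artefacts.items()]
    Path(manifest_path).write_text(json.dumps(entries, indent=2))
    return entries

def recovery_blockers(manifest_path):
    """Categories not yet preserved, or altered since preservation; recovery waits on these."""
    manifest = Path(manifest_path)
    if not manifest.exists():
        return sorted(REQUIRED_ARTEFACTS)
    intact = {e["category"] for e in json.loads(manifest.read_text())
              if Path(e["path"]).exists() and sha256_file(e["path"]) == e["sha256"]}
    return sorted(REQUIRED_ARTEFACTS - intact)

def demo(workdir=None):
    """Constructed walk-through: no manifest, partial preservation, full preservation, tampering."""
    root = Path(workdir or tempfile.mkdtemp())
    manifest = root / "custody_manifest.json"
    files = {}
    for category in sorted(REQUIRED_ARTEFACTS):          # constructed stand-in artefacts
        files[category] = root / f"{category}.bin"
        files[category].write_bytes(f"sample {category} content\n".encode())
    before = recovery_blockers(manifest)
    partial = {c: p for c, p in files.items() if c != "malware_sample"}  # sample not kept
    preserve(partial, manifest)
    after_partial = recovery_blockers(manifest)
    preserve(files, manifest)
    after_full = recovery_blockers(manifest)
    files["dns_logs"].write_bytes(b"rotated\n")           # log altered after preservation
    after_tamper = recovery_blockers(manifest)
    return {"before": before, "partial": after_partial, "full": after_full, "tampered": after_tamper}
```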
The directive also requires that affected entities cooperate with any CERT-In-directed vulnerability disclosure if CERT-In determines that the ransomware attack exploited a previously unknown or unpatched vulnerability that poses a systemic risk to other Indian organisations in the same sector. Sector-wide disclosure is a significant obligation, since it can mean that vulnerabilities in an organisation's proprietary systems are publicly identified.
Interaction with DPDP and Sector-Specific Obligations
A ransomware incident frequently constitutes both a CERT-In-reportable cybersecurity incident and a data breach under the DPDP Act 2023 (once the DPDP Rules' breach notification provisions are fully operative from March 2027). Organisations must meet parallel reporting obligations — CERT-In within six hours and the Data Protection Board within the DPDP-prescribed period. The CERT-In report and the DPDP breach notification serve different purposes and have different required content; organisations should not file an identical report to both authorities. SEBI-regulated entities, RBI-regulated entities, and IRDAI-regulated insurers face additional sectoral incident reporting obligations that run concurrently and must be coordinated.
Organisations that pay ransoms — an increasingly common response particularly among mid-market companies without robust backup infrastructure — must be aware that ransom payments to entities on the OFAC Specially Designated Nationals list or on India's sanctions-designated list may themselves constitute violations of applicable sanctions law. The decision to pay or not pay a ransom must be made with legal advice covering the sanctions dimension, not purely as a business recovery decision.
Building a CERT-In Compliant Incident Response Programme
Delhi NCR businesses across banking, technology, healthcare, and critical infrastructure must have an incident response plan that has been tested through tabletop exercises, that explicitly addresses the six-hour reporting obligation, and that assigns clear ownership for CERT-In notification. The most common compliance failure identified in CERT-In's review is the absence of a named individual — with 24/7 contact information — responsible for making the initial report. In the chaos of a live ransomware incident, the absence of pre-assigned reporting responsibility causes the six-hour window to expire without notification.
Action Items for Delhi NCR Businesses
- Test your incident response plan against the September 2025 directive's six-hour reporting trigger — awareness, not analysis completion, starts the clock.
- Assign a named CERT-In Reporting Officer with 24/7 contact details and ensure all security and IT staff know who to escalate ransomware indicators to immediately.
- Implement a forensic preservation protocol that prevents system recovery actions before evidence is captured — logs, images, and malware samples must be preserved before remediation begins.
- Map all parallel reporting obligations — CERT-In, DPDP Board, SEBI/RBI/IRDAI where applicable — and ensure coordination protocols exist to file within each deadline.
- Before any ransom payment decision is made, obtain legal advice on sanctions compliance — the paying entity, not the attacker, carries the sanctions violation risk.
- Conduct a tabletop exercise simulating a ransomware incident and measure actual response time against the six-hour reporting obligation.