Industry February 17, 2026 · 5 min read

India Cybersecurity Mandates: How Basirah Maps to CERT-In Directions and RBI Cybersecurity Framework

CERT-In 2022 Directions and the RBI Cybersecurity Framework both require vulnerability management with documented remediation. Here is how Basirah maps to each framework.

Synodician Research Desk
Security Research
6 hours: incident reporting window under CERT-In Directions
180 days: log retention requirement

India’s cybersecurity regulatory landscape tightened significantly in 2022 when CERT-In issued mandatory directions requiring 6-hour incident reporting and log retention obligations. The Reserve Bank of India’s cybersecurity framework adds sector-specific requirements for financial institutions including Board-level reporting and periodic vulnerability assessment. Together, these frameworks create overlapping obligations for any organisation operating in India’s financial services sector.

India’s two primary regulators — CERT-In and RBI — are converging on verified, evidence-backed vulnerability management.

Regulatory note: This is an operational summary, not legal advice. Validate current statutory and assessor requirements with counsel and relevant regulatory guidance.

Consider a bank with operations across multiple Indian states, serving retail and corporate customers through digital channels. A vulnerability in their internet banking platform triggers CERT-In reporting timelines and RBI audit scrutiny simultaneously. The remediation evidence needs to satisfy both a national cyber agency and a financial sector regulator with different reporting formats.

CERT-In 2022 Directions

The Indian Computer Emergency Response Team (CERT-In) issued binding directions in April 2022 under Section 70B(6) of the Information Technology Act 2000. These directions apply to all service providers, intermediaries, data centres, body corporates, and government organisations, making them among the broadest cybersecurity mandates in Asia-Pacific.

Key requirements

  • 6-hour incident reporting: Cyber incidents must be reported to CERT-In within 6 hours of “noticing or being brought to notice.” This is among the shortest mandatory reporting windows globally.
  • Types of reportable incidents: Targeted scanning or probing, compromise of critical systems, unauthorised access, website defacements, malicious code attacks, attacks on servers, identity theft, data breaches, and attacks on critical infrastructure
  • 180-day log retention: All service providers and data centres must maintain logs of ICT systems for a rolling period of 180 days, stored within Indian jurisdiction
  • Synchronised system clocks: All ICT systems must connect to NTP servers of NIC or NPLI for accurate timestamping
  • Vulnerability scanning: Organisations must enable logs on all ICT systems and conduct regular vulnerability assessments

The operational challenge

The 6-hour reporting window is extraordinarily tight. Organisations need real-time awareness of their vulnerability posture so that when an incident occurs, they can immediately assess whether known vulnerabilities were involved, what the remediation status was, and what evidence exists of prior security measures. Manual processes cannot produce this context within 6 hours.

Platform Alignment

Basirah’s continuous vulnerability lifecycle management provides the real-time posture awareness that CERT-In’s 6-hour window demands. When an incident occurs, the platform can immediately surface the remediation status of related vulnerabilities: was the exploited vulnerability known, was remediation in progress, what SLA window applied, and what verification steps had been completed.

The platform’s audit trail with cryptographically signed records satisfies the log retention requirement with tamper-evident evidence. Every finding, work item, remediation action, and verification result is timestamped and attributed. The NTP synchronisation requirement is addressed at the infrastructure level, but Basirah’s timestamps provide a consistent remediation timeline that aligns with CERT-In’s evidence expectations.
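To make "tamper-evident, timestamped and attributed" concrete, the following added example (not Basirah's code) chains audit records so that an edit or deletion is detectable, and shows how records older than the 180-day window can be pruned without losing verifiability. HMAC-SHA256 with a demo key stands in for a real signature scheme; all names, the key and the sample records are constructed assumptions.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

KEY = b"constructed-demo-key"        # assumption: production keys live in a KMS/HSM
GENESIS = "0" * 64                   # chain anchor before the first record
RETENTION = timedelta(days=180)      # rolling log retention period
REPORT_WINDOW = timedelta(hours=6)   # incident reporting window
FIELDS = ("ts", "actor", "action", "prev")

def _mac(rec):
    msg = json.dumps({k: rec[k] for k in FIELDS}, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def append(chain, ts, actor, action):
    """Add a timestamped, attributed record bound to the previous record's MAC."""
    rec = {"ts": ts.isoformat(), "actor": actor, "action": action,
           "prev": chain[-1]["mac"] if chain else GENESIS}
    rec["mac"] = _mac(rec)
    chain.append(rec)

def verify(chain, anchor=GENESIS):
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev = anchor
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(rec)):
            return i
        prev = rec["mac"]
    return -1

def prune(chain, now):
    """Drop records older than 180 days; return (kept, anchor for the kept part)."""
    cutoff = now - RETENTION
    n = sum(1 for r in chain if datetime.fromisoformat(r["ts"]) < cutoff)
    return chain[n:], (chain[n - 1]["mac"] if n else GENESIS)

def report_deadline(noticed_at):
    """Latest filing time for an incident noticed at `noticed_at`."""
    return noticed_at + REPORT_WINDOW

def sample_chain():
    """Constructed records for one finding's remediation timeline."""
    utc, chain = timezone.utc, []
    append(chain, datetime(2025, 7, 1, tzinfo=utc), "scanner", "finding opened")
    append(chain, datetime(2025, 12, 10, tzinfo=utc), "ops-team", "patch deployed")
    append(chain, datetime(2026, 1, 5, tzinfo=utc), "verifier", "re-scan PASS")
    return chain
```

After pruning, the returned anchor must itself be stored somewhere the log writer cannot alter, otherwise the retained portion cannot be tied back to the discarded history.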

SIEM forwarding to major security platforms integrates Basirah’s remediation telemetry into existing incident response infrastructure. When CERT-In reporting is triggered, the correlation between vulnerability management data and incident data is already established.

RBI Cybersecurity Framework

The Reserve Bank of India’s Cybersecurity Framework for banks (2016, updated through subsequent master directions) requires all scheduled commercial banks to establish a cyber security framework. The 2023 Master Direction on IT Governance, Risk, Controls and Assurance Practices further strengthened vulnerability management requirements.

Key requirements

  • Board-level reporting: Cybersecurity posture, including vulnerability management metrics, must be reported to the Board of Directors at defined intervals
  • Vulnerability Assessment and Penetration Testing (VAPT): Periodic VAPT assessments of critical systems, with defined remediation timelines based on severity
  • Defined remediation timelines: Critical vulnerabilities must be remediated within defined timeframes, with documented justification for any exceptions or deferrals
  • Continuous monitoring: Banks must implement continuous monitoring of cybersecurity threats and vulnerabilities with documented response procedures
  • Cyber crisis management plan: Including vulnerability exploitation scenarios with tested response procedures
  • IT risk management: Identification, assessment, monitoring, and management of IT risks including vulnerability exposure

The governance challenge

RBI requires Board-level reporting on cybersecurity posture, which means vulnerability management data must be translated from technical metrics into governance language. Boards need to understand remediation progress, SLA compliance, residual risk exposure, and trend data, not raw vulnerability counts or CVSS distributions.

Platform Alignment

Basirah’s executive dashboard provides the Board-level reporting format RBI requires. Risk quantification using FAIR methodology translates vulnerability exposure into financial terms: annualised loss expectancy with P50 and P95 confidence intervals. Board reports can show remediation ROI (baseline ALE minus post-remediation ALE), SLA attainment rates, and ownership coverage, all in the governance language that Board members and RBI examiners expect.

For VAPT requirements, Basirah integrates findings from vulnerability assessment tools and tracks them through the complete remediation lifecycle. The platform’s finding normalization ensures that findings from multiple assessment sources create single owned work items rather than duplicate tracking. Each work item carries a defined SLA based on severity and asset criticality, with automated escalation for SLA breaches.

Verification through re-scan, API probe, attestation, or external audit satisfies RBI’s requirement that remediation effectiveness be demonstrated, not just reported. A finding is not considered closed until independent verification produces a PASS result.

Compliance audit readiness features generate evidence packages aligned to RBI examination expectations. Control testing, test plans, and evidence collection per control can support the structured audit documentation that RBI assessors require during supervisory reviews.

Warning

Dual-regulator challenge — CERT-In and RBI enforce different but overlapping requirements on the same organizations.

The dual-regulator challenge

Indian financial institutions face a distinctive problem: CERT-In and RBI operate on completely different timescales and ask fundamentally different questions. CERT-In wants to know within 6 hours whether an incident is contained. RBI wants to see quarterly Board-level reporting on programme effectiveness and risk posture. One demands speed; the other demands governance depth.

Requirement | CERT-In 2022 Directions | RBI Cybersecurity Framework
Reporting timeline | 6 hours (incidents) | Board-level (periodic)
Vulnerability assessment | Regular scanning required | Periodic VAPT mandated
Remediation evidence | Log retention (180 days) | Defined timelines with evidence
Risk governance | Incident classification | Board reporting in business terms
Audit/examination | CERT-In compliance audits | RBI supervisory reviews
Scope | All service providers | Scheduled commercial banks

The underlying remediation data is the same; the packaging differs. Basirah’s single remediation workflow can generate both the real-time incident context CERT-In needs and the governance-level evidence packages RBI examiners expect, without teams maintaining parallel processes for each regulator.



References

  1. Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 (Indian Computer Emergency Response Team (CERT-In)), accessed Feb 17, 2026
  2. Cyber Security Framework in Banks (Reserve Bank of India), accessed Feb 17, 2026
  3. Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (Reserve Bank of India), accessed Feb 17, 2026
