
Cyber Security Clauses in Indian Contracts: CERT-In Compliance Guide

LexiReview Editorial Team · 29 March 2026 · 21 min read


India's cybersecurity regulatory landscape shifted dramatically in April 2022 when CERT-In released its landmark directions under Section 70B of the Information Technology Act, 2000. For IT companies, CISOs, and in-house counsel, these directions did not just create new compliance obligations — they fundamentally changed what every technology contract, SaaS agreement, and vendor engagement must contain.

If your contracts still rely on generic "reasonable security measures" language, you are exposed. This guide breaks down every cybersecurity clause your Indian contracts need, with practical templates you can adapt today.

Key Takeaway

  • CERT-In's April 2022 directions mandate a 6-hour incident reporting window — the strictest in the world, and your contracts must reflect this.
  • Every IT/SaaS contract in India now needs explicit clauses covering incident notification, log retention (180 days), time synchronization, and KYC for VPN/cloud providers.
  • The DPDP Act 2023 adds a parallel layer of data breach notification obligations to the Data Protection Board.
  • Missing cybersecurity clauses expose organizations to penalties under the IT Act (up to Rs. 1 crore), DPDP Act (up to Rs. 250 crore), and sector-specific regulations from RBI, IRDAI, and SEBI.
  • Vendor contracts without security audit rights, data localization commitments, and cyber insurance requirements are incomplete under current Indian law.

Understanding CERT-In's April 2022 Directions

On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued directions that became effective on 25 September 2022. These directions apply to all service providers, intermediaries, data centres, body corporates, and government organizations.

The directions introduced several obligations that directly impact contract drafting:

  1. 6-hour incident reporting: Any entity must report specified cyber incidents to CERT-In within 6 hours of noticing or being brought to notice of such incidents.
  2. 180-day log retention: All service providers must maintain logs of ICT systems for a rolling period of 180 days, within Indian jurisdiction.
  3. Time synchronization: All ICT systems must connect to NTP servers of NIC or IDRBT, or to NTP servers traceable to these.
  4. KYC and data retention by VPN/cloud/VPS providers: Must maintain subscriber/customer registration data for 5 years after cancellation or withdrawal.

Critical: 6-Hour Window Is Non-Negotiable

The 6-hour incident reporting deadline runs from the moment your organization notices or is brought to notice of the incident — not from when investigation is complete. Your contracts must ensure vendors and partners notify you immediately so you can meet this window. There is no extension mechanism.

Reportable Cyber Incidents Under CERT-In Directions

The directions list 20 categories of reportable incidents. Key ones affecting contract obligations include:

  • Targeted scanning or probing of critical networks/systems
  • Compromise of critical systems or information
  • Unauthorised access to IT systems or data
  • Defacement of websites or intrusion into applications
  • Malicious code attacks (ransomware, cryptominers, etc.)
  • Attacks on servers, databases, or infrastructure
  • Data breaches or data leaks
  • Attacks on IoT devices and associated systems
  • Attacks or incidents affecting digital payment systems
  • Fake mobile apps
  • Unauthorized access to social media accounts

Any contract where one party processes, stores, or has access to the other party's systems or data must address these incident categories explicitly.

Mandatory Cyber Security Clauses for IT/SaaS Contracts

Below are the essential cybersecurity clauses every Indian IT and SaaS contract must include following the CERT-In directions.

1. Incident Notification and Reporting Clause

This is the most critical clause. It must operationalize the 6-hour window across your vendor and partner chain.

Template Clause:

Cyber Incident Notification. The Service Provider shall notify the Client of any Cyber Security Incident (as defined in the CERT-In Directions dated 28.04.2022) affecting the Client's data, systems, or services within two (2) hours of becoming aware of such incident, to enable the Client to comply with CERT-In's mandatory 6-hour reporting requirement. Such notification shall include: (a) nature and category of the incident; (b) systems and data affected; (c) preliminary impact assessment; (d) immediate containment measures undertaken; and (e) a designated point of contact for ongoing coordination. The Service Provider shall provide a detailed incident report within twenty-four (24) hours and cooperate fully with the Client and CERT-In in any subsequent investigation.

Why 2 Hours, Not 6?

Setting a contractual notification window shorter than the statutory 6 hours (typically 2-3 hours) gives your organization the buffer needed to assess the notification, verify the incident, and file the CERT-In report within the statutory deadline. This cascading approach is now industry best practice.

2. Log Retention and Access Clause

CERT-In requires 180-day log retention within Indian jurisdiction. Your contracts must ensure vendors comply.

Template Clause:

Log Maintenance and Retention. The Service Provider shall maintain and securely store all logs of ICT systems relevant to the Services, including but not limited to firewall logs, IDS/IPS logs, web server logs, database access logs, VPN logs, and application logs, for a minimum rolling period of one hundred and eighty (180) days within Indian jurisdiction. Logs shall be maintained in a format that allows for meaningful reconstruction of events. The Service Provider shall provide access to such logs to the Client and/or CERT-In within twenty-four (24) hours of a written request. Logs shall be time-stamped using NTP servers synchronized with NIC or IDRBT time sources.

3. NTP Synchronization Clause

This is often overlooked but is explicitly mandated by the CERT-In directions.

Template Clause:

Time Synchronization. The Service Provider shall synchronize all ICT system clocks used in connection with the Services to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the Indian Computer Emergency Response Team (CERT-In) or National Physical Laboratory (NPL), or to NTP servers traceable to these sources, in accordance with CERT-In Directions dated 28.04.2022.


4. Vendor Security Assessment Clause

Beyond CERT-In compliance, contracts must establish baseline security expectations and ongoing verification mechanisms.

Template Clause:

Security Standards and Assessment. The Service Provider represents and warrants that it maintains information security practices that comply with, at a minimum: (a) CERT-In Directions dated 28.04.2022; (b) ISO/IEC 27001:2022 or equivalent; (c) applicable provisions of the Information Technology Act, 2000 and rules thereunder; and (d) the Digital Personal Data Protection Act, 2023 and rules thereunder as applicable. The Service Provider shall, upon reasonable notice and not more than once per calendar year (and additionally following any Cyber Security Incident), submit to a security assessment or audit conducted by the Client or its designated third-party auditor, at the Client's cost. The Service Provider shall remediate any material findings within thirty (30) days.

5. Security Audit Rights Clause

Audit rights are essential, particularly given the sectoral requirements from RBI and SEBI that mandate vendor audits.

Template Clause:

Audit Rights. The Client, its designated auditors, and applicable regulatory authorities (including CERT-In, RBI, SEBI, and IRDAI as applicable) shall have the right to conduct security audits, vulnerability assessments, and penetration testing of the Service Provider's systems, infrastructure, and processes relevant to the Services. The Service Provider shall cooperate fully with such audits and provide all reasonably requested information, access, and assistance. Where audit findings reveal non-compliance with applicable law or this Agreement, the Service Provider shall prepare and execute a remediation plan within the timelines agreed by the Parties, which shall not exceed thirty (30) days for critical findings and sixty (60) days for non-critical findings.

6. Data Localization and Residency Clause

Data localization is mandated by multiple Indian regulatory frameworks. While the DPDP Act permits cross-border transfer with conditions, sector-specific rules are stricter.

Template Clause:

Data Localization. All Client Data classified as Sensitive Personal Data, Critical Personal Data (as defined under applicable law), or data subject to sectoral localization requirements (including RBI's Storage of Payment System Data directions and IRDAI's outsourcing guidelines) shall be stored and processed exclusively within the territory of India. The Service Provider shall not transfer, mirror, or replicate such data outside India without the prior written consent of the Client and in compliance with applicable law. The Service Provider shall maintain and provide documentation of its data centre locations, data flow maps, and any sub-processors involved in data handling.

7. Cyber Insurance and Indemnity Clause

Given the scale of potential breaches and the penalties under DPDP Act (up to Rs. 250 crore), contractual risk allocation through insurance and indemnity is essential.

Template Clause:

Cyber Insurance. The Service Provider shall maintain, at its own cost, a cyber liability insurance policy with coverage of not less than [Rs. _____ crore] per occurrence and in aggregate, covering: (a) data breach response costs including forensic investigation, notification expenses, and credit monitoring; (b) business interruption losses; (c) cyber extortion and ransomware payments; (d) regulatory fines and penalties to the extent insurable under applicable law; and (e) third-party claims arising from data breaches or cyber incidents. The Service Provider shall provide a copy of the insurance certificate and policy summary to the Client upon request.

Indemnification. The Service Provider shall indemnify, defend, and hold harmless the Client from and against any losses, damages, penalties, fines, costs, and expenses (including reasonable legal fees) arising from: (a) the Service Provider's breach of its cybersecurity obligations under this Agreement; (b) any Cyber Security Incident attributable to the Service Provider's systems, personnel, or sub-processors; (c) the Service Provider's non-compliance with CERT-In Directions, the IT Act, the DPDP Act, or applicable sectoral regulations; and (d) any regulatory action against the Client resulting from the Service Provider's acts or omissions.

The DPDP Act Intersection: Dual Compliance Obligations

The Digital Personal Data Protection Act, 2023 (DPDP Act) creates a parallel set of obligations that overlap with and reinforce CERT-In requirements. Contracts must address both frameworks simultaneously.

Key DPDP Act Obligations Affecting Contracts

| Obligation | CERT-In Directions | DPDP Act 2023 |
|---|---|---|
| Breach notification recipient | CERT-In | Data Protection Board + affected Data Principals |
| Notification timeline | 6 hours | "Without delay" (rules will specify exact timeline) |
| Log retention | 180 days minimum | As prescribed by rules |
| Data processor obligations | General compliance | Specific contractual mandate under Section 8(2) |
| Penalties for non-compliance | IT Act penalties (up to Rs. 1 crore) | Up to Rs. 250 crore per instance |
| Cross-border transfer | Log storage in India | Permitted except to notified restricted countries |

Double Notification Trap

A single data breach may trigger obligations under both CERT-In directions (6-hour report to CERT-In) and the DPDP Act (notification to Data Protection Board and affected individuals). Your contracts must ensure the vendor's breach notification clause addresses both regulatory pathways, with separate escalation workflows for each.

Data Processing Agreement Clause Under DPDP Act

Section 8(2) of the DPDP Act requires Data Fiduciaries to engage Data Processors only under a valid contract. Here is a template that bridges both frameworks:

Template Clause:

Data Processing Obligations. The Service Provider, acting as a Data Processor under the Digital Personal Data Protection Act, 2023, shall: (a) process personal data only on documented instructions from the Client (Data Fiduciary) and solely for the purposes specified in this Agreement; (b) implement appropriate technical and organizational security measures, including encryption (AES-256 or equivalent at rest, TLS 1.2+ in transit), access controls, and regular vulnerability assessments; (c) not engage sub-processors without the prior written consent of the Client and shall ensure equivalent contractual obligations flow down to any approved sub-processors; (d) notify the Client of any personal data breach in accordance with the Cyber Incident Notification clause of this Agreement; (e) assist the Client in responding to data principal rights requests within the timelines prescribed by law; (f) upon termination, securely delete or return all personal data within thirty (30) days, and certify such deletion in writing; and (g) maintain records of all processing activities carried out on behalf of the Client.


Sector-Specific Cyber Security Contract Requirements

BFSI Sector (Banks, NBFCs, Insurance)

The financial sector faces the most stringent cybersecurity contract requirements, layered across multiple regulators.

RBI Requirements:

  • RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (2023) mandates that outsourcing agreements include specific cybersecurity provisions
  • Payment data must be stored only in India (RBI circular on Storage of Payment System Data, 2018)
  • Mandatory Cyber Security Framework compliance for banks and UCBs
  • Annual IT audit by CERT-In empanelled auditors

IRDAI Requirements:

  • IRDAI Information and Cyber Security Guidelines, 2023 require insurers to include cybersecurity clauses in all outsourcing and vendor agreements
  • Mandatory incident reporting to IRDAI within specified timelines, in addition to CERT-In reporting

SEBI Requirements:

  • SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities, effective from January 2025
  • Mandatory inclusion of cybersecurity audit rights and incident response obligations in all critical vendor contracts
  • SOC (Security Operations Centre) requirements flow down to service providers

Additional BFSI Template Clause:

Regulatory Compliance (Financial Sector). In addition to general cybersecurity obligations, the Service Provider shall comply with: (a) RBI Master Direction on IT Governance and applicable circulars on outsourcing and data localization; (b) SEBI Cybersecurity and Cyber Resilience Framework as applicable; (c) IRDAI Information and Cyber Security Guidelines as applicable. The Service Provider shall submit to audits by RBI, SEBI, IRDAI, or their designated agencies and shall ensure that CERT-In empanelled auditors may conduct annual security assessments. Payment system data and customer financial data shall be stored exclusively within India.

Healthcare Sector

While India does not yet have a dedicated healthcare data protection law (comparable to HIPAA), the following requirements apply:

  • DPDP Act classifies health data as personal data requiring protection
  • National Digital Health Mission (NDHM) Health Data Management Policy mandates security standards for health data
  • Telemedicine Practice Guidelines require data security provisions in all technology contracts
  • CERT-In directions apply fully to health-tech platforms

Healthcare Template Clause:

Health Data Security. The Service Provider shall treat all health data processed under this Agreement as sensitive information requiring enhanced protection. The Service Provider shall comply with the National Digital Health Mission's Health Data Management Policy, applicable Telemedicine Practice Guidelines, and the DPDP Act. Health data shall be encrypted at rest and in transit, access shall be restricted on a need-to-know basis with role-based access controls, and audit logs of all access to health records shall be maintained for a minimum of three (3) years.

Government and PSU Sector

Government contracts carry additional cybersecurity requirements driven by national security considerations.

  • MeitY Guidelines on Information Security Practices for Government Entities
  • NIC Security Guidelines for government websites and applications
  • CVC guidelines requiring security clauses in IT procurement contracts
  • GeM (Government e-Marketplace) standard terms include basic cybersecurity requirements, but custom provisions are needed

Government Contract Template Clause:

Government Security Standards. The Service Provider shall comply with: (a) MeitY Guidelines on Information Security Practices for Government Entities; (b) NIC security standards for government applications; (c) Indian Standards IS 16700:2018 and ISO 27001 as baseline security frameworks; and (d) any classification-specific security requirements notified for the data or systems covered under this Agreement. The Service Provider shall ensure that all personnel with access to government data have undergone background verification and shall not engage foreign nationals or entities in data processing without prior written approval from the Client.

Building a Complete Cyber Security Schedule

Best practice for Indian IT contracts is to include cybersecurity provisions as a dedicated schedule or annexure. Here is a recommended structure:

Schedule Structure

Schedule [X]: Cyber Security Requirements

  1. Definitions — Define Cyber Security Incident, CERT-In Directions, Applicable Security Standards, Protected Data categories
  2. Security Standards — Minimum certifications (ISO 27001, SOC 2 Type II), security frameworks, and baselines
  3. Access Controls — Multi-factor authentication, role-based access, privileged access management, periodic access reviews
  4. Encryption Requirements — Encryption standards at rest (AES-256), in transit (TLS 1.2+), and key management procedures
  5. Incident Response — Notification timelines (2-hour internal, 6-hour CERT-In), response procedures, forensic investigation, post-incident review
  6. Log Management — 180-day retention, log formats, NTP synchronization, access provisions for audits
  7. Vulnerability Management — Patch management timelines (critical: 24 hours, high: 72 hours, medium: 30 days), penetration testing frequency
  8. Data Localization — Data residency requirements, approved data centre locations, cross-border transfer restrictions
  9. Sub-Processor Management — Approval process, flow-down obligations, register of sub-processors
  10. Business Continuity and Disaster Recovery — RPO and RTO commitments, DR site requirements, testing frequency
  11. Audit and Assessment — Annual audit rights, regulatory audit cooperation, remediation timelines
  12. Insurance — Minimum coverage, policy requirements, renewal evidence
  13. Personnel Security — Background checks, security awareness training, acceptable use policies
  14. Termination and Data Return — Data deletion/return procedures, certification, survival of obligations

Contract Review Checklist

Before signing any IT or SaaS contract, verify that it addresses all 14 areas listed above. Missing even one area — particularly incident notification, log retention, or audit rights — can result in regulatory non-compliance and significant financial exposure.

Common Pitfalls in Cyber Security Contract Drafting

1. Relying on "Industry Standard" Security Language

Clauses that require "commercially reasonable" or "industry standard" security measures are unenforceable in the CERT-In compliance context. The directions prescribe specific obligations — 6-hour reporting, 180-day logs, NTP synchronization — that generic language does not address.

2. Ignoring Sub-Processor Chains

Your vendor's sub-processor is your compliance risk. If your SaaS vendor uses AWS India but its analytics sub-processor routes data through Singapore, you may have a data localization violation. Contracts must mandate sub-processor transparency and flow-down of all security obligations.

3. Missing the "Notice" Trigger

The 6-hour clock starts when the entity "notices or is brought to notice" of an incident. If your vendor's SOC detects anomalous activity at 2 AM but the vendor's contract manager emails you at 10 AM, you have already lost 8 hours. Contracts must specify automated, immediate notification mechanisms — not email-based escalation alone.
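The cascading windows from the Cyber Incident Notification template clause and this pitfall, as an added Python example (not code from the original post): it takes the time the vendor noticed the incident and the time the client was brought to notice, computes each party's 6-hour CERT-In deadline, checks the 2-hour contractual window, and replays the 2 AM / 10 AM scenario. The window lengths are parameters, the fixed IST offset and the dates are constructed for the example, and the vendor is assumed to be a covered entity itself.

```python
"""Cascading CERT-In notification deadline tracker (added example, not from the page)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed fixed IST offset so the example runs without a tz database.
IST = timezone(timedelta(hours=5, minutes=30))

CERT_IN_WINDOW = timedelta(hours=6)          # statutory: runs from notice, not from investigation end
CONTRACT_WINDOW = timedelta(hours=2)         # template clause: vendor must notify client within 2 h
DETAILED_REPORT_WINDOW = timedelta(hours=24) # template clause: detailed incident report


@dataclass(frozen=True)
class Incident:
    vendor_aware: datetime                     # vendor "notices" (e.g. SOC alert fires)
    client_notified: Optional[datetime] = None # client "brought to notice" by the vendor
    client_filed: Optional[datetime] = None    # client's report reaches CERT-In


def assess(inc: Incident, now: datetime) -> dict:
    """Return every deadline in the chain and the status of each obligation at `now`."""
    out = {
        # The vendor is itself a covered entity: its own 6-hour clock starts when its SOC notices.
        "vendor_cert_in_deadline": inc.vendor_aware + CERT_IN_WINDOW,
        "vendor_contract_deadline": inc.vendor_aware + CONTRACT_WINDOW,
        "detailed_report_deadline": inc.vendor_aware + DETAILED_REPORT_WINDOW,
    }
    if inc.client_notified is None:
        # Client's statutory clock has not started, but the vendor may already be in breach.
        out["vendor_contract_status"] = "overdue" if now > out["vendor_contract_deadline"] else "pending"
        out["client_cert_in_deadline"] = None
        out["client_cert_in_status"] = "clock not started"
        return out

    delay = inc.client_notified - inc.vendor_aware
    out["vendor_notice_delay"] = delay
    out["vendor_contract_status"] = "late" if delay > CONTRACT_WINDOW else "on time"

    # Client's 6 hours run from the moment it was brought to notice.
    client_deadline = inc.client_notified + CERT_IN_WINDOW
    out["client_cert_in_deadline"] = client_deadline
    if inc.client_filed is not None:
        out["client_cert_in_status"] = "late" if inc.client_filed > client_deadline else "filed on time"
    elif now > client_deadline:
        out["client_cert_in_status"] = "overdue"
    else:
        out["client_cert_in_status"] = "pending"
        out["time_remaining"] = client_deadline - now
    return out


def page_scenario() -> dict:
    """The text's scenario: SOC detects at 2 AM, contract manager e-mails the client at 10 AM."""
    detected = datetime(2026, 3, 29, 2, 0, tzinfo=IST)   # constructed date
    emailed = datetime(2026, 3, 29, 10, 0, tzinfo=IST)
    return assess(Incident(vendor_aware=detected, client_notified=emailed), now=emailed)


def compliant_scenario() -> dict:
    """Same detection time, but automated notification within the 2-hour window and a timely filing."""
    detected = datetime(2026, 3, 29, 2, 0, tzinfo=IST)
    notified = datetime(2026, 3, 29, 3, 30, tzinfo=IST)
    filed = datetime(2026, 3, 29, 8, 0, tzinfo=IST)
    return assess(Incident(detected, notified, filed), now=filed)


if __name__ == "__main__":
    for name, result in (("page scenario", page_scenario()), ("compliant scenario", compliant_scenario())):
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
```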

4. No Survival Clause for Security Obligations

Cybersecurity obligations must survive contract termination. Data retained in backups, logs maintained during the contract period, and incident cooperation obligations all extend beyond the contract term. A specific survival clause for the cybersecurity schedule is essential.

5. Inadequate Breach Remedies

Standard contractual remedies (damages, termination rights) may be insufficient for cybersecurity breaches. Consider including: mandatory forensic investigation at the breaching party's cost, interim injunctive relief provisions, and regulatory cooperation obligations.


Practical Implementation Roadmap

For organizations looking to update their contract templates to comply with CERT-In directions and the DPDP Act, here is a phased approach:

Phase 1 (Immediate — 0-30 days):

  • Audit all existing IT/SaaS vendor contracts for CERT-In compliance gaps
  • Add incident notification clauses (2-hour contractual, 6-hour statutory) to all new contracts
  • Implement log retention requirements in all hosting and infrastructure contracts

Phase 2 (Short-term — 30-90 days):

  • Develop a standard Cyber Security Schedule template for all IT procurement
  • Update vendor onboarding process to include security assessment questionnaire aligned with CERT-In requirements
  • Review and update data localization provisions across all vendor contracts

Phase 3 (Medium-term — 90-180 days):

  • Conduct a comprehensive review and amendment of all existing critical vendor contracts
  • Implement automated contract monitoring for security clause compliance
  • Establish a vendor security rating framework linked to contractual obligations

Phase 4 (Ongoing):

  • Annual review of cybersecurity clauses against evolving CERT-In directions, DPDP Act rules, and sectoral regulations
  • Periodic vendor security assessments using contractual audit rights
  • Continuous monitoring of regulatory updates through LexiBrain or equivalent tools

Frequently Asked Questions

What is the penalty for not reporting a cyber incident to CERT-In within 6 hours?

Non-compliance with CERT-In directions can attract penalties under Section 70B(7) of the Information Technology Act, 2000, which provides for imprisonment of up to one year, or a fine of up to Rs. 1 lakh, or both. Additionally, the government can issue blocking orders or direct service suspension for non-compliant entities. For regulated entities (banks, insurers, listed companies), additional penalties from RBI, IRDAI, or SEBI may apply. The DPDP Act adds further penalties of up to Rs. 250 crore for data breach-related non-compliance.

Do CERT-In directions apply to startups and small companies?

Yes. The CERT-In directions apply to all "service providers, intermediaries, data centres, body corporate and Government organisations" without any threshold exemption based on size, revenue, or employee count. If your startup operates a website, app, SaaS product, or handles any user data digitally, you are covered. The only limited exemption is for individual users and MSME enterprises regarding certain VPN-related KYC requirements, but the incident reporting and log retention requirements apply universally.

How do CERT-In directions interact with the DPDP Act for contract drafting?

They create complementary but distinct obligations. CERT-In directions focus on cybersecurity incident reporting (6 hours to CERT-In), log retention (180 days), and technical standards (NTP sync). The DPDP Act focuses on personal data protection, requiring breach notification to the Data Protection Board and affected individuals, and mandating Data Fiduciary-Data Processor contracts under Section 8(2). A well-drafted contract must address both: the technical cybersecurity requirements from CERT-In and the data protection obligations from the DPDP Act. They often get triggered by the same event (e.g., a data breach is both a cyber incident under CERT-In and a personal data breach under DPDP).

Can we use foreign cloud providers and still comply with Indian data localization requirements?

Yes, but with conditions. Foreign cloud providers (AWS, Azure, GCP) that operate data centre regions in India can host data locally. Your contract must explicitly specify that data shall be stored and processed in Indian data centre regions only, restrict any cross-border replication or mirroring, and include audit rights to verify data residency. For payment system data (per RBI directions), storage must be exclusively in India with no exceptions. For general personal data under the DPDP Act, cross-border transfer is permitted except to countries specifically restricted by the Central Government through notification.

What should a CISO prioritize when reviewing vendor contracts for CERT-In compliance?

Prioritize in this order: (1) Incident notification clause with a contractual timeline shorter than 6 hours (ideally 2 hours) and automated notification mechanisms; (2) Log retention clause mandating 180-day retention within Indian jurisdiction; (3) Audit rights clause permitting security assessments and regulatory audits; (4) Data localization clause aligned with sectoral requirements; (5) Sub-processor transparency and flow-down obligations; (6) Cyber insurance requirements with adequate coverage; and (7) Survival clause ensuring security obligations continue post-termination. Use AI-powered contract review tools like LexiReview to scan contracts against these requirements in seconds rather than hours.

Are there any specific CERT-In compliance requirements for VPN and cloud service providers?

Yes. CERT-In directions impose enhanced obligations on VPN providers, cloud service providers, and virtual private server (VPS) providers. They must: (a) register and maintain KYC details of subscribers/customers including validated names, email addresses, contact numbers, IP addresses, and purpose of use — for a period of 5 years even after cancellation; (b) maintain all logs as specified for 180 days within Indian jurisdiction; and (c) designate a Point of Contact for interfacing with CERT-In. These requirements must be reflected in your service agreements with such providers and in the terms you offer to your own customers if you provide these services.


Conclusion

Cybersecurity clauses in Indian contracts are no longer a "nice to have" addendum — they are a regulatory imperative. The combination of CERT-In's April 2022 directions, the DPDP Act 2023, and sector-specific regulations from RBI, SEBI, and IRDAI has created a multi-layered compliance framework that must be reflected in every IT, SaaS, and outsourcing contract.

The 6-hour incident reporting requirement alone makes it impossible to rely on informal arrangements or generic security language. Every contract in your vendor ecosystem must create a clear, enforceable chain of notification and cooperation obligations that flow from the service provider through to CERT-In.

For CISOs, in-house counsel, and IT procurement teams, the practical takeaway is clear: audit your existing contracts, adopt the clause templates and schedule structure outlined in this guide, and implement a systematic approach to vendor security governance.

LexiReview's AI flags missing cybersecurity clauses and CERT-In compliance gaps in any contract — in 45 seconds. Upload your vendor agreements and get an instant compliance gap analysis, so you can focus on negotiating better protections rather than searching for what is missing.


LexiReview Editorial Team

Our editorial team comprises legal tech experts, compliance specialists, and AI researchers focused on transforming contract management for Indian businesses.
