IT Act 2000 (Amended 2008)

Section 70B

Indian Computer Emergency Response Team to Serve as National Agency for Incident Response

THE STATUTE

Original Text

(1) The Central Government shall, by notification in the Official Gazette, appoint an agency of the Government to be called the Indian Computer Emergency Response Team.
(2) The Central Government shall, by notification in the Official Gazette, appoint a Director General of the Indian Computer Emergency Response Team.
(2A) The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of cyber security —
(a) collection, analysis and dissemination of information on cyber incidents;
(b) forecast and alerts of cyber security incidents;
(c) emergency measures for handling cyber security incidents;
(d) coordination of cyber incident response activities;
(e) issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
(f) such other functions relating to cyber security as may be prescribed.
(3) The manner of performing functions and duties of the Indian Computer Emergency Response Team shall be such as may be prescribed.
(4) For carrying out the functions under sub-section (2A), the Indian Computer Emergency Response Team may call for information and give directions to the service providers, intermediaries, data centres, body corporate and any other person.
(5) Any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for or comply with the directions issued under sub-section (4) shall be punished with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.
(6) For the removal of doubts, it is hereby declared that no court shall take cognizance of any offence under this section except on a complaint made by the Director General of the Indian Computer Emergency Response Team or any officer authorised by him.

Simplified

Section 70B is the statutory foundation of CERT-In (Indian Computer Emergency Response Team) — India's apex cyber incident response authority operating under the Ministry of Electronics and Information Technology (MeitY). CERT-In was operationally established in 2004, but the IT (Amendment) Act 2008 gave it statutory recognition and expanded powers through Section 70B.

CERT-In's mandate under Section 70B(2A) covers six functions: collecting and sharing threat intelligence; issuing cyber security forecasts and alerts; leading emergency incident response; coordinating across organisations; publishing guidelines, advisories, and vulnerability notes; and any additional functions prescribed by rules.

The compliance framework in Section 70B(4)-(5): CERT-In may demand information from any service provider, intermediary, data centre, body corporate, or individual — and non-compliance is a criminal offence punishable with up to 1 year imprisonment.

CERT-In's April 2022 Directions significantly expanded these obligations: organisations must report cyber incidents within 6 hours of detection (previously 72 hours); maintain logs for 180 days; synchronise ICT systems with NTP servers; and share detailed incident information in prescribed formats. These Directions generated significant industry pushback on the 6-hour reporting window and log retention mandates.

Section 70B(6) contains an important limitation: no court can take cognizance of a Section 70B offence except on a complaint by the Director General of CERT-In — preventing private parties from filing criminal complaints directly.

Common Queries

Under the CERT-In Directions issued in April 2022 under Section 70B, all entities must report cyber incidents to CERT-In within 6 hours of detection — one of the shortest mandatory reporting windows globally. This applies to data breaches, ransomware, malicious code attacks, and other specified incidents.
Yes. The CERT-In Directions 2022 require VPN service providers, virtual private server providers, and cloud service providers to retain subscriber information and logs for 5 years — even after subscription cancellation. Several VPN providers removed their India servers in response.
Section 70B(6) prescribes imprisonment up to 1 year and/or fine up to ₹1 lakh for failure to comply with CERT-In directions. The offence is bailable and non-cognizable.

Legal Evolution

CERT-In was functionally established in 2004 under MeitY before receiving statutory recognition. The 2008 Amendment created Section 70B to give CERT-In explicit statutory authority alongside Sections 70 (protected systems) and 70A (NCIIPC). The CERT-In Directions 2022 issued under Section 70B significantly increased compliance obligations.

Key Amendments

Inserted by IT (Amendment) Act 2008 — gave statutory recognition to CERT-In established in 2004.

CERT-In Directions 2022 mandated 6-hour incident reporting and 180-day log retention — the most significant expansion of Section 70B obligations.

Section 70B(6) limits criminal complaints to CERT-In Director General — no private complainant standing.