The Indian Computer Emergency Response Team (‘CERT-In’) issued directions on April 28, 2022 (‘Directions’) for strengthening cyber security in India, followed by clarifications to the Directions by way of frequently asked questions on May 18, 2022. The Directions apply to service providers, intermediaries, data centres, body corporate, virtual private server (VPS) providers, cloud service providers, virtual private network service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organizations (‘Entities’). Some of the key compliance requirements for the Entities under these Directions include – (a) reporting of specified cyber incidents to the CERT-In within six hours of noticing / being notified of such incidents; (b) appointment of a point of contact (‘POC’) to engage with the CERT-In and providing the details of such POC to the CERT-In; (c)  maintain logs of Information and Communication Technology (‘ICT’) systems for a rolling period of 180 days and providing relevant logs to CERT-In; (d) retention and maintenance of certain data such as names, email address and internet protocol address, address and contact numbers of users / subscribers of data centres, cloud service providers, virtual network service providers etc. for a period of five years from the date of termination of the underlying arrangement / subscription. While the Directions came into effect on June 27, 2022, the timeline for compliance for Micro, Small & Medium Enterprises has been extended until September 25, 2022.