CERT‑In’s new AI cybersecurity guidelines mandate 12‑hour patch windows for critical flaws

India’s computer emergency response team has issued AI‑focused rules that require organisations to fix critical vulnerabilities within half a day.

27 May 2026

CERT‑In announced a set of AI‑specific cybersecurity guidelines that obligate entities handling critical infrastructure to apply patches for high‑severity flaws within twelve hours. The move, unveiled in early May 2024, reflects growing alarm over AI‑driven attack vectors and aims to tighten response times that have traditionally stretched over days. By codifying a strict twelve‑hour window, the agency signals that rapid remediation is now a regulatory expectation, not a best‑practice suggestion.

What happened

The Indian Computer Emergency Response Team (CERT‑In) released a detailed advisory that outlines procedural and technical steps for defending against AI‑enabled threats. Central to the document is a requirement that any identified critical flaw—defined as a vulnerability that could be weaponised by AI tools to compromise confidentiality, integrity or availability—must be patched within twelve hours of discovery. The guidelines also call for continuous monitoring of AI model outputs, mandatory reporting of AI‑related incidents to the agency within 24 hours, and a risk‑assessment framework that aligns AI development cycles with security checkpoints. Organisations are instructed to maintain an up‑to‑date inventory of AI assets, conduct periodic penetration testing that includes adversarial‑AI scenarios, and document remediation actions in a central log accessible to CERT‑In auditors. Non‑compliance could trigger penalties under existing Indian cyber‑law provisions.

Why it matters

Speed matters in cyber defence because attackers exploit the window between vulnerability disclosure and patch deployment. AI tools can automate exploit generation, dramatically shrinking the time needed to weaponise a flaw. By enforcing a twelve‑hour patch window, CERT‑In seeks to neutralise that advantage. The directive also raises the security bar for AI development, forcing firms to embed defensive checks early in the model‑training pipeline rather than treating security as an afterthought. For critical sectors such as banking, energy and telecommunications, a delayed fix could cascade into service disruptions or data breaches that affect millions. Moreover, the mandatory incident‑reporting clause gives the agency real‑time visibility into emerging AI threats, enabling coordinated national‑level responses.

The bigger picture

India’s cyber‑security landscape has been evolving rapidly, with the government rolling out multiple initiatives—from the National Cyber Security Strategy to the establishment of a dedicated AI‑security task force. The new CERT‑In guidelines dovetail with global trends, where regulators in the United States, Europe and Singapore are also tightening timelines for patching critical vulnerabilities. In India, the rise of AI startups and the integration of generative models into public‑sector services have amplified the attack surface. Recent reports of AI‑generated phishing and deep‑fake scams have underscored the need for a proactive stance. By formalising a twelve‑hour remediation rule, India joins a handful of jurisdictions that are moving from voluntary best practices to enforceable standards, potentially influencing regional peers.

What’s next

The guidelines are effective immediately, but CERT‑In has indicated a six‑month grace period for organisations to align internal processes with the new requirements. During this window, the agency will conduct outreach workshops, publish templates for incident reports and provide a sandbox environment for testing AI‑focused security controls. Industry bodies such as NASSCOM are expected to issue complementary best‑practice documents to help members achieve compliance. Observers will watch for the first set of enforcement actions, which could include fines or mandatory remediation plans for entities that miss the twelve‑hour deadline. In parallel, the government is likely to draft amendments to the Information Technology Act to embed the twelve‑hour rule into law, giving it stronger legal teeth.

Key takeaways

  • CERT‑In’s AI guidelines require critical flaws to be patched within twelve hours of discovery.
  • AI‑related incidents must be reported to the agency within 24 hours of detection.
  • The rules push organisations to embed security checks throughout the AI development lifecycle.
  • Non‑compliance may attract penalties under existing cyber‑law frameworks.
  • A six‑month transition period will be followed by stricter enforcement and possible legislative amendments.

Frequently asked questions

What is the required timeframe for patching critical AI‑related flaws under the new CERT‑In guidelines?

The guidelines stipulate that any critical vulnerability must be patched within twelve hours of its identification.

Are organisations required to report AI‑related cyber incidents to CERT‑In?

Yes, the advisory mandates reporting of AI‑related incidents to CERT‑In within 24 hours of detection.
