Why India’s MSMEs Will Now Need Annual Cybersecurity Audits

MSMEs Now Face Compulsory Yearly Cybersecurity Audits Under CERT-In Rules

The420.in

India’s micro, small, and medium enterprises (MSMEs) will soon join the country’s sprawling compliance regime, after the Indian Computer Emergency Response Team (CERT-In) announced that all such firms must undergo annual cybersecurity audits. The new mandate, issued on September 1, establishes a minimum cybersecurity baseline tailored to smaller organizations while aligning with July’s broader audit policy that applied to both public and private entities.

The framework, officials say, is meant to close a widening security gap. MSMEs—estimated to contribute nearly one-third of India’s GDP—have become attractive targets for cybercriminals because of their expanding digital footprint and frequent role in larger supply chains.

Building on July’s Comprehensive Framework

The guidelines arrive just weeks after CERT-In’s July 25 directive, which for the first time made annual cybersecurity audits compulsory across all organizations, from private conglomerates to government agencies. That framework introduced stringent requirements around artificial intelligence systems, quantum technology, and information and communications technology (ICT) infrastructure.

The September 1 guidelines, by contrast, serve as a structured entry point for smaller firms. CERT-In outlined 15 “elemental” cyber defense controls mapped to 45 recommendations—covering asset inventories, software patching, network security, password management, and the mandatory retention of system logs for 180 days.

Obligations Beyond the Annual Audit

Compliance does not stop at a yearly inspection. MSMEs are now required to report cyber incidents within six hours of detection, conduct annual vulnerability assessments, and provide ongoing employee training on cyber risks.

Audits must be conducted by CERT-In–empaneled firms, and auditors are tasked with verifying not just compliance with the minimum baseline but also advising organizations to strengthen defenses against evolving sector-specific threats. The guidelines encourage firms to exceed minimum benchmarks rather than treat compliance as a ceiling.

Striking a Balance Between Burden and Protection

While the new requirements impose fresh costs on smaller businesses, regulators argue the move is unavoidable. With ransomware, phishing campaigns, and supply-chain compromises on the rise, CERT-In has underlined that MSMEs are no longer peripheral actors in India’s digital economy but central nodes that could expose vulnerabilities across sectors.

By offering a scaled version of the July mandate, the government hopes to balance regulatory burden with necessity, ensuring that India’s most numerous enterprises are not its weakest cybersecurity link.