CERT-In makes annual cyber audits mandatory for MSMEs

The new MSME-specific framework offers a minimum cybersecurity baseline, complementing July’s sweeping audit mandate for all organisations.
India’s micro, small and medium enterprises (MSMEs) will now need to comply with a minimum set of cybersecurity controls and undergo annual audits, under fresh guidelines issued by the Indian Computer Emergency Response Team (CERT-In).

The move comes just weeks after CERT-In’s Comprehensive Cyber Security Audit Policy Guidelines of July 25, 2025, which made annual cybersecurity audits compulsory for the first time across both public and private organisations, and brought artificial intelligence (AI) and quantum systems in government operations under formal compliance scrutiny.

While the July framework requires organisations to conduct comprehensive audits of their Information and Communications Technology (ICT) systems and, in some cases, maintain detailed documentation such as AI Bills of Materials (AIBOMs), the latest MSME-specific guidelines, published on September 1, provide a practical entry point.

CERT-In has laid out 15 “elemental” cyber defense controls mapped to 45 security recommendations, intended to help smaller firms benchmark their practices against a minimum baseline.

These measures cover areas such as maintaining an up-to-date inventory of IT assets, applying timely patches, securing networks and email, enforcing strong password and access-control policies and retaining system logs for 180 days within Indian jurisdiction.

MSMEs are also required to report cyber incidents within six hours, conduct annual vulnerability assessments, and provide regular employee training on cyber risks.

Audits under the MSME framework must be conducted by CERT-In empanelled auditing organisations at least once a year, the guidelines say.

Auditors are required to clearly state that the evaluation is against minimum requirements, and organisations are encouraged to go further to address sector-specific risks and evolving cyber threats.

In effect, the September 1 guidelines do not dilute the July audit mandate but offer a scaled and structured baseline for MSMEs.

CERT-In has underlined that MSMEs, given their growing digital footprint and role in supply chains, remain critical targets for cyberattacks, making foundational safeguards essential.
