India’s micro, small, and medium enterprises (MSMEs) will now fall under the country’s evolving cybersecurity compliance regime, following a mandate by the Indian Computer Emergency Response Team (CERT-In) that makes annual cybersecurity audits compulsory for all such businesses.
Effective from September 1, 2025, the move aims to create a minimum cybersecurity baseline for smaller organisations, protecting them from growing cyber threats as they increasingly digitise operations, adopt SaaS platforms, and plug into national and global supply chains.
Background: A tailored framework for smaller businesses
The guidelines build on CERT-In’s broader July 2025 directive, which applied mandatory audits to all public and private organisations. While that framework was geared towards conglomerates and government systems, the September guidelines specifically address the needs and capacities of MSMEs.
The new MSME audit framework includes:
- 15 basic cyber hygiene controls across 45 recommendations
- Requirements for system log retention (180 days)
- Mandatory practices like asset inventory, password hygiene, and patch management
The audits must be conducted by CERT-In–empanelled firms and are designed not just for compliance but to help MSMEs strengthen sector-specific digital defenses.
Additional compliance requirements for MSMEs
Beyond the annual audit, MSMEs are now obligated to:
- Report any cyber incident within 6 hours of detection
- Conduct vulnerability assessments annually
- Deliver employee training on cybersecurity awareness and response
- Maintain digital records of system performance and anomalies
The rules are structured to balance cost and necessity, giving small businesses a framework that is both implementable and scalable.
Why MSMEs are being prioritised
CERT-In’s move is rooted in growing cybersecurity risks for MSMEs, which now account for over 30% of India’s GDP and are deeply embedded in supply chains across manufacturing, logistics, retail, healthcare, and IT.
However, most MSMEs lack:
- Dedicated IT security teams
- Regular vulnerability monitoring
- Awareness of ransomware and phishing tactics
This makes them prime targets for cyberattacks, and potential weak points in larger digital ecosystems. With India pushing toward Digital Bharat, unsecured endpoints among small enterprises pose risks to the broader economic fabric.
Implications and support for the sector
While this adds a new layer of compliance, cybersecurity experts see the move as timely. The structured guidelines and empanelled audit network provide MSMEs a chance to raise their digital defense posture without large upfront costs.
Policy experts suggest that government support through subsidies, training schemes, or audit fee waivers could make compliance easier for smaller businesses.
As cyber threats evolve, this mandate is a preventive step to ensure that India’s 70 million+ MSMEs are not the weakest link in its digital economy.
