CERT-In Mandates Annual Cybersecurity Audits for MSMEs in India
India’s micro, small, and medium enterprises (MSMEs) will now face compulsory yearly cybersecurity audits under new rules from the Indian Computer Emergency Response Team (CERT-In).
The guidelines, issued on September 1, 2025, establish a minimum cybersecurity baseline for MSMEs and extend the broader framework CERT-In published in July 2025, which already applied to public and private organizations.
This move underscores the growing recognition that MSMEs—contributing nearly one-third of India’s GDP—are no longer on the sidelines of cyber threats but prime targets for hackers.
Why MSMEs Need Cybersecurity Audits
MSMEs are at the core of India’s economy, but their growing digital footprint has also made them vulnerable. Key reasons include:
- Integration into supply chains – MSMEs work closely with large corporations, making them potential entry points for attackers.
- Expanding digital operations – Increased use of online platforms, tools, and cloud systems makes them attractive targets for phishing, ransomware, and supply-chain attacks.
- Ripple effects of breaches – A single cyber incident at a small firm can quickly impact larger enterprises and even critical infrastructure sectors.
The new framework is designed to close these security gaps and prevent MSMEs from being exploited as weak links in India’s digital economy.
Building on July’s Comprehensive Framework
The September mandate builds on CERT-In’s July 25, 2025 directive, which made annual cybersecurity audits compulsory for all organizations, from government agencies to private firms.
While July’s framework addressed advanced areas such as:
- Artificial intelligence (AI) systems
- Quantum technology risks
- Information and communications technology (ICT) infrastructure
the September guidelines focus specifically on MSMEs, serving as a structured entry point into cybersecurity compliance.
They outline 15 elemental cyber defense controls mapped into 45 practical recommendations, including:
- Maintaining asset inventories
- Regular software patching
- Strong password management
- Network security controls
- Retaining system logs for 180 days
Obligations Beyond the Annual Audit
For MSMEs, compliance goes far beyond a once-a-year inspection. Organizations must also:
- Report cyber incidents within six hours of detection
- Conduct annual vulnerability assessments
- Train employees on cybersecurity awareness and risks
- Use CERT-In empaneled firms for audits
Auditors won’t just check compliance; they will also guide MSMEs in strengthening defenses against the threats specific to their industry.
Balancing Cost with Protection
Understandably, MSMEs may worry about added compliance costs. However, regulators argue that the risk of cyberattacks outweighs the burden of audits.
With ransomware and phishing attacks on the rise, even one weak MSME can jeopardize entire supply chains.
By offering a scaled-down version of July’s mandate, CERT-In ensures that India’s most numerous enterprises are not its weakest cybersecurity link.
Final Thoughts
The new CERT-In rules mark a turning point for MSMEs in India. By mandating annual audits, vulnerability checks, and employee training, the government is sending a clear message: cybersecurity is no longer optional.
For MSMEs, this presents:
- A challenge – meeting compliance requirements while managing costs.
- An opportunity – building resilience, protecting customers, and earning trust in a digital-first marketplace.
MSMEs that invest in cybersecurity today will be better positioned to compete, and thrive, in tomorrow’s economy.
FAQ
Who can carry out the mandated audit?
Audits must be carried out by CERT-In empaneled firms, ensuring compliance with official standards.
How quickly must a cyber incident be reported?
MSMEs must report any cyber incident within six hours of detection.
Is the annual audit the only obligation?
No. In addition to annual audits, MSMEs must perform regular vulnerability assessments, keep system logs for 180 days, and provide employee cybersecurity training.