CERT-In Audit Rules 2026: What Indian Businesses Must Do

CERT-In requires Indian organizations to report cyber incidents within 6 hours of detection, maintain ICT system logs for 180 days, and undergo annual audits by CERT-In empanelled auditors only.
By Sudarshan Babar, Founder & Tech Writer, GetInfoToYou. Fact-checked and reviewed 15 May 2026. 8 min read.

Key Takeaways

  • CERT-In requires cyber incidents to be reported within 6 hours of detection under India's mandatory cybersecurity rules.
  • Organizations must maintain logs of all ICT systems for a rolling 180 days, up from the 30-60 days most companies currently keep.
  • Annual security audits must be conducted by CERT-In empanelled auditors only, not regular IT vendors or consultants.
  • GCCs, space startups, fintech firms, and IFSC entities are all in scope for CERT-In compliance in 2026.
  • CISO appointment is mandatory for organizations handling critical data or digital infrastructure.
  • A CERT-In empanelled audit costs Rs 2-8 lakh annually; virtual CISO services run Rs 5-15 lakh per year as a managed service.

India just got a serious cybersecurity framework upgrade. At SAMVAAD 2026, held in Goa in May, CERT-In unveiled its next-generation mandatory cybersecurity audit rules. If your business touches digital infrastructure in India, whether you're a startup, a Global Capability Centre (GCC), a fintech, or even a space tech company, this affects you directly.

The headline rule everyone's talking about: a 6-hour breach reporting window. You have six hours from the time you detect a cyber incident to report it to CERT-In. Not 72 hours like GDPR. Not "when you're ready." Six hours. And honestly, most Indian businesses aren't ready for that yet.

What CERT-In's new audit framework actually requires

The framework isn't entirely new. CERT-In has been building toward this for a few years, but SAMVAAD 2026 formalized several requirements that are now mandatory rather than advisory.

The 6-hour reporting rule is the one making headlines. Under the updated framework, any service provider, data centre, body corporate, or government organization that experiences a cyber incident must report it to CERT-In within six hours of detecting it. This was first introduced in CERT-In's 2022 directions, but enforcement and compliance monitoring got significantly tighter in 2026.

180-day log retention is the second big requirement. Organizations must maintain logs of all ICT systems for a rolling 180 days. For a mid-sized company running 50 servers plus cloud infrastructure, that's not a trivial storage cost. Nasscom's analysis of compliance costs for Bengaluru GCCs puts log storage among the top three operational expense increases companies are facing this year.

Annual audits by CERT-In empanelled auditors are now mandatory for organizations in critical sectors. Not just any cybersecurity firm can do these audits. You need someone from CERT-In's official empanelled auditors list, which was updated in 2026. Security Boulevard's guide lists 10 empanelled auditors currently active in India.

CISO appointment is required for organizations above a certain size threshold. The exact threshold varies by sector, but broadly, companies handling significant volumes of personal data or operating critical digital infrastructure need a designated Chief Information Security Officer.

Who actually gets caught by these rules

This is where it gets interesting. The framework casts a wider net than most people expect.

The obvious targets are large enterprises, banks, and government bodies. But CERT-In's scope now explicitly includes:

  • Global Capability Centres operating in India, including the hundreds based in Bengaluru and Hyderabad
  • Space sector companies, after CERT-In issued specific space cybersecurity guidelines on February 26, 2026
  • IFSC entities under IFSCA's Cyber Security Guidelines 2026
  • Telecom companies, healthcare providers, and energy sector operators
  • Any organization designated as part of critical information infrastructure

For space startups specifically, this is a genuine pain point. Moneycontrol reported that the 6-hour breach reporting requirement and CISO mandate are expected to raise costs for space startups significantly. Think about it: a small satellite startup with 30 employees suddenly needs to hire a full-time CISO and maintain security infrastructure that costs real money to run. That's a real problem for India's growing deep tech ecosystem (annoying, I know).

The empanelled auditor requirement: what it means in practice

This part trips up a lot of businesses. You can't just call your regular IT vendor and ask them to sign off on a compliance audit.

CERT-In maintains an official list of empanelled auditors, and only these firms are authorized to conduct the mandatory security audits. As of 2026, the list has expanded, but demand significantly outpaces supply in certain regions. If you're in a tier-2 city, finding a CERT-In empanelled auditor who can physically visit your premises is harder than it sounds. Some audits require on-site assessment, and the wait times are, honestly, a mess. I'd strongly recommend starting this process at least three to four months before your audit deadline, not three weeks before.

The audit itself typically covers:

  • Network security architecture and segmentation
  • Access control and identity management
  • Incident response procedures, including testing the 6-hour reporting workflow
  • Vulnerability assessment and patch management practices
  • Log management and 180-day retention compliance
  • Third-party and vendor risk management

Failing the audit doesn't immediately mean legal trouble, but it starts a clock. CERT-In can issue directions, and non-compliance with those directions has legal consequences under the IT Act.

The 6-hour rule: harder than it sounds

Six hours sounds like enough time. It isn't, for most organizations.

When a breach happens, the first few hours are chaos. Your IT team is trying to contain the damage, figure out what was accessed, preserve evidence, and stop the bleeding. Simultaneously filing a structured incident report with CERT-In requires a pre-built process, a designated person who knows the reporting portal, and pre-prepared templates ready to go. So if none of that exists, you're in trouble before you've even started.

CERT-In's reporting portal requires specific information: nature of the incident, systems affected, approximate time of detection, initial impact assessment, and actions taken. If you're discovering your process for the first time at 2 AM while data is being pulled out of your database, you will miss the window. Full stop.

The practical fix is an incident response plan that includes a CERT-In reporting workflow as a specific, documented step. That plan needs to be tested at least once a year. Not just written down. Actually tested, with someone role-playing the breach scenario.

Organizations must report cybersecurity incidents to CERT-In within six hours of detection. Logs of all ICT systems must be maintained for a minimum of 180 days. These requirements apply to service providers, data centres, body corporates, and government organizations operating in India.

What this actually costs Indian businesses

Let's be honest about the money side, because that's what most business owners actually want to know.

For a small to mid-sized company (50-200 employees) that's not yet CERT-In compliant, getting there involves real numbers. A CERT-In empanelled security audit typically costs between Rs 2 lakh and Rs 8 lakh depending on organization size, complexity, and the auditor. That's annually, not one-time.

Log retention infrastructure for 180 days across multiple systems can add Rs 1-3 lakh per year in cloud storage costs, depending on your data volume. Some companies already have this covered within existing contracts. Many don't.

If you need to hire a CISO, expect Rs 30-60 lakh per year for a qualified one in a major metro. Mid-sized companies often go for a virtual CISO (vCISO) service instead, which runs Rs 5-15 lakh annually and has become a popular compliance workaround (which makes sense, actually). Several Indian cybersecurity firms now offer this as a packaged service.

For GCCs, the compliance costs are higher but manageable given parent company resources. For homegrown Indian startups, especially in deep tech and space, this is a real burden that will squeeze margins and hiring budgets.

Why CERT-In is pushing this hard now

India's digital infrastructure has grown enormously, and so has the attack surface.

Storyboard18 reported in 2026 that Middle East conflict-linked cyber attacks are generating brand impersonation, phishing, and deepfake risks for Indian companies. That's not theoretical. It's happening now, and Indian businesses are being targeted because they're increasingly valuable and often under-defended. In my experience, a lot of mid-sized Indian companies still treat security as something to sort out "later."

CERT-In's SAMVAAD event in Goa brought together empanelled auditors, government stakeholders, and industry for exactly this conversation. The message was clear: the advisory era is over. Compliance is now an expectation with teeth.

This also connects to the broader regulatory push happening across Indian digital policy. The DPDP Act, AI governance guidelines from MeitY, RBI's data localization rules, and sectoral requirements from SEBI are all tightening at the same time. If you haven't read about India's evolving digital compliance landscape, now is a good time to get up to speed on how these rules interact.

For businesses that handle personal data, the overlap between CERT-In's incident reporting rules and DPDP Act breach notification requirements is worth sorting out carefully with a lawyer. A single breach event can trigger both timelines at once. That's a conversation to have before the breach, not during it.

What to do right now

If this is the first time you're hearing about mandatory CERT-In audits, start here:

  1. Check whether your organization falls under a sector with specific CERT-In requirements: banking, telecom, health, space, IFSC. CERT-In's website has sector-specific guidance.
  2. Build an incident response plan that includes a CERT-In reporting step with the correct portal details and a named responsible person.
  3. Verify your log retention setup. Many companies keep 30 or 60 days of logs. You need 180.
  4. Contact two or three CERT-In empanelled auditors to understand timelines and costs for your organization size. Do this well in advance.
  5. If you handle significant volumes of data and don't have a CISO, explore virtual CISO options. Several Indian firms offer this as a managed service now.
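Step 3 above is the one you can check with a script before an auditor does. As an added example (not from the article or any auditor's toolkit), this Python function takes, for each log source, the dates on which a daily archive exists and reports how far back coverage reaches and whether any days inside the 180-day window are missing; a source that kept 180 days but lost a week in the middle still fails. The inventory is constructed, and the step of listing your real archive bucket or /var/log to get those dates is assumed, not shown.

```python
from datetime import date, timedelta

RETENTION_DAYS = 180
TODAY = date(2026, 5, 15)  # audit date used for the constructed sample


def retention_report(sources: dict[str, list[date]], today: date) -> dict[str, dict]:
    """Per log source: days covered back from today, and gaps inside the window.

    `sources` maps a source name to the dates for which a daily log archive
    exists (in practice: list the archive bucket or /var/log and parse the
    date from each filename; that listing step is not shown here).
    """
    window_start = today - timedelta(days=RETENTION_DAYS - 1)
    expected = {window_start + timedelta(days=i) for i in range(RETENTION_DAYS)}
    report = {}
    for name, dates in sources.items():
        present = {d for d in dates if window_start <= d <= today}
        missing = sorted(expected - present)
        oldest = min(present) if present else None
        covered = (today - oldest).days + 1 if oldest else 0
        report[name] = {
            "covered_days": covered,            # span back from today, gaps or not
            "gap_days": len(missing),           # days in the window with no archive
            "first_gap": missing[0] if missing else None,
            "compliant": covered >= RETENTION_DAYS and not missing,
        }
    return report


def _daily(days_ago_from: int, today: date = TODAY) -> list[date]:
    """Constructed helper: one archive per day from `days_ago_from` days ago to today."""
    return [today - timedelta(days=i) for i in range(days_ago_from + 1)]


# Constructed sample inventory (not real systems): a firewall with 200 days of
# archives, an app server rotating at 60 days, and a database host that lost a
# week of archives 100-106 days ago.
SAMPLE_SOURCES = {
    "firewall": _daily(199),
    "app-server": _daily(59),
    "db-prod-01": [d for d in _daily(199) if not 100 <= (TODAY - d).days <= 106],
}

if __name__ == "__main__":
    for name, row in retention_report(SAMPLE_SOURCES, TODAY).items():
        print(f"{name:12s} covered={row['covered_days']:3d} gaps={row['gap_days']:3d} "
              f"first_gap={row['first_gap']} compliant={row['compliant']}")
```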


The framework isn't designed to punish businesses. But it is designed to make sure that when something goes wrong, and things do go wrong, there's a reporting trail, a responsible party, and an audited security posture that someone can examine. That's not unreasonable. The challenge is that "not unreasonable" and "easy to implement by next quarter" are two very different things.

Start early. Get the auditor. Build the process. Don't let the 6-hour clock catch you mid-panic with no plan.

Frequently Asked Questions

Any service provider, data centre, or organization in India must report cyber incidents to CERT-In within 6 hours of detecting them. This requires a pre-built incident response process with designated personnel and pre-prepared report templates. Missing the window can trigger enforcement action under the IT Act.

Organizations in critical sectors including banking, telecom, healthcare, space, and IFSC entities are required to undergo annual CERT-In audits by empanelled firms. GCCs operating in India and any organization designated as critical information infrastructure are also covered. CERT-In's website has sector-specific guidance to help you check.

A CERT-In empanelled security audit typically costs between Rs 2 lakh and Rs 8 lakh annually, depending on organization size and complexity. Additional costs include log retention infrastructure at Rs 1-3 lakh per year and CISO or virtual CISO services ranging from Rs 5-60 lakh annually depending on the engagement model.

CERT-In mandates that organizations maintain logs of all ICT systems, including servers, network devices, and cloud infrastructure, for a minimum of 180 days on a rolling basis. Many companies currently keep only 30-60 days of logs and will need to upgrade their storage infrastructure and cloud contracts to comply.
Founder & Tech Writer, GetInfoToYou
Sudarshan Babar is a technology writer focused on making AI, cybersecurity, and digital government services accessible to Indian readers. He covers UPI scams, Aadhaar security, and emerging tech tools…
