CERT-In’s New Directive Tightens Cyber Rules for MSMEs

The Indian Computer Emergency Response Team (CERT-In) has issued new directions mandating cybersecurity audits for micro, small, and medium enterprises (MSMEs) involved in processing personal or financial data. The move aims to strengthen cyber hygiene among smaller firms that form the backbone of India’s digital economy.

With MSMEs increasingly digitising operations, CERT-In’s new advisory requires enterprises handling critical information to undergo annual security audits and vulnerability assessments.

New compliance obligations for digital-first MSMEs

The notification, released on September 11, specifies that any MSME collecting, storing, or managing personal or financial data must submit audit reports annually. The requirement also extends to businesses relying on cloud platforms, third-party APIs, and payment gateways for operations.

Firms must engage CERT-In empanelled auditors to assess security configurations, check for data leakage risks, and review access controls. The directive highlights that cyberattacks on unprotected endpoints within MSMEs could have cascading effects across supply chains.

Experts say the move is a long-overdue step toward building a more secure business ecosystem. While larger firms typically invest in cybersecurity infrastructure, smaller companies often lack the awareness or budget for proactive risk mitigation.

Push for resilience amid rising attacks on small firms

CERT-In’s decision comes amid rising cases of ransomware and phishing targeting MSMEs, especially those operating in e-commerce, finance, and logistics. The audit mandate signals a shift from reactive to preventive cybersecurity enforcement.

By formalising audit obligations, the government seeks to protect not only consumer data but also national digital infrastructure. MSMEs account for over 30% of India’s GDP and are increasingly integrated with public platforms like GeM and UPI.

The advisory notes that non-compliance could result in penalties under the IT Act. However, officials emphasised that the intent is more about capacity building than punishment. Support resources, including guidelines and auditor listings, have been shared via CERT-In’s portal to ease implementation.
