India just redrew the cybersecurity line in the sand.
Until now, CERT-In’s mandates were mostly confined to government and critical infrastructure. That era is over. With the 2025 updates, these guidelines apply to every business operating in India’s digital ecosystem, whether you build software, host data, manage infrastructure, or offer online services.
Audits are now mandatory. Bills of materials now go beyond software. Breach disclosures must happen in hours, not weeks.
Let’s break down exactly what changed, and why security teams must rethink how they measure, report, and act on risk.
What’s Changed: An Overview
| Regulation | Applies To | Key Requirement | Effective |
|---|---|---|---|
| CISG-2025-02 | All public & private entities | Annual third-party audits with remediation tracking | July 25, 2025 |
| CISG-2024-02 v2.0 | Government, essential services, vendors | SBOM + CBOM + HBOM + AIBOM + QBOM | July 2025 |
| Incident Reporting | All service providers & large businesses | Report specified incidents within 6 hours | Ongoing (enforced since 2022) |
| SEBI-CSCRF | Regulated Entities (RIs, MIIs, etc.) | SBOM, asset-level patch tracking, and defined VAPT timelines | April 30, 2025 |
1. Annual Cybersecurity Audits Are Now Mandatory
Guideline: CISG-2025-02
Effective Date: July 25, 2025
Every public and private enterprise must now undergo annual third-party cybersecurity audits. These are not surface-level compliance checks. The scope must align with ISO/IEC 27001 and reflect the actual business risk.
The full audit lifecycle is now required:
- Risk-based planning and scoping
- Control and exposure validation
- Audit execution and evidence collection
- Remediation tracking with closure verification
Sector regulators may impose even stricter timelines depending on exposure. This is no longer about documentation. The audit is expected to drive visibility at the board level and enforce operational accountability.
2. BOM Isn’t Just About Software Anymore
The new CERT-In BOM policy expands well beyond traditional SBOMs.
Here’s what’s now expected:
- SBOM: Software Bill of Materials
- CBOM: Cryptographic components
- QBOM: Quantum readiness indicators
- HBOM: Hardware dependencies and firmware links
- AIBOM: AI models, training data, and behavior logs
These mandates apply to:
- Government systems
- Essential service providers
- Software/cloud vendors
- Any third-party touching regulated networks
More than compliance artifacts, BOMs are now first-line IR tools. When a breach hits, you’ll be asked:
- What version of what library was used?
- What chipsets were exposed?
- Which model was embedded, and what data was it trained on?
Security teams should aim to automate BOM generation, map each BOM to the runtime assets it describes, and feed that data into incident playbooks so the questions above can be answered from inventory rather than from memory.
3. The 6-Hour Breach Reporting Rule Is Actively Enforced
This rule remains unchanged, but enforcement is getting stricter.
If your environment experiences any of the following, you must report within 6 hours of detection:
- Unauthorized access
- Ransomware or malware infections
- DDoS or disruption to availability
- Data exfiltration
- Compromised third-party services
You must also:
- Share system logs, attack vectors, and malware samples
- Submit reports in the required format
- Retain logs securely for at least 180 days
- Cooperate with CERT-In during investigations
- Follow coordinated disclosure protocols for any new vulnerabilities
CERT-In is looking for preparedness. Your breach response must be fast, evidence-driven, and aligned with the 6-hour window. Delay or ambiguity can lead to deeper regulatory scrutiny.
4. New Strategic Gaps CERT-In Wants Closed
Board-Level Oversight
Cybersecurity audit outcomes now need to be board-visible. That means:
- Planning and scoping are approved at the top
- Remediation progress is tracked over time
- Security risk is treated as business risk
Dashboards, SLA tracking, and stakeholder-aligned reporting are no longer just best practices; they are expected.
SEBI’s Tightened SBOM Requirements
For regulated financial entities, SBOMs now must include:
- Component hash, license type, encryption metadata
- Update schedules and tamper tracking
- Audit timelines tied to financial years
Legacy systems? They must be documented with formal risk exceptions. No more “out of scope” disclaimers.
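To make the BOM requirements in section 2 and the SEBI component-level fields above concrete, here is an added example (not code from CERT-In, SEBI, or any vendor tool) that checks a CycloneDX-style SBOM for the fields a reviewer would ask about (a strong component hash, a license, algorithm metadata for cryptographic assets, and a recorded risk exception for end-of-life components) and then diffs the SBOM against a runtime package inventory to find drift. The sample SBOM and inventory are constructed for the example; the `hashes`, `licenses`, `cryptoProperties`, and `properties` keys follow the CycloneDX JSON layout, but the `end-of-life` and `risk-exception` property names and the policy rules themselves are this example’s own assumptions, not regulator text.

```python
import json
from typing import Dict, List

# Constructed sample SBOM (CycloneDX-style JSON). Field names follow the
# CycloneDX 1.6 schema; the "properties" entries are this example's own
# convention for marking end-of-life components and their risk exceptions.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {   # complete: hash + license present, nothing else required
            "type": "library", "name": "requests", "version": "2.32.3",
            "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
            "licenses": [{"license": {"id": "Apache-2.0"}}],
        },
        {   # cryptographic asset with algorithm metadata (the CBOM view)
            "type": "cryptographic-asset", "name": "openssl", "version": "3.0.13",
            "hashes": [{"alg": "SHA-256", "content": "b" * 64}],
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {"primitive": "ae", "mode": "gcm"}},
        },
        {   # cryptographic asset with no algorithm metadata -> CBOM gap
            "type": "cryptographic-asset", "name": "bouncycastle", "version": "1.78",
            "hashes": [{"alg": "SHA-256", "content": "c" * 64}],
            "licenses": [{"license": {"id": "MIT"}}],
        },
        {   # end-of-life component: no hash, no license, no risk exception
            "type": "library", "name": "legacy-parser", "version": "0.9.0",
            "properties": [{"name": "end-of-life", "value": "true"}],
        },
    ],
})

STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512"}


def _props(component: dict) -> Dict[str, str]:
    """Flatten CycloneDX name/value properties into a dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def check_sbom(sbom_json: str) -> Dict[str, List[str]]:
    """Return {"name@version": [findings]} for every component that fails a check.

    Rules (this example's reading of the requirements, not regulator text):
    every component carries a strong hash and a license; cryptographic assets
    carry algorithm metadata; end-of-life components carry a risk exception.
    """
    findings: Dict[str, List[str]] = {}
    for comp in json.loads(sbom_json).get("components", []):
        key = f"{comp['name']}@{comp.get('version', '?')}"
        issues: List[str] = []
        if not {h.get("alg") for h in comp.get("hashes", [])} & STRONG_HASHES:
            issues.append("missing strong hash")
        if not comp.get("licenses"):
            issues.append("missing license")
        if comp.get("type") == "cryptographic-asset":
            algo = comp.get("cryptoProperties", {}).get("algorithmProperties")
            if not algo or "primitive" not in algo:
                issues.append("crypto asset without algorithm metadata")
        props = _props(comp)
        if props.get("end-of-life") == "true" and not props.get("risk-exception"):
            issues.append("end-of-life component without risk exception")
        if issues:
            findings[key] = issues
    return findings


def runtime_drift(sbom_json: str, runtime: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare declared components against what is actually installed.

    `runtime` maps package name -> version as observed on the host (in practice
    collected from `pip list`, `rpm -qa`, or a container image scan).
    """
    declared = {c["name"]: c.get("version") for c in json.loads(sbom_json)["components"]}
    return {
        "not_in_sbom": sorted(n for n in runtime if n not in declared),
        "version_mismatch": sorted(f"{n}: sbom={declared[n]} runtime={v}"
                                   for n, v in runtime.items()
                                   if n in declared and declared[n] != v),
        "not_running": sorted(n for n in declared if n not in runtime),
    }


# Constructed runtime inventory: one drifted version, one undeclared package,
# and one SBOM entry (bouncycastle) that is not actually installed.
SAMPLE_RUNTIME = {"requests": "2.32.3", "openssl": "3.0.13",
                  "legacy-parser": "0.9.1", "urllib3": "2.2.1"}

if __name__ == "__main__":
    for comp, issues in check_sbom(SAMPLE_SBOM).items():
        print(f"{comp}: {', '.join(issues)}")
    print(json.dumps(runtime_drift(SAMPLE_SBOM, SAMPLE_RUNTIME), indent=2))
```

The two checks are deliberately separate: `check_sbom` is what an auditor runs against the artifact you hand over, while `runtime_drift` is the evidence that the artifact still matches production, which is what you will be asked for in the first hours of an incident. Running both on a schedule, and failing a pipeline when either returns findings, is what turns the BOM from a static file into the inventory the text describes.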
Audit Data Handling Now Has Rules
Audit firms and service providers must:
- Keep data within Indian jurisdiction
- Encrypt audit outputs at rest and in transit
- Certify data deletion post-engagement
This demands auditor alignment, data pipeline hardening, and retention governance across the board.
5. Vendor and Supply Chain Risk Is Now Your Problem Too
CERT-In mandates extend to your third parties.
You are now expected to:
- Enforce BOM generation and retention from vendors
- Include audit-readiness and 6-hour reporting obligations in contracts
- Track vendor findings, patch timelines, and non-compliance
This moves vendor security from “trust” to “verify and enforce.”
Multi-tenant risk visibility and external asset tracking are now part of any audit readiness program.
6. CERT-In Is Not Waiting for You to Catch Up
The national enforcement engine is already in motion:
- Over 9,700 audits completed in FY 2024–25
- 200+ CERT-In empanelled auditors
- Sectoral CSIRTs operational across finance, power, telecom, and healthcare
- National Cyber Crisis Management Plan (CCMP) in effect
- 200+ cyber drills conducted with public and private participants
CERT-In is enforcing. Reporting is happening. Drills are running. The infrastructure is live.
7. What Security Teams in India Must Do Right Now
Prepare for Audit
- Appoint a CERT-In empanelled auditor
- Scope your risk coverage across infrastructure, applications, and third parties
- Automate remediation tracking
- Build evidence trails that meet ISO/IEC 27001 expectations
Make BOMs Real-Time and Layered
- Generate and maintain SBOMs, CBOMs, AIBOMs, and HBOMs
- Ensure BOMs are not static files but reflect your live infrastructure
- Link BOM data to remediation and incident workflows
Fix Your Breach Response Playbook
- Automate detection and alerting
- Pre-fill CERT-In reporting templates
- Store logs securely for quick access
- Run breach drills that simulate a 6-hour reporting window
Bring Cybersecurity to the Boardroom
- Deliver executive dashboards with open risk, remediation progress, and exposure trends
- Align audit and vulnerability remediation with business KPIs
- Recast cyber risk as business risk
Update Your Vendor Contracts
- Require BOMs and audit participation
- Define breach reporting SLAs
- Classify critical vendors and set escalation paths
This Is Not Just Compliance, It’s Maturity
The CERT-In 2025 guidelines are not just about rules. They represent a shift toward operational maturity, visibility, and real-world responsiveness. You can no longer treat cybersecurity as a side function or a last-mile checkbox.
You need:
- Continuous audit readiness
- Stack-wide BOM visibility
- SLA-driven remediation
- Board-level accountability
- Supply chain enforcement
The faster your systems align to this new bar, the more resilient you become, not just to audits, but to threats themselves.