Many MSMEs assume that cybersecurity compliance requirements apply mainly to large enterprises or government organizations. In reality, smaller businesses are equally exposed to cyber risks and are often targeted by attackers due to weaker security controls and limited monitoring.
This blog explains CERT-In compliance for MSMEs, what it means in practical terms, and how businesses can avoid penalties by following the right approach to security assessments, documentation, and ongoing monitoring.
Key CERT-In Requirements MSMEs Must Follow to Avoid Penalties
Based on recent Comprehensive Cyber Security Audit Policy Guidelines (July 2025) issued by CERT-In, MSMEs handling digital systems or data are expected to follow a structured set of cybersecurity practices. These requirements focus on monitoring, reporting, security controls, and regular assessments.
A. Annual Cybersecurity Audits
MSMEs are required to undergo regular security assessments, such as VAPT or security audits, conducted by CERT-In empanelled auditors. These audits help identify vulnerabilities and ensure systems meet baseline security expectations.
B. 6-Hour Incident Reporting
Any cybersecurity incident, such as data breaches, ransomware attacks, or unauthorized access, must be reported to CERT-In within 6 hours of detection. Delays in reporting can lead to compliance issues and penalties.
C. 180-Day Log Retention
Organizations must maintain system and network logs for at least 180 days within India. These logs should be easily accessible for investigation in case of a security incident.
D. Time Synchronization Across Systems
All systems should follow a consistent time source (such as NTP) to ensure accurate logging and event tracking. This helps in proper incident analysis and audit validation.
E. Monitoring and Detection Capabilities
MSMEs are expected to implement basic monitoring systems to detect unusual activity. This includes tracking login attempts, system changes, and network behavior to identify potential threats early. Regular data backups and access controls that keep unauthorized users out are also required.
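The log retention (C), time synchronization (D) and 6-hour reporting (B) points above lend themselves to a small self-check. The following script is an added example, not part of the original post or any CERT-In tool: it checks a rotated-log directory listing for gaps inside the 180-day window and computes the reporting deadline from a detection timestamp. The file-name pattern (`syslog-YYYYMMDD.gz`) and the listing it builds are constructed assumptions.

```python
import re
from datetime import date, datetime, timedelta

RETENTION_DAYS = 180                    # minimum log retention (kept within India)
REPORTING_WINDOW = timedelta(hours=6)   # report to CERT-In within 6 hours of detection


def dates_from_filenames(names):
    """Collect the YYYYMMDD stamp embedded in rotated log names such as
    'syslog-20250630.gz'. The live, unrotated file has no stamp and is skipped."""
    found = set()
    for n in names:
        m = re.search(r"(\d{4})(\d{2})(\d{2})", n)
        if m:
            found.add(date(*map(int, m.groups())))
    return found


def retention_gaps(names, today_iso, days=RETENTION_DAYS):
    """Return ISO dates inside the last `days` days (excluding today, which is the
    live file) for which no archived log exists, oldest first. Empty means compliant."""
    today = date.fromisoformat(today_iso)
    have = dates_from_filenames(names)
    window = (today - timedelta(days=i) for i in range(1, days + 1))
    return [d.isoformat() for d in sorted(d for d in window if d not in have)]


def reporting_deadline(detected_iso):
    """Latest ISO timestamp at which an incident detected at `detected_iso` may be
    reported. Timestamps carry an explicit UTC offset (e.g. +05:30), which is only
    meaningful if the hosts are NTP-synchronised as section D requires."""
    return (datetime.fromisoformat(detected_iso) + REPORTING_WINDOW).isoformat()


def reported_on_time(detected_iso, reported_iso):
    deadline = datetime.fromisoformat(reporting_deadline(detected_iso))
    return datetime.fromisoformat(reported_iso) <= deadline


def constructed_listing(today_iso, missing=()):
    """Constructed sample listing: one compressed archive per day for the last
    180 days plus the live file, minus any ISO dates given in `missing`."""
    today = date.fromisoformat(today_iso)
    skip = {date.fromisoformat(m) for m in missing}
    days = (today - timedelta(days=i) for i in range(1, RETENTION_DAYS + 1))
    return [f"syslog-{d:%Y%m%d}.gz" for d in days if d not in skip] + ["syslog"]


if __name__ == "__main__":
    listing = constructed_listing("2025-07-01", missing=("2025-01-15", "2025-01-16"))
    print("retention gaps:", retention_gaps(listing, "2025-07-01"))
    detected = "2025-07-01T09:00:00+05:30"
    print("report by:", reporting_deadline(detected))
    print("on time:", reported_on_time(detected, "2025-07-01T14:30:00+05:30"))
```

Run it against a real `ls` of your log archive directory (one name per line) to see whether any day inside the 180-day window is missing before an auditor asks.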
F. Implementation of Cyber Defense Controls
CERT-In outlines a set of baseline cybersecurity controls that MSMEs should implement. These include:
15 Key Elemental Cyber Defense Controls for MSMEs
To meet cybersecurity expectations, MSMEs are required to implement a set of basic security controls that cover systems, data, and user access. These controls help reduce risks and improve overall security posture.
1. Asset Management
Keep a complete and updated list of all IT assets, including computers, servers, software, and cloud resources.
2. Network and Email Security
Protect your network and email systems using tools like firewalls, secure configurations, and email filtering to prevent unauthorized access and attacks.
3. Endpoint and Mobile Security
Ensure that laptops, desktops, and mobile devices are secured with proper configurations, antivirus tools, and access controls.
4. Secure Configurations
Set up systems and software in a secure way by disabling unnecessary features and reducing exposure to potential threats.
5. Patch Management
Regularly update operating systems, applications, and devices to fix known vulnerabilities and reduce risk.
6. Incident Management
Have a clear process to identify, report, and respond to security incidents such as data breaches or unauthorized access.
7. Logging and Monitoring
Track system activities and review logs regularly to detect suspicious behavior or potential security issues.
8. Awareness and Training
Train employees to recognize common threats like phishing and follow safe practices while handling data and systems.
9. Third-Party Risk Management
Evaluate the security practices of vendors and partners to ensure they do not introduce risks to your systems.
10. Data Protection, Backup, and Recovery
Protect sensitive data through encryption and maintain regular backups that can be restored in case of data loss or attacks.
11. Governance and Compliance
Define internal policies and procedures to ensure your organization follows legal and cybersecurity requirements.
12. Strong Password Practices
Enforce the use of strong passwords and encourage regular password updates to prevent unauthorized access.
13. Access Control and Identity Management
Limit system access based on roles and responsibilities, and use methods like multi-factor authentication for added security.
14. Physical Security
Protect physical devices and infrastructure by restricting access to offices, server rooms, and critical equipment.
15. Cloud Security
Ensure that cloud environments are properly configured, with controlled access and secure data storage practices.
G. Regularly Review and Act on CERT-In Guidelines
Keep track of updates issued by CERT-In and ensure your systems and processes align with current requirements. Simply being aware is not enough; organizations must act to implement the required changes.
H. Maintain Proper Documentation
Maintain clear records of all security activities, including audit reports, vulnerability fixes, and monitoring logs. Proper documentation helps demonstrate compliance during reviews and supports faster validation.
I. Stay Updated with Compliance Requirements
CERT-In requirements can change over time. Regularly review compliance expectations and ensure your systems, policies, and processes remain aligned with the latest guidelines.
J. Work with CERT-In Empanelled Auditors
Always engage CERT-In empanelled auditors, such as Peneto Labs, for security assessments. This ensures that your reports are accepted for compliance and meet the expected standards.
By following these steps, MSMEs can reduce compliance risks, avoid penalties, and build a more secure and reliable operating environment.

Why CERT-In Compliance Matters for MSMEs
For many MSMEs, cybersecurity is often treated as a secondary concern until a problem occurs. Ignoring CERT-In compliance can lead to serious consequences, including data breaches, operational disruptions, loss of customer trust, and potential legal or regulatory issues. For MSMEs working with enterprise clients or participating in government projects, non-compliance can also result in contract rejection or delays.
A. Increasing Cyber Threats
Small and mid-sized businesses are frequently targeted because they may not have strong security controls in place. Attackers often see MSMEs as easier entry points, especially when they are connected to larger enterprise systems or supply chains.
B. Legal and Regulatory Expectations
CERT-In has defined guidelines that apply to organizations handling digital systems and data. MSMEs are expected to follow these requirements, especially if they operate in sectors like fintech, SaaS, healthcare, or work with government entities.
C. Business Impact of Security Incidents
A security incident can affect an MSME in multiple ways:
- Data breaches can expose customer or business information
- System downtime can disrupt daily operations
- Financial losses can occur due to recovery costs or penalties
Even a single incident can have long-term effects on business continuity.
D. Importance for Partnerships and Clients
Many enterprises and government organizations require their vendors and partners to meet security and compliance standards. Without CERT-In aligned assessments:
- Vendor onboarding may get delayed or rejected
- Clients may not trust the security of your systems
- Opportunities for large projects can be missed
In simple terms, CERT-In compliance is not just about meeting requirements; it directly supports business stability, credibility, and growth for MSMEs.
Penalties and Risks of CERT-In Non-Compliance
Failing to meet the cybersecurity requirements defined by CERT-In can lead to both legal and business consequences. For MSMEs, the impact is not limited to penalties; it can also affect operations, client relationships, and future growth.
A. Legal Consequences Under the IT Act
Non-compliance with CERT-In directions can attract action under the IT Act, 2000. Penalties can include imprisonment of up to one year and financial fines, with fines potentially going up to ₹1 crore or more, along with serious damage to the organization’s reputation. Delays in incident reporting or failure to follow required practices can trigger these consequences.
B. Business Risks and Loss of Trust
A security incident or failed compliance review can reduce customer confidence. Clients may hesitate to share data or continue working with an organization that cannot demonstrate proper security practices. This can directly affect business continuity.
C. Impact on Government Tenders and Enterprise Contracts
Many government projects and enterprise clients require proof of security assessments conducted by CERT-In empanelled auditors. Non-compliance can lead to:
- Rejection from tenders
- Delays in project approvals
- Disqualification during vendor onboarding
D. Operational and Financial Impact
Cyber incidents resulting from weak security controls can disrupt daily operations. Systems may become unavailable, data may be lost, and recovery efforts can take time and resources. This often leads to:
- Unexpected financial costs
- Downtime and productivity loss
- Additional expenses for recovery and reassessment
Get CERT-In Compliance Support from Peneto Labs
Peneto Labs helps MSMEs plan and complete CERT-In compliance-ready security assessments with a structured and practical approach. Our focus is on making the process clear, efficient, and aligned with your business requirements.
Why Choose Peneto Labs?
- Experienced security team with strong technical background across industries
- Manual penetration testing along with automated tools for deeper assessment
- Clear and actionable reports that help teams fix issues quickly
- FREE retesting support to validate vulnerability closure
- End-to-end guidance, from scope definition to final report readiness
- Transparent communication throughout the engagement
If your organization is preparing for a security audit or compliance requirement, contact Peneto Labs to discuss your needs and plan your CERT-In assessment with confidence.
Conclusion
CERT-In compliance rests on a few key requirements: regular security assessments, incident reporting, log retention, implementation of basic security controls, and proper documentation. These steps help ensure that systems are secure and aligned with expected cybersecurity practices.
The key takeaway is simple: cybersecurity compliance is not limited to large enterprises. MSMEs are equally responsible for protecting their systems, data, and users, especially when working with clients, partners, or government platforms.