
India Mandates Annual Cybersecurity Audits Across All Sectors

CERT‑In introduces rigorous compliance for AI, quantum and software systems in sweeping new guidelines

India’s national cybersecurity agency, the Indian Computer Emergency Response Team (CERT‑In), has issued groundbreaking guidelines that require all public and private organisations to undergo annual third-party cybersecurity audits. This marks the first time mandatory audits have been extended beyond the government sector. Sectoral regulators now have the authority to demand more frequent audits depending on risk exposure.

These guidelines also elevate scrutiny of advanced technologies. The compliance scope now extends to artificial intelligence, quantum computing, blockchain and software ecosystems, requiring comprehensive Bills of Materials: SBOM (software), QBOM (quantum), CBOM (cryptography) and AIBOM (AI) inventories that detail models, datasets, dependencies and firmware components.

Broader mandate and risk-oriented approach

CERT-In mandates that audits follow risk-based, domain-specific methodologies aligned with international standards and frameworks such as ISO/IEC, OWASP, OSSTMM and CSA CCM. The guidelines emphasise independence, transparency and accountability in audit procedures. Auditors are required to use both CVSS (Common Vulnerability Scoring System), which rates the severity of a vulnerability, and EPSS (Exploit Prediction Scoring System), which estimates the probability that it will be exploited, to classify and prioritise findings.
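The following is an added illustration of how an auditor might combine the two scores to produce a remediation order; it is example code written for this article, not CERT-In material. The three-tier rule and the 0.1 EPSS cut-off are assumptions chosen for illustration (the guidelines do not prescribe them), and the finding identifiers and scores are constructed sample data, not real vulnerabilities.

```python
"""Rank audit findings by combining CVSS severity with EPSS exploit likelihood.

Added example, not CERT-In material. The tier rules and the 0.1 EPSS cut-off
are assumptions chosen for illustration; the guidelines do not prescribe them.
"""
from dataclasses import dataclass
from typing import List, Tuple

EPSS_THRESHOLD = 0.1  # assumption: "likely to be exploited" cut-off on the EPSS probability


@dataclass(frozen=True)
class Finding:
    ref: str     # finding identifier (constructed, not a real CVE)
    asset: str
    cvss: float  # CVSS v3.x base score, 0.0-10.0
    epss: float  # EPSS score: probability of exploitation within the next 30 days

    def __post_init__(self) -> None:
        # Reject malformed scanner output early rather than silently mis-ranking it.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.ref}: CVSS base score out of range: {self.cvss}")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.ref}: EPSS probability out of range: {self.epss}")


def cvss_rating(score: float) -> str:
    """Qualitative rating bands from the CVSS v3.x specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def remediation_tier(f: Finding, threshold: float = EPSS_THRESHOLD) -> int:
    """Tier 1: fix now; 2: fix within this audit cycle; 3: schedule.

    CVSS answers "how bad if exploited", EPSS answers "how likely to be exploited".
    Both signals must be strong for tier 1; either one alone escalates to tier 2.
    """
    severe = cvss_rating(f.cvss) in ("High", "Critical")
    likely = f.epss >= threshold
    if severe and likely:
        return 1
    if severe or likely:
        return 2
    return 3


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order findings for the remediation plan: tier first, then EPSS, then CVSS."""
    return sorted(findings, key=lambda f: (remediation_tier(f), -f.epss, -f.cvss))


def report(findings: List[Finding]) -> List[Tuple[str, int, str, float]]:
    """Rows for the audit report: (ref, tier, CVSS rating, EPSS)."""
    return [(f.ref, remediation_tier(f), cvss_rating(f.cvss), f.epss)
            for f in prioritise(findings)]


# Constructed sample input; identifiers, assets and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("F-001", "web-frontend", cvss=9.8, epss=0.92),
    Finding("F-002", "batch-server", cvss=9.1, epss=0.01),
    Finding("F-003", "api-gateway", cvss=5.3, epss=0.45),
    Finding("F-004", "build-agent", cvss=3.1, epss=0.002),
    Finding("F-005", "vpn-appliance", cvss=7.5, epss=0.30),
]


if __name__ == "__main__":
    for ref, tier, rating, epss in report(SAMPLE_FINDINGS):
        print(f"tier {tier}  {ref:6}  {rating:8}  EPSS={epss:.3f}")
```

Note that the ordering deliberately puts a medium-severity finding with a high exploitation probability (F-003) ahead of a critical one that nobody is observed exploiting (F-002): CVSS alone would invert that, which is the reason the guidelines ask for both scores.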

Organisations must remediate all flagged vulnerabilities and conduct follow-up reviews. Non-compliance or substandard audits can lead CERT‑In to delist auditors or initiate legal action.

Expanded scope to emerging technologies

The guidelines significantly broaden the scope of cybersecurity assessments. In addition to traditional IT systems, audits now cover cloud and industrial control systems (ICS/OT), Internet of Things (IoT), AI-driven systems, blockchain infrastructure and supply-chain dependencies. This expansion reflects a shift towards comprehensive digital risk management, not just IT hygiene.

CERT‑In has emphasised that audits must be triggered not only annually, but also in response to significant system changes—though what constitutes a “significant change” is assessed on a case-by-case basis by auditors and entities themselves.

Sampling audit expectations and governance

Organisations are expected to obtain audit clearance from CERT‑In‑empanelled firms. Auditors must operate independently—no outcome‑based remuneration is permitted—and all audit metadata must be submitted to CERT‑In within five days of audit completion. Strict data-handling protocols include encryption, secure storage, and mandated data destruction after the audit, all within Indian jurisdiction.

Top-level oversight is required. Boards are expected to review and approve audit scope and remedial plans, while audit outcomes must be visible at senior management level—even if the detailed results remain confidential.

Compliance burdens and regulatory overlap

The timing of the CERT‑In guidelines coincides with the rollout of India’s Digital Personal Data Protection (DPDP) Act, 2023. The DPDP Act requires data fiduciaries to implement reasonable security safeguards and requires Significant Data Fiduciaries to conduct independent audits. However, the relationship between DPDP’s audit requirements and CERT‑In’s framework remains unclear, potentially creating overlapping or duplicated compliance obligations for organisations.

Critics warn that smaller firms or businesses without robust compliance teams may struggle under the expanded audit burden, with no exemption framework provided for smaller organisations.

Cyber resilience over mere compliance

CERT‑In’s new policy signals a paradigm shift—from periodic, checkbox compliance to continuous, risk-driven resilience. By extending audit obligations to emerging domains like AI and quantum technologies and embedding accountability at the board level, the guidelines aim to institutionalise cyber preparedness across India’s digital ecosystem.

Organisations that adapt quickly—automating audit readiness, integrating BOM generation, and aligning audit cycles with business strategy—stand to gain not just compliance, but competitive advantage in digital trust and resilience.
