New CERT-In Guidelines 2025: What Has Changed?

The cybersecurity landscape in India has witnessed its most significant evolution with the rollout of the CERT-In Guidelines 2025. Moving beyond historical "checkbox compliance," the new framework mandates deep resilience and proactive threat hunting for almost every digital operator in the country.

1. Mandatory Annual Audits for All

Previously, mandatory audits were primarily the concern of government agencies and highly regulated sectors like banking. Under the 2025 update, all public and private enterprises operating within India's digital ecosystem are now required to undergo an annual cybersecurity audit by a CERT-In empanelled organization.

2. Inclusion of Emerging Tech (AI, IoT, ICS)

The audit scope has been dramatically expanded. Auditors must now evaluate:

• AI Systems and Model Security: Guarding against prompt injection and model poisoning.
• IoT & Industrial Control Systems (ICS): Securing the hardware-software bridge.
• Advanced API Security: Mandatory testing for all external-facing endpoints.
• Supply Chain Security: Evaluating the risk of third-party dependencies.

3. The 6-Hour Reporting Rule & Penalties

The non-negotiable 6-hour window for reporting cybersecurity incidents remains a cornerstone. However, the 2025 guidelines introduce stricter legal penalties and automatic regulatory scrutiny for organizations that fail to maintain incident logs for at least 180 days within India's jurisdiction.

Conclusion

Wait-and-watch is no longer a viable strategy. With the 2025 guidelines, India is positioning itself as a global leader in digital defense. ARM Innovations, alongside our network of empanelled partners, is here to ensure your organization not only meets but exceeds these national benchmarks.