TLDR: The Indian Computer Emergency Response Team (CERT-In) has made annual third-party cybersecurity audits compulsory for both public and private sector entities managing digital infrastructure. This directive aims to bolster cyber hygiene and includes the scrutiny of Artificial Intelligence (AI) systems, reflecting a proactive approach to evolving digital threats.
The Indian Computer Emergency Response Team (CERT-In) has issued a significant directive making annual third-party cybersecurity audits mandatory for all organizations, in both the public and private sectors, that operate digital infrastructure. This move is a strategic step to fortify India’s cybersecurity posture against an escalating landscape of digital threats and infrastructure breaches. The mandate, effective from August 4, 2025, underscores the nation’s commitment to enhancing cyber resilience.
Under the new guidelines, these audits are required to be risk-based and domain-specific, aligned with the business context and the prevailing threat landscape. While an annual audit is the baseline, sectoral regulators retain the authority to require more frequent checks based on specific risk assessments. This flexibility allows for tailored oversight in critical sectors.
Crucially, the scope of these mandatory audits extends to Artificial Intelligence (AI) systems. As AI integration becomes more pervasive across various digital infrastructures, CERT-In’s inclusion of AI under scrutiny highlights a forward-thinking approach to address potential vulnerabilities and ensure the secure deployment and operation of AI technologies. This ensures that the rapidly evolving AI domain does not become a blind spot in the national cybersecurity framework.
In the fiscal year 2024-25, CERT-In oversaw the completion of 9,708 cybersecurity audits, demonstrating the existing capacity and ongoing efforts in this domain. The agency has also empanelled 200 companies specifically to conduct these rigorous audits, ensuring a robust pool of qualified third-party assessors. This initiative is part of CERT-In’s broader responsibilities, which include collecting and analyzing cybersecurity incident data, forecasting and alerting about emerging cyber threats, providing emergency response support, and issuing security guidelines and best practices.


