The Growing Threat Landscape and MSME Vulnerabilities

Cybersecurity threats have evolved significantly in recent years, and they are no longer limited to large corporations or critical infrastructure. India’s MSMEs, which form the backbone of the country’s economy, are increasingly becoming targets for cybercriminals. The digital transformation accelerated by the COVID-19 pandemic has led many MSMEs to adopt cloud services, e-commerce platforms, and digital payment systems. While these technologies offer significant benefits, they also expose businesses to new vulnerabilities. MSMEs often lack the resources and expertise to implement robust cybersecurity measures, making them attractive targets for attackers seeking easy entry points into larger networks. Moreover, one might also think, I am too small of a target or why would someone hack me? A compromised MSME can serve as a gateway to more extensive breaches, affecting partners, vendors, and customers across the supply chain. A recent study conducted in 2024–2025 revealed that 74 percent of Indian SMEs experienced at least one cyberattack in the past year. Alarmingly, 60 percent of those affected were unable to recover fully, with many shutting down operations within six months. These attacks are becoming more sophisticated, leveraging technologies such as artificial intelligence for phishing and deepfake-enabled frauds, making MSMEs vulnerable to serious disruptions.Standardizing Cybersecurity Across the Economy

Historically, cybersecurity compliance in India was limited to sectors such as banking, telecom, and large enterprises. MSMEs, despite being integral to digital supply chains, often operate without any mandated security protocols. The new directive from CERT-In changes this by introducing uniform standards across the MSME landscape.

In order to achieve compliance, organisations must hire an external auditing firm empaneled with CERT-In to carry out a comprehensive cybersecurity audit every year. An internal system will be enabled in order to report any cybersecurity incident, such as a data breach or hacking attempt, to CERT-In within six hours of detection Additionally, companies are required to securely maintain detailed logs of all Information and Communication Technology (ICT) systems for a minimum of 180 days to ensure traceability and accountability.

This move reflects a broader recognition that cybersecurity is not just an IT concern but a shared responsibility across the entire business ecosystem. By mandating audits and controls, the government aims to instill cyber hygiene and accountability at every level of the economy.

While the directive introduces additional regulatory requirements, it should be viewed as a strategic investment rather than a burden. The financial and reputational costs of a cybersecurity breach can far exceed the cost of compliance. Businesses that demonstrate strong cybersecurity practices are more likely to earn the trust of clients, vendors, and investors. In today’s interconnected digital economy, cybersecurity readiness is emerging as a competitive differentiator. MSMEs that prioritize security are better positioned to attract partnerships and sustain long-term growth.

CERT-In’s Role in Cyber Governance

CERT-In plays a central role in India’s cybersecurity framework. As the national nodal agency, it is responsible for issuing advisories, coordinating responses to major incidents, and guiding organizations on best practices. The new directive represents one of CERT-In’s most comprehensive efforts to standardize cybersecurity across a diverse and decentralized sector. By extending its oversight to MSMEs, CERT-In is fostering a culture of proactive cyber governance and ensuring that even the smallest businesses are equipped to defend against digital threats.

Although specific penalties for non-compliance have not yet been detailed, previous CERT-In mandates have included substantial fines for violations. However, the greater risk lies in operational disruption, data loss, and erosion of customer trust. MSMEs that fail to comply may face exclusion from digital supply chains, legal consequences, and reputational damage. On the other hand, proactive compliance can enhance credibility, improve operational resilience, and open doors to new business opportunities. The directive is not merely about regulatory compliance; it is about embedding cybersecurity into the core operations of MSMEs. This includes training employees on cyber hygiene, investing in secure infrastructure, developing incident response plans, and engaging certified auditors to identify and address vulnerabilities. By adopting these practices, MSMEs can build long-term digital resilience and contribute to a safer national cyber environment.

A Strategic Cybersecurity Action Plan for MSMEs

To truly embrace India’s cybersecurity mandate, MSMEs must shift from a reactive mindset to a proactive, strategic approach. The first step is to allocate a dedicated budget for cybersecurity, treating it as a core business investment rather than a discretionary expense. Engaging with certified cybersecurity consultants or firms is essential to implement the 15 mandatory controls effectively and ensure systems are resilient against evolving threats. Cybersecurity should also be elevated to a board-level priority, with CERT-In compliance set as an annual business objective and tracked with the same seriousness as financial or operational goals. Most importantly, MSMEs must treat cybersecurity as a continuous process, not a one-time audit exercise. Progress should be monitored throughout the year to avoid last-minute rushes and ensure readiness at all times. This approach not only ensures compliance but also builds long-term digital resilience, enhances customer trust, and strengthens the organization’s position in the digital economy. In today’s interconnected world, one weak link can compromise an entire supply chain. MSMEs must take ownership of their cybersecurity journey. This commitment will safeguard operations, unlock new opportunities, and contribute to a more secure and resilient digital India.