
CERT-In IoT Security Compliance Checklist for Indian Companies (2025-26) Updated

Mahendra Solanki
Chief Executive Officer

Direct Answer: What is CERT-In IoT Compliance India?

CERT-In IoT compliance in India refers to the cybersecurity directions and guidelines issued by the Indian Computer Emergency Response Team (CERT-In) under the IT Act, 2000. For the 2025-26 period, Indian companies that build, deploy or operate connected devices are required to align with these CERT-In IoT guidelines, which call for a 6-hour incident reporting window, annual cybersecurity audits by CERT-In empanelled organisations, and a maintained Software and Hardware Bill of Materials (SBOM/HBOM). Failure to follow this IoT compliance checklist can lead to financial penalties and legal action under the Digital India 2.0 framework.


TL;DR: CERT-In IoT compliance India 2025-26

  • Mandatory Audits: Annual third-party audits by CERT-In empanelled firms are now a legal requirement. 
  • 6-Hour Rule: Any cyber incident affecting IoT infrastructure must be reported to CERT-In within 6 hours of noticing it. 
  • No Default Passwords: Universal default passwords shared across a product line are prohibited (TEC 31318:2021, Code of Practice for Securing Consumer IoT). 
  • Data Residency: Audit logs and sensitive IoT data must remain within Indian jurisdiction. 
  • BOM Transparency: Companies must maintain current, machine-readable inventories of all software (SBOM) and hardware (HBOM) components. 

CERT-In IoT Security Compliance India

With India’s digital economy projected to cross $1 trillion by 2030, the government has moved from “suggesting” security to “enforcing” it. For any company manufacturing, deploying, or managing connected devices, staying compliant with India IoT security regulations is no longer optional. 

Here is the comprehensive IoT compliance checklist for 2025-26.

 

  1. Mandatory Annual Cybersecurity Audits

Under the latest CERT-In IoT guidelines, companies must undergo an annual audit. These are not surface-level checks; the auditor expects evidence that each security control is implemented and operating, not merely documented. 

  • Action: Appoint a CERT-In empanelled auditor. 
  • Focus: Pick an auditor with demonstrated competence in multi-cloud, AI/ML systems, and highly connected IoT/OT environments, and agree the audit scope (device fleet, backend, update pipeline) before the engagement starts. 
  2. The 6-Hour Incident Reporting Rule

If your IoT infrastructure suffers unauthorised access, a denial-of-service attack, or data exfiltration, the clock starts the moment the incident is noticed. 

  • Requirement: Report the incident to CERT-In within six hours of noticing it (the window set by CERT-In's directions of April 2022 under Section 70B of the IT Act). 
  • Log Retention: Keep system logs securely for a rolling period of 180 days, within Indian jurisdiction, so that they can be produced to CERT-In on request. 

  3. Hardware & Software Bill of Materials (HBOM/SBOM)

Static spreadsheets are out. CERT-In now expects “live” visibility into your stack: an inventory that is regenerated with every build and can be queried the moment a new advisory lands. 

  • SBOM: List every software component, library and version used, in a machine-readable format (SPDX or CycloneDX) so it can be matched against vulnerability advisories. 
  • HBOM: Document all hardware dependencies, including chipsets, modules and the firmware each one runs. 
  • CBOM: Identify every cryptographic component (algorithms, key sizes, libraries, certificates) so that deprecated primitives can be found and replaced. 
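As an added example (not code from this page or from CERT-In), the following Go program checks a small, constructed CycloneDX-style BOM against the three points above: every software, firmware and hardware entry must carry a version, no entry may appear twice, and cryptographic assets must not use deprecated primitives or undersized keys. The field names, the algorithm policy and the sample BOM are assumptions made for the example; it goes slightly beyond the text by treating the CBOM as part of the same document.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Component is the subset of a CycloneDX-style BOM entry this check needs (assumed field names).
type Component struct {
	Type      string `json:"type"` // library, firmware, device, or cryptographic-asset
	Name      string `json:"name"`
	Version   string `json:"version"`
	Supplier  string `json:"supplier,omitempty"`
	Algorithm string `json:"algorithm,omitempty"` // cryptographic-asset only
	KeyBits   int    `json:"keyBits,omitempty"`   // cryptographic-asset only
}

type BOM struct {
	Components []Component `json:"components"`
}

// Finding is one gap an auditor would raise against the BOM.
type Finding struct {
	Component, Reason string
}

// Primitives no new design should ship, and minimum key sizes per key family (policy assumed for the example).
var deprecatedAlgorithms = map[string]bool{"MD5": true, "SHA1": true, "SHA-1": true, "DES": true, "3DES": true, "RC4": true}
var minimumKeyBits = map[string]int{"RSA": 2048, "DSA": 2048, "DH": 2048, "EC": 256, "ECDSA": 256, "AES": 128}

// AuditBOM parses a BOM and reports entries that cannot be matched against advisories
// (no version), use deprecated cryptography, are duplicated, or have an unknown type.
func AuditBOM(raw []byte) ([]Finding, error) {
	var bom BOM
	if err := json.Unmarshal(raw, &bom); err != nil {
		return nil, fmt.Errorf("bom is not valid JSON: %w", err)
	}
	var findings []Finding
	seen := map[string]bool{}
	for _, c := range bom.Components {
		key := c.Type + ":" + c.Name
		if seen[key] {
			findings = append(findings, Finding{c.Name, "duplicate entry"})
		}
		seen[key] = true
		switch c.Type {
		case "library", "firmware", "device":
			if strings.TrimSpace(c.Version) == "" {
				findings = append(findings, Finding{c.Name, "missing version; cannot be matched against advisories"})
			}
		case "cryptographic-asset":
			alg := strings.ToUpper(c.Algorithm)
			if deprecatedAlgorithms[alg] {
				findings = append(findings, Finding{c.Name, "deprecated algorithm " + c.Algorithm})
				continue
			}
			family := strings.SplitN(alg, "-", 2)[0] // "AES-GCM" -> "AES"
			if need, ok := minimumKeyBits[family]; ok && c.KeyBits < need {
				findings = append(findings, Finding{c.Name, fmt.Sprintf("%s key of %d bits is below the %d-bit minimum", family, c.KeyBits, need)})
			}
		default:
			findings = append(findings, Finding{c.Name, "unknown component type " + c.Type})
		}
	}
	return findings, nil
}

// sampleBOM is a constructed input: one library without a version, a 1024-bit RSA
// signing key and an MD5 entry sit among otherwise acceptable components.
const sampleBOM = `{
  "components": [
    {"type": "library", "name": "mbedtls", "version": "3.6.0"},
    {"type": "library", "name": "lwip", "version": ""},
    {"type": "firmware", "name": "bootloader", "version": "1.2.0", "supplier": "Acme Silicon"},
    {"type": "device", "name": "ESP32-C3", "version": "rev3", "supplier": "Espressif"},
    {"type": "cryptographic-asset", "name": "tls-cipher", "algorithm": "AES-GCM", "keyBits": 256},
    {"type": "cryptographic-asset", "name": "fw-signature", "algorithm": "RSA", "keyBits": 1024},
    {"type": "cryptographic-asset", "name": "legacy-hash", "algorithm": "MD5"}
  ]
}`

func main() {
	findings, err := AuditBOM([]byte(sampleBOM))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %s\n", f.Component, f.Reason)
	}
}
```

Run against a real BOM, the same loop is the place to add a lookup of each name/version pair against your advisory feed; the point of the version check is that an entry without a version can never be matched, so it is a finding in its own right.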
  4. Eliminating Universal Default Passwords 

Aligned with the Code of Practice for Securing Consumer IoT (TEC 31318), devices must not ship with “admin/admin” style credentials shared across a product line. 

  • Check: Every device must either carry a unique, strong password of its own or use certificate-based authentication, and must enforce this at first boot before any other function is available. 
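Added example, not from the original page: a Go sketch of the first-boot behaviour the check above describes. Each unit leaves the factory with its own random label password (so no universal default exists), and the firmware accepts nothing but a password change until that label password has been replaced by one that is not a known default, is at least 12 characters, and is not derived from the serial. The Device type, the denylist and the policy thresholds are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// Constructed denylist of universal defaults; a real build would carry a much longer one.
var universalDefaults = map[string]bool{
	"admin": true, "password": true, "root": true, "1234": true, "12345678": true, "default": true,
}

// Device is the credential state of one unit (assumed layout for this example).
type Device struct {
	Serial       string
	MustChange   bool // true until the label password has been replaced
	salt, pwHash []byte
}

// hashPassword is salted SHA-256 to keep the example stdlib-only; use Argon2id or scrypt in real firmware.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// ProvisionDevice runs once at the factory: a random 80-bit label password per unit,
// so no two devices share a credential and nothing about it is derivable from the serial.
func ProvisionDevice(serial string) (*Device, string, error) {
	buf := make([]byte, 26)
	if _, err := rand.Read(buf); err != nil {
		return nil, "", err
	}
	label := strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(buf[:10]))
	d := &Device{Serial: serial, MustChange: true, salt: buf[10:]}
	d.pwHash = hashPassword(d.salt, label)
	return d, label, nil
}

// Login checks a password in constant time and reports whether a change is still pending;
// while mustChange is true the firmware should accept nothing but SetPassword.
func (d *Device) Login(pw string) (mustChange bool, err error) {
	if subtle.ConstantTimeCompare(hashPassword(d.salt, pw), d.pwHash) != 1 {
		return false, errors.New("invalid credentials")
	}
	return d.MustChange, nil
}

// SetPassword applies the first-boot policy and clears MustChange on success.
func (d *Device) SetPassword(current, next string) error {
	if subtle.ConstantTimeCompare(hashPassword(d.salt, current), d.pwHash) != 1 {
		return errors.New("invalid current password")
	}
	lower := strings.ToLower(next)
	switch {
	case universalDefaults[lower]:
		return errors.New("universal default password rejected")
	case len(next) < 12:
		return errors.New("password must be at least 12 characters")
	case d.Serial != "" && strings.Contains(lower, strings.ToLower(d.Serial)):
		return errors.New("password must not contain the device serial")
	case next == current:
		return errors.New("the label password must be replaced, not reused")
	}
	d.pwHash = hashPassword(d.salt, next)
	d.MustChange = false
	return nil
}

func main() {
	d, label, err := ProvisionDevice("SN-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("label password:", label)
	mc, _ := d.Login(label)
	fmt.Println("first login, change required:", mc)
	fmt.Println("set 'admin':", d.SetPassword(label, "admin"))
	fmt.Println("set strong:", d.SetPassword(label, "correct horse battery"))
	mc, _ = d.Login("correct horse battery")
	fmt.Println("second login, change required:", mc)
}
```

The label password is printed on the unit's sticker and never reused across units; the auditor's question is then whether anything other than SetPassword is reachable while MustChange is still true.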
  5. Implementing Mutual TLS (mTLS) & Encryption

India IoT security regulations emphasize “Encryption in Transit.” 

  • Requirement: Use TLS 1.2 or 1.3 for every connection; disable SSLv3, TLS 1.0 and TLS 1.1 on both the device and the backend. 
  • mTLS: Ensure the server verifies the device's certificate AND the device verifies the server's certificate against a trusted CA before any data is exchanged. 
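Added example, not from the page: a Go program that builds an in-memory CA, issues a gateway certificate and a device certificate from it, and runs a real mutually authenticated handshake over loopback TCP with TLS 1.2 as the floor. The gateway is configured with RequireAndVerifyClientCert, so a device that presents no certificate (or one from a different CA) is rejected, and the device verifies the gateway's certificate against the same CA. The names iot-gateway.example and device-SN-0001 are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues an ECDSA P-256 certificate; issuer == nil yields a self-signed CA.
// Leaf is filled in so a CA can go into a CertPool and sign further certificates.
func newCert(cn string, issuer *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Handshake runs one handshake over loopback TCP: the gateway demands a CA-issued device
// certificate and the device demands a CA-issued gateway certificate. Pass device == nil to
// see what happens to a device that presents no identity.
func Handshake(pool *x509.CertPool, gateway tls.Certificate, device []tls.Certificate) (serverErr, clientErr error) {
	srvConf := &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{gateway},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the gateway trusts only devices the CA issued
		ClientCAs:    pool,
	}
	cliConf := &tls.Config{
		MinVersion:   tls.VersionTLS12,
		RootCAs:      pool,                  // the device trusts only a gateway the CA issued
		ServerName:   "iot-gateway.example", // assumed name; must match the gateway certificate
		Certificates: device,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // gateway side: accept, finish the handshake, send one message
		conn, err := ln.Accept()
		if err == nil {
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				_, err = conn.Write([]byte("telemetry channel open\n"))
			}
			conn.Close()
		}
		done <- err
	}()
	cli, clientErr := tls.Dial("tcp", ln.Addr().String(), cliConf) // device side: connect + handshake
	if clientErr != nil {
		ln.Close() // unblocks Accept so the gateway goroutine can report its error
		return <-done, clientErr
	}
	defer cli.Close()
	cli.SetDeadline(time.Now().Add(5 * time.Second))
	// Under TLS 1.3 the device finishes before the gateway has judged its certificate, so a rejection alert only surfaces on the first read.
	_, clientErr = cli.Read(make([]byte, 64))
	return <-done, clientErr
}

func main() {
	ca, err := newCert("iot-ca", nil)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	gateway, _ := newCert("iot-gateway.example", &ca)
	device, _ := newCert("device-SN-0001", &ca)
	s1, c1 := Handshake(pool, gateway, []tls.Certificate{device})
	s2, c2 := Handshake(pool, gateway, nil)
	fmt.Printf("enrolled device: server=%v client=%v\nno certificate:  server=%v client=%v\n", s1, c1, s2, c2)
}
```

Two things carry over to production unchanged: the server must set ClientAuth to RequireAndVerifyClientCert (VerifyClientCertIfGiven silently admits devices with no certificate), and the device must pin RootCAs to your own CA rather than the system trust store, since any public CA could otherwise issue a certificate for your gateway's name.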
  6. Secure Update Mechanisms (OTA)

While IoT devices tend to be “set and forget” solutions, the 2025-26 standards call for lifecycle governance. 

  • Requirement: The device must be able to receive security patches through OTA updates for its supported lifetime. 
  • Verification: The device must authenticate every OTA update (a signature over the image, verified with a key held on the device) before installing it, so that malicious or tampered firmware is rejected. 
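Added example, not from the page: a Go program showing the update authentication the two points above call for. The vendor signs a manifest (model, version, SHA-256 of the image) with an Ed25519 key; the device holds only the public key and refuses to install an image whose manifest signature fails, whose hash does not match, that targets another model, or whose version is not newer than the installed one (anti-rollback, a check the page does not mention but which any signed-update scheme needs). The Manifest layout and field names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image; the vendor signs its encoding (assumed layout).
type Manifest struct {
	Model     string   // hardware model the image was built for
	Version   uint32   // strictly increasing; doubles as the anti-rollback counter
	ImageHash [32]byte // SHA-256 of the image bytes
}

// encode serialises the manifest deterministically so the signature covers every field.
func (m Manifest) encode() []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(len(m.Model)))
	buf.WriteString(m.Model)
	binary.Write(&buf, binary.BigEndian, m.Version)
	buf.Write(m.ImageHash[:])
	return buf.Bytes()
}

// SignUpdate runs in the vendor's build pipeline, the only place the private key lives.
func SignUpdate(vendorKey ed25519.PrivateKey, model string, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Model: model, Version: version, ImageHash: sha256.Sum256(image)}
	return m, ed25519.Sign(vendorKey, m.encode())
}

// Device is the state the bootloader protects: the vendor public key provisioned at
// manufacture and the version currently installed.
type Device struct {
	Model          string
	VendorPub      ed25519.PublicKey
	CurrentVersion uint32
}

// VerifyUpdate is the gate an OTA handler must pass before writing anything to flash.
func (d *Device) VerifyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorPub, m.encode(), sig) {
		return errors.New("manifest signature invalid: not signed by the vendor key")
	}
	if m.Model != d.Model {
		return fmt.Errorf("image is for model %q, this device is %q", m.Model, d.Model)
	}
	if m.Version <= d.CurrentVersion {
		return fmt.Errorf("rollback refused: version %d is not newer than installed %d", m.Version, d.CurrentVersion)
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash does not match the signed manifest")
	}
	d.CurrentVersion = m.Version // commit only after every check has passed
	return nil
}

func main() {
	vendorPub, vendorKey, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{Model: "gw-100", VendorPub: vendorPub, CurrentVersion: 1}
	image := []byte("constructed firmware image v2")

	m, sig := SignUpdate(vendorKey, "gw-100", 2, image)
	fmt.Println("vendor-signed v2:   ", dev.VerifyUpdate(m, sig, image))
	fmt.Println("same v2 again:      ", dev.VerifyUpdate(m, sig, image))
	m, sig = SignUpdate(attackerKey, "gw-100", 3, image)
	fmt.Println("attacker-signed v3: ", dev.VerifyUpdate(m, sig, image))
	m, sig = SignUpdate(vendorKey, "gw-100", 3, image)
	fmt.Println("tampered image v3:  ", dev.VerifyUpdate(m, sig, append([]byte("x"), image...)))
}
```

The order of the checks matters: the signature is verified first so that nothing in an unsigned manifest (model, version) is trusted, and the installed version is advanced only after the image hash has been confirmed, so a failed update can never move the rollback counter.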

  7. Data Localization and Residency

As per the Digital Personal Data Protection Act (DPDPA) 2023, IoT data processing is subject to geographic constraints. 

  • Constraint: Sensitive personal data collected via IoT devices should be stored and processed within Indian jurisdiction unless specifically exempted. 
  8. Vulnerability Disclosure Policy (VDP)

Companies must provide a clear path for security researchers to report flaws. 

  • Requirement: Publish a VDP with a reachable security contact (a security.txt file as described in RFC 9116 is the usual vehicle) and a defined timeline for remediating reported vulnerabilities. 
  9. Board-Level Accountability

Cybersecurity is no longer just an “IT problem.” CERT-In now mandates that: 

  • Oversight: Board members must approve audit scopes and remediation budgets. 
  • Reporting: Audit outcomes and open risks must be visible at the executive level. 

The shift from “Compliance” to “Threat Readiness” is a major transition. At HireDeveloper.dev, we provide the technical expertise to help you build CERT-In IoT compliance India into your architecture from day one. 

From implementing mTLS to generating real-time SBOMs, our developers ensure your IoT ecosystem is secure, scalable, and fully aligned with 2026 mandates. 

Frequently Asked Questions


Who needs to follow CERT-In IoT compliance in India?

All organisations in India, public or private, that operate digital infrastructure, use Internet of Things (IoT) devices to process personal data, or offer cloud or network services must ensure compliance. In practice this covers device manufacturers, system integrators and the operators who deploy and manage the devices. 

What happens if we miss the 6-hour reporting window?

Delays or ambiguities in reporting invite regulatory scrutiny and can lead to legal proceedings: failure to comply with a CERT-In direction issued under Section 70B(6) of the IT Act is punishable under Section 70B(7) with imprisonment of up to one year, a fine of up to one lakh rupees, or both.

Is a standard ISO 27001 audit enough for CERT-In compliance?

ISO 27001 is an excellent foundation, but for 2025-26 CERT-In expects specific technical evidence (an audit by an empanelled organisation, demonstrated 6-hour reporting readiness, 180-day log retention, SBOM/HBOM inventories) that a generic ISO 27001 certificate does not by itself demonstrate. 

Do these regulations apply to Industrial IoT (IIoT) and OT?

Yes. The 2025-26 framework explicitly includes Operational Technology (OT) used in manufacturing, utilities, and critical infrastructure.

Can we store IoT audit logs on a global cloud?

Audit data handling rules for 2025 require that logs and audit outputs be kept within Indian jurisdiction and encrypted both at rest and in transit.