Cybersecurity Companies in India: CERT-In Compliance, Data Protection & FDI

India's cybersecurity market is projected to reach USD 12.9 billion by 2030, driven by mandatory CERT-In compliance, the Digital Personal Data Protection Act, and rising enterprise demand. This guide covers every regulatory requirement for starting and operating a cybersecurity company in India — from CERT-In audit obligations and DPDP Act compliance to FDI structuring and data localization rules.

By Manu Rao | March 19, 2026 | 10 min read
Last updated June 19, 2026

India's Cybersecurity Market: Scale, Growth, and Regulatory Drivers

India's cybersecurity market was valued at approximately USD 5.6 billion in 2025 and is projected to reach USD 12.9 billion by 2030 — a compounded annual growth rate of 18.3%. This growth is not driven by corporate discretion; it is driven by regulatory mandate. CERT-In's expanded audit requirements, the Digital Personal Data Protection Act (DPDP Act), and sector-specific data protection regulations are creating compliance-driven demand that did not exist five years ago.

For foreign investors and companies evaluating India as a cybersecurity business destination, the opportunity is clear: every company operating in India's digital ecosystem now needs third-party cybersecurity audits, incident response capabilities, and data protection compliance services. The regulatory framework is the market itself.

Major players include Quick Heal Technologies, Tata Communications, Wipro, HCLTech, Infosys, and Tech Mahindra on the domestic side, alongside global firms like Cisco Systems, Palo Alto Networks, Fortinet, CrowdStrike, and Darktrace operating through Indian subsidiaries. The market has room for specialists — particularly in CERT-In audit services, DPDP Act compliance consulting, and sector-specific security solutions for BFSI, healthcare, and government clients.

CERT-In Compliance: The Regulatory Foundation

The Indian Computer Emergency Response Team (CERT-In) is the nodal agency for cybersecurity incident response under the Ministry of Electronics and Information Technology (MeitY). Its April 2022 Directions, updated substantially in 2025, impose mandatory obligations on every business operating in India's digital ecosystem.

Six-Hour Incident Reporting

CERT-In mandates that all cybersecurity incidents must be reported within six hours of becoming aware of them. This is among the shortest incident reporting windows globally — the EU's GDPR allows 72 hours; the US has no single federal standard. The types of incidents that must be reported include:

  • Targeted scanning or probing of critical networks
  • Compromise of critical systems or information
  • Unauthorised access to IT systems or data
  • Defacement of websites or intrusion into websites
  • Malicious code attacks (ransomware, cryptomining, botnet)
  • Attacks on servers and network infrastructure
  • Identity theft, spoofing, and phishing attacks
  • Data breaches and data leaks

Reports must be filed through CERT-In's designated portal with specific technical details including affected systems, vulnerability exploited, and remediation steps taken.

180-Day Log Retention

All service providers, intermediaries, data centres, and body corporates must maintain logs of all their ICT systems for a rolling period of 180 days within Indian jurisdiction. These logs must be provided to CERT-In on demand during incident investigation. For cybersecurity companies offering managed security services, this creates both a compliance obligation and a business opportunity — clients need help implementing compliant log management systems.

Mandatory Third-Party Audits (2025 Update)

As of July 2025, every public and private enterprise operating in India's digital ecosystem must undergo annual third-party cybersecurity audits. Key requirements include:

  • Audits must be conducted by CERT-In empanelled auditors — internal teams cannot self-certify
  • Audit scope must align with ISO/IEC 27001 and reflect actual business risk
  • Scope extends across IT, OT (operational technology), APIs, and supply chains
  • Audit outcomes must be board-visible with dashboards and SLA tracking
  • Final certification and compliance reports must be accompanied by traceable, verifiable artifacts

This mandate alone has created a multi-billion-rupee addressable market for CERT-In empanelled audit firms and cybersecurity service providers.

Penalties for Non-Compliance

Under Section 70B(7) of the Information Technology Act, failure to comply with CERT-In directions is punishable with imprisonment up to one year and/or a fine up to INR 1 lakh. For more serious violations, penalties can extend to INR 1 crore (approximately USD 120,000) or both imprisonment and fine. CERT-In also has the power to:

  • Suspend service authorisations
  • Restrict access to national infrastructure
  • Blacklist service providers from handling sensitive or government data
  • Bar repeat offenders from government contracts

The Digital Personal Data Protection Act (DPDP Act, 2023)

The DPDP Act is India's comprehensive data protection legislation, with the DPDP Rules 2025 notified on November 13, 2025. The implementation follows a phased approach that creates immediate compliance demand:

Implementation Timeline

  • Stage 1 (November 13, 2025): Data Protection Board of India instituted; processes established
  • Stage 2 (November 13, 2026): Consent Manager registration process implemented
  • Stage 3 (May 13, 2027): Full substantive compliance mandatory, covering privacy notices, consent systems, security safeguards, breach protocols, data retention, and children's protections

Obligations for Data Fiduciaries

Every entity processing personal data of individuals in India (Data Fiduciaries) must:

  • Provide itemised privacy notices specifying the purpose of data collection
  • Implement purpose-based data retention timelines
  • Maintain reasonable security safeguards proportionate to the data processed
  • Report data breaches to the Data Protection Board within 72 hours
  • Obtain verifiable parental consent before processing children's data
  • Implement automated data deletion pipelines for erasure requests

Significant Data Fiduciaries: Enhanced Obligations

Entities designated as Significant Data Fiduciaries face additional requirements:

  • Annual Data Protection Impact Assessments (DPIAs)
  • Mandatory algorithmic fairness assessments
  • Appointment of a Data Protection Officer (DPO) based in India
  • Annual independent audits of data processing practices
  • Stricter technical due diligence requirements

Penalties under the DPDP Act can reach up to INR 250 crore (approximately USD 30 million) for serious violations — making this one of the most consequential compliance frameworks for companies operating in India. For foreign companies specifically, our guide on DPDP Act Phase 1 compliance for foreign companies provides targeted implementation guidance.

FDI in Cybersecurity: 100% Under Automatic Route

India's IT sector — which encompasses cybersecurity services, software development, and information security consulting — permits 100% foreign direct investment under the automatic route. No prior government approval is required, making India one of the most accessible markets globally for foreign cybersecurity companies.

Entity Structure Options

Foreign companies entering India's cybersecurity market typically choose between:

  • Wholly Owned Subsidiary (WOS): 100% foreign-owned private limited company. Best for companies planning long-term operations with full control. Most common structure for cybersecurity companies.
  • Branch Office: Extension of the foreign parent company. Suitable for companies providing services to Indian clients without establishing a separate legal entity. Limited to specific permitted activities.
  • Liaison Office: For market exploration and relationship building only. Cannot undertake commercial activities or generate revenue in India.

For a detailed comparison of these options, see our branch office vs subsidiary comparison and branch office vs liaison office comparison.

FEMA Compliance for Foreign-Owned Cybersecurity Companies

All foreign investment transactions must comply with FEMA regulations. Key filings include:

  • FC-GPR within 30 days of share allotment to non-resident investors
  • FLA Return by July 15 annually
  • Form 15CA/15CB for every outward remittance (royalties, dividends, service fees)

For comprehensive FDI structuring guidance, explore our FDI advisory services.

Data Localisation and Cross-Border Data Flows

Data localisation is a critical consideration for cybersecurity companies, as security operations centres (SOCs), threat intelligence platforms, and incident response systems inherently involve cross-border data flows.

Current Data Localisation Requirements

  • RBI mandate: All payment system data must be stored exclusively in India — this affects cybersecurity companies serving BFSI clients
  • CERT-In logs: The 180-day log retention must be within Indian jurisdiction
  • DPDP Act: The Act permits cross-border data transfers except to countries specifically restricted by the Central Government. No restricted country list has been published yet as of March 2026
  • Sector-specific rules: Telecom, insurance, and healthcare sectors have additional data residency requirements

Practical Implications

Foreign cybersecurity companies operating managed SOCs or cloud-based security platforms must ensure that Indian client data processed in India complies with localisation requirements. This typically means establishing India-based data centres or using Indian cloud regions (AWS Mumbai, Azure Central India, GCP Mumbai).

Becoming a CERT-In Empanelled Auditor

CERT-In maintains a panel of authorised cybersecurity auditors who can conduct the mandatory annual audits. Becoming empanelled is a significant competitive advantage — it effectively licenses your company to serve the entire Indian enterprise market's mandatory audit requirements.

Empanelment Requirements

  • The company must be registered in India (foreign companies need an Indian subsidiary)
  • Certified professionals — CISA, CISSP, CEH, ISO 27001 Lead Auditor — on staff
  • Demonstrated experience in conducting cybersecurity audits
  • Infrastructure for secure handling of audit data and reports
  • Compliance with CERT-In's Code of Practice for empanelled auditors

Business Opportunity

With the 2025 mandate extending annual audits to every enterprise in India's digital ecosystem, the demand for empanelled auditors far exceeds supply. Companies that achieve empanelment can build a recurring revenue model based on annual compliance audits — a predictable, regulation-driven revenue stream.

Tax Considerations for Cybersecurity Companies

Cybersecurity companies in India benefit from several tax advantages:

  • Standard corporate tax rate: 25.17% (including surcharge and cess) for companies with turnover up to INR 400 crore
  • Section 80-IAC startup exemption: DPIIT-recognised startups can claim 100% tax exemption on profits for any 3 consecutive years within 10 years of incorporation. Eligibility extended to startups incorporated before April 1, 2030
  • R&D deductions under Section 35: 100% deduction on revenue and capital expenditure on in-house scientific research
  • GST on services: Cybersecurity services attract 18% GST; exports of services are zero-rated
  • Transfer pricing: Inter-company service fees between Indian subsidiary and foreign parent must be at arm's length

For companies exporting cybersecurity services (serving foreign clients from India), the zero-rated GST treatment and competitive labour costs make India an attractive delivery base. Many global cybersecurity companies operate India-based SOCs and threat research centres for this reason.

Sector-Specific Cybersecurity Compliance Requirements

Beyond the horizontal CERT-In and DPDP Act requirements, cybersecurity companies serving specific sectors must understand industry-specific compliance frameworks that drive demand for specialised services.

Banking, Financial Services, and Insurance (BFSI)

The RBI's cybersecurity framework for banks and financial institutions mandates a dedicated Cyber Security Operations Centre (C-SOC), periodic vulnerability assessment and penetration testing (VAPT), Board-approved cybersecurity policies, and incident reporting to RBI within 2-6 hours depending on severity. The Insurance Regulatory and Development Authority (IRDAI) has parallel requirements for insurance companies. BFSI clients represent the largest addressable segment for cybersecurity companies in India, with compliance-driven spending estimated at INR 8,000-12,000 crore annually.

Telecom Sector

The Department of Telecommunications (DoT) has issued security directives requiring telecom operators to maintain detailed call data records, implement lawful interception capabilities, and conduct annual security audits. The Telecom Act amendments have expanded cybersecurity obligations to include over-the-top (OTT) communication services and digital infrastructure providers.

Healthcare

While India does not yet have a dedicated healthcare data protection law, the DPDP Act's provisions for sensitive personal data — including health data — create compliance requirements for hospitals, diagnostic chains, healthtech platforms, and pharma companies. Cybersecurity companies offering healthcare-specific compliance services (HIPAA-aligned frameworks adapted for Indian regulations) are positioned to capture significant demand as the digital health ecosystem expands.

Government and Critical Infrastructure

Government departments and critical information infrastructure (CII) organisations have the most stringent cybersecurity requirements, including mandatory CERT-In empanelled audits, continuous monitoring obligations, and specific hardware and software sourcing restrictions. Companies seeking to serve government clients must typically meet additional security clearance requirements and may need to use India-manufactured or India-certified security products.

Building a Cybersecurity Company: Competitive Moats

The Indian cybersecurity market, while growing rapidly, is also increasingly competitive. Companies that build durable competitive advantages will outperform:

  • CERT-In empanelment: The single most important competitive moat — it creates a regulatory barrier to entry and provides access to mandatory recurring revenue
  • Sector specialisation: Deep expertise in BFSI, healthcare, or government cybersecurity creates switching costs and premium pricing power
  • Proprietary threat intelligence: India-specific threat data, malware analysis, and attack pattern databases are extremely valuable and difficult to replicate
  • Compliance-as-a-Service platforms: Automated CERT-In reporting, DPDP Act compliance dashboards, and continuous monitoring platforms create recurring SaaS revenue streams
  • Talent pipeline: India produces over 1.5 million engineering graduates annually, but certified cybersecurity professionals (CISSP, CISA, CEH) remain scarce — companies that build training and certification programmes can create talent advantages

Practical Roadmap: Setting Up a Cybersecurity Company in India

Step 1: Choose Entity Structure and Incorporate

A private limited company (WOS) is the recommended structure. Incorporate through SPICe+ with cybersecurity and IT consulting as primary business objects. Timeline: 7-15 days. Cost: INR 15,000-25,000.

Step 2: Obtain Registrations

PAN, TAN (automatic with incorporation), GST registration, Professional Tax registration (state-level), and Shops and Establishment registration for your office.

Step 3: DPIIT Startup Recognition (if eligible)

Apply for DPIIT startup recognition to access Section 80-IAC tax benefits, patent fast-tracking, and easier public procurement access.

Step 4: Apply for CERT-In Empanelment (if applicable)

Build your team with certified professionals, accumulate audit experience, and apply for empanelment to access the mandatory audit market.

Step 5: Establish Compliance Framework

Implement your own CERT-In compliance (6-hour reporting, 180-day logs), DPDP Act readiness, and data localisation measures for client data.

Step 6: Ongoing Operations

Annual compliance includes ROC filings (MGT-7, AOC-4), statutory audit, income tax returns, GST returns, and FEMA filings if foreign-owned. Budget INR 3-8 lakh annually for compliance professional fees.

Insurance and Liability Considerations

Cybersecurity companies operating in India should secure professional indemnity insurance (also called errors and omissions insurance) to cover claims arising from security breaches, audit failures, or compliance gaps. Typical coverage ranges from INR 1 crore to INR 25 crore depending on client contract requirements and the scope of services offered.

Cyber insurance is a distinct product from professional indemnity — it covers the company's own exposure to cyberattacks, ransomware incidents, and data breaches. As a cybersecurity provider, your own security posture is both a business necessity and a client due diligence checkpoint. Enterprise clients, particularly in BFSI and government sectors, routinely require proof of both professional indemnity and cyber insurance as a condition of vendor empanelment.

Directors and officers liability (D&O) insurance is also recommended given the board-level accountability requirements under CERT-In's 2025 audit guidelines. The DPDP Act's personal liability provisions for compliance failures make D&O coverage particularly relevant for companies handling large volumes of personal data.

India's cyber insurance market is still maturing, with annual premiums typically ranging from INR 50,000 to INR 5 lakh for small to mid-sized cybersecurity firms. Coverage terms vary significantly between insurers, so comparing policy exclusions, sub-limits, and retroactive dates is essential before purchasing.

Key Takeaways

  • India's cybersecurity market is compliance-driven — CERT-In's 2025 mandate for annual third-party audits across all enterprises creates a massive, regulation-guaranteed addressable market worth billions of rupees
  • 100% FDI under automatic route makes India one of the most accessible markets for foreign cybersecurity companies, with no government approval required for IT sector investments
  • CERT-In's 6-hour incident reporting is the strictest globally and creates demand for 24/7 managed detection and response services — both a compliance obligation and a business opportunity
  • DPDP Act penalties of up to INR 250 crore are driving enterprise investment in data protection compliance, creating a parallel revenue stream for cybersecurity firms offering DPDP advisory services
  • CERT-In empanelment is a high-value competitive moat — achieving it gives access to mandatory recurring audit engagements across India's entire enterprise ecosystem

For entity structure selection and FDI compliance support, explore our foreign subsidiary registration and FEMA/RBI compliance services.

Frequently Asked Questions

What is CERT-In and why is it important for cybersecurity companies in India?

CERT-In (Indian Computer Emergency Response Team) is the nodal agency under MeitY responsible for cybersecurity incident response. It mandates 6-hour incident reporting, 180-day log retention, and annual third-party cybersecurity audits for all enterprises. Compliance is mandatory — non-compliance can result in imprisonment up to 1 year and fines up to INR 1 crore.

Can a foreign company set up a cybersecurity business in India with 100% ownership?

Yes. The IT sector in India permits 100% FDI under the automatic route, which covers cybersecurity services, software development, and information security consulting. No prior government approval is needed. The most common structure is a wholly owned subsidiary registered as a private limited company.

What are the penalties for not complying with CERT-In directions?

Under Section 70B(7) of the IT Act, non-compliance with CERT-In directions is punishable with imprisonment up to 1 year and/or fine up to INR 1 lakh. For serious violations, penalties can reach INR 1 crore. CERT-In can also suspend service authorisations, blacklist providers from government data, and restrict access to national infrastructure.

What is the DPDP Act and when does full compliance become mandatory?

The Digital Personal Data Protection Act, 2023 is India's comprehensive data protection law. DPDP Rules 2025 were notified in November 2025, with full compliance mandatory by May 13, 2027. Penalties for violations can reach INR 250 crore (approximately USD 30 million). Companies must implement privacy notices, consent systems, breach notification within 72 hours, and data erasure pipelines.

How do I become a CERT-In empanelled auditor?

Your company must be registered in India, employ certified professionals (CISA, CISSP, CEH, ISO 27001 Lead Auditor), demonstrate cybersecurity audit experience, maintain secure data handling infrastructure, and comply with CERT-In's Code of Practice. Empanelment gives access to the mandatory annual audit market covering all enterprises in India's digital ecosystem.

Are there data localisation requirements for cybersecurity companies in India?

Yes, in specific contexts. CERT-In requires 180-day log retention within Indian jurisdiction. RBI mandates that all payment system data be stored exclusively in India. The DPDP Act permits cross-border transfers except to countries on a restricted list (no list published yet as of March 2026). Sector-specific rules apply for telecom, insurance, and healthcare data.

What tax benefits are available for cybersecurity startups in India?

DPIIT-recognised startups can claim 100% income tax exemption under Section 80-IAC for 3 consecutive years within 10 years of incorporation. R&D expenditure qualifies for 100% deduction under Section 35. Exports of cybersecurity services are zero-rated for GST. The standard corporate tax rate is 25.17% for companies with turnover up to INR 400 crore.
