India CERT-In Software Supply Chain Update

A senior engineer's view of how CERT-In directives in 2025 and 2026 are reshaping software supply chain expectations for organizations operating in India.

Nayan Dey
Senior Security Engineer

The Indian Computer Emergency Response Team, CERT-In, has been one of the more active national CERTs in shaping the cybersecurity expectations of organizations operating in India. The 2022 directive that introduced six-hour incident reporting and detailed log retention obligations was an early signal that the regulatory environment was tightening, and the supplementary guidance issued through 2024, 2025, and into 2026 has expanded the scope to include software supply chain visibility and control. For engineering teams building or operating systems used in India, the expectations now extend well past perimeter defense into deep visibility of dependencies, build pipelines, and vendor relationships.

How does CERT-In treat software supply chain in current guidance?

CERT-In's guidance on software supply chain has evolved through a series of advisories and sectoral directives rather than a single regulation. The cumulative position by 2026 is that organizations handling personal data, operating critical information infrastructure, or providing essential services should maintain inventories of the software running on their systems, should monitor those inventories against known vulnerabilities, and should have processes for responding to supply chain incidents.

The Reserve Bank of India and the Securities and Exchange Board of India have layered additional sectoral expectations on top of the CERT-In baseline, which means financial sector organizations face stricter supply chain controls than the general population. SEBI's cybersecurity framework requires comprehensive third-party risk management, and RBI's IT framework expects banks to maintain visibility into software running on systems that handle financial data. Both regulators have been increasingly explicit that visibility means component-level, not application-level.

The Digital Personal Data Protection Act, which came into force in 2025, adds a privacy-driven dimension. Data fiduciaries must implement reasonable security safeguards, which the CERT-In and sectoral advisories interpret to include vendor and supply chain controls when third parties are processors of personal data. Most organizations that fall under DPDP also fall under CERT-In's broader expectations, and the practical compliance picture has become unified.

What did the six-hour reporting directive change in practice?

The 2022 six-hour incident reporting requirement attracted significant attention internationally, and 2025 and 2026 have provided enough operational experience to assess what changed. Most regulated organizations have built reporting workflows that can meet the timeline for clear-cut incidents, but the harder cases involve supply chain attacks where the initial detection is ambiguous and the scope of impact takes longer to establish.

CERT-In has been pragmatic in practice. Reports filed within six hours that describe an incident in active investigation, with subsequent updates as scope is established, have generally been accepted. Organizations that delayed reporting until full scope was understood have been treated less favorably. The lesson for supply chain incidents is to file early with what is known and update as more becomes clear, rather than to wait for a complete picture.

The log retention requirement under the same directive, which expects 180 days of logs maintained within India, has been more consequential operationally. Organizations relying on cloud-based logging from non-Indian regions have had to redesign their telemetry pipelines, and the vendor selection landscape for security tooling has shifted toward providers with Indian regions or compliant data residency options. Supply chain incident investigation depends on log availability, and the residency requirement is now a real procurement criterion.

How are critical information infrastructure designations affecting supply chain expectations?

The National Critical Information Infrastructure Protection Centre, NCIIPC, designates protected systems in sectors including power, banking, telecom, transport, government, and strategic public enterprises. Designated entities operate under stricter supply chain expectations than the general population, including more detailed inventory requirements, stricter vendor controls, and tighter incident response timelines.

The 2025 and 2026 NCIIPC guidance tightened software supply chain expectations significantly. Designated entities are expected to maintain detailed software inventories, to evaluate suppliers for security posture before procurement, to monitor inventoried components for vulnerability and threat intelligence, and to have tested incident response capabilities for supply chain compromise. Several designated entities have been audited against these expectations through 2025 and 2026, and the findings have driven internal investment programs.

The downstream effect on suppliers has been substantial. Vendors selling into NCIIPC-designated organizations are increasingly asked for SBOMs, signed attestations, and supply chain security certifications. The Indian market is mirroring the federal procurement dynamics seen in the US and EU, where supply chain transparency is becoming a procurement gate rather than a nice-to-have.

What does the Indian SBOM landscape look like?

SBOM generation has been advisory in CERT-In guidance for several years, and the practical adoption among Indian organizations has accelerated through 2025 and 2026. Larger enterprises and regulated entities now generate SBOMs as part of their standard build and release pipelines, increasingly using CycloneDX as the dominant format because of broader tooling support.

Domestic tooling has matured. Several Indian security vendors and open-source projects have published SBOM generators, vulnerability scanners, and compliance reporting tools tuned for the Indian regulatory landscape. The market for international platforms remains substantial, but the domestic alternatives are now credible options for organizations with data residency concerns or budget constraints.

Cross-border SBOM exchange is also a growing topic. Indian vendors selling into the US and EU are producing SBOMs to satisfy international procurement requirements, and Indian buyers are receiving SBOMs from international suppliers. The interoperability between formats is generally good, but the operational workflow for ingesting external SBOMs, mapping them to internal inventory, and tracking vulnerability state requires platform capability beyond simple file storage.

What are the common gaps in Indian supply chain compliance?

Three gaps appear consistently across pre-audit reviews. First, asset inventories often stop at the application level. Indian organizations have generally good visibility of the applications they run, but the underlying open-source components, container layers, and runtime dependencies are less consistently captured. CERT-In and sectoral auditors increasingly expect component-level visibility, and the gap is most visible at the audit layer.

Second, vendor management is paper-based. Many organizations have vendor security questionnaires, signed contracts, and periodic reviews, but the operational telemetry that would let them detect a vendor incident in real time is missing. The CERT-In reporting timeline assumes the organization can detect supply chain compromises quickly, and questionnaire-based vendor management does not support that.

Third, log residency creates fragmentation. Organizations using cloud security tooling without Indian region support have logs in compliant systems and supplementary logs elsewhere, which creates investigation overhead during incidents. The right architectural answer is to consolidate on tooling that supports Indian residency, and several organizations are mid-migration through 2026.

What changes through 2026 and beyond?

CERT-In and sector regulators are likely to continue tightening supply chain expectations through 2026. The trajectory is toward sharper, more measurable obligations that map onto international SBOM and provenance standards. Indian organizations operating across jurisdictions are well-served by aligning to the EU Cyber Resilience Act and US executive order baselines, because the Indian expectations are converging in the same direction.

Sectoral guidance from RBI, SEBI, and IRDAI is also expected to deepen. The financial sector's appetite for supply chain transparency mirrors what is happening in the US and EU, and Indian financial institutions are publishing increasingly detailed expectations of their software vendors. The convergence is creating a consistent baseline that reduces the cost of compliance for vendors selling across regulated sectors.

A subtler change is in domestic security tooling adoption. As Indian regulatory expectations mature, the demand for tooling tuned to Indian operational realities, including data residency, language support, and integration with Indian compliance frameworks, is growing. The market opportunity is driving investment in domestic and India-localized international platforms, and the next two years will likely see substantial maturation in this space.

How Safeguard Helps

Safeguard meets Indian regulatory expectations across CERT-In, NCIIPC, RBI, SEBI, and DPDP requirements. Continuous component-level software inventory generation covers every system in scope, with SBOMs produced from real build artifacts rather than declared inventories. Lino compliance maps your inventory and supporting telemetry to Indian regulatory controls and produces audit-ready evidence packs that align with the questions CERT-In and sectoral auditors actually ask. Griffin reachability analysis surfaces the exploitable subset of vulnerabilities so prioritization is risk-aware, and the platform's incident response workflows support six-hour reporting timelines with audit trails that hold up under regulator review. Indian region support and data residency options keep your telemetry compliant with log retention requirements while still giving you the global supply chain visibility you need for international operations.