Indian CERT-In + Critical Information Infrastructure (CII) for MEP — IT Act + DPDP + CERT-In 2022
CERT-In and CII compliance for a 50,000 m² Tier IV DC demands ₹209 Cr capex and ₹40 Cr/yr OPEX, covering CII registration, a SOC, 24×7 SIEM, 6-hr incident reporting, 180-day log retention, DPDP data localisation, DR backup and an ISO 27001 audit. The IT Act, the DPDP Act and the CERT-In Directions of April 2022 govern. Penalties run ₹5-85 Cr plus criminal liability. Three failures recur: the 6-hr incident reporting deadline is missed, logs are retained for less than 180 days, and a non-empanelled audit firm is used.
Indian CERT-In + CII framework for MEP
CERT-In (the Indian Computer Emergency Response Team) and MeitY designate Critical Information Infrastructure (CII) under the IT Act 2000 and the DPDP Act 2023. CII includes power, petchem, water, telecom, DC, transport, healthcare and banking. CII operators must register, report incidents and give breach notification within 6 hours per the CERT-In Directions 2022. Standards stack: IT Act 2000 + DPDP Act 2023 + CERT-In Directions April 2022 + CISA NIST SP 800-53 + Indian Computer Emergency Response Team Framework 2024.
CII compliance MEP scope — 50,000 m² Tier IV DC
Three Indian CERT-In CII failures
- 6-hour incident reporting missed: the CERT-In Directions 2022 mandate breach notification within 6 hours. Indian operators often delay by days or weeks. Penalty ₹5-25 Cr plus criminal liability. Specify an automated SIEM-to-CERT-In notification pipeline.
- 180-day log retention incomplete: CERT-In and DPDP mandate 180-day log retention. Many Indian SOCs keep only 30-90 days to save cost. A forensic shortfall brings a penalty plus criminal liability. Specify cold-storage backup and a compliance audit.
- 3rd-party audit firm not CERT-In-empanelled: only CERT-In-empanelled audit firms can sign off CII compliance. Indian operators sometimes use cheap non-empanelled firms and then face audit rejection and delay.
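A check for the first two failures, added here as an example and not taken from the page or from any CERT-In tooling: it classifies incidents against the 6-hour window and finds holes in 180-day log coverage across hot and cold storage. The incident IDs, log source names and timestamps are constructed, the window is assumed to run from detection time, and no CERT-In submission interface is assumed.

```python
from datetime import datetime, timedelta, timezone

REPORT_WINDOW = timedelta(hours=6)   # reporting window stated on this page
RETENTION = timedelta(days=180)      # log retention period stated on this page

def reporting_status(detected_at, reported_at, now):
    """Classify one incident against the 6-hour window (measured from detection)."""
    deadline = detected_at + REPORT_WINDOW
    if reported_at is not None:
        return "reported_in_time" if reported_at <= deadline else "reported_late"
    return "overdue" if now > deadline else "pending"

def retention_gaps(archives, now):
    """Return uncovered (start, end) spans inside the last 180 days."""
    # archives: (start, end) spans held for one source across hot and cold tiers
    cursor, gaps = now - RETENTION, []
    for start, end in sorted(archives):
        if end <= cursor:
            continue                      # adds nothing beyond what is covered
        if start > cursor:
            gaps.append((cursor, min(start, now)))
        cursor = end
        if cursor >= now:
            break
    if cursor < now:
        gaps.append((cursor, now))
    return gaps

# Constructed sample data: incident IDs, source names and times are hypothetical.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
H, D = timedelta(hours=1), timedelta(days=1)
INCIDENTS = {
    "INC-1": (NOW - 2 * H, None),
    "INC-2": (NOW - 9 * H, None),
    "INC-3": (NOW - 30 * H, NOW - 25 * H),
    "INC-4": (NOW - 3 * D, NOW - 1 * D),
}
ARCHIVES = {
    "firewall": [(NOW - 200 * D, NOW - 80 * D), (NOW - 90 * D, NOW)],
    "vpn": [(NOW - 180 * D, NOW - 120 * D), (NOW - 100 * D, NOW)],
    "bms-gateway": [(NOW - 60 * D, NOW)],   # hot tier only, no cold storage
}

if __name__ == "__main__":
    for inc, (det, rep) in INCIDENTS.items():
        print(inc, reporting_status(det, rep, NOW))
    for src, spans in ARCHIVES.items():
        print(src, "gaps:", retention_gaps(spans, NOW))
```

An "overdue" or "pending" result is the trigger for the notification pipeline, and any non-empty gap list is the forensic shortfall an audit would find.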
Standards stack
- IT Act 2000 + Amendments + Rules 2024 (India).
- DPDP Digital Personal Data Protection Act 2023 + Rules 2024 (India).
- CERT-In Directions April 2022 — Reporting + Compliance + 6-hr Notification.
- National Critical Information Infrastructure Protection Centre NCIIPC 2024.
- NIST SP 800-53 Rev 5 + Cybersecurity Framework 2.0.
- ISO 27001:2022 + ISO 27017 + ISO 27018 + ISO 27701.
- EU NIS2 + DORA (referenced for international comparison).
- RBI Cyber Security Framework for Banks 2024 + IRDAI Cyber 2024.
