Indian CERT-In + Critical Information Infrastructure (CII) for MEP — IT Act + DPDP + CERT-In 2022
Indian CERT-In + CII compliance for 50,000 m² Tier IV DC demands ₹209 Cr capex + ₹40 Cr/yr OPEX with CII registration + SOC + 24×7 SIEM + 6-hr incident reporting + 180-day log retention + DPDP data localisation + DR backup + ISO 27001 audit. IT Act + DPDP + CERT-In Directions April 2022 govern. Penalty ₹5-85 Cr + criminal liability. Three failures: 6-hr incident reporting missed, log retention < 180 days, non-empanelled audit firm used.
Indian CERT-In + CII framework for MEP
India CERT-In (Indian Computer Emergency Response Team) + MeitY designate Critical Information Infrastructure (CII) under IT Act 2000 + DPDP Act 2023. CII includes power + petchem + water + telecom + DC + transport + healthcare + banking. CII operators must register + report incidents + 6-hr breach notification per CERT-In Directions 2022. Standards stack — IT Act 2000 + DPDP Act 2023 + CERT-In Directions April 2022 + CISA NIST SP 800-53 + Indian Computer Emergency Response Team Framework 2024.
CII compliance MEP scope — 50,000 m² Tier IV DC
| Requirement | Detail | Capex (₹ Cr) | Standard |
|---|---|---|---|
| CII registration | online via CERT-In portal | 0 | IT Act 2000 |
| Identification + classification of CII assets | BMS + SCADA + DDC + IT | 12 | CERT-In 2022 |
| Risk assessment + audit (annual) | 3rd-party audit firm | 15/yr | CERT-In 2022 |
| SOC + 24×7 monitoring | 3rd-party managed or in-house | 35 | 0 |
| Incident reporting (6-hr breach notification) | SIEM + auto-alert | 5 | CERT-In 2022 |
| Vulnerability scanning + pen-testing | quarterly + annual | 12/yr | CERT-In 2022 |
| Log retention (180 days minimum) | SIEM + cold-storage | 8 | CERT-In 2022 |
| Data localisation (DPDP) | India-side data | 25 | DPDP 2023 |
| Cyber-security training (annual) | staff awareness | 5/yr | CERT-In + DPDP |
| Insurance + 3rd-party liability | 0 | 3/yr | — |
| DR + backup + business continuity | RPO 4hr / RTO 24hr | 22 | 0 |
| Cyber-security operations centre (CSOC) | staff + tools | 55 | 0 |
| Compliance audit + certification | ISO 27001 + IEC 62443 | 15 | ISO 27001 |
| Total CII compliance capex | 0 | 209 | — |
| Annual OPEX | 0 | 40 | — |
Three Indian CERT-In CII failures
- 6-hour incident reporting missed — CERT-In Directions 2022 mandate 6-hr breach notification. Indian operators often delay by days/weeks. Penalty ₹5-25 Cr + criminal liability. Specify automated SIEM-to-CERT-In notification pipeline.
- Log retention 180 days incomplete — CERT-In + DPDP mandate 180-day log retention. Many Indian SOCs keep 30-90 days for cost. Penalty + criminal liability on forensic shortfall. Specify cold-storage backup + compliance audit.
- 3rd-party audit firm not CERT-In-empanelled — only CERT-In-empanelled audit firms can sign off CII compliance. Indian operators sometimes use cheap non-empanelled firms — face audit-rejection + delay.
- IT Act 2000 + Amendments + Rules 2024 (India).
- DPDP Digital Personal Data Protection Act 2023 + Rules 2024 (India).
- CERT-In Directions April 2022 — Reporting + Compliance + 6-hr Notification.
- National Critical Information Infrastructure Protection Centre NCIIPC 2024.
- NIST SP 800-53 Rev 5 + Cybersecurity Framework 2.0.
- ISO 27001:2022 + ISO 27017 + ISO 27018 + ISO 27701.
- EU NIS2 + DORA (referenced for international comparison).
- RBI Cyber Security Framework for Banks 2024 + IRDAI Cyber 2024.