DPDP Act & CERT-In Compliance Checklist for Indian Enterprises (2026)

If you’re an Indian enterprise handling digital data, 2026 is the year compliance stops being optional. The Digital Personal Data Protection (DPDP) Act is in effect, and CERT-In directions remain active and enforced.

Here’s your practical compliance checklist — what you need to do, by when, and how to verify you’re compliant.

CERT-In Compliance (Effective Now)

The Indian Computer Emergency Response Team (CERT-In) directions issued in 2022 remain in full force. Non-compliance can result in penalties and increased regulatory scrutiny.

1. Log Retention: 180 Days Minimum

All ICT systems must retain logs for a minimum of 180 days. This includes firewall logs, server logs, application logs, authentication logs, and network device logs.

Action: Audit your log retention policies. Ensure no critical log source rotates before 180 days. Verify your SIEM or log management platform has adequate storage for the full retention period.

⚠️ Common gap: Network device logs (switches, routers, access points) are often excluded from retention policies despite being explicitly required.
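One way to run the retention audit above against host-level rotation settings, as an added example that is not part of the original post: it parses a constructed logrotate-style fragment, works out each source's effective retention (rotate count times interval, capped by maxage), and flags anything that falls short of the 180-day floor. The paths and values are made up for the example.

```python
import re

MIN_RETENTION_DAYS = 180  # CERT-In floor for every ICT log source
INTERVAL_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

# Constructed logrotate fragment (not a real config): a mix of compliant and non-compliant sources.
SAMPLE_CONFIG = """
/var/log/nginx/*.log {
    daily
    rotate 14
}
/var/log/auth.log {
    weekly
    rotate 26
}
/var/log/firewall/*.log {
    daily
    rotate 400
    maxage 90
}
/var/log/netdev/switch.log {
    monthly
    rotate 5
}
"""

def parse_stanzas(config):
    """Yield (path, body) for each `path { ... }` stanza in logrotate syntax."""
    for m in re.finditer(r"^(\S+)\s*\{(.*?)^\}", config, re.M | re.S):
        yield m.group(1), m.group(2)

def effective_retention_days(body):
    """Days a stanza keeps logs: rotate count x interval, capped by maxage when present."""
    interval, rotate, maxage = 7, 0, None  # weekly is the usual /etc/logrotate.conf default
    for line in body.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] in INTERVAL_DAYS:
            interval = INTERVAL_DAYS[tok[0]]
        elif tok[0] == "rotate" and len(tok) > 1:
            rotate = int(tok[1])
        elif tok[0] == "maxage" and len(tok) > 1:
            maxage = int(tok[1])  # maxage removes rotated files older than N days regardless of count
    days = rotate * interval
    return min(days, maxage) if maxage is not None else days

def audit(config, minimum=MIN_RETENTION_DAYS):
    """Return {path: (retention_days, compliant)} for every stanza in the config."""
    results = {}
    for path, body in parse_stanzas(config):
        days = effective_retention_days(body)
        results[path] = (days, days >= minimum)
    return results
```

The firewall stanza shows the trap to look for: a generous rotate count is silently overridden by a short maxage, and the switch log shows a network-device source rotating out after five months.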

2. Incident Reporting: 6 Hours

Any cybersecurity incident must be reported to CERT-In within 6 hours of detection or reasonable suspicion.

Action: Establish an incident reporting SOP that includes the CERT-In portal, escalation contacts, and a template for the required information (type of incident, systems affected, impact assessment, mitigation status).

⚠️ Common gap: Many organisations detect incidents but delay reporting while conducting internal investigation. The 6-hour clock starts at detection, not confirmation.

3. Synchronised Time Stamps

All ICT systems must have synchronised time stamps using NTP servers traceable to the National Physical Laboratory (NPL) or equivalent.

Action: Verify your NTP configuration points to a reliable stratum-1 source. Document the NTP server hierarchy and verification method.
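A verification method for the NTP check above, as an added example that is not from the original post: it parses `chronyc tracking` output (the sample is constructed, with an assumed internal stratum-1 server as the reference) and reports whether the host is synchronised closely enough to a stratum-1 source. The offset tolerance is an assumed value to adjust to your own audit policy.

```python
import re

MAX_STRATUM = 2            # a client synced directly to a stratum-1 server reports stratum 2
MAX_OFFSET_SECONDS = 0.5   # assumed tolerance; tighten it to what your audit policy requires

# Constructed `chronyc tracking` output for a host synced to an assumed internal stratum-1 server.
SAMPLE_TRACKING = """\
Reference ID    : C0A80A01 (ntp1.example.internal)
Stratum         : 2
Ref time (UTC)  : Mon Jan 12 09:14:32 2026
System time     : 0.000341 seconds slow of NTP time
Last offset     : -0.000210 seconds
RMS offset      : 0.000355 seconds
Leap status     : Normal
"""

def parse_tracking(text):
    """Turn `chronyc tracking` output into a {field: value} dict (values kept as strings)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def system_offset_seconds(fields):
    """Signed offset of the local clock from NTP time; 'slow' means the clock is behind."""
    m = re.match(r"([\d.]+) seconds (slow|fast)", fields.get("System time", ""))
    if not m:
        return None
    value = float(m.group(1))
    return -value if m.group(2) == "slow" else value

def check_time_sync(text):
    """Return (ok, findings) for the checks an auditor would expect on the time source."""
    f = parse_tracking(text)
    findings = []
    stratum = int(f.get("Stratum", "16"))  # 16 means unsynchronised in NTP terms
    if stratum > MAX_STRATUM:
        findings.append(f"stratum {stratum} is too far from a stratum-1 reference")
    if f.get("Leap status") != "Normal":
        findings.append(f"leap status is {f.get('Leap status')!r}, clock not synchronised")
    if f.get("Reference ID", "").startswith("7F7F"):  # chrony shows the local clock as 7F7F0101
        findings.append("reference is the local clock, not an external NTP source")
    offset = system_offset_seconds(f)
    if offset is None or abs(offset) > MAX_OFFSET_SECONDS:
        findings.append(f"system time offset {offset} s is outside tolerance")
    return (not findings, findings)
```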

4. KYC of Subscribers/Customers

Virtual Private Server (VPS) providers, VPN services, data centres, and similar entities must maintain subscriber KYC for at least 5 years.

Action: If you provide any of these services, verify your KYC collection and retention process. If you’re a customer of such services, ensure your provider is compliant.

DPDP Act Compliance (2026)

The DPDP Act applies to any entity processing personal data of Indian residents — whether based in India or abroad. Here’s what you need:

1. Data Protection Officer (DPO)

Appoint a DPO who will be the point of contact for data principals and the Data Protection Board.

Action: Designate a DPO and publish contact details. This can be an existing senior employee (CISO, IT Head) for most organisations.

2. Consent Manager

Implement a consent management mechanism that allows data principals to give, manage, and withdraw consent for data processing.

Action: Review all data collection points (website forms, app registrations, employee onboarding). Ensure clear consent language and an easy withdrawal mechanism.

3. Data Protection Impact Assessment (DPIA)

Conduct DPIAs for any processing that poses significant risk to data principals — including large-scale profiling, sensitive data processing, or new technology deployment.

Action: Create a DPIA framework. Conduct assessments for each major data processing activity. Document and retain for audit.

4. Breach Notification

Notify the Data Protection Board and affected data principals in case of a personal data breach. The timeline and format are still being finalised, but early preparation is essential.

Action: Extend your CERT-In incident response plan to include DPDP breach notification requirements. Prepare notification templates for both the Board and data principals.

5. Data Retention Limitation

Personal data must be retained only as long as necessary for the purpose for which it was collected. After that, it must be erased or anonymised.

Action: Review data retention schedules. Implement automated purging for data beyond its lawful purpose. Document retention justifications.

6. Cross-Border Data Transfer Restrictions

The DPDP Act restricts transfer of personal data outside India, subject to certain exceptions and notified countries. Monitor for the government’s list of approved jurisdictions.

Action: Map all cross-border data flows involving Indian personal data. Review contracts with foreign data processors. Ensure adequacy of protection measures.

The Compliance Tech Stack You Need

Meeting both CERT-In and DPDP Act requirements requires more than policy documents. You need:

  • A SIEM or log management platform with 180-day retention and tamper-proof audit trails
  • Automated incident reporting that can generate CERT-In-format reports within 6 hours
  • Consent management infrastructure for DPDP compliance
  • Unified audit trails that span both frameworks — one report, both satisfied
  • Access controls and MFA on all critical systems

Ready for Your Audit?

DPDP and CERT-In compliance doesn’t have to be overwhelming. P J Networks helps Indian enterprises build the technical infrastructure for both frameworks — from SIEM deployment to log retention to incident response automation.

Get in touch for a compliance readiness assessment. PrahiX Ora includes built-in CERT-In and DPDP compliance modules.


P J Networks. 24/7 NOC/SOC operations. Helping Indian enterprises stay compliant since 1996.
