



If you’re an Indian enterprise handling digital data, 2026 is the year compliance stops being optional. The DPDP Act is in full effect, and CERT-In directions remain actively enforced. Non-compliance isn’t just a regulatory risk — it’s a business risk with significant penalties and loss of customer trust.
Here’s your practical compliance checklist — what you need to do, by when, and how to verify you’re compliant. This is what we implement for clients at P J Networks every day.
The CERT-In directions issued on 28 April 2022 under Section 70B(6) of the IT Act remain in force. They bind service providers, intermediaries, data centres, body corporates and government organisations, which in practice covers every Indian enterprise with ICT infrastructure. Non-compliance can result in penalties and regulatory scrutiny.
Logs of all ICT systems must be maintained securely for a rolling period of at least 180 days, and they must be kept within Indian jurisdiction. That means firewall logs, server logs, application logs, authentication logs and network device logs alike. The logs also have to be usable as evidence, so protect them against tampering and deletion.
✅ Action: Audit your log retention policies at every layer: logrotate and syslog settings on hosts, cloud log-group retention, and the SIEM's own index lifecycle. Ensure no critical log source rotates or expires before 180 days. Verify your SIEM has adequate storage for the full period and that the 180-day copy is held in India; an offshore SIEM tenant does not satisfy the jurisdiction requirement. Implement WORM or object-lock storage for audit logs where possible.
⚠️ Common gap: Network device logs (switches, routers, access points) are often left out of retention policies even though they are ICT systems squarely within scope. Cloud infrastructure logs, whose default retention is frequently far shorter than 180 days, are also overlooked.
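The quickest way to find the "rotates before 180 days" gap on Linux hosts is to compute the worst-case retention of every logrotate stanza rather than reading configs by eye. The script below is an added example, not P J Networks' tooling or code from the original page: it parses logrotate-style config text (the sample config is constructed for illustration), derives each path's retention window from `rotate`, the rotation interval and `maxage`, and flags anything under 180 days. Stanzas that rotate on `size` or `maxsize` get no time bound at all, so they are reported as indeterminate rather than silently passed.

```python
"""Audit logrotate stanzas against a 180-day minimum retention window.

Added example, not from the original page. Parses logrotate-style config
text, derives the worst-case days each log path stays on disk and flags
stanzas that fall short. SAMPLE_CONFIG is constructed for illustration.
"""

REQUIRED_DAYS = 180
INTERVAL_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

# Constructed sample: a global block, a maxage-capped firewall stanza, a
# compliant auth stanza, a size-driven app stanza and a switch stanza that
# silently inherits the global "weekly / rotate 4" (28 days).
SAMPLE_CONFIG = """
weekly
rotate 4

/var/log/firewall/*.log {
    daily
    rotate 200
    compress
    maxage 90
}

/var/log/auth.log {
    daily
    rotate 190
    compress
    delaycompress
}

/var/log/app/api.log {
    size 100M
    rotate 10
}

/var/log/switches/*.log {
    # inherits weekly / rotate 4 from the global block
    missingok
}
"""


def parse_logrotate(text):
    """Return (global_directives, [(path, directives), ...])."""
    globals_, stanzas = {}, []
    path, current = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            path, current = line[:-1].strip(), {}
            continue
        if line == "}":
            stanzas.append((path, current))
            path, current = None, None
            continue
        parts = line.split()
        target = current if current is not None else globals_
        target[parts[0]] = parts[1] if len(parts) > 1 else True
    return globals_, stanzas


def effective(globals_, directives):
    """Merge a stanza over the global block; a stanza interval replaces the global one."""
    merged = dict(globals_)
    if any(k in directives for k in INTERVAL_DAYS):
        for k in INTERVAL_DAYS:
            merged.pop(k, None)
    merged.update(directives)
    return merged


def retention_days(directives):
    """Worst-case days a log line survives, or None if no time bound exists.

    retention = rotate * interval, capped by maxage (logrotate deletes rotated
    files older than maxage days). size/maxsize rotate on volume, so the
    window cannot be bounded in time.
    """
    if "size" in directives or "maxsize" in directives:
        return None
    interval = next((INTERVAL_DAYS[k] for k in INTERVAL_DAYS if k in directives), None)
    if interval is None or "rotate" not in directives:
        return None
    days = int(directives["rotate"]) * interval
    if "maxage" in directives:
        days = min(days, int(directives["maxage"]))
    return days


def audit(text, required_days=REQUIRED_DAYS):
    """Return {path: (days_or_None, verdict)} for every stanza in the config."""
    globals_, stanzas = parse_logrotate(text)
    report = {}
    for path, directives in stanzas:
        days = retention_days(effective(globals_, directives))
        if days is None:
            verdict = "INDETERMINATE (size-based or incomplete; add a time-based bound)"
        elif days < required_days:
            verdict = "FAIL"
        else:
            verdict = "OK"
        report[path] = (days, verdict)
    return report


if __name__ == "__main__":
    for path, (days, verdict) in audit(SAMPLE_CONFIG).items():
        print(f"{verdict:<12} {days!s:>6} days  {path}")
```

Run it against the concatenation of `/etc/logrotate.conf` and `/etc/logrotate.d/*`. The common surprises it surfaces are a `maxage` someone added to save disk and stanzas with no interval of their own that inherit a short global default. Host-side rotation is only half the picture: the copy that actually satisfies the 180-day requirement is the one in your central store, so check that retention too.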
Cyber incidents of the types listed in the directions' annexure (unauthorised access to systems or data, data breaches and leaks, malicious code, defacement, attacks on critical infrastructure and others) must be reported to CERT-In within 6 hours of noticing them or being brought to notice of them. The clock starts when you have reason to believe an incident has occurred, not when you have confirmed the details.
✅ Action: Establish an incident reporting SOP with escalation contacts and a pre-filled template in CERT-In's published reporting format, sent through its published channel (incident@cert-in.org.in, with phone and fax alternatives). Run tabletop exercises quarterly to ensure your team can execute the report within the 6-hour window.
⚠️ Common gap: Many organisations delay reporting while conducting internal investigation. The 6-hour clock starts at detection, not confirmation. We have seen clients miss the deadline because they tried to fully scope the incident before reporting. Report what you know within 6 hours and follow up with details as the scope becomes clear.
All ICT systems must synchronise their clocks to the NTP servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to them; organisations whose infrastructure spans several countries may use another accurate standard source as long as it does not deviate from NPL/NIC time. Consistent timestamps are critical for correlating events across systems during incident investigation, and a drifted clock can make a 6-hour reporting window or a 180-day retention window impossible to evidence.
✅ Action: Verify that every system, including hypervisors, network devices and cloud workloads, syncs either directly to NIC/NPL or to internal NTP servers that chain to them, rather than to whatever public pool the operating system shipped with. Document the hierarchy. Audit quarterly that clocks are actually synchronised (not merely that NTP is enabled) and that no device has drifted outside your documented tolerance.
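A quarterly NTP audit is easy to automate when you collect `chronyc tracking` output from each host and check it against a written policy. The script below is an added example and not code from the original page or from P J Networks: the host outputs are constructed in chrony's real layout, and the approved server names (`ntp1.corp.example`, `ntp2.corp.example`), the 100 ms offset tolerance and the stratum ceiling are assumed policy values, since the direction requires traceability to NIC/NPL but fixes no numeric tolerance. It flags clocks that are not synchronised, that sync to an unapproved source, that sit too many strata from the reference, or that are offset beyond tolerance.

```python
"""Audit chrony clock sync across a fleet against an NTP policy.

Added example, not from the original page. Parses the text printed by
`chronyc tracking` on each host and returns policy findings. All host
outputs below are constructed; allowed_sources, max_offset_s and
max_stratum are assumed policy values, not values from the direction.
"""
import re

POLICY = {
    # Assumed: internal servers that are themselves synced to NIC/NPL.
    "allowed_sources": {"ntp1.corp.example", "ntp2.corp.example"},
    "max_offset_s": 0.1,   # assumed tolerance (100 ms)
    "max_stratum": 4,      # assumed ceiling on distance from the reference clock
}


def sample_tracking(ref_id, name, stratum, system_time, leap="Normal"):
    """Build constructed `chronyc tracking` output in the layout chrony uses."""
    return (
        f"Reference ID    : {ref_id} ({name})\n"
        f"Stratum         : {stratum}\n"
        f"Ref time (UTC)  : Tue Jan 14 10:22:41 2025\n"
        f"System time     : {system_time}\n"
        f"Last offset     : +0.000187421 seconds\n"
        f"RMS offset      : 0.000251103 seconds\n"
        f"Frequency       : 12.341 ppm slow\n"
        f"Root delay      : 0.021534 seconds\n"
        f"Root dispersion : 0.003812 seconds\n"
        f"Update interval : 1024.2 seconds\n"
        f"Leap status     : {leap}\n"
    )


# Constructed fleet: one healthy host, one drifted, one never synchronised,
# one quietly pointed at a public server outside the approved hierarchy.
FLEET = {
    "fw-01":   sample_tracking("C0A80A05", "ntp1.corp.example", 3, "0.000412735 seconds fast of NTP time"),
    "web-02":  sample_tracking("C0A80A05", "ntp1.corp.example", 3, "0.851203440 seconds slow of NTP time"),
    "sw-core": sample_tracking("00000000", "", 0, "0.000000000 seconds fast of NTP time", leap="Not synchronised"),
    "app-03":  sample_tracking("0A7B1C2D", "time.example.org", 2, "0.002100000 seconds fast of NTP time"),
}


def parse_tracking(text):
    """Split 'Label : value' lines into a dict; the Ref time value keeps its inner colons."""
    fields = {}
    for line in text.strip().splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def offset_seconds(system_time_value):
    """'0.0004 seconds fast of NTP time' -> +0.0004; 'slow' is negative; None if unparsable."""
    m = re.match(r"([\d.]+) seconds (fast|slow)", system_time_value)
    if not m:
        return None
    value = float(m.group(1))
    return value if m.group(2) == "fast" else -value


def reference_name(reference_id_value):
    """'C0A80A05 (ntp1.corp.example)' -> 'ntp1.corp.example'; '' when chrony has no source."""
    m = re.search(r"\((.*?)\)", reference_id_value)
    return m.group(1) if m else ""


def audit_host(tracking_text, policy=POLICY):
    """Return a list of (code, detail) findings for one host; empty means compliant."""
    f = parse_tracking(tracking_text)
    findings = []
    if f.get("Leap status") != "Normal":
        findings.append(("UNSYNC", f"leap status {f.get('Leap status')!r}"))
    source = reference_name(f.get("Reference ID", ""))
    if source not in policy["allowed_sources"]:
        findings.append(("SOURCE", f"synced to {source or 'nothing'}"))
    stratum = int(f.get("Stratum", "0"))
    if stratum == 0 or stratum > policy["max_stratum"]:
        findings.append(("STRATUM", f"stratum {stratum}"))
    offset = offset_seconds(f.get("System time", ""))
    if offset is None or abs(offset) > policy["max_offset_s"]:
        findings.append(("OFFSET", f"offset {offset} s"))
    return findings


def audit_fleet(outputs, policy=POLICY):
    """{host: chronyc output} -> {host: findings} for hosts with at least one finding."""
    result = {}
    for host, text in outputs.items():
        findings = audit_host(text, policy)
        if findings:
            result[host] = findings
    return result


if __name__ == "__main__":
    for host, findings in audit_fleet(FLEET).items():
        for code, detail in findings:
            print(f"{host:<8} {code:<8} {detail}")
```

Feed it real output by running `chronyc tracking` over SSH or through your configuration management tool and keying the dict by hostname; hosts still on ntpd can be covered the same way by parsing `ntpq -c rv`. The "SOURCE" check is the one most audits miss: a clock can be perfectly synchronised and still fail the direction if it is synchronised to the wrong hierarchy.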
Data centres, Virtual Private Server (VPS) providers, cloud service providers and VPN service providers must register and validate subscriber details and retain them for at least 5 years after a customer cancels or withdraws, or longer if required by law. The required records go beyond identity and address proof: validated names and contact numbers, the period of hire, the IPs allotted and used, the email address and IP address and timestamp used at registration, the purpose of hiring, and the ownership pattern of the subscriber.
✅ Action: If you provide any of these services, verify your KYC collection, validation and retention process end to end. If you are a customer of such services, confirm your provider is compliant; their compliance gaps can become your liability, and a provider that cannot produce these records will also struggle to support your incident investigations.
The DPDP Act applies to the processing of digital personal data within India, and to processing outside India that is connected with offering goods or services to individuals in India. Here is what you need:
Publish a point of contact for data principals. Every data fiduciary must publish the contact details of a Data Protection Officer or another person able to answer questions about the processing of personal data. Entities notified as Significant Data Fiduciaries must additionally appoint a DPO based in India who represents the organisation under the Act and is the point of contact for grievance redressal.
✅ Action: Designate a DPO (mandatory if you are notified as a Significant Data Fiduciary, and good practice otherwise) and publish contact details in your privacy notice and consent requests. This can be an existing senior employee (CISO, IT Head) for most organisations, but make sure they have the authority and resources to fulfil the role, including a working grievance redressal process behind the contact details.
Implement a consent management mechanism that allows data principals to give, manage, and withdraw consent. Consent must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the personal data necessary for the stated purpose. Withdrawal must be as easy as giving consent was, and processing must stop within a reasonable time after withdrawal.
✅ Action: Review all data collection points. Each consent request must be accompanied by a notice describing the data and purpose, with the option to read it in English or any language in the Eighth Schedule of the Constitution. Implement one-click withdrawal. Keep consent records (what was shown, what was agreed, when, and any withdrawal) so you can demonstrate consent to the Board on request.
Significant Data Fiduciaries must conduct periodic Data Protection Impact Assessments (DPIAs) and periodic audits. For everyone else, a DPIA is the practical way to show you have thought about processing that carries significant risk to data principals: large-scale profiling, processing of children's data (which also requires verifiable parental consent and bars tracking and targeted advertising), or deployment of new technology on personal data.
✅ Action: Create a DPIA framework. Conduct assessments for each major data processing activity. Document findings, risks and mitigation measures so they are available for audit and for the Board.
In case of a personal data breach, notify the Data Protection Board and each affected data principal. The DPDP Rules require intimating affected data principals without delay, and the Board without delay followed by a detailed report within 72 hours of becoming aware of the breach (or a longer period the Board allows on request). This sits alongside CERT-In's 6-hour incident reporting requirement; you need to satisfy both.
✅ Action: Extend your CERT-In incident response plan to include DPDP breach notification requirements. Prepare notification templates for both the Board and data principals. Sequence the timelines explicitly in your SOP: the CERT-In report at 6 hours, initial DPDP intimations without delay, and the detailed Board report within 72 hours, reusing the facts gathered for the earlier notifications.
Personal data must be retained only as long as necessary for the purpose for which it was collected. After that, it must be erased or anonymised. This is a fundamental principle of the DPDP Act and one of the most operationally challenging requirements to implement.
✅ Action: Review data retention schedules. Implement automated purging (erasure or anonymisation) for data whose purpose is served and which no law requires you to keep. Pay special attention to backups: they are still personal data you hold, so give them an expiry aligned to the schedule and make sure restore procedures cannot resurrect records that were purged from production.
The DPDP Act allows transfer of personal data outside India except to countries or territories the Central Government restricts by notification, and the Rules let the government set conditions on making personal data available to foreign states. This is a restricted list, not an approved list, and sectoral localisation rules (for example the RBI's payment data mandate) continue to apply on top of it. Monitor the notifications and ensure your data flows comply.
✅ Action: Map all cross-border data flows, including SaaS and support access from abroad. Review contracts with foreign data processors. Ensure adequacy of protection measures. Document transfer impact assessments and check each destination against the notified restrictions and any sectoral rule that applies to you.
Meeting both CERT-In and DPDP Act requirements requires more than policy documents. You need technical infrastructure that operationalises compliance:
DPDP and CERT-In compliance doesn’t have to be overwhelming. P J Networks helps Indian enterprises build the technical infrastructure for both frameworks — from SIEM deployment to log retention to incident response automation. Our PrahiX Ora platform includes built-in CERT-In and DPDP compliance modules that automate reporting, log retention, and audit trail generation.
Get in touch for a compliance readiness assessment. We’ll map your current posture against both frameworks, identify gaps, and deliver a remediation roadmap with clear timelines and costs.
P J Networks. 24/7 NOC/SOC operations. Helping Indian enterprises stay compliant since 1996.