If you operate in or contract with a regulated sector in India (banks, NBFCs, payment system operators under specific RBI directives, SEBI-regulated market intermediaries, IRDAI insurers, telecom under DoT/TRAI, power under CEA guidelines, government departments, PSUs), or you have been designated a Critical Information Infrastructure operator by NCIIPC under Section 70 of the IT Act, you need a CERT-In empanelled pentest vendor. For most B2B SaaS startups, private software companies, e-commerce platforms, EdTech, and HealthTech apps that do not serve hospitals at clinical grade, empanelment is not required and the companion post on when you do not need a CERT-In empanelled vendor is the right read. This article is the affirmative path for buyers who genuinely fall into the regulated bucket.
The scenario that brings most readers here is specific. A compliance officer, CTO, or security lead receives a regulator notice, audit directive, or tender clause that says the engagement must be conducted by a CERT-In empanelled auditor. They have a 30 or 60 day window, no existing relationship with an empanelled firm, and a vendor sales call already pitching them. Before signing anything, the right questions are: is the requirement real for your case, what does empanelled vs non-empanelled actually mean, and how do you find the right firm.
We are not CERT-In empanelled, and we say so openly. Cybersecify serves the segment where empanelment is not required (private SaaS, B2B software, fintech-adjacent apps that are not themselves RBI-regulated). For genuinely regulated buyers, the right path is one of the approximately 237 currently empanelled firms on the CERT-In list. We help prospects narrow the search and verify scope, free, before they procure.
What CERT-In Empanelment Actually Is
CERT-In is the Indian Computer Emergency Response Team, the national nodal agency under the Ministry of Electronics and Information Technology (MeitY). It handles cybersecurity incident response, publishes advisories, enforces the 6-hour incident reporting rule under Direction 70/B/2022, and maintains the formal panel of empanelled information security auditing organisations.
Empanelment is a formal credentialing programme. Firms apply to CERT-In, submit evidence of past audit engagements, team certifications, methodology documentation, firm-level ISO 27001 certification, financial thresholds, and audited references. Approved firms are added to the official empanelled auditor list for a fixed validity period (typically 2 to 3 years), then re-apply.
Approximately 237 firms are currently CERT-In empanelled, up from 150 in 2022 (a 58% increase). The pool includes Big 4 global consulting, large Indian IT services, specialised cybersecurity firms, and boutique founder-led shops. Empanelment is not reserved for large firms.
What empanelment confers: formal authority to conduct security audits for central and state government departments, PSUs, designated CII operators, and any client where a sectoral regulator (RBI, SEBI, IRDAI, TRAI, CEA) explicitly mandates a CERT-In empanelled auditor for the specific assessment.
What empanelment does not do: it does not certify any specific report is high quality. It does not stop non-empanelled firms from delivering qualified work for private companies and segments where empanelment is not required. It is a market-access credential for a specific regulated segment, not a competence floor.
When CERT-In Empanelment IS Required
This is the affirmative list. If any of the following applies to your company, your buyer, your sectoral regulator, or a specific audit directive you have received, empanelment is required. The decision is binary per scenario. Check each item against your actual context and the regulator's actual wording, and record the conclusion in writing.
1. You are a designated Critical Information Infrastructure operator
Critical Information Infrastructure (CII) is defined under Section 70 of the IT Act 2000 as computer resources whose incapacitation would have a debilitating impact on national security, economy, public health, or public safety. The National Critical Information Infrastructure Protection Centre (NCIIPC), under NTRO, identifies and notifies CII entities by formal MeitY notification. Sectors typically covered: power grid and transmission, telecom backbone, large banking infrastructure, transport (rail and aviation backbone), defence and strategic systems, government services of national importance.
If you have received an NCIIPC designation letter, empanelled auditors are mandatory for your assessments. If you have not received a designation letter, you are not CII regardless of self-assessment.
2. You are a bank, NBFC, payment system operator, or specific category of fintech subject to RBI directives
The Reserve Bank of India issues sector-specific master directions on cyber security. Several reference CERT-In empanelled auditors:
- RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (banks and certain NBFCs)
- RBI Cyber Security Framework for Banks and subsequent updates
- RBI Cyber Resilience and Digital Payment Security Controls for Payment System Operators (PA, PG, PPI issuers)
- RBI directives on cyber security for Urban Cooperative Banks at Level 2 and above (name empanelment explicitly)
- RBI Master Direction on IT Framework for the NBFC sector (above specific asset thresholds)
The requirement varies by entity type, size, and assessment (annual VAPT, IS audit, cyber resilience review). Where the master direction names “CERT-In empanelled auditor”, empanelment is required.
3. You are a SEBI-regulated market intermediary under the cyber resilience framework
The SEBI Cyber Security and Cyber Resilience Framework applies to stock exchanges, clearing corporations, depositories, brokers, depository participants, AMCs, and certain other intermediaries. Periodic third-party audits are required and the framework references CERT-In empanelled auditors. The obligation varies by intermediary category and asset class. Verify against the most recent SEBI circular.
4. You are an insurer or insurance intermediary subject to IRDAI cyber guidelines
The IRDAI Information and Cyber Security Guidelines reference third-party audit obligations and, in specific contexts, CERT-In empanelled auditors. Verify against the circular for your entity category.
5. You are a telecom service provider under DoT and TRAI requirements
Licensed telecom service providers are subject to DoT and TRAI cybersecurity audit obligations. CERT-In empanelment is referenced in audit pathways for certain assessments. UL, UASL, ISP licence conditions and DoT circulars define the obligation.
6. You are a power sector regulated entity under CEA cyber security guidelines
The Central Electricity Authority (CEA) cyber security in power sector guidelines cover generation, transmission, distribution, and load despatch, and reference CERT-In empanelled auditors for certain compliance audits. State DISCOMs, transmission utilities, and large generation companies typically need empanelled vendors.
7. You are bidding for, or procuring on behalf of, government, PSU, or quasi-government tenders
Government IT security tenders (central ministries, state governments, PSUs, security-sensitive GeM procurement) routinely specify CERT-In empanelment as a qualification criterion. As a vendor, you need to be empanelled. As a government procurer, your rules likely require you to procure only from empanelled firms. Clauses to look for: “the bidder shall be a CERT-In empanelled information security auditing organisation as on the date of bid submission”.
8. You have received a CERT-In Direction or formal audit notice that names empanelment
Under the CERT-In Directions of 28 April 2022 (No 20(3)/2022-CERT-In), reported incidents may require formal post-incident audits. CERT-In may direct the affected entity to engage an empanelled auditor. The notice itself is the binding instruction.
How to Verify Whether YOUR Situation Requires Empanelment
Do not take a vendor or sales call at face value. The right verification sequence:
- Read the specific notice, directive, or tender wording. Find the exact text. The phrase you want is “CERT-In empanelled auditor” or “CERT-In empanelled information security auditing organisation”. If the text says this explicitly, empanelment is required. If the text says “third-party penetration testing” or “qualified independent auditor” without naming empanelment, it is likely not required.
- Read the master direction or circular from your regulator. If RBI, SEBI, IRDAI, TRAI, or CEA is invoked, find the master direction that applies to your entity category and the specific assessment. Sectoral regulators enumerate audit requirements precisely. Obligation depends on entity type, asset class, and assessment cycle.
- If CII is the question, verify NCIIPC designation status. CII is by formal notification. If you have not received an NCIIPC designation letter, you are not CII.
- If a government tender is involved, read the cybersecurity clauses of the RFP. Search the RFP for “CERT-In” and read every clause.
- Consult your compliance counsel. Where the regulatory position is ambiguous (most often in payment-adjacent fintech, hybrid SaaS-plus-regulated structures, or international subsidiaries serving Indian regulated entities), get legal opinion in writing. Do not rely on vendor sales statements for compliance decisions.
After these five checks, you will have a clear answer. If yes, proceed to vendor selection below. If no, read the companion article on when you do not need a CERT-In empanelled vendor and save the premium.
What to Look for in an Empanelled Vendor (Beyond the Badge)
Empanelment is the floor for regulated work, not the ceiling for quality. Within the pool of ~237 empanelled firms, methodology depth, sector experience, and report rigour vary widely. Evaluate on:
- Verify current empanelment status on the CERT-In list directly. “Applying” or “in renewal” is not empanelled.
- Check empanelment category coverage. Empanelment is granular (web application, mobile, network, cloud, source code review). A firm empanelled for network is not automatically qualified for a web app audit under regulator scrutiny.
- Methodology rigour. The firm should cite OWASP WSTG v5.0, OWASP API Security Top 10, PTES, NIST SP 800-115, MITRE ATT&CK where applicable, plus CERT-In audit guidelines for regulated work.
- Pentester credentials. Ask for the named lead pentester and verify on the issuing body’s registry (OSCP via OffSec, CREST, CompTIA PenTest+, GIAC GPEN or GWAPT). Get in writing whose name appears on the final report.
- Sector experience. BFSI vs telecom vs power OT/ICS are materially different. Ask for anonymised case studies in your sector.
- Sample report quality. Request a redacted sample. Look for reproduction steps (actual request/URL/payload), business impact, CVSS severity, specific remediation guidance, regulator-framework compliance mapping, and an executive summary a non-technical board member can act on.
- Retest practice. The engagement should include a defined retest cycle. Regulators expect evidence that findings are remediated and the fixes verified.
- Local presence and on-site capability. BFSI and CII contexts often expect auditor presence on-site.
- Regulator familiarity. Ask how many engagements the firm has delivered for entities under your same regulator. A firm fluent in RBI master direction nuances produces a report your auditor accepts the first time, not after three rewrites.
Cost and Timeline Expectations
Empanelled vendor pricing for regulated-sector assessments is typically 2 to 3 times higher than non-empanelled boutique pricing for comparable scope, often more depending on the firm and regulator depth. The premium reflects real cost structure: larger team overhead, audit-grade documentation tailored to regulator expectations, firm-level ISO 27001 certification, regulated-sector BD overhead, and the operational discipline empanelment demands.
Timelines vary. A simple SaaS web pentest may take 7 to 10 calendar days. A full bank cyber security audit covering web, mobile, infrastructure, source code, and compliance mapping may take 8 to 16 weeks or longer.
Get written quotes from 3 to 5 empanelled firms covering your specific scope. Variation across firms is wide. Evaluate on the criteria above, not on price alone.
What to Do If You Are BORDERLINE (Partly Regulated, Partly Not)
Common scenario: a payment-adjacent fintech where the company is not itself the regulated payment system operator (it routes through a regulated PA/PG) but processes financial data. Or a B2B SaaS serving regulated buyers, where the buyer invokes its own audit requirements on the vendor. Or a hybrid product where the consumer-facing app is unregulated but a backend admin tool integrates with a regulated entity’s system.
Decision framework:
- Identify the regulated entity. Which specific legal entity carries the audit obligation? Regulator obligations run on a specific entity, not abstractly across the product.
- Identify the obligation. Annual VAPT, quarterly cyber resilience review, post-incident audit? Each has its own scope.
- Identify the scope in question. Often it is a specific integration point or data flow, not the entire product.
- Scope-split where possible. Procure an empanelled vendor for the regulated piece and a non-empanelled qualified vendor for the rest. Document the split in the engagement letter and verify with compliance counsel that the split is acceptable to the regulator.
- Get written legal confirmation where scope is genuinely ambiguous. A compliance opinion costs far less than a failed audit.
Scope-splitting is correct procurement, not avoidance, when the regulated scope is narrower than the full product surface.
Cybersecify Position: Transparent About Where We Fit
We are not CERT-In empanelled, and we say so openly. Empanelment is an 18 to 30 month commitment of capital and headcount (firm-level ISO 27001, full-time certified auditor hiring, formal methodology documentation, audit SOPs, financial threshold growth). We chose to invest that capital in serving AI-first and API-first SaaS startups (Seed to Series B primarily) where empanelment is not required and where founder-led delivery, methodology depth, and tester credentialing are the criteria that matter.
What we offer. Founder-led penetration testing from Bengaluru. Rathnakara (OSCP, CompTIA PenTest+, M.Sc Cyber Security) personally runs every pentest engagement. Methodology follows OWASP WSTG v5.0, OWASP API Security Top 10 where applicable, and PTES. Reports are audit-grade with SOC 2 and ISO 27001 mapping. Startup Pentest at INR 74,999 (single scope, 7 calendar days). Growth Pentest at INR 1,79,999 (two scopes, 10 calendar days, includes SOC 2 and ISO 27001 audit prep evidence and Brand Protection Snapshot). Both plans include free retest within 30 days. See a redacted sample report before deciding.
For genuinely regulated buyers who need empanelment. The right path is one of the approximately 237 currently empanelled firms on the CERT-In published list. We do not name specific competitors on the public site. We do help prospects free of charge during a Security on Demand session (INR 9,999, 4 hours, fully refundable if you do not continue) to narrow the search, evaluate empanelment status, draft vendor questions, and confirm scope. If your situation requires empanelment, we will tell you directly.
A buyer who needs empanelment and gets sold a non-empanelled engagement will fail their regulator audit. A buyer who does not need empanelment and gets sold an empanelled engagement overpays by 2 to 3 times for a credential they do not need. The honest answer in each direction earns trust both ways.
Decision Framework: One Page
If you got this far, you should be able to answer the question for your own organisation. As a one-page check:
| Your situation | Empanelled vendor required? | Action |
|---|---|---|
| NCIIPC-designated CII operator | Yes | Proceed with empanelled firm. Verify CII protection programme alignment. |
| Bank, NBFC, payment aggregator, PPI issuer subject to specific RBI master direction | Yes (verify by exact master direction) | Read the master direction, procure empanelled. |
| SEBI-regulated MII, broker, depository participant, AMC under cyber resilience framework | Yes (verify by exact circular) | Read the specific SEBI circular, procure empanelled. |
| IRDAI-regulated insurer or intermediary under cyber guidelines | Often yes | Read the IRDAI circular. |
| Telecom service provider (UL, UASL, ISP licensee, TSP) | Yes for sectoral audits | Procure empanelled per DoT/TRAI obligation. |
| Power sector entity under CEA cyber security guidelines | Yes | Procure empanelled per CEA obligation. |
| Central or state government, PSU, government tender bid | Yes | Procure empanelled per procurement rule. |
| Received a CERT-In Direction or formal audit notice naming empanelment | Yes | Comply with the notice. |
| Private SaaS startup, B2B software, fintech app not itself RBI-regulated | No | Read the companion article. |
| E-commerce, EdTech, HealthTech not hospital-grade | No | Methodology and credentials are the criteria. |
| Pursuing SOC 2 or ISO 27001 certification without sectoral regulator obligation | No | Methodology, tester credentials, audit-grade report are the criteria. |
| Responding to enterprise customer questionnaire | No, unless questionnaire specifically requires empanelment | Read the exact questionnaire field. |
If the answer is yes, proceed via the verification and selection steps above. If the answer is no, you are free to choose on methodology, credentials, founder involvement, and price, and the companion post covers that path.
Related Reading
- Pillar: What Is Penetration Testing? 2026 Startup Guide
- Sister: When You DON’T Need CERT-In Empanelled Vendor for the non-regulated path (most SaaS startups)
- CERT-In 6-Hour Incident Reporting Rule for the Direction 70/B/2022 obligation that applies regardless of empanelment
- RBI Cybersecurity Framework for Fintech Startups for the RBI regulatory layer
- DPDP Act Compliance Checklist for SaaS Startups for the India data protection layer
- SOC 2, ISO 27001, DPDP: Which Compliance First? for compliance sequencing
- Our methodology, sample report, pricing, and book a 30-minute call
Built for AI-first and API-first SaaS startups. Founder-led from Bengaluru. If you have received a regulator notice, audit directive, or tender clause naming CERT-In empanelment and are not sure whether your scope genuinely requires it, book a 30-minute call or start with Security on Demand. We will tell you honestly whether you need an empanelled vendor, and if you do, help you narrow the search across the CERT-In list without recommending ourselves where we are not the right fit.