For compliance officers, CTOs, legal teams, and technology leads at Indian organisations navigating the intersection of cloud infrastructure decisions and Indian regulatory requirements.
Three Frameworks, One Infrastructure Decision
Indian cloud compliance in 2025 is not a single framework. It is three overlapping sets of requirements — each with different origins, different enforcement mechanisms, and different specific obligations — that Indian organisations must satisfy simultaneously.
CERT-In Mandatory Directions (April 2022) — Operational security requirements focused on incident reporting, log retention, and system security practices. Applies to all service providers, intermediaries, data centres, and government organisations operating in India.
Digital Personal Data Protection Act 2023 (DPDP Act) — India's comprehensive data protection legislation. Establishes data fiduciary obligations for organisations processing personal data of Indian citizens. Imposes consent requirements, purpose limitation, data minimisation, and accountability obligations.
MeitY Cloud Empanelment Framework — The Ministry of Electronics and IT's framework for evaluating and empanelling cloud providers for government use. Increasingly referenced by regulated sectors and state government procurement as a baseline standard.
The challenge for compliance teams is that these three frameworks ask related but different questions about the same infrastructure. CERT-In asks where your logs are and how quickly you can access them. The DPDP Act asks where your personal data is and under whose legal jurisdiction it falls. MeitY asks whether your cloud provider has been evaluated against government security standards. A cloud infrastructure decision that satisfies one framework may not satisfy the others.
CERT-In Mandatory Directions: What They Require
CERT-In's April 2022 directions established mandatory requirements for all entities covered under the Information Technology Act 2000. For cloud infrastructure, the key obligations are:
180-day log retention — All IT system logs — access logs, event logs, authentication logs, network logs — must be retained for 180 days. Critically, these logs must be maintained within Indian jurisdiction. An organisation cannot satisfy this requirement by keeping logs on AWS or GCP with the argument that the data is physically in a Mumbai data centre, if the cloud provider is a US entity subject to US federal law.
Six-hour incident reporting — Cybersecurity incidents must be reported to CERT-In within six hours of detection. This requires that you actually have the access logs and system visibility to detect and characterise an incident quickly, which in turn requires that logging is configured, monitored, and accessible.
System time synchronisation — All ICT infrastructure must be synchronised to the NTP server of NIC or NPL. Audit logs with inconsistent timestamps are a compliance problem in practice, not just in theory.
Data localisation for log storage — The direction explicitly requires that logs be stored in India. This rules out log archival to non-Indian cloud storage, even as a secondary copy.
Practical implication: If you're using a foreign-operated cloud platform for primary infrastructure and storing logs there, you need to verify whether the log storage meets the jurisdictional requirement, or you need a separate India-sovereign log storage layer.
IBEE includes audit logging with 180-day retention within Indian jurisdiction as a standard feature. No additional configuration, no extra cost.
DPDP Act: What It Requires of Cloud Infrastructure
The Digital Personal Data Protection Act 2023 is India's framework for governing the processing of personal data. For organisations using cloud storage, the key obligations relate to:
Data fiduciary accountability — Any organisation that collects and uses personal data of Indian citizens is a data fiduciary. As a data fiduciary, you are accountable for how that data is stored, processed, and protected — including how your cloud infrastructure handles it.
Purpose limitation — Personal data may only be processed for the specific purpose for which it was collected. This has infrastructure implications: data stored in general-purpose storage must be segregated or governed in ways that prevent it from being used for purposes beyond the original consent.
Data localisation — While the DPDP Act's rules on cross-border data transfers are still being elaborated in the implementing rules, the direction of the legislation strongly favours India-resident storage for sensitive personal data. Localisation requirements are already explicit for financial data (RBI's existing localisation requirements), health data (ABDM framework), and government citizen data (NIC guidelines).
Security safeguards — Data fiduciaries must implement "reasonable security safeguards" to prevent personal data breaches. This is not a defined standard in the Act itself, but the combination of encryption at rest, access controls, audit logging, and incident response capability represents the baseline that any reasonable interpretation would require.
Breach notification — Personal data breaches must be reported to the Data Protection Board and to affected individuals. Detecting and reporting a breach requires the same audit logging and monitoring infrastructure that CERT-In requires.
Practical implication: The DPDP Act makes the case for India-sovereign storage for any personal data of Indian citizens — not as a technical preference but as a legal accountability question. If your personal data is stored on a foreign-operated platform, your data fiduciary accountability may be complicated by the foreign operator's own legal obligations to non-Indian authorities.
MeitY Empanelment: What It Signals
MeitY's cloud empanelment framework is not a requirement for private sector organisations. It is, however, increasingly used as a procurement reference by government-adjacent organisations, PSUs, and regulated entities whose government clients or auditors want to see a baseline standard applied to cloud providers.
The empanelment framework evaluates cloud providers against security, reliability, and data governance standards. IBEE's Indian-entity structure, Tier 4 infrastructure, and India-sovereign data governance position it favourably within the framework's direction — particularly the preference for Indian-entity cloud providers for sensitive government workloads.
For govtech companies, IT system integrators working with government clients, and regulated entities in sectors where government-aligned standards are referenced in procurement requirements, MeitY alignment is a practical procurement consideration.
The Intersection: Where the Three Frameworks Meet
The practical point where all three frameworks converge is data residency under Indian jurisdiction.
CERT-In requires logs to be within Indian jurisdiction. The DPDP Act creates accountability for personal data under Indian law. MeitY's direction of travel favours Indian-entity cloud providers for government and regulated workloads.
A single infrastructure decision — choosing India-sovereign cloud storage — satisfies the data residency requirement across all three frameworks simultaneously. Physical location in India is not sufficient. The cloud provider must be an Indian entity, governed by Indian law, so that the jurisdictional chain runs entirely through Indian legal institutions.
AWS and GCP maintain data centres in India. They do not provide India-sovereign storage, because their legal entity is American, their data governance is ultimately subject to US federal law, and US authorities can compel access to data stored anywhere in the world under the CLOUD Act.
IBEE is an Indian entity. Data stored on IBEE is governed by Indian law, stored within India, and accessible to Indian authorities through Indian legal processes. The jurisdictional chain is complete and clean.
The 2025 Compliance Checklist
For engineering and compliance teams reviewing cloud infrastructure against India's current regulatory landscape:
CERT-In
- Audit logging enabled on all cloud storage buckets
- 180-day log retention configured
- Logs stored within Indian jurisdiction (Indian-entity cloud provider)
- NTP synchronisation configured on all systems
- Incident response plan documented with six-hour reporting capability
- Log access tested — can you retrieve a complete access log within six hours of a request?
DPDP Act
- Personal data of Indian citizens stored within India
- Data fiduciary documentation — who is accountable for what data, under what authority
- Security safeguards documented — encryption at rest and in transit, access controls, audit logging
- Breach detection and notification process defined
- Purpose limitation controls — is personal data in storage accessible only for its original purpose?
MeitY Alignment
- Cloud provider empanelment status reviewed
- Indian-entity provider preference satisfied for sensitive workloads
- Security documentation available for procurement review
General
- Cloud provider's legal entity confirmed (Indian or foreign)
- Data sovereignty position documented and reviewed with legal team
- Sector-specific obligations reviewed (RBI, SEBI, IRDAI, NIC as applicable)
IBEE's infrastructure is designed to satisfy this checklist at the infrastructure level — providing the India-sovereign, Tier 4, audit-logging-by-default storage foundation that Indian compliance requirements point toward.

