India Mandates Cybersecurity Audits for All Crypto Exchanges

In a landmark step for the regulation of digital assets, the Indian government has ordered all cryptocurrency platforms, custodians, and intermediaries operating in the country to undergo periodic cybersecurity audits. The directive, announced on September 17, 2025, is a direct response to mounting concerns over the security of crypto platforms after several high-profile hacks and heists that raised alarms over investor safety and systemic vulnerabilities.
The Ministry of Electronics and Information Technology (MeitY) confirmed that audits must be conducted by security firms empanelled with the Indian Computer Emergency Response Team (CERT-In). These assessments will follow the Comprehensive Cyber Security Audit Policy Guidelines (v1.0), introduced in July 2025. The guidelines lay out detailed procedures for the audit lifecycle, scope, and roles of both auditors and the audited entities, ensuring standardized evaluations and clearly defined accountability.
Strengthening oversight of virtual assets
Officials say the initiative is part of a calculated strategy to bolster oversight of virtual asset service providers (VASPs) while India continues to delay introducing a comprehensive crypto law. Policymakers have maintained caution, citing concerns about financial stability and illicit finance risks. Instead of fast-tracking a broad legal framework, regulators are pursuing targeted interventions designed to address vulnerabilities without stifling innovation outright.
This move builds on earlier measures, including directives from the Financial Intelligence Unit of India (FIU-IND), which earlier this year required platforms to intensify scrutiny of certain regional transactions. Combined with the audit mandate, the steps highlight an incremental but firm tightening of supervisory mechanisms around the fast-growing digital asset sector, which serves millions of Indian traders and investors.
Industry impact and compliance challenges
For the crypto industry, the requirement brings both hurdles and potential benefits. Platforms will be compelled to dedicate significant resources toward working with CERT-In approved auditors, implementing safeguards, and ensuring ongoing compliance. The cost of repeated audits, infrastructure upgrades, and corrective measures may weigh heavily on smaller platforms with limited operating margins, potentially leading to market consolidation.
On the other hand, regulatory experts argue the new framework could strengthen investor confidence in an industry often criticized for fragile protections and opaque practices. Enhanced cybersecurity standards may encourage more risk-averse users and institutions to enter the market, ultimately supporting growth in a more sustainable, secure environment. Larger platforms that already maintain advanced security protocols may also benefit by differentiating themselves from less prepared competitors.
India's cautious stance reflects a balancing act: recognizing the potential of digital assets and blockchain innovation while addressing risks that could destabilize the financial system. The audit mandate signals that authorities are prioritizing the safeguarding of user assets and the integrity of market infrastructure, even without comprehensive legislation in place.
Global regulators are closely monitoring similar risks, and India's measures could align its practices with international standards, especially as countries work toward developing shared rules for virtual assets. The real test will be whether mandatory audits can keep pace with rapidly evolving threats, such as sophisticated hacking groups and insider risks, which continue to challenge even the most well-prepared platforms.
As India moves forward, the effectiveness of these audits will shape how the country's crypto ecosystem evolves. For now, the directive underscores a key message: security is not optional, and credibility in digital finance must be earned through rigorous oversight.