Why Every Business in India Needs Managed IT Services
Indian law increasingly places the burden of IT security and data governance directly on businesses, regardless of size. The compliance landscape has changed sharply since 2022, with binding CERT-In directions, the Digital Personal Data Protection Act and a revised Schedule M all arriving within two years of each other.
Legal & Regulatory IT Obligations Across India
These laws apply to every organisation operating in India — manufacturing, pharma, services, or otherwise.
Digital Personal Data Protection Act, 2023
India's data protection law requires every organisation that processes personal data (a "data fiduciary") to implement reasonable security safeguards to prevent personal data breaches, and to report any breach both to the Data Protection Board of India and to the affected individuals within the timelines set by the rules. Organisations notified as Significant Data Fiduciaries must also appoint a Data Protection Officer and undergo periodic independent audits. Failure to take reasonable security safeguards attracts a penalty of up to ₹250 crore per instance. Managed IT supplies the encryption, access controls, and audit trails that let an organisation show those safeguards were actually in place.
Information Technology Act, 2000 (as amended)
Section 43A makes any body corporate that handles sensitive personal data or information in a computer resource it owns, controls or operates liable to pay compensation if its negligence in maintaining reasonable security practices causes wrongful loss or wrongful gain. Section 66 criminalises the dishonest or fraudulent commission of the acts listed in Section 43, including unauthorised access to a computer system. The 2008 amendment introduced Section 43A and tied the intermediary safe harbour in Section 79 to due-diligence obligations. (The DPDP Act, once fully in force, omits Section 43A, but the duty to maintain security safeguards carries over under the new Act.) Managed IT services provide the documented security policies, controls, and incident response procedures needed to demonstrate that reasonable security practices were in place.
CERT-In Mandatory Cybersecurity Directions
The Indian Computer Emergency Response Team (CERT-In) issued binding directions under Section 70B(6) of the IT Act on 28 April 2022. They apply to service providers, intermediaries, data centres, body corporates and government organisations, MSMEs included, and require reporting of the listed categories of cybersecurity incident to CERT-In within 6 hours of noticing them, retention of ICT system logs for a rolling 180 days within Indian jurisdiction, synchronisation of system clocks with the NTP servers of NPL or NIC (or servers traceable to them), and a designated point of contact. Non-compliance is punishable under Section 70B(7) with imprisonment of up to one year, a fine of up to ₹1 lakh, or both. Managed IT services keep the log archives and incident response workflows that make these obligations routine rather than a scramble after an incident.
Board Responsibility for Internal Financial Controls
Section 134(5)(e) of the Companies Act, 2013 requires the directors of a listed company to state in the Directors' Responsibility Statement that the company has laid down internal financial controls and that those controls are adequate and operating effectively; Section 143(3)(i) separately requires the statutory auditor of most companies to report on the adequacy and operating effectiveness of internal financial controls over financial reporting. The ICAI Guidance Note on Audit of Internal Financial Controls over Financial Reporting treats IT General Controls (ITGCs) over the financial reporting systems, namely access management, change management, backup and recovery, and IT security, as part of that assessment. Managed IT services provide the documented, auditable IT controls that satisfy this board responsibility.
Sector Regulators' IT Governance Frameworks
The Reserve Bank of India, SEBI, and IRDAI each issue binding IT governance frameworks for their regulated entities. RBI's IT Framework for NBFCs and Co-operative Banks mandates IS Audit, Cyber Security Policy, and DR/BCP. SEBI's Cybersecurity Framework for Market Intermediaries requires quarterly vulnerability assessments and annual penetration testing. Even companies that supply or partner with these regulated entities increasingly face supply-chain IT security requirements.
Industry Standard: ISO/IEC 27001 Information Security
While not mandated by law for all businesses, ISO/IEC 27001 certification is increasingly required by enterprise customers, government tenders, and export markets as a condition of doing business. The Bureau of Indian Standards (BIS) adopts it as the national standard IS/ISO/IEC 27001, and certificates issued against the 2013 edition must transition to the 2022 edition by 31 October 2025. Implementing Managed IT is the most practical route for SMEs and mid-sized manufacturers to achieve and maintain this certification without building an in-house security team.
IT Compliance Obligations Specific to Pharma Manufacturing
Pharmaceutical manufacturers in India face the most stringent IT compliance requirements of any sector — driven by both Indian regulations and the export markets they serve.
⚠️ The Baddi Reality: Most Factories Are Not Compliant
With 3,120+ pharmaceutical factories in Baddi alone, the vast majority are SMEs running production on legacy Windows systems with no formal IT controls, no documented procedures, and no incident response plan. A single USFDA inspection failure or ransomware event can result in production shutdown, import alerts, and multi-crore losses. The regulations below are not aspirational — they are enforced, with consequences.
21 CFR Part 11 — US FDA
All Indian pharmaceutical companies exporting to the USA must comply with 21 CFR Part 11, which governs electronic records and electronic signatures. Requirements include audit trails, system validation, access controls, and regular backup. Non-compliance is grounds for an FDA Warning Letter and import alert. Over 40% of FDA Warning Letters to Indian pharma cite data integrity failures linked to poor IT controls.
Schedule M — Drugs & Cosmetics Act
The revised Schedule M (2023) to the Drugs and Cosmetics Act mandates Good Manufacturing Practice (GMP) compliance for all Indian pharmaceutical manufacturers, including documented procedures for computer systems used in manufacturing and quality control. Computerised systems must be validated, access-controlled, and backed up. CDSCO inspectors specifically check for IT controls as part of GMP audits.
WHO GMP Guidelines — TRS 986
WHO Technical Report Series 986 (2014) carries the current WHO GMP for pharmaceutical products: main principles as Annex 2, whose clauses on computerised systems require validation, change control, and protection of electronic records, including backup and audit trails. WHO's Guidance on good data and record management practices (TRS 996, Annex 5, 2016) adds the ALCOA expectations and periodic review of audit trails. CDSCO draws on these texts, and they form the basis of inspections for WHO Prequalification, which is required for supplying UN agencies and many developing-country procurement programmes.
EU GMP Annex 11 — European Market
Indian pharma companies manufacturing for the European market must comply with EU GMP Annex 11 on computerised systems. It requires risk-based validation, data integrity controls (accuracy checks, audit trails, secure storage and backup, the expectations commonly summarised as ALCOA+), business continuity arrangements, and periodic evaluation including security review. National competent authorities in the EU, coordinated through the European Medicines Agency, inspect for Annex 11 compliance during GMP audits of Indian sites; a statement of non-compliance can lead to suspension of the site's GMP certificate and EU import restrictions.
CDSCO Data Integrity Guidance
CDSCO issued its own Data Integrity Guidance in 2018 aligned with WHO and FDA expectations. It requires that all data — including electronic records from HPLC, balance systems, batch management software — be attributable, legible, contemporaneous, original, and accurate (ALCOA). IT systems must have audit trails enabled, access restricted by role, and backup procedures tested. Managed IT provides the infrastructure to enforce these controls.
Pharmacovigilance & ADR Reporting — PvPI
The Pharmacovigilance Programme of India (PvPI), run by the Indian Pharmacopoeia Commission as its National Coordination Centre, depends on marketing authorisation holders maintaining IT systems that can store, process, and report Adverse Drug Reaction data to it. Indian rules require an MAH to operate a functioning pharmacovigilance system, so availability, data integrity, and audit capability of these systems are mandatory in practice. The Indian Pharmacopoeia Commission conducts periodic assessments of reporting systems. Downtime or data loss that leads to missed or late ADR reports puts the MAH in breach of its reporting obligations.
Consequence of Non-Compliance
| Regulation | ❌ Without Managed IT | ✅ With AstraCMITS |
|---|---|---|
| DPDPA 2023 | Penalties up to ₹250 Cr per instance; Data Protection Board inquiries and directions | Encryption, access controls, breach response, all documented |
| CERT-In 2022 | Penalty under S.70B(7): up to one year's imprisonment and/or fine; incident handled without evidence | 6-hour reporting capability; 180-day log retention maintained |
| 21 CFR Part 11 | FDA Warning Letter; US import alert; export ban | Validated systems, audit trails, role-based access enforced |
| Schedule M (2023) | Manufacturing licence suspension; CDSCO action | GMP-ready IT procedures, documented and audit-ready |
| EU GMP Annex 11 | EU import restriction; loss of European customers | ALCOA+ data integrity, backup and BCP documentation |
| Companies Act S.134 | Board personal liability; qualified auditor report | IT General Controls documented, tested, and evidenced |
Ready to understand your current compliance gaps?
Book Your Free IT Audit →