Indian suppliers: BRSR, SEBI, and what EU and UK buyers are asking for.
India's Business Responsibility and Sustainability Reporting (BRSR) framework is now mandatory for the top 1,000 listed companies. Indian SMEs supplying to EU and UK buyers face additional obligations under CSRD and LkSG. DharmaCompliance is our dedicated India platform.
Key regulations in India
BRSR: Business Responsibility and Sustainability Reporting
SEBI's BRSR framework requires India's largest listed companies to disclose ESG performance across environmental, social, and governance topics. The BRSR Core subset requires third-party assurance. Companies in the top 1,000 will increasingly request BRSR-aligned data from their suppliers.
SEBI ESG Disclosures
SEBI has introduced several ESG-related disclosure requirements for listed companies, including ESG ratings, green bonds, and stewardship codes. These requirements are driving increased demand for supply chain ESG data.
EU CSRD: Obligations for Indian Suppliers
Indian companies supplying to EU buyers are not directly subject to CSRD, but their EU customers are. EU buyers will use the VSME standard to request sustainability data from their Indian suppliers. This creates a de facto compliance requirement for Indian SMEs in EU supply chains.
LkSG: German Supply Chain Due Diligence
German companies with ≥1,000 employees must conduct annual due diligence on their entire supply chain, including Indian suppliers. Indian manufacturers and service providers supplying to German buyers will receive LkSG questionnaires covering human rights, labour standards, and environmental practices.
CERT-In Directions: Mandatory 6-Hour Cyber Incident Reporting
India's Computer Emergency Response Team (CERT-In) mandates that all organisations (including intermediaries, data centres, and body corporates) report specified cyber incidents to CERT-In within 6 hours of detection or being brought to notice. This is one of the strictest reporting windows globally, significantly tighter than GDPR's 72-hour rule. Covered incidents include: data breaches, ransomware attacks, unauthorised access, identity theft, DDoS attacks, and compromise of critical systems. Organisations must also maintain logs for 180 days and retain them in India. Non-compliance is a criminal offence under the IT Act.
What this means for you as a supplier
Indian SMEs face compliance pressure from multiple directions: BRSR requirements from domestic listed customers, CSRD data requests from EU buyers, LkSG questionnaires from German buyers, and CERT-In's 6-hour cyber incident reporting obligation, one of the strictest in the world. Preparing a single, comprehensive ESG and cyber compliance data set will allow you to respond to all of these frameworks efficiently.
Key dates
June 2022: CERT-In Directions in force; 6-hour mandatory cyber incident reporting for all organisations
FY 2022-23: BRSR mandatory for top 1,000 listed Indian companies
FY 2023-24: BRSR Core with third-party assurance required
2025: EU CSRD Phase 1 reports published; Indian suppliers start receiving data requests
2026: EU CSRD Phase 2; significantly more EU buyers requesting Indian supplier data
India-specific compliance? Visit DharmaCompliance
DharmaCompliance is our dedicated platform for Indian organisations, covering CERT-In 6-hour reporting, BRSR, SEBI ESG, and the IT Act 2000 in depth, with India-specific templates and guidance.
Last reviewed: April 2026. This guide is for general information only and does not constitute legal advice. Regulations change; verify current requirements with a qualified adviser.