The Reserve Bank of India has significantly tightened its cybersecurity expectations for banks, NBFCs, and payment companies in 2025–26. With the RBI’s Master Direction on IT Governance (effective April 2024), the DPDP Act enforcement timeline crystallising, and payment fraud growing in frequency, regulated entities face a compliance and risk landscape that has changed materially. This guide covers what the current RBI cybersecurity requirements actually mandate and what you need to do to comply.
⚠️ Applicability: This guide covers requirements for Scheduled Commercial Banks, Urban Cooperative Banks, NBFCs, Payment Aggregators, Payment Gateways, and entities regulated under RBI’s IT Governance Master Directions 2024. Check the specific circular applicable to your entity type.
RBI IT Governance Master Directions 2024: What Changed
The RBI issued the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices in November 2023, effective from 1 April 2024, consolidating and updating earlier circulars. Key changes from previous frameworks:
- Board-level IT governance is now mandatory, with a dedicated IT Strategy Committee at Board level
- IT Risk Framework must be approved by the Board, not just senior management
- Cyber Crisis Management Plan (CCMP) is now mandatory for all covered entities, not just large banks
- Third-party risk management has been significantly tightened — exit clauses, concentration risk monitoring, and annual audits of critical vendors
- Data localisation requirements for payment data remain, with stricter monitoring expectations
- Incident reporting: significant cyber incidents must be reported to the RBI within 6 hours of detection, with a documented root-cause analysis to follow
Core Cybersecurity Requirements by Category
| Requirement Area | What’s Required | Timeline/Frequency |
|---|---|---|
| Vulnerability Assessment & Penetration Testing (VAPT) | Mandatory VAPT of internet-facing and critical internal systems by a CERT-In empanelled firm | Half-yearly minimum for internet-facing systems; annual for internal systems |
| Security Operations Centre (SOC) | 24×7 SOC mandatory for Tier I and Tier II banks (check the tiering in the circular applicable to your entity); SOC functions required for all regulated entities | Continuous; quarterly reporting to Board |
| Cyber Crisis Management Plan (CCMP) | Documented CCMP aligned with CERT-In guidelines; tabletop exercises and drills | Annual plan review; half-yearly drill |
| IT Audit | Independent IT audit by CISA-certified or equivalent professional; includes IS audit of critical systems | Annual; report to Board Audit Committee |
| Patch Management | Formal patching policy; critical vulnerabilities patched within defined SLA (typically 30 days) | Ongoing; monthly reporting |
| Business Continuity & DR | BCP/DRP with defined RTO/RPO; DR site mandatory for Tier I banks and systemically important NBFCs | Annual drill; report to Board |
| Incident Reporting to RBI | Report cyber incidents via CIMS portal; initial report within 6 hours for significant incidents | As required; post-incident root cause within 21 days |
| Third-Party Risk Management | Risk assessment of critical vendors; contractual security clauses; annual vendor audits | Annual formal review; continuous monitoring |
DPDP Act Intersection: What RBI-Regulated Entities Must Also Address
For banks and NBFCs, the DPDP Act (2023) adds a parallel data protection compliance layer. The obligations aren’t identical to RBI requirements — here’s where they converge and where they diverge:
| Obligation | RBI Framework | DPDP Act | Action Required |
|---|---|---|---|
| Data breach notification | 6 hours to RBI (CIMS) | To the Data Protection Board of India (DPBI) and affected Data Principals; timeline as prescribed in the DPDP Rules | Dual reporting process; single incident response plan covering both |
| Consent management | Not explicit | Mandatory for personal data processing | Build consent layer into customer onboarding and app flows |
| Data localisation | Payment data must stay in India | Cross-border transfer restrictions | Align data residency architecture with both frameworks |
| Third-party data sharing | Vendor risk management | Data Processor contracts + obligations | Update all vendor contracts with DPDP data processor clauses |
| Data erasure | Not specified | Right to erasure on request | Build data deletion workflows into customer data systems |
Practical Compliance Roadmap: 12-Month Plan
Months 1–2: Assessment & Gap Analysis
Conduct IT governance maturity assessment against RBI Master Directions. Identify gaps in policies, procedures, controls, and documentation. Map existing controls to DPDP Act obligations simultaneously.
Months 2–4: Policy & Framework Documentation
Draft or update IT Security Policy, Cyber Crisis Management Plan, Incident Response Plan, BCP/DRP, Patch Management Policy, Third-Party Risk Management Framework. Board approval for critical documents.
Months 3–5: Technical Controls Implementation
Implement or upgrade SIEM, EDR, DLP, and vulnerability management tools. Set up SOC function (in-house or managed). Configure CIMS portal access for incident reporting. Establish patch management workflow.
Months 5–6: VAPT & IT Audit
Engage a CERT-In empanelled firm for VAPT of internet-facing systems. Conduct an independent IT audit. Remediate findings and document closure. These feed directly into your Board report.
Months 6–8: Third-Party & Vendor Risk
Identify critical vendors. Conduct security risk assessments. Update contracts with required security clauses and exit provisions. Update data processor agreements for DPDP Act compliance.
Months 8–10: Drills & Testing
Conduct BCP/DR drill. Run tabletop CCMP exercise. Test incident reporting workflow end-to-end including CIMS submission. Document results and lessons learned.
Months 10–12: Board Reporting & Continuous Monitoring
Present comprehensive IT governance report to Board. Establish quarterly Board IT Committee meeting cadence. Set up continuous monitoring dashboards. Schedule next half-yearly VAPT cycle.
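The patch management requirement (critical vulnerabilities patched within a defined SLA, reported monthly) and the roadmap's continuous-monitoring dashboards both presuppose a way to measure SLA adherence from raw findings rather than by hand. The script below is an added example, not code from this guide or from any RBI circular: the severity-to-SLA table, the seven-day "at risk" window, the sample findings and the report fields are all constructed assumptions for illustration, with only the 30-day critical SLA taken from the page's "typically 30 days".

```python
"""Patch-SLA tracker for a monthly patch management report (added example).

Assumptions (not from RBI text): the SLA table below is a hypothetical entity
policy; the findings are constructed sample data, as would be exported from a
vulnerability scanner; 'at risk' means due within AT_RISK_WINDOW_DAYS.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical remediation SLAs in days, by severity. Only the 30-day figure
# for criticals is taken from the guide; the rest are placeholder policy values.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
AT_RISK_WINDOW_DAYS = 7


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    internet_facing: bool
    severity: str            # must be a key of SLA_DAYS
    discovered: date
    patched: date | None = None   # None means still open

    def __post_init__(self) -> None:
        # Reject records a scanner export could plausibly get wrong, so that
        # bad data surfaces in the report rather than silently skewing it.
        if self.severity not in SLA_DAYS:
            raise ValueError(f"{self.finding_id}: unknown severity {self.severity!r}")
        if self.patched is not None and self.patched < self.discovered:
            raise ValueError(f"{self.finding_id}: patched before discovered")


def sla_deadline(f: Finding) -> date:
    """Date by which the finding must be remediated under the policy."""
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def classify(f: Finding, as_of: date) -> str:
    """Bucket a finding relative to its SLA as of the reporting date."""
    deadline = sla_deadline(f)
    if f.patched is not None:
        return "closed_within_sla" if f.patched <= deadline else "closed_breached"
    if as_of > deadline:
        return "open_breached"
    if (deadline - as_of).days <= AT_RISK_WINDOW_DAYS:
        return "open_at_risk"
    return "open_within_sla"


def monthly_report(findings: list[Finding], as_of: date) -> dict:
    """Summary figures for the monthly report: counts per bucket, every finding
    that breached its SLA (open or closed late), the internet-facing open
    breaches that need escalation, and the share of closures made within SLA."""
    status = {f.finding_id: classify(f, as_of) for f in findings}
    counts = Counter(status.values())
    closed = counts["closed_within_sla"] + counts["closed_breached"]
    pct = round(100.0 * counts["closed_within_sla"] / closed, 1) if closed else None
    breached = sorted(fid for fid, s in status.items() if s.endswith("breached"))
    escalate = sorted(f.finding_id for f in findings
                      if f.internet_facing and status[f.finding_id] == "open_breached")
    return {
        "as_of": as_of.isoformat(),
        "counts": dict(counts),
        "breached": breached,
        "escalate": escalate,
        "closed_within_sla_pct": pct,
    }


# Constructed sample findings (hypothetical assets and IDs) for a September
# 2025 reporting cycle.
AS_OF = date(2025, 9, 30)
SAMPLE_FINDINGS = [
    Finding("F-001", "netbanking-web-01", True,  "critical", date(2025, 8, 1),  date(2025, 8, 20)),
    Finding("F-002", "core-db-02",        False, "critical", date(2025, 8, 15)),
    Finding("F-003", "api-gw-01",         True,  "high",     date(2025, 7, 1),  date(2025, 9, 10)),
    Finding("F-004", "upi-switch-01",     True,  "critical", date(2025, 9, 5)),
    Finding("F-005", "hr-portal-01",      False, "medium",   date(2025, 9, 10)),
    Finding("F-006", "mobile-api-03",     True,  "high",     date(2025, 7, 20)),
]

if __name__ == "__main__":
    print(json.dumps(monthly_report(SAMPLE_FINDINGS, AS_OF), indent=2))
```

The "escalate" list is the one worth wiring into the dashboard: an internet-facing asset with an open, SLA-breached critical or high finding is exactly the exposure a half-yearly VAPT will re-find, so it should reach the IT Strategy Committee before the tester does. Feed the script from the scanner export of your choice; the only fields it needs are the six on `Finding`.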
📘 Related Guide
VAPT Services in India — Types, Pricing & Compliance Requirements
Read this if you need VAPT as part of RBI compliance, including CERT-In empanelled partners for regulated-sector requirements.
Need an RBI compliance gap assessment for your entity?
We work with banks, NBFCs, and payment companies on RBI IT governance compliance — from gap analysis to Board-ready reporting. Book a 30-minute call to discuss your current posture.