Trusted in the UK, US, EU and India - 24/7 incident response.

India Cybersecurity & Data-Protection Compliance: DPDP, CERT-In, RBI, SEBI and IRDAI Explained

India now layers a data-protection law over sector cyber rules. Here is the full regulatory stack a buyer must navigate, and who each piece applies to.


Key takeaway

India's compliance stack pairs one cross-sector data-protection law, the DPDP Act 2023, with sector cyber rules: CERT-In's 6-hour incident reporting directions, RBI's IS audit and cyber resilience expectations, SEBI's CSCRF for regulated entities, and IRDAI's information and cybersecurity guidelines for insurers. Which apply depends on your sector, data and where your users are.

Why India needs its own compliance playbook

India does not have one single cybersecurity regulation. It has a cross-sector data-protection law sitting on top of a set of sector-specific cyber rules, and a buyer must work out which combination applies to them. A fintech in Mumbai faces a very different stack from a hospital group or a listed manufacturer.

Two things make the Indian stack distinctive. First, the obligations are unusually operational: a six-hour incident-reporting window, in-country log retention, and prescriptive audit expectations rather than principles alone. Second, the regulators reinforce one another, so a single empanelled audit or a well-run incident-response capability can satisfy several filings at once.

This guide walks through the five regimes most buyers ask us about, what each is, who it applies to, and the headline obligations. Where a specific commencement or deadline date matters to your planning, treat the dates here as a starting point and verify them against the primary source or official gazette notification before you rely on them, because phased commencement and amendments are common in India.

DPDP Act 2023: India's cross-sector data-protection law

The Digital Personal Data Protection Act 2023 is India's first comprehensive data-protection statute. It governs the processing of digital personal data of individuals (Data Principals) in India, and reaches certain offshore processing that involves offering goods or services to people in India. It is sector-agnostic, so it overlays whatever financial, health or other rules already apply to you.

The Act is built around consent and accountability. Every Data Fiduciary must give a clear notice, obtain valid consent (or rely on certain limited legitimate uses), implement reasonable security safeguards, notify the Data Protection Board and affected principals of a personal data breach, and honour data-principal rights such as access, correction and erasure. Organisations the government designates as Significant Data Fiduciaries carry extra duties, including Data Protection Impact Assessments, periodic audits, and appointing a Data Protection Officer and an independent data auditor.

The Act was passed in 2023, and the DPDP Rules that operationalise it have a phased commencement, with several substantive obligations landing on a later date than the foundational provisions. The exact phase dates have moved through the rule-making process, so confirm the current commencement schedule against the latest gazette notification rather than assuming a fixed go-live. Penalties are set as rupee caps per instance, with the highest tier (up to INR 250 crore) attached to a failure to take reasonable security safeguards.

  • Applies to: any organisation processing digital personal data of people in India, including qualifying offshore processing
  • Core duties: notice, valid consent, security safeguards, breach notification, data-principal rights, purpose limitation and retention
  • Significant Data Fiduciaries: add DPIAs, periodic audit, DPO and independent data auditor
  • Penalties: rupee caps per violation, up to INR 250 crore for inadequate security safeguards (verify current penalty schedule against the Act)

CERT-In: 6-hour incident reporting and the 2025 audit policy

The Indian Computer Emergency Response Team (CERT-In) is the national agency for cyber incidents under Section 70B of the Information Technology Act. Its 2022 Directions are among the most operationally demanding rules in the world: specified cyber incidents must be reported to CERT-In within six hours of becoming aware of them, in the prescribed format.

The same Directions add technical obligations that auditors routinely check: retaining ICT system logs securely within Indian jurisdiction for a rolling 180-day period, synchronising all system clocks to the NTP servers of NIC or NPL (or to servers traceable to them), and keeping accurate organisational contact details registered with CERT-In. Meeting the six-hour window is not a paperwork exercise. The clock starts when you notice the incident or are notified of it, so the rule presumes you can detect incidents quickly and already have an agreed reporting playbook, which in practice means continuous monitoring and a pre-agreed escalation path to whoever files the report.

CERT-In has also moved its audit expectations from checkbox testing towards resilience, with comprehensive ICT audit guidance that emphasises independent review, signed audit outputs, and coverage of cloud, AI, blockchain and third-party risk. Treat the exact issue date and effective date of the current audit policy as something to confirm against CERT-In's published guidelines. Importantly, the financial regulators below generally expect CERT-In empanelled auditors, so one empanelled audit can support several regulator filings.

  • Applies to: service providers, intermediaries, data centres, body corporates and government organisations operating in India
  • Headline rule: report specified incidents within 6 hours of awareness
  • Plus: 180-day in-India log retention, NIC/NPL NTP time sync, registered contact details
  • Audits: comprehensive ICT audits with independent review (confirm current policy dates against CERT-In)

RBI: IS audit and cyber resilience for the financial sector

The Reserve Bank of India sets cybersecurity and resilience expectations for the entities it supervises: banks, NBFCs, payment system operators and related financial-sector players. Rather than a single rule, RBI's expectations are spread across master directions and circulars covering IT governance, information security and cyber resilience, and they are reinforced through supervisory review.

A central, recurring requirement is the Information Systems (IS) audit: a structured, periodic audit of IT controls, change management, access management, and security posture, typically performed by qualified, often CERT-In empanelled, auditors and reported to the board or its IT/risk committee. Regulated entities are also expected to maintain incident reporting to RBI, a board-approved cybersecurity policy, and increasingly to demonstrate operational and cyber resilience rather than point-in-time control checks.

The precise audit cadence, applicability thresholds, and resilience expectations differ by entity type and have been tightened over successive RBI circulars and master directions. Because these are updated frequently, confirm the current master direction and its applicability to your specific licence category against RBI's own publications before scoping work.

  • Applies to: RBI-regulated entities, banks, NBFCs, payment system operators, and similar
  • Core expectation: periodic IS audit reported to the board, plus a board-approved security policy
  • Plus: incident reporting to RBI and demonstrable cyber resilience
  • Cadence and thresholds vary by entity type, verify against the applicable RBI master direction

SEBI CSCRF: cybersecurity and cyber resilience for capital-market entities

The Securities and Exchange Board of India introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) to consolidate cyber requirements for the entities it regulates (stock exchanges, depositories, brokers, mutual funds, registrars and other intermediaries) into a single graded framework. It replaces a patchwork of earlier circulars with a structured set of controls organised around identify, protect, detect, respond and recover outcomes.

CSCRF is notable for being graded: entities are classified into categories based on size and criticality, and the depth of the obligations (audits, VAPT, SOC arrangements and reporting) scales with that classification. Common threads include periodic VAPT and cyber audits, security operations and monitoring, incident reporting to SEBI, and governance at board level.

CSCRF has a phased applicability across regulated-entity categories, with different compliance dates for different cohorts, and SEBI has issued clarifications and timeline extensions since publication. The category that applies to you, and the date by which it applies, should be checked against SEBI's current CSCRF circular and any subsequent amendments rather than assumed.

  • Applies to: SEBI-regulated entities, exchanges, depositories, brokers, mutual funds, registrars, intermediaries
  • Structure: a graded framework, obligations scale with the entity's classification
  • Core duties: periodic VAPT and cyber audit, monitoring/SOC, incident reporting, board governance
  • Phased applicability by cohort, confirm your category and date against the current SEBI circular

IRDAI: information and cybersecurity for insurers

The Insurance Regulatory and Development Authority of India sets information and cybersecurity expectations for insurers, reinsurers and insurance intermediaries through its information and cybersecurity guidelines. The framework requires a governance structure, a board-approved cybersecurity policy, and a designated Chief Information Security Officer accountable for the programme.

Operationally, regulated insurers are expected to run periodic information security audits and VAPT, maintain incident detection and reporting, manage third-party and outsourcing risk, and report cyber incidents in line with both IRDAI and CERT-In requirements. As with the other financial regulators, audits are commonly expected to be performed by qualified, CERT-In empanelled assessors.

IRDAI's guidelines have been revised over time, including consolidation and updates to align with broader national cyber expectations. Confirm the current version of the IRDAI information and cybersecurity guidelines, and the specific obligations for your entity type, against IRDAI's published guidelines before relying on a particular requirement or date.

  • Applies to: insurers, reinsurers and insurance intermediaries regulated by IRDAI
  • Governance: board-approved cyber policy and a designated CISO
  • Operational: periodic IS audit and VAPT, incident reporting, third-party/outsourcing risk
  • Guidelines are revised periodically, verify the current version against IRDAI

How the pieces fit together

For most Indian buyers the stack is layered, not either-or. The DPDP Act applies horizontally to your personal data wherever you sit. CERT-In's incident, logging and time-sync obligations apply to virtually anyone operating ICT systems in India. On top of that, your sector regulator, RBI, SEBI or IRDAI, adds audit, resilience and reporting duties calibrated to your licence.

The good news is that the controls overlap heavily. A strong incident-response capability satisfies CERT-In's six-hour rule and feeds your RBI, SEBI and IRDAI incident reporting. A single comprehensive, CERT-In aligned audit can underpin several financial-regulator filings. Building consent, breach and audit machinery once, then mapping it across regimes, is far more efficient than treating each rule as a separate project.

  • Horizontal: DPDP Act for personal data; CERT-In for incident reporting, logging and time sync
  • Vertical: RBI, SEBI or IRDAI sector obligations on top, depending on your licence
  • Efficiency: build once, map across regimes, reuse incident response and audit evidence
  • Always verify phase dates and applicability thresholds against the primary source

How IntelligenceX helps

IntelligenceX advises, assesses and prepares organisations for India's regulatory stack. We do not issue the certificates or sign the regulator audits ourselves, and we are not yet CERT-In empanelled. Where an empanelled auditor or accredited body is required, we prepare you for that engagement and work alongside it so the formal sign-off goes smoothly.

Our compliance services map directly to the regimes above. DPDP Act readiness covers gap assessment, consent-architecture review, DPIAs and the independent-audit preparation expected of Significant Data Fiduciaries. CERT-In Audit support builds your six-hour reporting playbook, validates 180-day in-India log retention and NTP configuration, and prepares you for comprehensive ICT audits. RBI IS Audit support readies your IT and security controls for the periodic IS audit and board reporting. SEBI CSCRF support helps you place your entity in the right category and meet its graded VAPT, monitoring and reporting duties. IRDAI Audit support prepares insurers for their information-security audit, VAPT and incident-reporting obligations.

Across all five, the pattern is the same: we assess the gap, build the controls and evidence, and support you through the formal audit or filing, mapping shared controls so you do the work once. Talk to our team to scope the regimes that apply to you.

Frequently asked questions

What is DPDPA?

DPDPA is shorthand for India's Digital Personal Data Protection Act 2023, the country's first comprehensive data-protection law. It governs the processing of digital personal data of individuals in India, requiring valid consent, security safeguards, breach notification and data-principal rights, with extra duties for organisations designated as Significant Data Fiduciaries.

Who does the DPDPA apply to?

The DPDPA applies to any organisation (a Data Fiduciary) that processes the digital personal data of individuals in India, and it can reach certain offshore processing aimed at people in India. It is sector-agnostic, so it applies on top of any financial, health or other sector rules you already follow.

What is a CERT-In audit?

A CERT-In audit is a cybersecurity audit conducted in line with CERT-In's directions and audit guidelines, typically by a CERT-In empanelled auditor. It assesses your security controls, incident-response readiness, log retention and time synchronisation, and is often required to support RBI, SEBI and IRDAI filings. IntelligenceX prepares organisations for these audits but is not itself CERT-In empanelled.

Is GDPR or ISO 27001 compliance enough for India?

No. GDPR and ISO 27001 give you a strong head start on security and privacy controls, but they do not equal DPDP Act compliance or satisfy CERT-In, RBI, SEBI or IRDAI obligations. India's rules add specific duties such as six-hour incident reporting, in-country log retention and sector audits that you must address separately.

Talk to a security specialist today

A penetration test, an audit or 24/7 monitoring: our team is ready in the UK, US, EU and India.