Policy Watch
Regulatory Intelligence for Indian Critical Infrastructure
CERT-In Information Security Audit Policy 2025
Applies to: Government organisations and critical sector entities required to undergo empanelled auditor assessments
Governs the empanelment and conduct of information security auditing organisations authorised to audit government and critical infrastructure entities. Defines audit scope, methodology, and reporting requirements. Empanelled auditors must follow CERT-In prescribed standards and submit findings directly to CERT-In.
SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) 2024
Applies to: All SEBI-regulated entities including stock exchanges, depositories, brokers, asset management companies, and investment advisers
Comprehensive update to SEBI's cybersecurity framework consolidating multiple earlier circulars. Introduces a risk-based tiering of regulated entities into 5 categories with proportionate controls. Mandates Security Operations Centres, vulnerability assessments, and cyber audits. Replaces the 2019 framework and several standalone circulars.
IRDAI Guidelines on Information and Cyber Security for Insurers 2023
Applies to: All insurers and insurance intermediaries regulated by IRDAI operating in India
Updated guidelines consolidating IRDAI's cybersecurity requirements for the insurance sector. Mandates a board-approved information and cyber security policy, CISO appointment, security operations monitoring, and annual cyber audits. Requires insurers to report cyber incidents to IRDAI within 6 hours consistent with CERT-In directions.
Digital Personal Data Protection Act 2023 (DPDP)
Applies to: All entities processing digital personal data within India, and entities outside India processing such data in connection with offering goods or services to individuals in India
India's first comprehensive data protection law, establishing rights for data principals and obligations for data fiduciaries. Processing must rest on consent or on one of the Act's specified legitimate uses, be limited to the stated purpose, and end with erasure once that purpose is served. Requires notification of personal data breaches to the Data Protection Board of India and to affected data principals. Establishes the Data Protection Board of India to adjudicate non-compliance and impose penalties. The implementing rules are yet to be notified by MeitY, so no enforcement date has been set.
Deadline: Upcoming
CERT-In Directions on Information Security Practices 2022
Applies to: All organisations, government bodies, and service providers operating in India including intermediaries, data centres, and VPN providers
Mandates reporting of 20 listed categories of cyber incidents to CERT-In within 6 hours of noticing them. Requires all covered entities to retain ICT system logs for a rolling period of 180 days within India, and requires data centres, VPS, cloud and VPN service providers to retain subscriber and customer records for 5 years. Mandates synchronisation of ICT system clocks with the NTP servers of NIC or NPL, or with servers traceable to them.
RBI Directions on Cyber Incident Reporting for Payment System Operators
Applies to: All Payment System Operators authorised by RBI including payment aggregators, wallets, and card networks
Mandates reporting of all cyber incidents to RBI within 2 to 6 hours depending on severity. Requires root cause analysis and closure reports within defined timelines. Covers unauthorised transactions, system outages, data breaches, and ransomware. Applies to banks and non-bank payment system operators equally.
RBI Master Direction on IT Framework for NBFCs
Applies to: Non-Banking Financial Companies with asset size of Rs 500 crore and above
Mandates IT governance, IT infrastructure, IT and IS audit, and business continuity planning for large NBFCs. Requires a board-approved IT policy and information security policy. Covers cybersecurity controls, data backup, and recovery requirements proportionate to the size and complexity of the NBFC.
RBI Cybersecurity Framework for Banks 2016
Applies to: All Scheduled Commercial Banks operating in India
Establishes a comprehensive cybersecurity framework for Indian banks covering board-level governance, cyber risk appetite, security operations centre requirements, and incident response. Requires banks to put in place a board-approved cybersecurity policy distinct from their IT policy. Mandates continuous surveillance and reporting of cyber incidents to RBI within 2 to 6 hours of detection.
NCIIPC Guidelines for Critical Information Infrastructure Protection
Applies to: Organisations designated as Critical Information Infrastructure by NCIIPC across energy, transport, banking, telecom, and government sectors
Establishes the national framework for protection of Critical Information Infrastructure under Section 70A of the IT Act. Defines CII designation process, mandates security audits, vulnerability reporting, and incident response for designated entities. NCIIPC serves as the nodal agency for all CII protection matters.
IT Act Section 43A — Reasonable Security Practices
Applies to: All body corporates in India that possess, deal with, or handle sensitive personal data or information
Imposes civil liability, in the form of compensation to the affected person, on body corporates that fail to implement and maintain reasonable security practices and thereby cause wrongful loss or wrongful gain. The SPDI Rules 2011 notified under this section define sensitive personal data or information and recognise IS/ISO/IEC 27001 as an acceptable security standard. Basis for most data breach liability claims in India to date. The DPDP Act 2023 provides for Section 43A to be omitted once the Act's corresponding provisions are brought into force.