Cybersecurity Compliance in India: DPDP Act, CERT-In, RBI, SEBI and ISO 27001 Explained


Cybersecurity compliance in India has changed substantially in recent years. Between the Digital Personal Data Protection (DPDP) Act 2023, the CERT-In Directions of April 2022, and sector-specific frameworks from RBI and SEBI, Indian businesses now face several overlapping regimes, each with its own reporting clocks, retention periods and audit expectations. Non-compliance can result in penalties running into crores of rupees, in addition to reputational damage and operational disruption. This guide breaks down each major cybersecurity compliance framework in India: what it is, who it applies to, and what complying with it involves.

1. DPDP Act 2023: India’s Data Protection Law

The Digital Personal Data Protection (DPDP) Act 2023 is India's first comprehensive data protection legislation. It is frequently compared with GDPR, but it is a shorter, principles-based law whose details are filled in by rules and notifications issued by the Central Government, and its provisions come into force on the dates notified. The Act governs how Data Fiduciaries (organizations that decide the purpose and means of processing) collect, process, store and transfer digital personal data of Data Principals (the individuals the data relates to).

Who Does It Apply To?

The DPDP Act applies to the processing of digital personal data within India, and to processing outside India when it is in connection with offering goods or services to individuals in India. Applicability therefore turns on where the Data Principals are, not on where the organization is incorporated: Indian companies, foreign companies serving Indian users, and government bodies are all covered (with specific exemptions for certain State functions). Data processed by an individual for personal or domestic purposes, and data the Data Principal has made publicly available, fall outside the Act.

Key Requirements

  • Consent or a legitimate use: Personal data may be processed only for a lawful purpose, either with the Data Principal's consent or for one of the "legitimate uses" the Act lists (for example, data voluntarily provided for a specified purpose, or processing for medical emergencies). Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, preceded by a plain-language notice, and must be as easy to withdraw as it was to give.
  • Significant Data Fiduciary (SDF) obligations: The Central Government may notify a Data Fiduciary as an SDF based on the volume and sensitivity of data it processes and the risk to Data Principals and to the State. SDFs must conduct periodic Data Protection Impact Assessments (DPIAs) and independent data audits, and appoint a Data Protection Officer based in India who reports to the board.
  • Data Principal Rights: Individuals have the right to a summary of the personal data being processed and of the processing activities, to correction, completion, updating and erasure of their data, to grievance redressal, and to nominate another person to exercise these rights in case of death or incapacity. The Act does not create a data portability right.
  • Data Fiduciary Obligations: Every Data Fiduciary must implement reasonable security safeguards to prevent a breach, notify the Data Protection Board and each affected Data Principal of a breach within the timelines prescribed under the DPDP Rules, publish the contact details of a person who can answer Data Principals' questions about processing, and ensure the accuracy and completeness of data used for decisions that affect the individual.
  • Cross-border transfer: The Act does not impose general data localization. Transfers are permitted to any country or territory except those restricted by Central Government notification, and any sectoral law that imposes a stricter localization requirement (such as RBI's payment data circular) continues to apply.
  • Data Retention: Personal data must be erased, and Data Processors made to erase it, once the specified purpose is no longer being served or consent is withdrawn, unless retention is required under law.

Penalties for Non-Compliance

The DPDP Act imposes significant financial penalties for violations:

  • Up to ₹250 crore for failure to take reasonable security safeguards to prevent a personal data breach
  • Up to ₹200 crore for failure to notify the Board and affected Data Principals of a breach
  • Up to ₹200 crore for non-compliance with the obligations relating to children's data
  • Up to ₹150 crore for an SDF's failure to meet its additional obligations
  • Up to ₹50 crore for any other breach of the Act or its rules

Penalties are imposed by the Data Protection Board after an inquiry, and the Board must consider factors such as the nature and duration of the breach, the data affected, and any mitigating action taken.

Given these substantial penalties, DPDP Act compliance is not optional — it is a business imperative for any organization handling personal data.

How to Comply with DPDP Act

A step-by-step approach to DPDP Act compliance:

  1. Conduct a data mapping exercise to understand what personal data you collect, where it is stored, and how it flows
  2. Review and update privacy policies and consent mechanisms
  3. Implement technical security measures (encryption, access controls, logging, monitoring)
  4. Establish incident response and breach notification procedures
  5. Appoint a Data Protection Officer based in India if notified as a Significant Data Fiduciary; otherwise publish the contact details of a person who can answer Data Principals' questions
  6. Conduct Data Protection Impact Assessments and independent audits as required for Significant Data Fiduciaries, and as good practice for any high-risk processing
  7. Train employees on data protection principles and procedures
  8. Regularly audit and review compliance status

2. CERT-In Compliance

The Indian Computer Emergency Response Team (CERT-In) operates under the Ministry of Electronics and Information Technology (MeitY) and is the national agency for cyber incident response under section 70B of the Information Technology Act, 2000. On 28 April 2022, CERT-In issued binding Directions under section 70B(6) that apply to service providers, intermediaries, data centres, body corporates and government organisations, and that came into effect sixty days later.

Key Requirements

  • Incident Reporting: Cyber incidents of the types listed in the Directions must be reported to CERT-In within 6 hours of noticing them or being notified of them. The list includes data breaches and data leaks, ransomware, denial-of-service attacks, website defacements, targeted intrusions and scanning or probing of critical systems, and the 6-hour clock starts at detection, not at confirmation of impact.
  • Point of Contact: Each organisation must designate a point of contact to liaise with CERT-In and keep the details current.
  • Log Retention: Logs of all ICT systems must be enabled and maintained securely for a rolling period of 180 days, and must be kept within Indian jurisdiction. They must be provided to CERT-In on request or alongside an incident report.
  • Time Synchronisation: All ICT system clocks must be synchronised to the NTP servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to them. Organisations with infrastructure in several geographies may use other accurate time sources for systems outside India, provided the time source does not deviate from NIC/NPL.
  • Subscriber KYC: Data centres, virtual private server (VPS) providers, cloud service providers and VPN service providers must register and keep validated customer details (names, contact information, IP addresses allotted, purpose of hire, ownership pattern) for five years after the service ends. Virtual asset service providers, exchanges and custodian wallet providers must keep KYC and transaction records for five years.
  • Empanelled auditors: The Directions themselves do not set a VAPT schedule. CERT-In separately maintains a list of empanelled information security auditing organisations, and sectoral regulators such as RBI and SEBI require VAPT and audits to be carried out by these empanelled firms.

The CERT-In Directions are mandatory for every covered entity operating in India, and non-compliance is punishable under section 70B(7) of the IT Act. The 180-day log window and the 6-hour reporting clock are the two requirements most often missed in practice: rotated logs that are shipped off-shore, or a log pipeline that silently drops data for a few days, both break the rolling window.
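The 180-day rolling window is a continuity requirement, not just a "keep old files" requirement: a log-shipper outage in the middle of the window leaves a gap that an auditor will ask about. The following is an added example, not code from the original article or from CERT-In, that checks a set of retained log files for end-to-end coverage of the window. It assumes each file can be described by the timestamps of its first and last record (readable from the files themselves or from shipper metadata), insists on timezone-aware timestamps so that clocks synced to NIC/NPL compare correctly, and treats the file names, dates and the March outage as constructed sample data. The one-hour tolerance for rotation seams is an assumption you should tune to your own rotation interval.

```python
"""Retention-coverage check for the CERT-In 180-day rolling log window.

Added example, not from the original article or from CERT-In. Each retained
log file is modelled by the timestamps of its first and last record; the
report says whether the window ending at `now` is covered end to end.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180                    # CERT-In Directions, April 2022
DEFAULT_TOLERANCE = timedelta(hours=1)  # ignore rotation seams shorter than this (assumption)
UTC = timezone.utc


@dataclass(frozen=True)
class LogFile:
    name: str
    first: datetime  # timestamp of the first record, timezone-aware
    last: datetime   # timestamp of the last record, timezone-aware


def _require_aware(dt: datetime, label: str) -> datetime:
    """Reject naive timestamps: logs stamped in local time without an offset
    cannot be compared reliably across hosts, even if all are NTP-synced."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"{label}: timestamp must be timezone-aware, got {dt!r}")
    return dt


def coverage_gaps(files, now, retention_days=RETENTION_DAYS, tolerance=DEFAULT_TOLERANCE):
    """Return [(gap_start, gap_end), ...] for stretches of the window with no log data."""
    now = _require_aware(now, "now")
    window_start = now - timedelta(days=retention_days)
    # Clip every file to the window; drop files lying entirely outside it.
    intervals = []
    for f in files:
        first = _require_aware(f.first, f.name)
        last = _require_aware(f.last, f.name)
        if last < window_start or first > now:
            continue
        intervals.append((max(first, window_start), min(last, now)))
    intervals.sort()
    # Sweep the window left to right; any jump larger than `tolerance` is a gap.
    gaps = []
    cursor = window_start
    for start, end in intervals:
        if start - cursor > tolerance:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if now - cursor > tolerance:
        gaps.append((cursor, now))
    return gaps


def retention_report(files, now, retention_days=RETENTION_DAYS):
    """Summarise coverage as plain values suitable for a compliance dashboard."""
    gaps = coverage_gaps(files, now, retention_days)
    uncovered = sum((end - start for start, end in gaps), timedelta())
    return {
        "window_start": (now - timedelta(days=retention_days)).isoformat(),
        "compliant": not gaps,
        "gaps": [(s.isoformat(), e.isoformat()) for s, e in gaps],
        "uncovered_hours": uncovered.total_seconds() / 3600,
    }


# Constructed sample data: monthly rotated syslog with a shipper outage in March.
NOW = datetime(2025, 6, 30, tzinfo=UTC)
SAMPLE_FILES = [
    LogFile("syslog-2024Q4", datetime(2024, 10, 1, tzinfo=UTC), datetime(2024, 12, 31, 23, 59, 59, tzinfo=UTC)),
    LogFile("syslog-2025-01", datetime(2025, 1, 1, tzinfo=UTC), datetime(2025, 1, 31, 23, 59, 59, tzinfo=UTC)),
    LogFile("syslog-2025-02", datetime(2025, 2, 1, tzinfo=UTC), datetime(2025, 2, 28, 23, 59, 59, tzinfo=UTC)),
    LogFile("syslog-2025-03a", datetime(2025, 3, 1, tzinfo=UTC), datetime(2025, 3, 10, 8, tzinfo=UTC)),
    LogFile("syslog-2025-03b", datetime(2025, 3, 12, 14, tzinfo=UTC), datetime(2025, 3, 31, 23, 59, 59, tzinfo=UTC)),
    LogFile("syslog-2025-Q2", datetime(2025, 4, 1, tzinfo=UTC), NOW),
]
# Same set with March restored from the collector's local buffer.
REPAIRED_FILES = [f for f in SAMPLE_FILES if not f.name.startswith("syslog-2025-03")] + [
    LogFile("syslog-2025-03", datetime(2025, 3, 1, tzinfo=UTC), datetime(2025, 3, 31, 23, 59, 59, tzinfo=UTC)),
]

if __name__ == "__main__":
    print(retention_report(SAMPLE_FILES, NOW))
    print(retention_report(REPAIRED_FILES, NOW))
```

Run against the sample set, the report flags a single gap of 54 hours between 10 March 08:00 and 12 March 14:00 and marks the window non-compliant; the repaired set passes. The one-second seams between monthly files fall inside the tolerance and are ignored. In production you would feed the function from an inventory of shipped files, run it daily, and alert on `compliant == False` well before an incident forces you to hand the logs to CERT-In.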

3. RBI Cybersecurity Framework

The Reserve Bank of India (RBI) regulates the cybersecurity of the financial sector through a set of circulars and Master Directions rather than a single document. The core pieces are the Cyber Security Framework in Banks (June 2016) for Scheduled Commercial Banks, the graded Cyber Security Framework for Urban Co-operative Banks, the IT Framework for NBFCs (2017), and the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023), which now applies to banks and larger NBFCs alike. Together they aim to make India's financial sector resilient to cyber threats.

Who Does It Apply To?

  • All Scheduled Commercial Banks (SCBs)
  • All NBFCs (with different timelines based on size and complexity)
  • Payment System Operators
  • Credit Information Companies

Key Requirements

  • Board-approved Cybersecurity Policy: A comprehensive policy covering all aspects of cybersecurity, reviewed annually by the Board of Directors.
  • Security Operations Center (SOC): Banks must establish a SOC for 24×7 monitoring or subscribe to an MSSP.
  • VAPT: Annual penetration testing and vulnerability assessment of all critical systems.
  • Incident Response: Mandatory reporting of cyber incidents to RBI within 2-6 hours of detection, depending on severity.
  • Cyber Crisis Management Plan (CCMP): A documented plan for handling cyber crises with regular drills and simulations.
  • Third-Party Risk Management: Due diligence and ongoing monitoring of all third-party service providers and vendors.
  • Data Localization: All payment system data must be stored within India, as per RBI’s 2018 circular on data storage.
  • ISO 27001 Certification: RBI's frameworks do not mandate ISO 27001. Many regulated entities nevertheless adopt it as the basis of their information security management system, because an ISO 27001 certificate maps cleanly onto the board-approved policy, risk assessment and audit evidence that RBI inspections ask for.

4. SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)

SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), issued in August 2024, consolidates SEBI's earlier cybersecurity circulars into one framework for all SEBI-regulated entities: Market Infrastructure Institutions (stock exchanges, clearing corporations and depositories), stock brokers, depository participants, asset management companies (AMCs), and other intermediaries. Requirements are graded by category (MIIs, Qualified REs, mid-size, small-size and self-certification REs), so smaller entities carry a lighter set of obligations than MIIs.

Key Requirements

  • CISO Appointment: A designated Chief Information Security Officer (CISO) must be appointed.
  • Cyber Security Policy: A documented and board-approved cybersecurity policy.
  • VAPT: Periodic vulnerability assessment and penetration testing by CERT-In empanelled auditors, with MIIs and Qualified REs tested more frequently than smaller REs, and critical findings remediated within the deadlines the framework sets for each category.
  • Audit Logs: Logs must be retained for the period the framework specifies, which is substantially longer than CERT-In's 180-day minimum; the stricter requirement governs where both apply.
  • Incident Reporting: Cyber incidents must be reported to SEBI within 6 hours of detection, in line with the CERT-In reporting window.
  • Business Continuity and Disaster Recovery: Documented BC/DR plans with annual testing.
  • Software Bill of Materials (SBOM): An SBOM must be maintained for critical systems so that vulnerable third-party components can be identified quickly.
  • Cyber Insurance: Entities should evaluate cyber insurance coverage as part of their risk management, sized to their risk profile.
  • Third-Party Audits: Audits of all third-party service providers and vendors with access to critical systems.

5. ISO 27001: The Gold Standard for Information Security

Contact P J Networks today for a consultation.
