Indian Compliance, Decoded.
Every framework that actually matters for Indian businesses — DPDP, RBI, SEBI, CERT-In, IRDAI, PCI-DSS, ABDM, ISO 27001, SOC 2. What it requires, who it applies to, what to do this quarter.
Frameworks every Indian business must comply with
If you process digital data in India or operate any IT infrastructure here, these two are non-negotiable regardless of size or sector.
DPDP Act 2023
India's privacy law. 14 sections covering consent, Data Principal rights, Significant Data Fiduciaries, cross-border transfers, breach notification, and ₹250 crore maximum penalties.
CERT-In Direction
Six-hour cyber-incident reporting to CERT-In, 180-day log retention, customer KYC retention for 5 years post-cancellation, server-time NTP sync. Non-negotiable since June 2022.
IT Act 2000 + IT Rules
India's foundational cyber law: §43A compensation, §69 interception, §70A NCIIPC, §70B CERT-In, §79 intermediary safe harbour. Plus IT Rules 2021 — Grievance Officer, Chief Compliance Officer, traceability, content takedowns. DPDP supersedes parts of §43A; everything else still applies.
Sector-specific cyber regulations
If your sector is regulated, you have a layered compliance regime: DPDP plus your sector authority's own cyber requirements. These usually have a shorter cadence and stricter audit obligations than DPDP alone.
RBI Cyber Security Framework
Master Direction on IT Governance, Risk, Controls and Assurance (Nov 2023) plus Cyber Security Framework. Annual VAPT, board-approved cyber strategy, CISO appointment, incident reporting to RBI within 2-6 hours, third-party risk obligations.
SEBI CSCRF
Cyber Security and Cyber Resilience Framework — granular MITRE ATT&CK-aligned controls, mandatory MII categorisation, SOC requirements, immediate reporting to stock exchanges, annual VAPT plus quarterly vulnerability scanning.
IRDAI Cyber Guidelines
Information and Cyber Security Guidelines covering identity, network, application, data security; mandatory CISO; annual independent assurance; sectoral incident reporting to IRDAI plus CERT-In; specific obligations for cloud-based insurance services.
ABDM & Health Data
Ayushman Bharat Digital Mission compliance — Health ID, HFR/HPR registration, EHR Standards 2016, Electronic Health Records compliance, NDHB framework, Health Data Management Policy. Cross-references DPDP for sensitive personal data.
PCI-DSS v4.0
Payment Card Industry Data Security Standard — 12 control objectives, 300+ requirements. Annual SAQ for small merchants; ROC for Level 1 (over 6M transactions/year). Network segmentation, encryption, quarterly ASV scans, annual pen test.
TRAI / DoT Cyber Rules
Unified Licence security requirements, lawful interception obligations, customer data localisation under DoT directions, annual security audit by CERT-In empanelled auditors, incident reporting to NCIIPC for critical telecom infrastructure.
NCIIPC Guidelines
India's nodal agency for Critical Information Infrastructure protection, set up under IT Act §70A in 2014. Designation as a "Protected System" under §70 makes unauthorised access a criminal offence (up to 10 years). Mandatory CISO, network segmentation, 6-hour incident reporting to NCIIPC, annual CERT-In empanelled audit, mandatory sectoral advisory consumption.
International & voluntary frameworks
These are not legally mandatory in India but are routinely required by enterprise buyers, EU customers, US clients, payment partners, and as evidence under DPDP §8(5) reasonable security obligations.
ISO 27001:2022
93 Annex A controls, formal ISMS, third-party certifiable. The most universally recognised security certification — typically the first one Indian SaaS pursues for global market access.
SOC 2 (Type I & II)
Five Trust Service Criteria (Security mandatory; Availability, Processing Integrity, Confidentiality, Privacy optional). Type II requires 6-12 months of evidence. The de facto US enterprise sales requirement.
HIPAA (for US healthcare)
Health Insurance Portability and Accountability Act — Privacy Rule, Security Rule, Breach Notification Rule. Required if you process PHI on behalf of US covered entities. BAA + annual risk analysis + breach notification within 60 days.
GDPR (for EU customers)
EU General Data Protection Regulation. If you sell to EU customers or process their data, you are in scope regardless of where your servers are. €20M or 4% global revenue maximum penalty. Many DPDP obligations are GDPR-equivalent.
NIST CSF 2.0
NIST Cybersecurity Framework 2.0 (Feb 2024) — six Core Functions (Govern, Identify, Protect, Detect, Respond, Recover), 23 categories, 106 subcategories. Voluntary but cited by RBI IT Master Direction and SEBI CSCRF. Use as the spine for ISO 27001 / SOC 2 evidence and DPDP §8 reasonable-security claims.
What applies to my business?
Find your sector below. The frameworks listed are typically expected as a baseline — your specific obligations depend on size, customer mix, and regulator categorisation.
| Sector | Mandatory | Strongly recommended |
|---|---|---|
| Banks & NBFCs | DPDP, CERT-In, RBI Cyber Framework | ISO 27001, PCI-DSS (if cards) |
| Payment / fintech | DPDP, CERT-In, RBI PA-PG | PCI-DSS, ISO 27001, SOC 2 |
| Stock brokers / MFs | DPDP, CERT-In, SEBI CSCRF | ISO 27001 |
| Insurance | DPDP, CERT-In, IRDAI Cyber Guidelines | ISO 27001, SOC 2 |
| Healthcare / healthtech | DPDP, CERT-In, ABDM (if integrated) | ISO 27001, HIPAA (if US PHI) |
| SaaS B2B (India only) | DPDP, CERT-In | ISO 27001 (enterprise sales) |
| SaaS B2B (US/EU customers) | DPDP, CERT-In | SOC 2 Type II, ISO 27001, GDPR readiness |
| E-commerce | DPDP, CERT-In | PCI-DSS (if cards), ISO 27001 |
| Telecom / ISP | DPDP, CERT-In, DoT Cyber rules | ISO 27001 |
| Manufacturing / OT | DPDP, CERT-In | IEC 62443, ISO 27001 |
| Critical infra (NCIIPC) | DPDP, CERT-In, NCIIPC Guidelines | IEC 62443, ISO 27001, NIST CSF |
Common compliance questions
Eight questions we hear repeatedly from CTOs, CISOs, and compliance leads at Indian businesses.
Which compliance framework should I prioritise first?
Start with what's mandatory for your sector + DPDP + CERT-In, since those carry regulatory enforcement. Then layer ISO 27001 / SOC 2 / PCI-DSS based on customer demand. Trying to do all of them in parallel without sequencing typically produces evidence chaos. The summary table above maps the typical sequence by sector.
Are DPDP Rules in force, or do we wait?
The Act is in force. Several Rules have been notified (consent management, breach notification format, children's data verification, SDF designation criteria); some remain pending. Most fiduciary obligations are clear from the Act itself — don't wait for full Rules to start building. Read the DPDP pillar for the practical sequence.
Is ISO 27001 enough, or do we still need SOC 2?
For Indian customers and global enterprise sales — ISO 27001 is widely recognised. For US enterprise SaaS sales — SOC 2 Type II is often required. They overlap heavily on controls; many firms get SOC 2 first (faster to ship for Series-A/B SaaS) and add ISO 27001 within 12-18 months. The control evidence largely transfers.
What's the difference between RBI Cyber Framework and SEBI CSCRF?
RBI's framework is outcome-oriented and broad — built around principles. SEBI's CSCRF (Aug 2024) is more prescriptive — control-mapped with explicit MITRE ATT&CK alignment, RE categorisation, and audit-cadence specifics. If your entity is regulated by both (e.g., a broker that's also an NBFC), both apply and the audit programme must satisfy both. Read the RBI guide and CSCRF guide for the operational difference.
Do we need a CERT-In empanelled auditor?
For RBI / SEBI / IRDAI / NCIIPC / NPCI workloads — yes. Each framework explicitly references CERT-In empanelment. For non-regulated SOC 2 / ISO 27001 audits, empanelment is not required, but a credentialed firm with a strong methodology is what to look for. The VAPT pillar has more detail on auditor selection.
Are we a "Significant Data Fiduciary" under DPDP §10?
SDF designation comes from the Central Government based on volume, sensitivity, risk to data principals, sovereignty/security/electoral integrity, and other listed factors. Fintech, healthtech, large e-commerce, social media, edtech, and many BPOs are likely candidates. SDFs must appoint a DPO, run DPIAs, and undergo independent data audits. Build SDF capability proactively if you're plausibly in scope.
How does DPDP interact with sectoral regulations?
DPDP is the cross-cutting baseline. Sectoral regulators (RBI, SEBI, IRDAI, UIDAI, NPCI, DoT, NCIIPC, ABDM) layer on top with stricter or more specific obligations. Where they diverge, the more stringent applies. Practical tip: run DPDP compliance as a foundation; layer sectoral specifics. Don't try to map sectoral controls to DPDP after the fact.
What if we serve EU or US customers from India?
EU customers → GDPR applies (Article 3 extra-territorial scope). You need SCCs plus a Transfer Impact Assessment for transfers to India, and an EU Representative is typically required. US healthcare clients → HIPAA cascades through BAAs. US enterprise customers → SOC 2 Type II is often a sales requirement. All of these layer on top of DPDP, not instead of it.
Map all this to your environment
A 30-minute consultation with a senior practitioner. You walk away with a prioritised compliance map for your sector — what's mandatory, what's strategic, what to ship in the next 90 days.