The RBI Cybersecurity Framework sets the baseline for banks and NBFCs, and in 2026 the expectations sharpened: independent assessment of critical vendors, mandated annual VAPT, and evidence over self-attestation. Vendor questionnaires alone no longer cut it.
What RBI now expects
- Annual VAPT of critical systems, with findings tracked to closure.
- Independent vendor assessment. Critical third parties — cloud, core banking, AML, KYC — must be independently assessed; a signed questionnaire is no longer sufficient evidence.
- Board ownership. Cybersecurity posture is a board-level responsibility, with reporting to match.
- Incident reporting within the tight RBI window, aligned with CERT-In.
- SOC / continuous monitoring proportionate to the institution’s size and risk.
The vendor-assessment shift is the big one
Most NBFCs run on a stack of third-party platforms. RBI now wants independent evidence that those vendors are secure — which means real assessments of your cloud and fintech partners, not a spreadsheet they filled in themselves. This is where many institutions are out of compliance without realising it.
A practical compliance path
- Scope your critical systems and the vendors that touch them.
- Run (or commission) annual VAPT and an independent assessment of critical vendors.
- Track findings to closure with evidence — auditors want the remediation trail.
- Align incident reporting across RBI, CERT-In, and DPDP into one workflow.
RingSafe delivers RBI-aligned VAPT and independent vendor assessments with boardroom-ready reporting. See our VAPT services.
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.