RingSafe Regulatory Brief — RBI Cyber Master Direction 2026 — 22 May 2026
What changed
The amendment, issued under [illustrative reference number], tightens the 2024 Master Direction in three significant ways:
- Continuous control monitoring (CCM) — PSOs must run automated control assertions at least every 24 hours against a defined control library (NIST CSF aligned), with quarterly attestation reports to the RBI.
- Board-level cyber risk committee — previously a “preferred practice,” now mandatory for all Category PSOs (payment aggregators, PA-CB, NUE applicants). The committee must include at least one external cyber-domain director.
- 4-hour critical incident notification — tighter than the existing CERT-In 6-hour rule. Applies to ransomware, customer data exposure above 10,000 records, or any incident affecting payment finality.
RingSafe analysis
The CCM requirement is the operationally hardest of the three. Most PSOs we have audited still test controls on a quarterly internal-audit cadence. Moving to daily automated assertions requires either building out detection engineering in-house or buying into a managed CCM platform. The 60-day window between publication and effective date is unrealistic for most mid-sized PSOs.
The board-level committee mandate matters because it shifts the accountability for cyber risk decisions out of the CISO function and into the boardroom — which in turn changes how cyber budget is negotiated and how cyber risk appetite is set. We expect 2026-27 to see a surge in “external cyber director” appointments at Indian payments boards.
What PSOs should do before 1 July
- Map your existing controls to the NIST CSF Subcategories called out in the annexure.
- Identify which of those can be asserted automatically today, and which need tooling investment.
- Brief your board on the committee requirement and begin a director search if you do not already have a qualified candidate.
- Revise your incident response playbook for the 4-hour notification window — including the explicit decision authority for “is this a critical incident?”
- Run a tabletop exercise simulating the new SLA with the regulator notification path.
Mapped frameworks
NIST CSF 2.0: GV.OC, GV.RM, DE.CM-1, RS.CO-2. ISO 27001:2022: A.5.4 (governance), A.5.30 (ICT readiness), A.6.8 (event reporting).
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.