The Reserve Bank of India is moving to close a gap its November 2023 Master Direction left open: the assumption that outsourcing governance on paper is the same as resilience in practice. The anticipated update reframes cloud and IT outsourcing as a sectoral concentration problem, not just a vendor management problem.
What RBI tightened
The November 2023 Master Direction set the baseline: a board-approved IT strategy, an IT Strategy Committee, third-party risk management, and incident reporting. RBI’s emerging direction, signalled through recent supervisory communications, layers operational evidence on top of that baseline. The common theme is that concentration risk and exit readiness must be measurable, not merely documented.
- Concentration risk register — quarterly disclosure listing every material IT and cloud provider, the share of critical workloads on each, and a substitutability score.
- Annual cloud DR test — live failover for every Tier-1 application on a hyperscaler, with board sign-off on recovery time and recovery point achieved.
- Board-attested exit plan — a tested, dated exit runbook covering data localisation evidence, key escrow status, and a costed migration window.
- Fourth-party visibility — disclosure of sub-contractors used by the primary provider for any service touching customer data.
- Outage attestation — a 24-hour root-cause submission for customer-impacting outages, replacing the current 6-hour summary.
Who is in scope and from when
| Layer | Category | Effective date | Key new obligation |
|---|---|---|---|
| Top Layer | Identified NBFC-TL | October 2026 | All five controls; quarterly concentration register |
| Upper Layer | NBFC-UL | October 2026 | Annual cloud DR test, exit plan, fourth-party disclosure |
| Middle Layer | NBFC-ML (assets above INR 5,000 crore) | April 2027 | Exit plan and annual DR test; concentration register half-yearly |
| Base Layer | NBFC-BL | Under review | Proportionate exit plan; no DR test mandate yet |
The concentration-risk angle
The supervisory concern is not any single hyperscaler. It is that the Indian regulated financial sector has migrated a disproportionate share of its critical workloads onto two or three cloud providers and a small number of core banking vendors. A regional outage at any one of them now produces a sectoral event, not a single-firm event. Recent outages and their cascading impact on UPI rails and NBFC origination flows have made the concentration thesis concrete. A tested exit plan is the only credible answer to substitutability — without it, concentration risk is unmeasured by definition.
What to do in the next 90 days
- Commission a first-pass concentration register listing every IT and cloud provider supporting a material business service, with workload percentages.
- Identify the Tier-1 applications that have never had a live cloud failover test, and schedule one for the current financial year.
- Draft an exit plan template covering data extraction format, key escrow, localisation evidence, and a costed migration window; circulate to legal and procurement.
- Get the IT Strategy Committee to add concentration risk and exit readiness as standing agenda items.
- Ask each material vendor for a written list of sub-contractors touching customer data, with locations.
- Update the incident response runbook to support a 24-hour root-cause submission window; pre-stage the template fields.
- Brief the board on the October 2026 deadline and compliance cost envelope so capex is approved before financial year end.