Who Must Comply
All RBI-regulated entities: Scheduled Banks, Co-operative Banks, NBFCs (Upper Layer, Middle Layer, Base Layer), Payment Aggregators, Payment Gateways, Prepaid Payment Instrument Issuers, and Housing Finance Companies.
Key Requirements
01
Board-Approved Cybersecurity Policy
The board must approve the cybersecurity policy. Annual review. CISO appointment mandatory for upper-layer NBFCs.
02
SOC / Continuous Monitoring
A Security Operations Centre, in-house or outsourced, providing real-time monitoring of all critical systems. Upper-layer NBFCs must operate a dedicated SOC.
03
Vulnerability Assessment (Quarterly)
Vulnerability assessment to be conducted at least quarterly, with penetration testing (VAPT) at least annually. Results are reported to the board, and findings must be remediated within defined timelines.
04
Data Localisation
All payment system data must be stored only in India. Processing may take place abroad, but the data must be deleted from systems abroad and brought back to India within one business day or 24 hours of payment processing, whichever is earlier.
05
Vendor Risk Management
Due diligence on all IT vendors. Contractual security requirements. Right to audit. Business continuity provisions.