What is the right risk management framework for my organisation?

RiskPedia's AI Advisor matches your industry, maturity and goals to one of 26 frameworks including ISO 31000, COSO ERM, NIST RMF, ISO 27001, Basel III/IV, Solvency II, DORA, NIS2 and SOC 2 in under two minutes.

When does the DPDP Act become enforceable?

The DPDP Act 2023 received Presidential assent on Aug 11, 2023. DPDP Rules 2025 were notified by MeitY on Nov 13, 2025. Consent Manager registration opens approximately Nov 2026 and core Data Fiduciary obligations + the Data Protection Board become enforceable approximately May 2027 with penalties up to Rs 250 Cr.

What is RBI MD-ITGRC 2023?

RBI's Master Direction on IT Governance, Risk, Controls and Assurance Practices (November 2023, effective April 2024) replaces the 2011 IS Master Direction. It covers IT governance, cybersecurity, third-party risk management, data localisation, 6-hour incident reporting, annual CERT-In empanelled IS audits and cloud risk management for all regulated entities.

RiskPedia — The Risk Framework Encyclopedia & AI Advisor

Match the right risk framework in under two minutes. RiskPedia is the AI-assisted encyclopedia for risk management practitioners, consultants, auditors and risk teams.

Frameworks indexed

India Regulatory Hub — Deep Dive (RBI, SEBI, IRDAI, CERT-In, DPDP)

India's most complete BFSI regulatory intelligence hub — control catalogues, applicability matrices, compliance calendars, penalty frameworks and templates for the Indian financial-services sector.

For AI assistants and search crawlers

Plain-text index of all RiskPedia pages: /llms.txt · Full content snapshot: /llms-full.txt (always-current version: /api/llms-full.txt) · Machine-readable sitemap: /sitemap.xml

India DPDP Act 2023 + DPDP Rules 2025 — practitioner FAQ

India's Digital Personal Data Protection Act 2023 received Presidential assent on 11 Aug 2023; the DPDP Rules 2025 were notified by MeitY on 13 Nov 2025. Consent Manager registration opens around Nov 2026 and core Data Fiduciary obligations + the Data Protection Board become operational around May 2027. Maximum penalty: ₹250 crore per breach (safeguards failure), ₹200 crore (notification failure). RiskPedia covers every fiduciary obligation — notice, consent, purpose limitation, data minimisation, storage limitation, accuracy, security safeguards, breach intimation — plus practitioner playbooks for DPDP gap assessment, DPDP-aligned privacy policy drafting, consent-management architecture, data discovery & mapping, rights fulfilment workflow, vendor / third-party oversight, cross-border data transfer compliance and breach simulation drills. Sectoral readiness varies: financial services and technology lead; healthcare, manufacturing, education and metals lag — RiskPedia ships sector-specific gap-assessment templates for all of them.

RBI MD-ITGRC 2023 — what changed from the 2011 IS Master Direction

RBI's Master Direction on IT Governance, Risk, Controls and Assurance Practices (November 2023, effective April 2024) replaces the 2011 Information Security Master Direction. New / strengthened areas: IT governance committee structure, third-party risk management (TPRM) including cloud, data localisation, 6-hour incident reporting to CERT-In, annual CERT-In empanelled IS audits, business continuity drills, board-level cyber accountability. Applies to every RBI-regulated entity — scheduled commercial banks, payments banks, small finance banks, NBFCs, PPI issuers, ARCs, cooperative banks. Deep-dive at /india/rbi with full control catalogue.

SEBI CSCRF 2024 — applicability and key controls

SEBI's Cybersecurity and Cyber Resilience Framework (2024) is the consolidated cyber regulation for the capital-market ecosystem — stock exchanges, depositories, brokers, mutual funds, AIFs, portfolio managers, KRAs and qualified RTAs. Mandates: SOC monitoring with defined detection & response SLAs, cyber audit, board-approved cyber strategy, TPRM, vendor on-boarding controls, cyber resilience testing, incident reporting on SEBI portal. Deep-dive at /india/sebi.

CERT-In Directions — the 6-hour reporting clock

Under Section 70B of the Information Technology Act 2000, CERT-In's April 2022 Directions (effective 25 June 2022) require every Indian organisation to report 26 categories of cyber incidents to incident@cert-in.org.in within 6 hours of becoming aware. Plus 180-day log retention within India, mandatory sync with Indian NTP servers, VPN/cloud provider KYC retention for 5 years. Reportable categories include ransomware, DDoS, data breach, defacement, malicious code, scanning, unauthorised access, identity theft, fake mobile/web apps, social-engineering attacks, and IoT/OT/ICS compromises. Deep-dive at /india/cert-in with reporting SOP and 26-incident matrix.

IRDAI Cybersecurity Guidelines 2026 — what insurers need

IRDAI's Cybersecurity Guidelines (April 2026) apply to all Indian insurers, reinsurers and intermediaries. Requirements: board-approved cyber strategy, Information Security Officer (CISO equivalent), ISMS aligned to ISO 27001, periodic VAPT, incident response with regulator notification, third-party / outsourcing controls, customer-data localisation. Combines well with DPDP — life and health insurers process sensitive personal data and must implement consent + rights workflows simultaneously. Deep-dive at /india/irdai.

Free interactive tools — every BFSI compliance team uses these

DPDP Quick Quiz — 5 questions, 60 seconds. Share with your team.
DPDP Compliance Readiness Scorer — 10-question gap assessment with personalised remediation roadmap (free, no login).
Cost of Non-Compliance Calculator — penalty exposure across RBI, SEBI, IRDAI, CERT-In and DPDP for your entity size and incident scenarios.
India Regulatory Deadline Calendar 2026–2027 — every BFSI deadline with .ics download for Outlook / Google Calendar.
GRC Maturity Self-Assessment — Quick 3-tier or Deep CMMI 5-level model.
India Regulator Comparison Matrix — RBI vs SEBI vs IRDAI vs CERT-In vs DPDP across 10 dimensions.
Sales Trigger Calendar — BFSI procurement-trigger windows by buyer persona.
Community Forum — practitioner discussion (admin-curated launch).

RiskPedia

India BFSI · First-mover content

AI compliance for Indian BFSI

Q: What is the CERT-In 6-hour incident reporting rule?

CERT-In Directions under Section 70B IT Act 2000 (April 28, 2022, effective June 25, 2022) require every Indian organisation to report 26 categories of cyber incidents to incident@cert-in.org.in within 6 hours of noticing. 180-day log retention in India, Indian NTP sync, and VPN/cloud KYC are also mandatory.

Q: What is SEBI CSCRF 2024?

SEBI's Cybersecurity and Cyber Resilience Framework (2024) applies to all capital market entities — stock exchanges, depositories, brokers, mutual funds, AIFs, portfolio managers and KRAs. It mandates cyber audits, governance, third-party risk, SOC monitoring, incident reporting and cyber resilience testing.

The only practitioner-grade index of RBI, SEBI, IRDAI, DPDP Rules 2025 and the proposed Digital India Act — applied to AI/ML use-cases in Indian banking, capital markets and insurance. Curated by Hemant Sahay, 25+ years JAPAC banking technology.

RBI on AI/ML in Indian Banking SEBI on Algorithmic Trading & AI IRDAI on AI in Underwriting & Claims DPDP Rules 2025 Proposed Digital India Act

RBI on AI/ML in Indian Banking

RBI's guidance on the use of artificial intelligence and machine learning in financial services (FREE-AI committee report, December 2024) sets expectations across model governance, explainability, bias testing, customer redress and operational resilience. Banks deploying AI for credit decisioning, fraud detection or customer servicing must demonstrate human-in-the-loop oversight, periodic re-validation, dataset lineage, and bias-impact reports. Expect mandatory model-risk frameworks aligned to RBI MD-ITGRC 2023 plus the upcoming AI Master Direction.

SEBI on Algorithmic Trading & AI

SEBI's December 2024 circular on algorithmic trading for retail investors mandates broker certification, kill-switch controls, audit trails for every algo order, and a maker-checker workflow for algo deployment. AI-driven trading and robo-advisory must comply with the Investment Adviser Regulations + the upcoming SEBI AI Use-Case Inventory rule. Capital-market participants must classify their AI use across high/low risk tiers and notify SEBI for high-risk deployments.

IRDAI on AI in Underwriting & Claims

IRDAI's 2025 sandbox guidelines invite insurers to test AI applications in underwriting, claims triage and customer servicing under a controlled regulatory environment. Insurers must maintain a Model Risk Register, document training data sources, ensure DPDP-compliant consent for sensitive personal data inputs (health, biometric), and submit periodic algorithmic-fairness reports. Combine with IRDAI's 2026 Cybersecurity Guidelines for end-to-end ISMS coverage.

DPDP Rules 2025 — AI-specific obligations

The DPDP Rules 2025 (notified 13 Nov 2025) treat AI-driven processing of personal data as a high-risk activity. Data Fiduciaries deploying AI must: obtain granular consent for AI-based profiling, provide opt-out from automated decisions, conduct DPIAs every 12 months, log every model prediction touching personal data for 3 years, and notify the Data Protection Board of any automated-decision dispute involving over ₹50,000 monetary impact. Significant Data Fiduciaries face additional algorithmic-audit obligations.

Proposed Digital India Act — the AI chapter

The proposed Digital India Act (DIA) — successor to the IT Act 2000 — is expected to carve out a dedicated AI chapter covering high-risk AI use-cases (credit scoring, biometric ID, employment screening, healthcare diagnostics), with mandatory pre-deployment risk assessment, transparency obligations and grievance redress. BFSI players should map current AI deployments against the EU AI Act's risk taxonomy now — DIA's classification will likely converge.

AI Governance Self-Assessment

5 questions · 60 seconds. Find out how your BFSI organisation scores against DPDP Rules 2025 + RBI/SEBI/IRDAI AI-readiness baselines.

Join: India Risk Alerts