What is the right risk management framework for my organisation?

RiskPedia's AI Advisor matches your industry, maturity and goals to one of 26 frameworks including ISO 31000, COSO ERM, NIST RMF, ISO 27001, Basel III/IV, Solvency II, DORA, NIS2 and SOC 2 in under two minutes.

What is the CERT-In 6-hour incident reporting rule?

CERT-In Directions under Section 70B IT Act 2000 (April 28, 2022, effective June 25, 2022) require every Indian organisation to report 26 categories of cyber incidents to incident@cert-in.org.in within 6 hours of noticing. 180-day log retention in India, Indian NTP sync, and VPN/cloud KYC are also mandatory.

When does the DPDP Act become enforceable?

The DPDP Act 2023 received Presidential assent on Aug 11, 2023. DPDP Rules 2025 were notified by MeitY on Nov 13, 2025. Consent Manager registration opens approximately Nov 2026 and core Data Fiduciary obligations + the Data Protection Board become enforceable approximately May 2027 with penalties up to Rs 250 Cr.

What is RBI MD-ITGRC 2023?

RBI's Master Direction on IT Governance, Risk, Controls and Assurance Practices (November 2023, effective April 2024) replaces the 2011 IS Master Direction. It covers IT governance, cybersecurity, third-party risk management, data localisation, 6-hour incident reporting, annual CERT-In empanelled IS audits and cloud risk management for all regulated entities.

What is SEBI CSCRF 2024?

SEBI's Cybersecurity and Cyber Resilience Framework (2024) applies to all capital market entities — stock exchanges, depositories, brokers, mutual funds, AIFs, portfolio managers and KRAs. It mandates cyber audits, governance, third-party risk, SOC monitoring, incident reporting and cyber resilience testing.

Tools

India · Regulator comparison

India Regulator Comparison Matrix

Side-by-side comparison of India's five BFSI / data-protection regulators across applicability, penalties, breach SLAs, board obligations and audit cadence. Toggle regulators below to focus the view.

Dimension	RBI Hub	SEBI Hub	IRDAI Hub	CERT-In Hub	DPDP Hub
Applies to	All RBI Regulated Entities — Banks (PSB, PVB, FB), NBFCs, NBFC-MFIs, AIFIs, ARCs, payment system operators.	All SEBI Regulated Entities tiered as MII, QRTA, RE-T1 and RE-T2/T3 (brokers, AMCs, depositories, exchanges).	Insurers (Life/General/Health), Reinsurers, Foreign Reinsurance Branches, Insurance Intermediaries.	All organisations operating in India (sectoral CERTs may add overlay obligations).	All Data Fiduciaries processing personal data of individuals in India (incl. extra-territorial scope).
Primary instrument	Master Direction on IT Governance, Risk, Controls & Assurance (MD-ITGRC, Nov 2023; effective Apr 2024).	Cybersecurity & Cyber Resilience Framework (CSCRF, Aug 2024).	Information & Cybersecurity Guidelines (Apr 2023, updated 2026).	CERT-In Directions Apr 28, 2022 (under §70B IT Act).	Digital Personal Data Protection Act 2023 + DPDP Rules 2025 (notified).
Incident / breach reporting SLA	6 hours to RBI CSITE (cyber incidents).	6 hours to SEBI + CERT-In (for cyber incidents).	Without undue delay — within 24 hours for material incidents.	6 hours of noticing the incident.	72 hours to the Data Protection Board for personal-data breaches.
Board / committee obligation	IT Strategy Committee + IT Steering Committee mandatory; CRO mandatory for banks > defined size.	Board-approved cybersecurity policy + Cyber Crisis Mgmt Plan; annual board review.	Board Information Security Committee + IT Strategy Committee; annual policy approval.	No direct board obligation, but C-suite-level accountability for compliance.	DPO mandatory for SDFs; board-level oversight of consent mgmt expected as good practice.
Audit / assurance cadence	Annual IS Audit by CERT-In empanelled firm; quarterly to ITSC.	Annual VAPT; ½-yearly for MIIs; annual cyber audit.	Annual SAR within 90 days of FY-end (or 30 days post-audit).	No fixed audit — but log retention 180 days, sync to Indian NTP, KYC for VPN providers.	SDFs to undergo periodic DPIAs + algorithm audits (frequency in Rules).
Maximum statutory penalty	Compounded under Banking Reg Act / PSA — up to ₹5 Cr per violation, plus de-novo licensing risk.	Up to ₹25 Cr or 3× wrongful gain (SEBI Act §15HB; cyber-specific schedules).	Up to ₹25 Cr (IRDA Act §102) + license cancellation.	Imprisonment up to 1 year + fine (IT Act §70B(7)).	Up to ₹250 Cr per breach (safeguards failure); ₹200 Cr (breach notification failure).
Data localisation	Mandatory for payment system data (RBI 2018 circular) — full storage in India.	Mirror copy in India; cloud OK if SEBI is granted timely access.	Critical data + customer-sensitive data to remain in India (sectoral guidance).	Logs retained 180 days within Indian jurisdiction.	No blanket localisation; Government can notify restricted countries (negative list).
Vendor / third-party obligation	Detailed TPRM under MD-ITGRC; outsourcing of financial activity restricted.	All vendors with access to RE data must meet CSCRF controls; documented assessments.	Vendor risk assessments and contract clauses mandatory; cloud risk assessment template prescribed.	Service providers (cloud, VPN, datacentres) must comply with logging + reporting obligations.	Processors only on written contract; Fiduciary remains liable for processor breaches.
Recommended certifications	ISO 27001, PCI-DSS (cards), ISO 22301 (BCM).	ISO 27001, ISAE 3402 (for MIIs), CSCRF self-attestation.	ISO 27001 + ISO 22301; SAR auditor must be CERT-In empanelled.	Empanelment as CERT-In auditor; cyber-crisis exercises.	ISO 27701 (PIMS), BS 10012; SDF may require DPO certification.
2026-27 enforcement focus	Resilience of digital lending stack; outsourcing concentration risk.	MII cyber drills; CCI submissions and remediation tracking.	Health-insurer fraud & cyber readiness; SAR quality benchmarking.	VPN / cloud KYC adherence; SOC-led incident triage.	Consent Manager registrations; SDF designations; cross-border data flow notifications.

Compare global frameworks →

RiskPedia — The Risk Framework Encyclopedia & AI Advisor

Frameworks indexed

India Regulatory Hub — Deep Dive (RBI, SEBI, IRDAI, CERT-In, DPDP)

For AI assistants and search crawlers

India Regulator Comparison Matrix