Scroll to top

RBI MD on IT: A Compliance Guide

April 8, 2026 RBI Compliance

The Reserve Bank of India's Master Directions on Information Technology (RBI MD on IT) consolidate IT governance, cybersecurity, and audit requirements for scheduled commercial banks, primary urban cooperative banks, NBFCs, and payment system providers. Here's what the Master Directions require and how regulated entities should approach compliance.

  1. Who Must Comply

    The RBI MD on IT applies to: scheduled commercial banks (including foreign banks operating in India), primary urban cooperative banks with assets above a threshold, Non-Banking Financial Companies (NBFCs), Payment System Providers, and certain credit information companies. Smaller cooperative banks and NBFCs may face proportionate requirements based on their size and systemic importance.

  2. The Cybersecurity Framework Requirement

    RBI requires each regulated entity to implement a Board-approved Cybersecurity Policy and establish a robust cybersecurity framework. The framework must include: governance structure with Board oversight, risk-based identification of critical systems, security controls aligned to the entity's risk profile, incident detection and response capabilities, and regular cybersecurity assessments.

  3. IS Audit Requirements

    Banks and NBFCs must conduct periodic Information Security Audits by CERT-In empanelled auditors. The IS audit must cover all critical IT systems, assess control adequacy, and produce findings that are reported to the Board's IT Strategy Committee or equivalent governance body. Audit findings must be tracked to closure with Board visibility on open items.

  4. IT Governance Structure

    RBI MD on IT requires a governance structure that includes: an IT Strategy Committee at the Board level; a management-level IT Steering Committee; an IS function with a designated CISO; and a Board-approved IT policy framework. For smaller NBFCs, proportionate governance arrangements are acceptable, but Board ownership of IT risk is non-negotiable.

  5. Business Continuity and Resilience

    Regulated entities must maintain Business Continuity Plans (BCP) and Disaster Recovery (DR) capabilities tested at least annually. RBI specifies Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for different categories of critical systems. DR testing must be documented and results reported to senior management and the Board.

  6. VinfraSec's RBI Approach

    VinfraSec implements RBI MD on IT compliance using IaC-based cybersecurity controls for Azure India or AWS Mumbai, IS audit preparation and evidence packaging, Board-level governance documentation, and unified log management that satisfies both RBI and CERT-In retention requirements in a single architecture.

Need India Compliance Help?

Book a free gap assessment with VinfraSec.

Book Free Assessment

Free India Compliance Assessment

VinfraSec offers a free DPDPA, CERT-In, or RBI gap assessment. Book a 30-minute call.

Book Now