RBI Cybersecurity Framework: A 2026 Compliance Guide
What the RBI Cybersecurity Framework actually requires of banks, NBFCs, and payment system providers in 2026 — translated from circular language into an action plan.
The Reserve Bank of India has been steadily expanding its cybersecurity expectations for regulated entities since the 2016 framework circular. By 2026 the requirements span direct circulars (the master direction on IT governance), thematic guidance (cyber resilience, IT outsourcing, digital lending), and operational expectations baked into supervisory exams.
If you're a CISO or compliance head at a regulated entity, this is the practical map.
Who is in scope
Every commercial bank, cooperative bank, NBFC, payment system operator, and increasingly any financial-sector intermediary that processes payments or holds customer data. RBI has tiered expectations — the largest banks face the deepest requirements, but even smaller NBFCs are now expected to maintain documented IT governance, conduct VAPT, and demonstrate incident response capability.
The four pillars
1. IT governance and risk management
A board-approved IT and cybersecurity policy. A CISO who reports outside the IT function. A documented IT risk-management framework. Periodic risk assessments. RBI has been explicit that cybersecurity is a board-level concern, not a CIO problem.
2. Technical controls
Network segmentation between corporate and core banking. Privileged access management with session recording. Endpoint protection on critical systems. Data loss prevention. Encryption of customer data at rest and in transit. Patch management with a documented SLA.
3. Vulnerability assessment and penetration testing
VAPT is required at least annually for internet-facing applications, and after any significant change. The expectation in supervisory exams has moved from "did you do a scan" to "did you do a manual penetration test, were the findings remediated, and did you re-test." Reports must be available to inspectors. CERT-In empanelment of the auditor is the de facto standard for acceptance: it is not universally mandated, but supervisors prefer it.
4. Incident response and reporting
Incidents above thresholds must be reported to RBI within stipulated timelines. CERT-In's six-hour reporting window applies in parallel. Banks are expected to maintain a documented incident response plan, conduct tabletop exercises, and have forensic capability either in-house or through a retainer.
What's new in 2026 supervisory focus
Three themes have intensified in recent inspections:
Third-party risk. RBI now expects evidence that critical vendors (cloud, core banking, AML, KYC providers) have been independently assessed. Vendor questionnaires alone are no longer sufficient.
API and digital-channel security. As digital lending and UPI volumes have grown, so has supervisory scrutiny of API authentication, rate limiting, and fraud detection. Open banking expectations are converging with global PSD2 norms.
Operational resilience. Beyond cyber, RBI is pushing for tested business continuity — including scenarios where the cloud provider, the core banking vendor, or the payments switch itself becomes unavailable.
A practical compliance cycle
Annual: full VAPT of internet-facing assets, IT and cybersecurity audit, board review of cyber posture, BCP test.
Quarterly: targeted re-tests of high-risk applications, vendor risk reviews, patch compliance review.
Continuous: vulnerability scanning, log monitoring with a documented retention period, incident response drills, KRI/KPI reporting to risk committees.
How we help
Security Brigade is CERT-In empanelled (continuously since 2008) and has supported BFSI clients through RBI inspections, post-breach remediation, and pre-merger due-diligence cycles. If you need help benchmarking against the framework or scoping a VAPT engagement that maps cleanly to inspector expectations, request a scoping call.
Written by
Security Brigade Editorial Team