Running a fintech company in India means navigating one of the most complex regulatory environments in the world. You are not just building a product — you are building a product that must comply with requirements from the RBI, SEBI, CERT-In, IRDAI, and now the DPDP Act, often simultaneously. Miss any one of these, and you face penalties, license revocation, or worse — customer data breaches that destroy trust overnight.
This guide breaks down exactly what cybersecurity compliance looks like for Indian fintech companies in 2026 — no generic frameworks, no theoretical advice, just the specific requirements you need to meet and how to meet them.
The Regulatory Landscape for Indian Fintech in 2026
Indian fintech companies operate under multiple overlapping regulatory frameworks. Which ones apply to you depends on your specific business model:
| Business Type | Primary Regulator | Key Frameworks |
|---|---|---|
| Digital Lending / NBFCs | RBI | RBI Cybersecurity Framework, IT Governance Guidelines |
| Payment Aggregators / PPI | RBI | PA/PG Guidelines, PCI DSS, RBI Cybersecurity Framework |
| Stock Brokers / Mutual Fund Platforms | SEBI | SEBI CSCRF, SEBI Circular on Cybersecurity |
| Insurance Tech | IRDAI | IRDAI Cybersecurity Guidelines |
| All (processing personal data) | MeitY | DPDP Act 2023 |
| All (Indian entities) | CERT-In | CERT-In Directions April 2022 |
RBI Cybersecurity Framework — What Fintech Companies Must Do
The RBI's cybersecurity requirements come from several instruments rather than a single document: the 2016 Cyber Security Framework for banks, the IT framework and later IT governance directions for NBFCs, and the PA/PG guidelines for payment aggregators. Between them they cover every RBI-regulated fintech. Here are the requirements that fintech companies most often struggle with:
Board-Level Cybersecurity Governance
The RBI requires a Board-approved cybersecurity policy that is reviewed annually. This is not a formality — the Board must demonstrate active oversight of cybersecurity risks. Many fintech startups struggle here because their boards lack cybersecurity expertise.
What you need:
- A documented Cybersecurity Policy approved by the Board
- A designated CISO (or equivalent) reporting to the Board
- Quarterly cybersecurity reports to the Board
- Cyber risk included in the enterprise risk management framework
Security Operations Center (SOC)
RBI-regulated entities need continuous security monitoring. For most fintech companies, building an in-house SOC is impractical and expensive, and a managed SOC (SOC-as-a-Service) is the practical route to 24/7 monitoring at a fraction of the cost. Note that CERT-In empanelment is a list of information security auditing organisations, not of SOC providers: judge a SOC vendor on detection coverage, how quickly it onboards your log sources and how its alerts feed your 6-hour incident reporting process, and use empanelled firms for the audits and VAPT where empanelment is actually required.
Vulnerability Assessment and Penetration Testing (VAPT)
The RBI mandates regular VAPT conducted by CERT-In empanelled auditors. Specific requirements include:
- VAPT of all internet-facing applications before go-live
- Annual comprehensive VAPT of all critical systems
- Vulnerability assessment after any significant changes
- Remediation of critical and high vulnerabilities within defined timelines
Incident Reporting
Cyber incidents must be reported to RBI and CERT-In within 6 hours of detection. Many fintech companies are unprepared for this — they lack the detection capability to identify incidents quickly and the processes to report them within the mandated timeframe.
SEBI CSCRF — For Fintech in Capital Markets
The Securities and Exchange Board of India Cybersecurity and Cyber Resilience Framework (CSCRF) applies to stock brokers, depository participants, mutual fund platforms, and other SEBI-regulated entities. Key requirements include:
Cyber Resilience Framework
- Identify, Protect, Detect, Respond, and Recover functions aligned with NIST CSF
- Annual cybersecurity audit by a CERT-In empanelled auditor
- Quarterly vulnerability assessments
- Incident response plan with defined escalation matrices
Data Localization
SEBI mandates that all data related to Indian capital market operations must be stored in India. This affects your cloud infrastructure choices — you need data centers in India, and your backup and disaster recovery sites must also be within India.
Access Controls and Monitoring
- Multi-factor authentication for all privileged access
- Network segmentation between trading systems and corporate networks
- Real-time monitoring of market-facing systems
- Log retention for minimum 5 years
CERT-In Directions — Universal Requirements
CERT-In’s Directions issued in April 2022 apply to all organizations in India, including fintech companies. These are often underestimated but carry significant compliance weight:
- 6-hour incident reporting: Mandatory reporting of cybersecurity incidents to CERT-In within 6 hours of noticing them
- Log retention: All ICT system logs must be enabled and kept securely for a rolling period of 180 days, within Indian jurisdiction
- Time synchronization: All ICT systems must synchronize with the NIC or NPL NTP servers, or with NTP servers traceable to them
- KYC for VPN, cloud, and VPS providers: Service providers must maintain customer records for 5 years
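Two of these Directions, the NTP source and the 180-day log retention, can be checked mechanically on every host. The script below is an added example written for this guide (it is not the guide's own tooling or anything published by CERT-In): it parses a chrony-style NTP configuration and a systemd journald configuration and returns findings. The sample configs are constructed. The NIC and NPL hostnames in the allowlist (samay1.nic.in, samay2.nic.in, time.nplindia.org) are the ones I understand the Directions' annexure to list; confirm them against the current text before relying on the check.

```python
import re
from typing import Optional

# NIC / NPL NTP hostnames as I understand the Directions' annexure to list them;
# verify against the current text. The Directions also accept servers traceable to these.
MANDATED_NTP = {"samay1.nic.in", "samay2.nic.in", "time.nplindia.org"}
REQUIRED_LOG_DAYS = 180

# Constructed sample configs, not copied from any real host.
CHRONY_CONF = """\
# /etc/chrony/chrony.conf
pool 2.debian.pool.ntp.org iburst
server samay1.nic.in iburst
server samay2.nic.in iburst
makestep 1 3
rtcsync
"""

JOURNALD_CONF = """\
[Journal]
Storage=persistent
SystemMaxUse=2G
MaxRetentionSec=90day
"""

# systemd time-span units; month and year are rounded to 30 and 365 days,
# which is close enough for a threshold check.
_UNIT_SECONDS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
    "month": 30 * 86400, "months": 30 * 86400,
    "y": 365 * 86400, "year": 365 * 86400, "years": 365 * 86400,
}


def parse_systemd_seconds(value: str) -> int:
    """Parse a systemd time span such as '90day', '6 months', '4320h' or bare seconds."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)\s*([A-Za-z]+)", value)
    if not parts:
        raise ValueError(f"cannot parse time span {value!r}")
    total = 0
    for num, unit in parts:
        if unit not in _UNIT_SECONDS:
            raise ValueError(f"unknown unit {unit!r} in {value!r}")
        total += int(num) * _UNIT_SECONDS[unit]
    return total


def _strip(line: str) -> str:
    """Drop comments and surrounding whitespace from a config line."""
    return line.split("#", 1)[0].strip()


def ntp_sources(chrony_conf: str) -> list:
    """Hostnames named by server/pool/peer directives."""
    hosts = []
    for raw in chrony_conf.splitlines():
        parts = _strip(raw).split()
        if len(parts) >= 2 and parts[0] in ("server", "pool", "peer"):
            hosts.append(parts[1])
    return hosts


def journald_retention_days(journald_conf: str) -> Optional[float]:
    """Days implied by MaxRetentionSec; None when unset or 0, in which case journald
    prunes only by size and no time-based retention can be demonstrated."""
    for raw in journald_conf.splitlines():
        line = _strip(raw)
        if line.startswith("MaxRetentionSec="):
            secs = parse_systemd_seconds(line.split("=", 1)[1])
            return secs / 86400 if secs > 0 else None
    return None


def assess(chrony_conf: str, journald_conf: str) -> list:
    """Findings against the NTP and 180-day retention Directions; empty means pass."""
    findings = []
    hosts = ntp_sources(chrony_conf)
    if not any(h in MANDATED_NTP for h in hosts):
        findings.append("NTP: no NIC or NPL server configured")
    for h in hosts:
        if h not in MANDATED_NTP:
            findings.append(f"NTP: {h} is not an NIC/NPL server; confirm it is traceable to one")
    days = journald_retention_days(journald_conf)
    if days is None:
        findings.append("LOGS: MaxRetentionSec unset, retention bounded only by size")
    elif days < REQUIRED_LOG_DAYS:
        findings.append(f"LOGS: retention {days:.0f} days < {REQUIRED_LOG_DAYS}")
    return findings


if __name__ == "__main__":
    for finding in assess(CHRONY_CONF, JOURNALD_CONF):
        print(finding)
```

Run it against /etc/chrony/chrony.conf and /etc/systemd/journald.conf on each host (or feed it the rendered output of your configuration management). A journald setting only proves the local copy survives; the 180-day requirement is really about the central store, so apply the same threshold to your SIEM's index lifecycle or object storage retention policy, and keep that store in India as the Directions require.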
DPDP Act 2023 — Data Protection for Fintech
The Digital Personal Data Protection Act 2023 introduces data protection obligations that directly affect fintech operations:
Consent Management
Fintech companies must obtain clear, specific, and informed consent before processing personal data. This means redesigning KYC flows, app onboarding, and data collection processes to include proper consent mechanisms — not buried in terms and conditions, but clear and understandable.
Data Minimization
Collect only the data you need for the stated purpose. Many fintech apps request access to contacts, SMS messages, photos, and location data without legitimate business need. Under the DPDP Act, this over-collection is non-compliant.
Breach Notification
Data breaches affecting personal data must be reported to the Data Protection Board of India and to the affected individuals. The detailed timeline and format are prescribed by the DPDP Rules rather than by the Act itself, so track the current Rules, and build the breach notification procedure now rather than waiting: it has to be exercised alongside the CERT-In and RBI or SEBI reporting paths, since one incident can trigger all of them.
Penalties
Non-compliance penalties under the DPDP Act go up to INR 250 crore — enough to bankrupt most fintech startups. The financial impact of non-compliance now potentially exceeds the cost of proper cybersecurity implementation.
PCI DSS for Payment Fintech
If your fintech company processes, stores, or transmits credit/debit card data, PCI DSS compliance is mandatory. Key requirements include:
- Network segmentation isolating cardholder data environment
- Encryption of card data in transit and at rest
- Regular vulnerability scans by an Approved Scanning Vendor (ASV)
- Annual penetration testing
- Comprehensive access controls and audit logging
- Security awareness training for all personnel
The 6 million figure is the card brands' Level 1 threshold for merchants, above which a QSA-led Report on Compliance is required; smaller merchants may validate with a Self-Assessment Questionnaire (SAQ). A payment aggregator or gateway is a service provider, not a merchant, and service providers reach Level 1 at a far lower volume, so most aggregators should expect a QSA assessment. In every case the acquiring bank or the card brands decide which validation applies, so confirm your level with them rather than assuming an SAQ.
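Logs kept for 180 days under CERT-In must not carry full card numbers, or the retention mandate becomes a PCI DSS storage violation. The following is an added Python example written for this guide (not code from the page, the PCI SSC or any vendor) showing the pieces that belong in a payment service before anything is written to disk: a Luhn check, PCI-style display masking (first six and last four digits), a keyed one-way token that can stand in for the PAN in application tables, and a log scrubber that masks only Luhn-valid card-number runs so order references of similar length are left alone. The log line and card numbers are constructed test values (4111 1111 1111 1111 and 5555 5555 5555 4444 are standard test PANs), and the tokenization design with the HMAC key held in a KMS or HSM is an assumption of the example.

```python
import hashlib
import hmac
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS: at most the first six and last four digits."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed, one-way token that replaces the PAN in application tables.
    Assumed design: the HMAC key lives in a KMS/HSM, never beside the tokens."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_line(line: str) -> str:
    """Mask Luhn-valid card-number runs before the line reaches any log sink."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)  # looks like a PAN but fails Luhn: leave it
    return _PAN_CANDIDATE.sub(_mask, line)


# Constructed log line: the card is a test PAN, the order id is a 16-digit
# number that is not Luhn-valid and must survive scrubbing unchanged.
SAMPLE_LOG = ("2026-01-15T10:02:11Z INFO checkout user=u123 "
              "card=4111 1111 1111 1111 amount=4999 order=4111111111111112")

if __name__ == "__main__":
    print(scrub_line(SAMPLE_LOG))
    print(mask_pan("5555555555554444"))
    print(tokenize_pan("4111111111111111", b"demo-key-from-kms"))
```

Wire scrub_line into the logging formatter or the log shipper so it runs on every line, not just the ones developers remember to sanitise; the Luhn gate keeps false positives (timestamps, order ids, UPI reference numbers) from being mangled, while anything that passes Luhn is treated as a PAN whether or not it really is one.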
Practical Compliance Roadmap for Fintech Startups
Quarter 1: Foundation
- Identify applicable regulations based on your business model
- Conduct a gap assessment against each framework
- Appoint a CISO or engage a virtual CISO service
- Draft cybersecurity and data protection policies
Quarter 2: Core Controls
- Implement MFA, endpoint protection, and network segmentation
- Set up log aggregation and retention (180 days per CERT-In)
- Conduct comprehensive VAPT by a CERT-In empanelled firm
- Implement consent management for DPDP Act compliance
Quarter 3: Monitoring and Response
- Deploy SOC-as-a-Service for continuous monitoring
- Develop and test incident response plan
- Conduct security awareness training for all employees
- Implement vendor risk management program
Quarter 4: Audit and Certification
- Complete regulatory compliance audits
- Obtain required certifications (ISO 27001, PCI DSS as applicable)
- Submit compliance reports to regulators
- Plan for the next year’s compliance cycle
Common Compliance Failures in Indian Fintech
- Treating compliance as a one-time project: Compliance is continuous. Controls degrade, systems change, and regulations evolve. Many fintech companies pass an audit and then neglect security until the next audit cycle.
- Paper compliance without real security: Having policies documented but not implemented. Auditors are increasingly looking for evidence of operational controls, not just policy documents.
- Ignoring the DPDP Act: Many fintech companies are focused on RBI and SEBI compliance but have not started DPDP Act preparation. This is a significant risk as enforcement begins.
- Using non-empanelled auditors for VAPT: RBI and SEBI specifically require CERT-In empanelled auditors. Using non-empanelled firms can result in audit findings being rejected by regulators.
Frequently Asked Questions
Which compliance framework should a fintech startup prioritize first?
Start with CERT-In Directions (mandatory for all), then address your primary regulator’s requirements (RBI for lending/payments, SEBI for capital markets). The DPDP Act should be implemented in parallel. If you process card data, PCI DSS has its own timeline. A gap assessment will help you prioritize based on your specific risk profile.
How much does fintech compliance cost in India?
For an early-stage fintech, expect to invest INR 15–30 lakhs in the first year covering VAPT, compliance consulting, SOC-as-a-Service, and necessary security tools. Ongoing costs typically run INR 10–20 lakhs annually. This is significantly less than the cost of non-compliance — a single regulatory penalty or data breach can run into crores.
Can a startup handle compliance without a full-time CISO?
Yes, through a Virtual CISO (vCISO) service. A vCISO provides strategic cybersecurity leadership on a fractional basis — typically 2–4 days per month — at a fraction of a full-time CISO salary. This is the most practical approach for fintech companies with fewer than 200 employees.
What happens if we miss the CERT-In 6-hour incident reporting deadline?
Non-compliance with CERT-In Directions can result in penalties under the IT Act 2000, including imprisonment up to one year and fines. While enforcement has been selective, CERT-In is increasingly active in monitoring compliance. Having an incident response plan with clear CERT-In reporting procedures is essential.
Is ISO 27001 certification sufficient for RBI compliance?
No. ISO 27001 is a good foundation and demonstrates security maturity, but it does not cover all RBI-specific requirements — particularly around incident reporting timelines, SOC requirements, and specific technical controls mandated by the RBI. You need ISO 27001 plus RBI-specific implementations to be fully compliant.
