In May 2025, five major Indian banks were fined a total of ₹2.5 crore in a single enforcement round. One of them received the highest penalty, ₹97.80 lakh, partly for failing to report a cybersecurity incident to the RBI within the prescribed timeline, as reported by Business Standard.
None of these institutions lacked a cybersecurity function. What they lacked was the operational discipline to execute their frameworks correctly under regulatory scrutiny.
Achieving full RBI IT compliance is no longer a documentation milestone. It is an ongoing operational standard, and the gap between having a policy and being able to demonstrate it is exactly where most regulated entities get caught.
What the RBI actually expects today
The governing framework is the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (ITG-RC&AP), issued in November 2023 and effective from 1 April 2024. It applies to all scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, NBFCs in the Top, Upper and Middle Layers, Credit Information Companies and All India Financial Institutions.
For non-bank Payment System Operators (PSOs), such as card networks, payment aggregators and prepaid instrument issuers, a separate and additional direction applies: the Master Direction on Cyber Resilience and Digital Payment Security Controls, issued in July 2024. Its compliance timelines are phased: large PSOs by April 2025, medium PSOs by April 2026 and small PSOs by April 2028.
The RBI has been explicit that cybersecurity is a board-level concern, not a CIO problem. The Master Direction operationalises that expectation with specific governance structures, technical control requirements and assurance obligations, all of which are verified during supervisory inspections.
The most common finding RBI inspectors surface is not missing policies but the gap between documented policies and actual implementation: institutions that have frameworks on paper but have not operationalised them.
The 6-step roadmap for achieving full RBI IT compliance
The six steps below translate the Master Direction’s requirements into a structured, sequenced implementation programme. For regulated entities starting from a low base, a phased approach is practical, but progress at each stage must be evidenced, not merely asserted.
Gap assessment
Before implementing controls, map your current policies, technical controls and documentation against the Master Direction’s requirements domain by domain: IT governance, information security, cybersecurity, incident response, BCP/DR, IS audit and vendor risk. This assessment becomes the compliance roadmap, identifying what is missing, what is partially implemented and what requires full remediation.
Governance setup
A board-approved IT and cybersecurity policy, a CISO who reports outside the IT function and a documented IT risk-management framework are the baseline requirements the RBI expects every regulated entity to have in place. The Board IT Strategy Committee and IT Steering Committee must be formally constituted, with defined terms of reference and documented meeting cadences.
Technical controls implementation
Network segmentation between corporate and core banking environments, privileged access management with session recording, endpoint protection on critical systems and encryption of data at rest and in transit are the baseline technical controls the RBI examines. Audit logging must be enabled on databases and on server operating systems; the absence of database audit logs was specifically cited in the enforcement action against Bank of Bahrain & Kuwait BSC.
VAPT programme
The RBI’s Master Directions position VAPT as a core assurance activity: not merely good practice but part of the minimum set of controls expected for secure operations. For banks and upper/middle layer NBFCs, this means quarterly vulnerability assessments and annual penetration testing, with findings formally reported to the board and remediation tracked to documented closure.
SOC and incident response operationalisation
A 24/7 Security Operations Centre is a key requirement under the RBI’s Cybersecurity Framework. Alongside establishing the SOC, regulated entities must register on the RBI’s Centralised Information Management System (CIMS) before an incident occurs, not after. Major cyber incidents require an initial report within 6 hours and a detailed root cause analysis within 21 days.
Continuous assurance
Achieving full RBI IT compliance requires sustained effort. Regulated entities must regularly re-test implemented controls and adjust them as the environment changes. In practice this means annual IS audits by an independent audit function, periodic board cybersecurity reports, vendor risk reassessments at defined intervals and policy reviews following any material change to the environment or any major incident.
Where regulated entities fall short
Understanding what regulators actually look for during supervisory inspections is as important as building the controls themselves. Based on documented enforcement actions and inspection findings, the most common compliance failures are:
- Incident reporting delays: The 6-hour initial CIMS reporting window is non-negotiable.
- SOC gaps: Either the SOC is not operational on a 24/7 basis, or monitoring coverage excludes critical systems like core banking and payment gateways.
- VAPT scope too narrow: Assessments that cover only internet-facing systems and exclude internal networks, APIs and third-party integrations fail the Master Direction’s expectations.
- Board reports absent or superficial: The board must receive regular, substantive cybersecurity posture reports – not just policy approvals signed once a year.
- Vendor risk documentation missing: Third-party risk assessments are often absent or do not cover concentration risk, supply chain exposure or contractual SLA enforcement.
- Policy-practice gaps: The most common inspection finding is a documented policy that specifies, for example, monthly vulnerability assessments, with no evidence that the assessments were actually conducted.
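The continuous-assurance step and the policy-practice gap above both come down to the same question: can you produce dated evidence for every scheduled assessment and show every finding tracked to closure? The following added example (not code from the original article or from CyberNX) shows one way to answer it mechanically from an in-house evidence register. The register layout, the quarterly-VA/annual-PT cadence, the remediation SLA days and the sample records are all assumptions made for the illustration; substitute your own policy values.

```python
"""Cadence and closure check over a VAPT evidence register.

Added example, not an RBI tool or the article's own code.  Assumes a
simple register of assessment records and findings (list of dicts), the
cadence the article describes (quarterly VA, annual PT) and SLA days that
are assumptions for the example.
"""
from datetime import date, timedelta

# Remediation SLA per severity, in days.  Assumed values for illustration.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Constructed sample register for one review year.  The Q3 entry has no
# report artefact behind it, which is exactly the "policy says it was done,
# nothing proves it" situation an inspector would flag.
EVIDENCE = [
    {"type": "VA", "date": date(2025, 1, 15), "scope": "core-banking", "report": "VA-2025-01.pdf"},
    {"type": "VA", "date": date(2025, 4, 10), "scope": "core-banking", "report": "VA-2025-04.pdf"},
    {"type": "PT", "date": date(2025, 6, 2), "scope": "internet-facing", "report": "PT-2025-06.pdf"},
    {"type": "VA", "date": date(2025, 7, 14), "scope": "core-banking", "report": None},
    {"type": "VA", "date": date(2025, 10, 20), "scope": "core-banking", "report": "VA-2025-10.pdf"},
]

# Constructed findings: one closed within SLA, one critical and one low still open.
FINDINGS = [
    {"id": "F-001", "severity": "critical", "opened": date(2025, 6, 3), "closed": date(2025, 6, 20)},
    {"id": "F-002", "severity": "critical", "opened": date(2025, 6, 3), "closed": None},
    {"id": "F-003", "severity": "low", "opened": date(2025, 4, 11), "closed": None},
]


def quarter(d: date) -> int:
    """Calendar quarter (1-4) of a date."""
    return (d.month - 1) // 3 + 1


def cadence_gaps(evidence, year):
    """List the evidence gaps for one review year.

    A record only counts as evidence when it points at a report artefact;
    a dated entry with nothing behind it is reported as its own gap and does
    not satisfy the cadence.
    """
    gaps = []
    covered_quarters = set()
    pt_seen = False
    for rec in evidence:
        if rec["date"].year != year:
            continue
        if not rec.get("report"):
            gaps.append(f"{rec['type']} dated {rec['date']} ({rec['scope']}) has no report artefact")
            continue
        if rec["type"] == "VA":
            covered_quarters.add(quarter(rec["date"]))
        elif rec["type"] == "PT":
            pt_seen = True
    for q in range(1, 5):
        if q not in covered_quarters:
            gaps.append(f"VA missing for {year}-Q{q}")
    if not pt_seen:
        gaps.append(f"PT missing for {year}")
    return gaps


def overdue_findings(findings, as_of):
    """IDs of findings still open past their severity SLA on the given date."""
    overdue = []
    for f in findings:
        if f["closed"] is not None:
            continue
        due = f["opened"] + timedelta(days=SLA_DAYS[f["severity"]])
        if as_of > due:
            overdue.append(f["id"])
    return overdue


def compliance_report(evidence, findings, year, as_of):
    """Combine both checks into the summary a board pack or auditor would want."""
    return {
        "cadence_gaps": cadence_gaps(evidence, year),
        "overdue_findings": overdue_findings(findings, as_of),
    }


if __name__ == "__main__":
    for key, items in compliance_report(EVIDENCE, FINDINGS, 2025, date(2025, 12, 31)).items():
        print(key)
        for item in items:
            print("  -", item)
```

Run against the constructed register, the report flags the undocumented Q3 assessment, the resulting Q3 coverage gap, and the two findings that are open past their SLA. The useful property is that the same register feeds both the quarterly board report and the inspection evidence pack, so the two can never disagree.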
Conclusion
Achieving full RBI IT compliance is a continuous governance obligation. The RBI’s enforcement posture makes clear that the question is not whether an institution has a cybersecurity policy, but whether that policy is operationally embedded, regularly tested and evidenced at every level from the SOC to the boardroom.
At CyberNX, our RBI Master Direction Compliance Services support regulated entities through the entire compliance journey, from gap assessment and policy drafting to VAPT, SOC alignment, CIMS readiness and IS audit. If your institution is working toward achieving full RBI IT compliance and needs expert guidance, our team is ready to help. Connect with us today and build a compliance programme that holds up under inspection.
Achieving Full RBI IT Compliance FAQs
What is the RBI Master Direction on IT Governance and who does it apply to?
The Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices was issued in November 2023 and came into effect on April 1, 2024. It applies to all scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, NBFCs in the Top, Upper and Middle Layers, Credit Information Companies and All India Financial Institutions including EXIM Bank, NABARD, NHB and SIDBI. A separate direction covering Cyber Resilience and Digital Payment Security Controls applies to non-bank Payment System Operators, with phased timelines through 2028.
What are the most common reasons regulated entities fail RBI IT compliance inspections?
Based on documented enforcement actions, the most common failures are missing or delayed cyber incident reporting to CIMS, a SOC that is not operational 24/7, VAPT scope that excludes internal systems and APIs, a board that does not receive substantive cybersecurity reports, and vendor risk assessments that are superficial or absent. The pattern is policies that exist on paper but have not been operationalised.
How frequently must VAPT be conducted under the RBI Master Direction?
Banks and upper and middle layer NBFCs are required to conduct quarterly vulnerability assessments and annual penetration testing on critical information systems. Findings must be formally reported to the board, and remediation must be tracked and evidenced to closure. For non-bank PSOs under the July 2024 direction, VAPT must be conducted before deployment or redeployment of services, in addition to periodic assessments.
What is CIMS and why does it matter for RBI IT compliance?
CIMS – the RBI’s Centralised Information Management System – is the mandatory portal for reporting cyber incidents. Regulated entities must register on CIMS before an incident occurs. Major cyber incidents require an initial report within 6 hours, and a detailed root cause analysis within 21 days. Failure to report within these timelines is one of the most directly penalised compliance failures under the RBI’s cybersecurity framework.