India's converging regime on IT governance, outsourcing and DPDP
The RBI's IT Governance Direction took effect on 1 April 2024, the IT outsourcing master direction is in force, and the DPDP Act is being operationalised. Together they reshape resilience expectations for Indian financial firms.

India's regulatory landscape for technology and operational resilience moved decisively in 2023 and 2024. The Reserve Bank of India issued the Master Direction on Outsourcing of Information Technology Services in April 2023, followed by the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices in November 2023, with effect from 1 April 2024. The Digital Personal Data Protection Act was passed in August 2023, with rules and operational guidance being phased in. The three instruments together set the perimeter for resilience and data handling across regulated entities.
The IT Governance Direction is the most consequential change for boards and senior management. It requires regulated entities to establish a robust IT governance framework, with clear roles for the board, an IT strategy committee at board level and an IT steering committee at the executive level. It sets expectations on information security, business continuity, disaster recovery, change management and audit. It also defines minimum standards for risk assessment of significant IT projects and for the management of end-of-life systems, which has been a persistent supervisory concern.
The Outsourcing of IT Services Direction sits alongside and applies whether the service is provided by a group entity, a domestic vendor or a cross-border provider. Regulated entities remain accountable for outsourced services and must conduct due diligence proportionate to the criticality of the service, maintain contractual rights including audit and inspection and ensure that data localisation, confidentiality and exit arrangements are properly addressed. The direction also expects active monitoring of the service provider's performance and risk posture across the life of the arrangement.
The DPDP Act introduces a comprehensive data protection regime grounded in consent, purpose limitation and obligations on data fiduciaries to implement reasonable security safeguards. Significant data fiduciaries face additional obligations, including data protection impact assessments and the appointment of a data protection officer. Personal data breach notification to the Data Protection Board is required, and the operational detail of timelines and process is being settled through subordinate rules. Cross-border transfer is permitted to jurisdictions other than those specifically restricted by the government.
Digital payments resilience is a parallel and intense supervisory focus. UPI now handles a very large share of retail payments by volume, and the wider digital public infrastructure stack supports a growing share of financial and government services. The RBI has signalled clearly that recovery for UPI-dependent services and the broader payments stack must be tested as a system, not only at the level of individual participants. Recent disruptions, including a notable UPI outage earlier this year, reinforced the point.
Cyber expectations are layered on top through the RBI's cyber security framework for banks and equivalent guidance for other entity types, with CERT-In's six-hour reporting requirement for significant cyber incidents under the April 2022 directions sitting alongside sectoral requirements. Regulated entities therefore manage at least two notification clocks during an incident. Practical readiness requires a single playbook that captures both, rather than separate processes that risk inconsistency under pressure.
For Indian institutions setting priorities, three workstreams tend to matter most. Reconcile the IT Governance Direction's board and committee expectations with how decisions actually flow today, because the supervisory test is the practice, not the structure. Treat the IT outsourcing direction and DPDP as a single data and third-party programme rather than two parallel ones. And rehearse incidents that engage the CERT-In and sectoral clocks simultaneously, because the next significant event almost certainly will.

