What BFSI Organisations Need to Know in 2026
The compliance obligations facing Indian BFSI organisations with respect to their data centre infrastructure have changed substantially in the past three years. New regulations have been issued, existing frameworks have been strengthened, and the enforcement posture of regulators has shifted from guidance-oriented to examination-oriented. For banks, NBFCs, insurance companies, payment operators and market infrastructure institutions, the question of whether their data centre infrastructure meets current regulatory expectations is no longer theoretical.
This article maps the current regulatory landscape as it applies to BFSI data centre infrastructure in India, identifies the compliance gaps that Technavious most commonly encounters during BFSI facility audits, and explains how an integrated approach to certification and compliance reduces regulatory exposure while improving operational resilience.
Note: this article references regulatory frameworks as understood at the time of publication (June 2026). BFSI organisations should refer directly to the relevant regulator for current requirements and seek qualified legal and compliance advice on their specific obligations.
RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices
The Reserve Bank of India’s Master Direction on IT governance, issued in 2023 and applicable to scheduled commercial banks, urban cooperative banks, NBFCs and payment system operators, establishes comprehensive requirements for IT infrastructure governance. For data centre infrastructure specifically, the Direction requires: formal IT risk management processes covering physical infrastructure risks; documented business continuity and disaster recovery arrangements tested against defined RTOs and RPOs; third-party risk management covering data centre service providers; and periodic assurance reviews of IT infrastructure controls.
RBI IT examinations now assess not just whether these policies exist, but whether they are implemented and effective. Data centre infrastructure that has not been formally assessed, documented and tested against the Direction’s requirements is a regulatory examination risk.
SEBI Circular on Cybersecurity and Cyber Resilience Framework
SEBI’s cybersecurity framework for market infrastructure institutions (stock exchanges, depositories, clearing corporations) and regulated intermediaries includes specific requirements for critical infrastructure resilience. The framework requires formal risk assessment of critical infrastructure, defined availability targets for systems supporting market operations, documented and tested DR arrangements, and third-party security
assessments of hosted infrastructure. The physical security and resilience requirements of the framework apply directly to data centre facilities hosting regulated market systems.
Digital Personal Data Protection Act, 2023
The DPDP Act imposes obligations on Data Fiduciaries and Data Processors to implement appropriate technical and organisational measures to protect personal data. The Act does not prescribe specific technical standards, but the regulatory guidance developing around it is clear that infrastructure security, including the physical and logical security of data centre facilities processing personal data, is within scope of the security obligation. For BFSI organisations processing large volumes of customer personal data, the DPDP Act creates a direct regulatory interest in the security posture of their data centre infrastructure.
PCI-DSS 4.0
PCI-DSS version 4.0 became mandatory in April 2024. The new version strengthens several requirements relevant to data centre physical security, including more prescriptive controls around physical access to cardholder data environments, enhanced requirements for media protection and disposal, and a new emphasis on customised implementation approaches that require organisations to document how their specific controls meet the intent of each requirement. For BFSI organisations processing payment card data, PCI-DSS 4.0 compliance review of data centre infrastructure is a near-term requirement.
ISO 27001:2022
The 2022 revision of ISO 27001 introduced updated controls in Annex A that are relevant to data centre infrastructure: new controls around physical security monitoring, threat intelligence, and information deletion -each of which has implications for data centre operations. BFSI organisations that hold ISO 27001 certification (or are seeking it) should review their Statement of Applicability and control implementation against the 2022 revision requirements.
Based on Technavious’s experience conducting compliance audits of BFSI data centre facilities in India, the following gaps appear most consistently:
| Compliance Gap | Regulatory Framework | Typical Remediation |
| Undocumented physical access control – CCTV footage retention below 90 days, visitor logs incomplete | RBI IT Direction, PCI-DSS 4.0, ISO 27001 | Access control policy update, CCTV storage upgrade, visitor management system |
| DR testing not conducted to defined RTO/RPO – tests exist on paper but results not formally documented | RBI IT Direction, SEBI Cyber Framework | DR test programme redesign, formal test reporting and board sign-off |
| TVRA not maintained – risk assessment more than 2 years old, no evidence of periodic review | RBI IT Direction, ISO 27001, TIA 942C | Fresh TVRA against current threat landscape, quarterly register review process |
| Third-party data centre contracts lack adequate security and audit clauses | RBI IT Direction, DPDP Act | Contract review and amendment, right-to-audit clauses, annual security assessment requirement |
| Fire suppression system not tested under live IT load conditions | TIA 942C, local fire code, PCI-DSS | Full fire suppression test programme including actuation test with IT load simulation |
| UPS runtime not validated at current IT load – battery capacity not tested since installation | RBI IT Direction, TIA 942C | Battery runtime test under actual IT load, replacement where capacity below specification |
The concept of operational resilience, the ability of an organisation to prevent, adapt to, respond to, recover from and learn from operational disruptions, has moved from best practice to regulatory requirement for Indian BFSI organisations. RBI’s IT Direction and SEBI’s cyber resilience framework both use the language of operational resilience explicitly, and their requirements go beyond traditional business continuity planning.
For data centre infrastructure, operational resilience has specific infrastructure implications:
• Availability targets must be defined and documented at the infrastructure level, not just at the application or service level
• The physical infrastructure must be designed and certified to meet those availability targets, not assumed to be adequate
• Failure scenarios must be tested, not just planned for, and test results must be documented and presented to the board
• Third-party data centre providers must be held to the same resilience standards as captive facilities, and their compliance must be verified, not assumed
TIA 942C certification provides a framework for demonstrating that the physical infrastructure meets defined availability and resilience standards. An organisation that can present a TIA 942C Rated Certificate for its data centre infrastructure has objective, third-party evidence that the facility was designed and built to meet a defined resilience standard – evidence that carries weight with regulators, auditors, insurers and board-level governance.
Technavious has deep experience working with BFSI organisations on data centre compliance and certification. The practice covers the full spectrum of BFSI infrastructure compliance requirements:
• RBI IT Direction compliance gap assessment – a structured review of data centre infrastructure controls against the Master Direction’s requirements, producing a prioritised remediation plan
• TVRA – Threat, Vulnerability and Risk Assessment conducted to TIA 942C and ISO 27001 standards, producing documentation suitable for RBI examination submission
• TIA 942C certification – as India’s only ANSI/TIA Certification Body, Technavious can issue TIA 942C Rated Certificates that provide objective evidence of infrastructure resilience
• ISO 27001 support – gap assessment and remediation advisory against the 2022 revision, with integration of physical infrastructure controls
• PCI-DSS 4.0 infrastructure review – assessment of cardholder data environment physical security controls against version 4.0 requirements
• DR testing programme design and execution – formal DR test programmes that produce documented evidence of RTO/RPO capability for regulatory submission
