RBI Compliance and Data Centre Resilience

  • July 13, 2026

What BFSI Organisations Need to Know in 2026

The Regulatory Environment Has Changed. Has Your Data Centre?

The compliance obligations facing Indian BFSI organisations with respect to their data centre infrastructure have changed substantially in the past three years. New regulations have been issued, existing frameworks have been strengthened, and the enforcement posture of regulators has shifted from guidance-oriented to examination-oriented. For banks, NBFCs, insurance companies, payment operators and market infrastructure institutions, the question of whether their data centre infrastructure meets current regulatory expectations is no longer theoretical.

This article maps the current regulatory landscape as it applies to BFSI data centre infrastructure in India, identifies the compliance gaps that Technavious most commonly encounters during BFSI facility audits, and explains how an integrated approach to certification and compliance reduces regulatory exposure while improving operational resilience.

Note: this article references regulatory frameworks as understood at the time of publication (June 2026). BFSI organisations should refer directly to the relevant regulator for current requirements and seek qualified legal and compliance advice on their specific obligations.

The Regulatory Landscape: What Applies to BFSI Data Centres in 2026

RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices

The Reserve Bank of India’s Master Direction on IT governance, issued in 2023 and applicable to scheduled commercial banks, urban cooperative banks, NBFCs and payment system operators, establishes comprehensive requirements for IT infrastructure governance. For data centre infrastructure specifically, the Direction requires: formal IT risk management processes covering physical infrastructure risks; documented business continuity and disaster recovery arrangements tested against defined RTOs and RPOs; third-party risk management covering data centre service providers; and periodic assurance reviews of IT infrastructure controls.

RBI IT examinations now assess not just whether these policies exist, but whether they are implemented and effective. Data centre infrastructure that has not been formally assessed, documented and tested against the Direction’s requirements is a regulatory examination risk.

SEBI Circular on Cybersecurity and Cyber Resilience Framework

SEBI’s cybersecurity framework for market infrastructure institutions (stock exchanges, depositories, clearing corporations) and regulated intermediaries includes specific requirements for critical infrastructure resilience. The framework requires formal risk assessment of critical infrastructure, defined availability targets for systems supporting market operations, documented and tested DR arrangements, and third-party security

assessments of hosted infrastructure. The physical security and resilience requirements of the framework apply directly to data centre facilities hosting regulated market systems.

Digital Personal Data Protection Act, 2023

The DPDP Act imposes obligations on Data Fiduciaries and Data Processors to implement appropriate technical and organisational measures to protect personal data. The Act does not prescribe specific technical standards, but the regulatory guidance developing around it is clear that infrastructure security, including the physical and logical security of data centre facilities processing personal data, is within scope of the security obligation. For BFSI organisations processing large volumes of customer personal data, the DPDP Act creates a direct regulatory interest in the security posture of their data centre infrastructure.

PCI-DSS 4.0

PCI-DSS version 4.0 became mandatory in April 2024. The new version strengthens several requirements relevant to data centre physical security, including more prescriptive controls around physical access to cardholder data environments, enhanced requirements for media protection and disposal, and a new emphasis on customised implementation approaches that require organisations to document how their specific controls meet the intent of each requirement. For BFSI organisations processing payment card data, PCI-DSS 4.0 compliance review of data centre infrastructure is a near-term requirement.

ISO 27001:2022

The 2022 revision of ISO 27001 introduced updated controls in Annex A that are relevant to data centre infrastructure: new controls around physical security monitoring, threat intelligence, and information deletion -each of which has implications for data centre operations. BFSI organisations that hold ISO 27001 certification (or are seeking it) should review their Statement of Applicability and control implementation against the 2022 revision requirements.

The Most Common Compliance Gaps in BFSI Data Centre Audits

Based on Technavious’s experience conducting compliance audits of BFSI data centre facilities in India, the following gaps appear most consistently:

Compliance GapRegulatory FrameworkTypical Remediation
Undocumented physical access
control – CCTV footage retention
below 90 days, visitor logs
incomplete
RBI IT Direction, PCI-DSS 4.0, ISO 27001Access control policy update, CCTV storage upgrade, visitor management system
DR testing not conducted to defined
RTO/RPO – tests exist on paper but
results not formally documented
RBI IT Direction, SEBI Cyber FrameworkDR test programme redesign, formal test reporting and board sign-off
TVRA not maintained – risk
assessment more than 2 years old,
no evidence of periodic review
RBI IT Direction, ISO 27001, TIA 942CFresh TVRA against current threat landscape, quarterly register review process
Third-party data centre contracts
lack adequate security and audit
clauses
RBI IT Direction, DPDP ActContract review and amendment, right-to-audit clauses, annual security assessment requirement
Fire suppression system not tested
under live IT load conditions
TIA 942C, local fire code, PCI-DSSFull fire suppression test programme including actuation test with IT load simulation
UPS runtime not validated at current
IT load – battery capacity not tested
since installation
RBI IT Direction, TIA 942CBattery runtime test under actual IT load, replacement where capacity below specification

Operational Resilience as a Regulatory Requirement

The concept of operational resilience, the ability of an organisation to prevent, adapt to, respond to, recover from and learn from operational disruptions, has moved from best practice to regulatory requirement for Indian BFSI organisations. RBI’s IT Direction and SEBI’s cyber resilience framework both use the language of operational resilience explicitly, and their requirements go beyond traditional business continuity planning.

For data centre infrastructure, operational resilience has specific infrastructure implications:

• Availability targets must be defined and documented at the infrastructure level, not just at the application or service level

• The physical infrastructure must be designed and certified to meet those availability targets, not assumed to be adequate

• Failure scenarios must be tested, not just planned for, and test results must be documented and presented to the board

• Third-party data centre providers must be held to the same resilience standards as captive facilities, and their compliance must be verified, not assumed

TIA 942C certification provides a framework for demonstrating that the physical infrastructure meets defined availability and resilience standards. An organisation that can present a TIA 942C Rated Certificate for its data centre infrastructure has objective, third-party evidence that the facility was designed and built to meet a defined resilience standard – evidence that carries weight with regulators, auditors, insurers and board-level governance.

Technavious’s BFSI Practice

Technavious has deep experience working with BFSI organisations on data centre compliance and certification. The practice covers the full spectrum of BFSI infrastructure compliance requirements:

• RBI IT Direction compliance gap assessment – a structured review of data centre infrastructure controls against the Master Direction’s requirements, producing a prioritised remediation plan

• TVRA – Threat, Vulnerability and Risk Assessment conducted to TIA 942C and ISO 27001 standards, producing documentation suitable for RBI examination submission

• TIA 942C certification – as India’s only ANSI/TIA Certification Body, Technavious can issue TIA 942C Rated Certificates that provide objective evidence of infrastructure resilience

• ISO 27001 support – gap assessment and remediation advisory against the 2022 revision, with integration of physical infrastructure controls

• PCI-DSS 4.0 infrastructure review – assessment of cardholder data environment physical security controls against version 4.0 requirements

• DR testing programme design and execution – formal DR test programmes that produce documented evidence of RTO/RPO capability for regulatory submission

Read More Articles

Kickstart your DC Growth Journey

Don’t let infrastructure constraints limit your Digital ambitions. Talk to our experts to understand how we can together address your most important DC challenges

Get in touch

img