We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

Flagship Report · 2026

The State of Indian Compliance 2026

The five regulatory shifts reshaping security and compliance for Indian organisations this year — and where each industry actually stands.

Executive summary

2026 is the year India's compliance landscape stops being a set of separate audits and becomes a continuous, board-level obligation. Four forces converge: the DPDP Act moving toward enforcement, RBI's new AI-governance regime, SEBI's cyber-resilience framework maturing, and PCI DSS v4.0.1 making dozens of formerly best-practice controls mandatory. Organisations that still treat compliance as an annual point-in-time exercise are the most exposed.

₹250 cr
Maximum DPDP penalty per breach category — India's largest-ever data-protection fines
51
PCI DSS requirements that became mandatory in 2025 under v4.0.1
6 hrs
CERT-In incident-reporting window from detection
~25
Documentation artefacts RBI's draft MRM guidance expects per AI model

The five shifts of 2026

1. DPDP moves from law to enforcement

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data-protection law, and the DPDP Rules are progressing toward active enforcement. Penalties reach ₹250 crore per breach category. The organisations most at risk are consumer-data-heavy sectors — healthcare, e-commerce, fintech, edtech — that lifted a GDPR programme instead of building an India-specific one, and those that wrote policies before mapping their data.

2. RBI regulates AI: FREE-AI and Model Risk Management

RBI's FREE-AI framework (2025) set the strategic direction; the draft Model Risk Management guidance (2026) adds the control layer — board-approved frameworks, model inventories, risk-based tiering, independent validation, GenAI red-teaming and vendor accountability for every AI/ML model in a regulated entity. Banks, NBFCs and payment operators face a documentation-heavy regime (a defensible file runs to roughly 25 artefacts per model) with a compressed window before final guidance lands.

3. SEBI CSCRF matures for capital markets

SEBI's Cyber Security and Cyber Resilience Framework sets graded obligations by entity category for brokers, AMCs, depositories and market infrastructure — with hard submission deadlines and VAPT requirements. Gap-to-submission in a single cycle is now the practical bar.

4. PCI DSS v4.0.1 raises the payment-security floor

Version 4.0.1 made 51 previously best-practice requirements mandatory in 2025 — stronger authentication, encryption and key management, and a shift toward continuous evidence rather than annual snapshots. An automated scan no longer proves compliance; acquirers are enforcing the new bar.

5. CERT-In and continuous obligations

CERT-In's six-hour incident-reporting window, log-retention requirements and empanelment expectations mean security is now an always-on obligation, not an annual audit. Government and PSU procurement increasingly requires CERT-In empanelled testing.

Where each industry stands

  • BFSI (banks/NBFCs): most exposed to the RBI AI regime and SAR/data-localization; strongest existing audit muscle but least AI-model governance.
  • Fintech & payments: PCI v4.0.1 + RBI PA/PSS + DPDP stack simultaneously — the heaviest overlapping load.
  • SaaS & IT/ITES: enterprise-driven (ISO 27001, SOC 2) and export-driven (US SOC 2); DPDP is the newer gap.
  • Healthcare & e-commerce: large consumer-PII exposure, DPDP-critical, often the least mature privacy programmes.
  • Capital markets: SEBI CSCRF deadline-driven; VAPT-submission readiness the common gap.

The recurring gap: point-in-time thinking

Across every industry the single most common failure is treating compliance as a once-a-year event. A point-in-time audit certifies one day; the new regimes — DPDP, RBI MRM, PCI v4.0.1 continuous evidence — expect controls to operate and be evidenced year-round. Continuous compliance is no longer a nice-to-have; it is what the regulations increasingly assume.

Recommendations

  • Map before you write: data inventory and model inventory come before policies.
  • Build once, reuse everywhere: map overlapping controls (PCI/ISO/RBI/SOC 2) a single time.
  • Move to continuous evidence: instrument controls to produce evidence continuously, not at audit time.
  • Get AI governance moving now: model inventory, validation and documentation take months.
  • Use empanelled, senior assessors: regulator- and tender-accepted evidence is defensible evidence.

Benchmark your organisation

A senior auditor will map your gaps across every framework in one prioritised plan.

Free compliance assessmentBook a Consultation