A product manager raises a Jira ticket: "New WhatsApp-based loan repayment reminder feature. Go live in 6 weeks." Buried in that sentence are four distinct regulatory obligations the CISO is now personally liable for — DPDP consent requirements for mobile number processing, RBI IT outsourcing obligations for Meta as a third-party processor, CERT-In 6-hour reporting readiness if the channel is compromised, and an AI governance obligation if there's any personalisation logic in the reminders.
In most Indian banks today, none of those obligations surface until an audit. By then, the product has been live for months.
This is the orchestration problem. It isn't that CISOs don't know the regulations. It's that there is no structured mechanism to connect a proposed initiative to the compliance assessments it legally requires — before a line of code ships.
Why the Problem Is Getting Worse
India's regulatory environment has accelerated significantly since 2023. DPDP Act 2023 Rules came into force in 2025, creating new vendor contract obligations. SEBI CSCRF moved from annual checkpoints to continuous audit from April 2025. IRDAI cut its incident reporting window from 24 hours to 6 hours in March 2025. MeitY published AI Governance Guidelines in November 2025.
Each of these changes creates new obligations that must be assessed before any new initiative involving the relevant data type, vendor, or technology goes to production. The volume of change is outpacing any manual process of tracking it.
What Structured Governance Looks Like
The organisations that manage this well have replaced ad-hoc review with a structured intake process. Before an initiative moves forward, it passes through a defined sequence: declaration of data types and vendors, AI-assisted classification of regulatory obligations, assignment of mandatory assessment gates, and evidence-linked gate clearance before production approval.
The critical difference from a checklist is that every gate produces evidence — a threat assessment record, a vendor contract review, a data protection impact assessment — that is traceable to the specific initiative that required it. When an inspector asks "what did you assess before this system went live?", the answer is a record, not a recollection.
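The intake sequence described above can be expressed as a small rule engine: an initiative declares its data types, vendors, exposure and personalisation logic, rules map those declarations to mandatory gates, and production approval is granted only when every gate has an evidence record linked to that specific initiative. The following is an added example written for this page, not tooling from the article or any vendor; the gate names, the rule table (an illustrative reading of the obligations the article lists) and the sample evidence records are assumptions.

```python
"""Illustrative intake-gating engine (added example, not from the article).

An initiative declares its data types, vendors, internet exposure and whether
it carries personalisation logic. Rules map those declarations to the
assessment gates the article names; each gate is cleared only by an evidence
record linked to this initiative. Rule table and record fields are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Initiative:
    name: str
    data_types: set[str]          # e.g. {"mobile_number"}
    vendors: set[str]             # third parties that process data on our behalf
    internet_facing: bool         # does the channel expose anything to the internet?
    has_personalisation: bool     # any personalisation / ML logic in the feature?
    new_or_material_change: bool = True


@dataclass
class Evidence:
    gate: str           # which gate this record clears
    initiative: str     # which initiative it was produced for (traceability)
    record_id: str      # id of the DPIA, TRA, contract review, etc.


# Assumed classification of which declared data types count as personal data
PERSONAL_DATA = {"mobile_number", "email", "pan", "aadhaar"}


def required_gates(init: Initiative) -> dict[str, str]:
    """Return {gate: reason} for every mandatory gate the declaration triggers.

    The mapping is an illustrative reading of the obligations the article
    lists; a real programme would source it from counsel / the GRC function.
    """
    gates: dict[str, str] = {}
    if init.data_types & PERSONAL_DATA:
        gates["dpdp_consent_review"] = "DPDP consent requirements for personal data processing"
    if init.vendors:
        gates["vendor_contract_review"] = "RBI IT outsourcing obligations and DPDP s.8 DPA for processors"
    if init.internet_facing:
        gates["cert_in_reporting_readiness"] = "CERT-In 6-hour reporting readiness if the channel is compromised"
    if init.has_personalisation:
        gates["ai_governance_review"] = "AI governance obligation for personalisation logic"
    if init.new_or_material_change:
        gates["threat_risk_assessment"] = "RBI/IRDAI Threat & Risk Assessment before production"
    return gates


def clearance(init: Initiative, evidence: list[Evidence]) -> tuple[bool, list[str]]:
    """Approve only when every required gate has evidence linked to THIS initiative.

    Evidence produced for a different initiative does not count, which is the
    traceability property the article describes.
    """
    gates = required_gates(init)
    linked = {e.gate for e in evidence if e.initiative == init.name}
    missing = sorted(g for g in gates if g not in linked)
    return (not missing, missing)


# Constructed sample: the WhatsApp loan repayment reminder from the article
REMINDER = Initiative(
    name="whatsapp-loan-reminder",
    data_types={"mobile_number", "loan_account"},
    vendors={"Meta (WhatsApp Business API)"},
    internet_facing=True,
    has_personalisation=True,
)

# Constructed evidence: two gates cleared, one record belongs to another initiative
SAMPLE_EVIDENCE = [
    Evidence("dpdp_consent_review", "whatsapp-loan-reminder", "DPIA-0041"),
    Evidence("vendor_contract_review", "whatsapp-loan-reminder", "DPA-META-EXAMPLE"),
    Evidence("threat_risk_assessment", "some-other-initiative", "TRA-0099"),
]

if __name__ == "__main__":
    for gate, why in required_gates(REMINDER).items():
        print(f"{gate:32} {why}")
    ok, missing = clearance(REMINDER, SAMPLE_EVIDENCE)
    print("approved" if ok else f"blocked, missing evidence for: {missing}")
```

Run as a script it lists the five gates the reminder feature triggers and then blocks approval, naming the three gates without initiative-linked evidence; note that the TRA record for another initiative is ignored rather than reused.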
The Vendor Contract Gap
One of the most consistently missed obligations in this process is the vendor contract review. DPDP Act 2023 Section 8 requires a signed Data Processing Agreement with every entity that processes personal data on your behalf — including cloud providers, analytics platforms, and communication APIs. Under RBI IT Outsourcing Guidelines, contracts with IT service providers must include mandatory clauses covering audit rights, breach notification timelines, data localisation declarations, and exit provisions.
In practice, most Indian enterprises can tell you how many vendor contracts they have. Very few can tell you, in real time, which of those vendors process personal data, which have a signed DPA on file, and which contracts are due for renewal in the next 60 days. That gap is what a DPDP inspection surfaces immediately.
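The three questions the paragraph above says few enterprises can answer in real time (which vendors process personal data, which of those have a signed DPA on file, which contracts renew within 60 days) are answerable the moment the vendor register carries the right fields. The following added example, written for this page and not the article's own tooling, runs those checks over a constructed register and additionally flags contracts missing the RBI outsourcing clauses the previous paragraph lists; the record layout, vendor names and dates are constructed assumptions.

```python
"""Illustrative vendor-register gap check (added example, not the article's tooling).

Answers the three real-time questions from the article and flags contracts
lacking the RBI IT outsourcing clauses it names. Record layout and sample
vendors are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Clauses the article says RBI IT Outsourcing Guidelines require in IT service contracts
RBI_MANDATORY_CLAUSES = frozenset({
    "audit_rights", "breach_notification_timeline", "data_localisation", "exit_provisions",
})


@dataclass(frozen=True)
class Vendor:
    name: str
    processes_personal_data: bool
    dpa_signed: bool              # DPDP s.8 Data Processing Agreement on file?
    contract_end: date            # renewal / expiry date of the current contract
    clauses: frozenset[str]       # mandatory clauses actually present in the contract


@dataclass
class GapReport:
    missing_dpa: list[str]                 # process personal data but no signed DPA
    renewing_soon: list[str]               # contract ends within the horizon
    missing_clauses: dict[str, set[str]]   # vendor -> RBI clauses absent from contract


def vendor_gaps(register: list[Vendor], today: date, horizon_days: int = 60) -> GapReport:
    """Compute the gaps a DPDP / RBI inspection would surface from the register."""
    horizon = today + timedelta(days=horizon_days)
    missing_dpa = sorted(v.name for v in register
                         if v.processes_personal_data and not v.dpa_signed)
    renewing = sorted(v.name for v in register if today <= v.contract_end <= horizon)
    clause_gaps = {v.name: set(RBI_MANDATORY_CLAUSES - v.clauses)
                   for v in register if not RBI_MANDATORY_CLAUSES <= v.clauses}
    return GapReport(missing_dpa, renewing, clause_gaps)


# Fixed "today" so the example is reproducible (constructed)
TODAY = date(2025, 9, 1)

# Constructed register: a cloud host, an analytics SaaS, a messaging API, a non-IT supplier
REGISTER = [
    Vendor("cloud-host-A", True, True, date(2026, 3, 31), RBI_MANDATORY_CLAUSES),
    Vendor("analytics-B", True, False, date(2025, 10, 15),
           frozenset({"audit_rights", "breach_notification_timeline", "data_localisation"})),
    Vendor("messaging-api-C", True, True, date(2025, 12, 1),
           frozenset({"breach_notification_timeline", "exit_provisions"})),
    Vendor("office-supplies-D", False, False, date(2025, 9, 20), RBI_MANDATORY_CLAUSES),
]

if __name__ == "__main__":
    report = vendor_gaps(REGISTER, TODAY)
    print("personal-data processors without a signed DPA:", report.missing_dpa)
    print("contracts renewing within 60 days:", report.renewing_soon)
    for name, clauses in report.missing_clauses.items():
        print(f"{name}: missing RBI clauses {sorted(clauses)}")
```

The check is deliberately a pure function of the register plus a date, so it can run on every intake (to answer "does this initiative's vendor already have a DPA?") and on a schedule (to feed the 60-day renewal queue) from the same data.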
The Architecture Review Obligation
Separate from vendor contracts, RBI and IRDAI both require that any new system or material change to an existing system undergo a formal Threat & Risk Assessment before production deployment. For regulated entities, this is not optional guidance — it is a prerequisite that, if missing, appears as a direct finding in a regulatory inspection.
The challenge is that a meaningful architecture review requires context about the system being built: what data it processes, what components it exposes to the internet, what third parties it connects to, and what regulatory obligations it carries. Without that context, the review is a checkbox. With it, the review produces evidence that the CISO can defend.
Why This Matters for the Board
These are not hypothetical penalties. They are the consequence of what happens when a new initiative ships without the compliance assessments it legally required. The CISO who survives a regulatory inspection is not necessarily the one with the best controls — it is the one who can show that every initiative in the past 12 months went through a structured process, with a record of what was assessed, what was found, and what evidence was collected.
The difference between a compliance programme and a compliance posture is documentation. And documentation starts at intake, not at inspection.