RBI Updates Cyber Security Framework for Banks: New Requirements Effective July 2026
Source: Reserve Bank of India
The Reserve Bank of India (RBI) has released an updated cyber security framework for all scheduled commercial banks, mandating stricter compliance requirements effective July 1, 2026. The new framework introduces significant changes in incident reporting timelines, vulnerability assessment frequency, and board-level oversight.
Key Requirements
- Incident Reporting: Banks must report cyber security incidents to RBI-CERT within 2 hours of detection (reduced from 6 hours)
- VAPT Mandate: Quarterly Vulnerability Assessment and Penetration Testing (VAPT) for all critical systems
- Security Operations Center: Mandatory 24x7 SOC for all scheduled banks, with a minimum team of 5 analysts per shift
- Board-Level Reporting: Cyber security dashboard review at every board meeting with CISO attendance mandatory
- Third-Party Audit: Annual independent cyber security audit by CERT-In empanelled auditors
Implementation Timeline
Banks are required to achieve full compliance by December 31, 2026. The RBI has indicated that non-compliance may result in penalties under the Banking Regulation Act, including restrictions on digital banking operations for serious violations.
What Banks Need to Do Now
- Review and update incident response plans to meet the 2-hour reporting window
- Engage CERT-In empanelled VAPT vendors for quarterly assessments
- Upgrade or establish 24x7 SOC capabilities
- Implement automated threat detection and SIEM solutions
- Conduct board-level cyber security training
Need Help with Compliance?
P J Networks offers RBI-compliant managed SOC services, VAPT, and SIEM implementation for Indian banks and financial institutions.