Third-party risk management for Indian regulated entities — a 2026 reference
ControlForge free guide · 2026-05-24 · Synthesis across RBI, SEBI, IRDAI, NCIIPC, CERT-In, and DPDPA
Quick reference
- The problem in one line: a typical Indian regulated entity now has 5–8 distinct third-party / vendor obligations layered on the same vendor portfolio — RBI ITO 2023, RBI Cyber Resilience for PSOs, SEBI Cloud Framework, SEBI CSCRF supplier provisions, IRDAI 2023 intermediary risk, NCIIPC supply-chain requirements (where Protected Systems are involved), CERT-In incident-notification flow-back, and (from May 2027) DPDPA Data Processor obligations through the Data Fiduciary contract.
- Audience: CISOs, Heads of Procurement, Heads of Compliance, Data Protection Officers, and Internal IS Auditors at RBI / SEBI / IRDAI regulated entities and at vendors serving them.
- The hard timing facts:
  - RBI ITO 2023 glide-path closed 10 April 2026; existing arrangements not re-papered are now supervisory exposures.
  - SEBI Cloud Framework existing-arrangements deadline closed 6 March 2024; non-compliant cloud contracts have been on supervisory radar throughout 2024–26.
  - IRDAI 2023 annual cyber audit covering intermediaries became operational from April 2024.
  - DPDPA Data Processor obligations via contract apply from 13 May 2027.
- ControlForge density: 70+ controls across the supplier-policy, third-party-due-diligence, supply-chain-risk, cloud-shared-responsibility, and data-processing-agreement clusters; cross-walked across all the regimes above.
Why TPRM in India is now structurally harder than it was
Through 2022, third-party risk management in India was largely a procurement-and-IT-security exercise with light regulatory overlay. Three things changed between 2023 and 2026 that materially raised the bar.
First, the Indian regulatory stack consolidated. RBI issued the IT Outsourcing Master Direction (April 2023, effective October 2023), the ITGRCA governance umbrella (April 2024), and the Cyber Resilience and Digital Payment Security Controls for non-bank PSOs (July 2024). SEBI issued the Cloud Framework (March 2023) and the consolidated CSCRF master circular (August 2024). IRDAI issued the Information and Cyber Security Guidelines 2023 with intermediary-classification provisions, then the March 2025 cyber-incident-preparedness amendments. Each of these instruments has explicit third-party / supplier / outsourcing provisions. The provisions are not identical across the regulators, but they overlap substantially.
Second, the DPDPA + Rules 2025 regime began phased commencement on 13 November 2025. Although Data Processors have no direct statutory obligations under DPDPA (unlike GDPR processors), the Data Fiduciary remains accountable for processor compliance, which is enforced through the mandatory contract (DPDPA Section 8(5)). From May 2027, every regulated entity processing personal data through a vendor will need DPDPA-compliant contractual coverage — and most existing vendor contracts predate DPDPA.
Third, vendor concentration risk and AI vendor risk have entered the supervisory frame. RBI ITGRCA explicitly addresses concentration risk and single-point-of-failure mitigation. The 2026 global TPRM surveys (KPMG, ncontracts, AuditBoard) all report AI vendor risk as a top concern with no organisation feeling extremely confident managing it. Indian regulators are starting to ask about AI-vendor governance in inspections, even where no AI-specific directions yet exist.
The net effect: a vendor portfolio that was previously managed through standard contracts, annual security questionnaires, and ISO 27001 attestations now needs to be governed through a multi-regulator-aware programme with active monitoring, contractual depth, materiality classification, exit-strategy testing, and (for cloud / AI vendors specifically) deeper assurance than was previously expected.
The five overlapping regimes — what each requires
These are the five regimes most likely to apply concurrently to an Indian regulated entity.
RBI Master Direction on Outsourcing of IT Services (ITO 2023)
Applies to: scheduled commercial banks (excluding RRBs), local area banks, SFBs, PBs, UCBs Tier 3/4, NBFCs in Middle / Upper / Top layers, CICs, AIFIs.
Key obligations:
- Board-approved IT Outsourcing Policy with prohibited-outsourcing list.
- Documented risk assessment per arrangement.
- Pre-engagement due diligence on TPSPs (financial soundness, security posture, BCP, regulatory compliance, references).
- Material outsourcing classification with Board approval for material arrangements.
- Contractual obligations: right to audit, security clauses, sub-contractor controls, incident notification flow-back, exit assistance, data return and destruction.
- Annexure 1 cloud-specific overlay; Annexure 2 SOC outsourcing specifics.
- Reporting to RBI for material arrangements.
Inspection focus: materiality classification methodology, contract refresh against the closed glide-path, cloud-region MeitY empanelment, right-to-audit exercise evidence, exit-strategy testing.
SEBI Framework for Adoption of Cloud Services + CSCRF supplier provisions
Applies to: SEBI Regulated Entities (MIIs, intermediaries) adopting public / community / hybrid cloud. CSCRF supplier provisions apply more broadly.
Key obligations:
- Board-approved cloud strategy with documented rationale.
- MeitY-empanelled CSPs.
- Data residency within India in MeitY-empanelled CSP data centres; documented exceptions for backup / DR where justified.
- Shared responsibility model documented per service.
- Contractual coverage: SEBI right to inspect the CSP, regulatory cooperation, data return on exit, sub-processor controls.
- Cloud-specific security controls: CSPM, cloud IAM with MFA, encryption at rest with customer-managed keys for high-sensitivity workloads.
- BCP / DR accommodating cloud architecture.
- Concentration risk and vendor lock-in management.
- Periodic reporting to SEBI including audit reports on cloud-resident systems.
Inspection focus: MeitY-region verification, shared responsibility matrix at control level, contract clauses against the prescribed list, data-residency posture for ancillary services (logs, backups, analytics), exit strategy testing.
IRDAI Information and Cyber Security Guidelines 2023
Applies to: insurers, FRBs, and the broad set of insurance intermediaries — brokers, corporate agents, web aggregators, TPAs, IMFs, repositories, ISNPs, corporate surveyors, MISPs, CSCs, IIB.
Key obligations relevant to TPRM:
- Intermediary classification by access level and gross revenue, driving graded compliance.
- Insurers accountable for the cyber posture of intermediaries with access to systems or policyholder data.
- Documented vendor risk assessment; security clauses in contracts; periodic reviews.
- Annual cyber audit by an Annexure IV-eligible firm; reports submitted to IRDAI.
- 180-day log retention within Indian jurisdiction.
Inspection focus: classification methodology applied per intermediary; depth of insurer's assessment of high-classification intermediaries (TPAs, large MISPs); Annexure IV firm credentials; log residency in India.
NCIIPC + IT (Information Security Practices and Procedures for Protected Systems) Rules 2018
Applies to: entities operating declared Protected Systems under Section 70A of the IT Act.
Key obligations relevant to TPRM:
- Vendor risk assessment for all third parties with access to or impact on the Protected System.
- Contractual security obligations including incident notification, audit rights, sub-contractor controls.
- Particular scrutiny on cloud, managed-service, and IT outsourcing arrangements supporting the Protected System.
- SBOM (software bill of materials) for critical applications.
- Supplier-incident notification flowback into the CISO–NCIIPC reporting chain.
Inspection focus: supply chain risk depth; supplier-incident flowback paths; SBOM coverage for the Protected System; advisory closure related to supplier vulnerabilities.
DPDPA 2023 + Rules 2025 — Data Fiduciary / Processor contract regime
Applies to: all Data Fiduciaries from 13 May 2027.
Key obligations relevant to TPRM:
- A Data Fiduciary may engage a Data Processor only under a valid contract (Section 8(5)).
- The contract must ensure compliance through the Data Fiduciary's accountability: purpose limitation, security safeguards (Rule 6(f) specifics), data return / destruction on termination, sub-processor notification, breach notification flowback, audit rights.
- Cross-border processor flows are permissible subject to Section 16 conditions and any Central Government restriction notifications under Rule 14.
- Data Processors themselves have no direct statutory obligations under DPDPA, but their failures expose the Data Fiduciary.
Inspection focus (from May 2027): contract refresh against DPDPA Section 8(5) and Rule 6(f); sub-processor inventory; breach-notification flowback discipline; cross-border processor compliance posture.
How the regimes overlap — and where they diverge
A typical mid-tier private bank operating cloud + multiple SaaS + AML / KYC vendors + AI / fraud detection vendors will face RBI ITO 2023 + RBI ITGRCA + RBI CSF + CERT-In + DPDPA + sectoral supplier expectations in parallel. Where the obligations converge, evidence and contracts can satisfy multiple regimes. Where they diverge, each regime's specifics must be addressed.
Common convergence points (evidence and controls reusable across regimes):
- Vendor risk assessment and due diligence file: the same diligence file can support RBI ITO 2023, SEBI Cloud, IRDAI vendor-risk, and DPDPA Section 8(5) accountability.
- Contractual coverage: right to audit, security clauses, sub-processor controls, incident notification flowback, data return / destruction, exit assistance. These clauses appear in all five regimes' requirements; a consolidated TPRM contract template, with regime-specific addenda, satisfies all.
- Ongoing monitoring: vendor performance reviews, security assessments, audit-right exercise. The same evidence serves across regimes.
Key divergences to address explicitly:
- Material outsourcing classification is RBI-specific; SEBI / IRDAI use different criticality terminologies.
- MeitY empanelment is SEBI-specific for cloud; RBI ITO 2023 Annexure 1 recommends it but does not strictly mandate it.
- Annexure IV eligibility for the annual cyber audit firm is IRDAI-specific.
- DPDPA Section 8(5) contract content has specific Rule 6(f) security-safeguard requirements that are more granular than the general RBI / SEBI clauses.
- Cross-border processor treatment differs: SEBI requires India residency for cloud-resident data; RBI has sectoral data localisation for payment data; DPDPA uses a negative list; IRDAI requires 180-day log retention in India.
- Sub-processor notification thresholds vary: RBI ITO 2023 requires notification / approval for sub-contracting; DPDPA Rule 6(f) governs sub-processor handling; SEBI cloud requires sub-processor disclosure.
A practical operational pattern: maintain one master vendor risk programme with a regime-overlay matrix showing which clauses, evidence, and review intensity apply to each vendor based on the regimes touching it.
The contract layer — what every vendor contract needs in 2026
Across all five regimes, the contract is the operational mechanism for managing third-party risk. A 2026-compliant vendor contract for an Indian regulated entity needs the following clause families, at minimum.
Scope and SLA:
- Detailed service description.
- Service levels with operational metrics.
- Performance reporting cadence.
- Service credits or other remediation for SLA breach.
Data handling and protection (DPDPA + sectoral):
- Identification of the personal data and other regulated data categories handled.
- Purposes for which the vendor may process data (purpose limitation).
- Storage and processing locations (India residency where required; cross-border conditions where permitted).
- Rule 6(f) security safeguards (specific, not "reasonable security"): encryption in transit and at rest, access control, monitoring, vulnerability management.
- Sub-processor notification or approval; sub-processor flow-down of obligations.
- Data return and destruction on termination with documented certification.
- Cross-border transfer conditions where applicable.
Security obligations:
- Maintain a documented information security programme aligned to ISO 27001 or equivalent.
- Comply with applicable sectoral cybersecurity frameworks.
- Vulnerability management and patching commitments.
- Background checks for personnel with access to regulated data.
- Termination of access for departing personnel within a defined SLA.
Incident notification and cooperation:
- Notify the regulated entity within a defined SLA (typically 1–4 hours) of any incident affecting the entity's data or services.
- Provide all information the regulated entity needs to meet its CERT-In, sectoral regulator, and DPBI notification timelines.
- Cooperate in investigation, forensics, and customer notification.
Audit and inspection:
- Right to audit by the regulated entity (annually for critical vendors; on incident; for cause).
- Right to inspect by the regulated entity's regulator (RBI / SEBI / IRDAI / DPBI / CERT-In).
- Cooperation with regulator investigations.
Termination and exit:
- Termination rights including for material breach, change of control, and regulatory direction.
- Exit assistance from the outgoing vendor (data export, transition support).
- Data return and destruction with certification.
- Notice period for non-fault termination.
Sub-contracting:
- Pre-approval or notification requirement for sub-contracting material services.
- Sub-contractor security obligations flow-through.
- Liability allocation for sub-contractor failures.
Liability and indemnification:
- Indemnification for regulatory penalties arising from vendor failure.
- Insurance requirements (cyber insurance, professional indemnity).
- Limitation of liability calibrated to regulated-entity exposure.
Many existing vendor contracts are missing several of these clause families. The 2026 priority is contract refresh — particularly for material / critical vendors whose contracts were drafted before the current regulatory stack matured.
Materiality, classification, and concentration
RBI ITO 2023 introduces material outsourcing classification, which dictates which arrangements face Board approval and enhanced governance. Materiality criteria include:
- Impact on customer service if the arrangement fails or is disrupted.
- Impact on the regulated entity's financial position.
- Impact on the regulated entity's regulatory compliance.
- Concentration — does the vendor or the underlying sub-processor concentration create systemic exposure.
- Complexity and ease of substitution.
- Duration and embeddedness.
For SEBI cloud arrangements, the classification is principally around cloud workload criticality — front-office trading systems differ from back-office reporting tools. For IRDAI intermediary risk, classification is by system access and gross revenue per Annexure II of the 2023 Guidelines.
Concentration risk is the second axis. Even when individual vendor relationships are material, the concentration of multiple material vendors in a single underlying party (e.g. multiple SaaS providers all hosted on one CSP region) creates aggregate risk that the individual-vendor risk reviews do not surface.
A practical approach to concentration assessment:
- Map vendor-level risk for material arrangements.
- Map underlying-infrastructure dependencies (CSP, CSP region, software-supply-chain dependencies).
- Identify concentrated dependencies: a single CSP, a single CSP region, or a single sub-processor shared across multiple top-tier vendors.
- Treatment options: multi-cloud, multi-region, alternate-provider contractual standby, in-house fallback for the most critical workloads.
This is one of the areas where RBI inspections have observed the greatest gap: individual vendor risk assessment is mature, but concentration risk at the CSP-region and sub-processor level is rarely modelled.
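The four assessment steps above are straightforward to mechanise once the vendor inventory records each arrangement's underlying CSP, CSP region and sub-processors. The following is an added illustration, not ControlForge code and not drawn from any regulator's guidance: it inverts the vendor-to-dependency map so that dependencies shared by several material vendors surface, which is exactly the view individual vendor reviews miss. Vendor names, CSP names, regions and sub-processors are constructed sample data; the regime labels are shorthand for the regimes discussed in this guide.

```python
"""Concentration-risk mapping across a vendor portfolio (added example).

Walks the guide's four steps: vendor-level risk, underlying
dependencies, concentrated dependencies, treatment options.
All names below are constructed; this is not ControlForge code.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    material: bool                 # step 1: materiality outcome (RBI ITO 2023 style)
    regimes: set[str]              # regimes touching this arrangement
    csp: str | None = None         # hyperscaler hosting the service
    csp_region: str | None = None  # region within that CSP
    sub_processors: set[str] = field(default_factory=set)


# Constructed sample portfolio (hypothetical vendors, CSPs and sub-processors).
PORTFOLIO = [
    Vendor("CoreBankSaaS", True, {"RBI-ITO", "DPDPA"}, "CloudCo", "ap-south-1", {"KYC-Verify Ltd"}),
    Vendor("AMLScreen", True, {"RBI-ITO", "DPDPA"}, "CloudCo", "ap-south-1", {"DataEnrich"}),
    Vendor("FraudML", True, {"RBI-ITO", "DPDPA"}, "CloudCo", "ap-south-1"),
    Vendor("HRPortal", False, {"DPDPA"}, "CloudCo", "ap-south-1"),
    Vendor("DocArchive", True, {"RBI-ITO"}, "OtherCloud", "in-west", {"KYC-Verify Ltd"}),
]

# Step 4: the guide's treatment options, keyed by the kind of concentration.
TREATMENTS = {
    "csp": "multi-cloud or alternate-provider contractual standby",
    "csp_region": "multi-region deployment with DR in a second region",
    "sub_processor": "alternate sub-processor or in-house fallback for the most critical workloads",
}


def dependency_map(vendors: list[Vendor], material_only: bool = True) -> dict[tuple[str, str], set[str]]:
    """Step 2: invert vendor -> dependency into dependency -> {vendors}."""
    deps: dict[tuple[str, str], set[str]] = defaultdict(set)
    for v in vendors:
        if material_only and not v.material:
            continue
        if v.csp:
            deps[("csp", v.csp)].add(v.name)
        if v.csp and v.csp_region:
            deps[("csp_region", f"{v.csp}/{v.csp_region}")].add(v.name)
        for sp in v.sub_processors:
            deps[("sub_processor", sp)].add(v.name)
    return dict(deps)


def concentrations(vendors: list[Vendor], threshold: int = 2) -> dict[tuple[str, str], list[str]]:
    """Step 3: dependencies shared by at least `threshold` material vendors."""
    return {
        key: sorted(names)
        for key, names in dependency_map(vendors).items()
        if len(names) >= threshold
    }


def treatment_plan(vendors: list[Vendor], threshold: int = 2) -> list[dict[str, object]]:
    """Step 4: pair every concentrated dependency with its treatment option."""
    return [
        {"dependency": f"{kind}:{ident}", "vendors": names, "treatment": TREATMENTS[kind]}
        for (kind, ident), names in sorted(concentrations(vendors, threshold).items())
    ]


if __name__ == "__main__":
    for row in treatment_plan(PORTFOLIO):
        print(f"{row['dependency']}: {', '.join(row['vendors'])} -> {row['treatment']}")
```

Run against the sample portfolio, three material vendors share one CSP region and two share one sub-processor; neither fact is visible in any single vendor's risk file. Passing `material_only=False` to `dependency_map` widens the view to non-material arrangements, which is worth doing once a region is already known to be concentrated.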
AI vendor risk — the emerging frontier
Three vectors of AI vendor risk that 2026 Indian regulated entities are starting to encounter:
AI in vendor products without disclosure. Many established vendors (KYC, fraud detection, AML, decision support) have introduced AI / ML capabilities into existing products. The regulated entity may not know the vendor has done so unless it asks specifically. Treatment: ask every material vendor to disclose AI / ML use, training-data sources, model retraining cadence, and AI-related incident history. Add to the vendor questionnaire as a standard section.
Pure-play AI vendors. New entrants providing AI-as-a-service (LLM gateways, AI coding assistants, AI content moderation, AI compliance review). These vendors face the same regulatory expectations as any other vendor plus AI-specific risks: training data provenance, model output reliability, prompt injection exposure, hallucination consequences, intellectual property contamination. Treatment: AI-specific due diligence layer including model documentation (model cards), training data attestations, output reliability metrics, AI red-team / robustness testing evidence.
Customer-facing AI through vendor channels. Bank chatbots, insurance claim AI, securities-broker copilots — vendors increasingly provide AI capabilities directly to the regulated entity's customers. This invokes IT (Intermediary Guidelines) Amendment Rules 2026 (where applicable), DPDPA Section 7 automated-decision-making implications, and sectoral consumer-protection expectations. Treatment: customer-impact assessment per AI-mediated touchpoint; human-in-the-loop design for high-stakes decisions; clear AI disclosure to customers per IT Rules / DPDPA expectations.
The cluster cl-ai-supplier-management in ControlForge surfaces the synthesis across NIST AI RMF, EU AI Act Article 25 (re-classification on substantial modification), ISO 42001 A.10, and the emerging Indian AI governance expectations.
Common findings — what inspectors and auditors are catching in 2026
Across multiple supervisory engagements through 2024–26, six recurring TPRM findings dominate:
- Material outsourcing classification under-applied. Arrangements that are clearly material (core banking SaaS, AML / KYC providers, cloud-hosted critical applications) classified as non-material to avoid additional governance overhead. Inspectors push back; classification methodology has to be defensible.
- Contract refresh against the ITO 2023 / SEBI Cloud / DPDPA 2025 stack incomplete. Legacy contracts using "reasonable security" language; missing right-to-audit, data return, sub-processor controls. The glide paths have closed; the supervisory exposure is now active.
- Cloud region not MeitY-empanelled. Default cloud region selection without verification; logs / backups / analytics routed to non-India regions. Particularly affects SEBI REs.
- Right-to-audit clause exists but never exercised. The contract has the clause; the regulated entity has never actually conducted an independent audit of the vendor. Inspectors increasingly ask for audit-exercise evidence.
- Sub-processing visibility incomplete. TPSPs sub-contract aspects of service delivery; the contract requires notification but the operational process is weak. Sub-processor inventory drifts.
- Exit strategy theoretical. Exit documents exist; nothing has been tested; the regulated entity doesn't actually know how long an exit would take. Particularly affects cloud and material SaaS arrangements.
Two further patterns specific to 2026:
- AI vendor disclosure not in standard due diligence. Vendors using AI in their existing products without the regulated entity being aware. Treatment: AI-specific section in standard due diligence and re-due-diligence cadence.
- Vendor incident flow-back to the regulated entity's IR is slow. Vendor incident detection happens; flow-back to the regulated entity slips beyond the 6-hour CERT-In / sectoral notification window. Treatment: contractual flow-back SLA of ≤2 hours; tested via supplier-side incident simulation.
What good looks like in 2026 — a mature India TPRM programme
A mature programme operating across the five regimes typically exhibits:
- A consolidated vendor inventory with regime-overlay matrix (which regimes apply per vendor; what evidence and controls each regime requires; what the contractual posture is).
- Risk-based materiality classification with documented criteria and Board-visible reporting.
- Concentration risk modelling at vendor, CSP, CSP-region, and key sub-processor levels.
- Standard contract templates with regime-specific addenda; contract refresh on annual review cadence and on material change.
- Pre-engagement due diligence with depth proportionate to materiality; documented diligence file maintained and refreshed.
- Ongoing monitoring including KPIs, periodic reviews, right-to-audit exercise on a structured rotation.
- Tested exit strategies for material arrangements; partial exit drills annually for the most critical.
- Incident flow-back SLA under 2 hours with tested simulation.
- AI vendor governance integrated into standard due diligence.
- Sub-processor inventory maintained as a structured artefact; updated on vendor notification.
- Annual TPRM programme review at Board / Audit Committee with metrics.
This represents a substantial uplift from the 2022-era vendor-questionnaire programme that many Indian regulated entities still operate. The transition is non-trivial; budget and authority for a dedicated TPRM function are usually warranted for material RE programmes.
How ControlForge supports this
The TPRM area is one of the most heavily cross-referenced parts of the KB. Relevant clusters include:
- cl-supplier-policy — the governance and policy backbone.
- cl-third-party-due-diligence — pre-engagement assessment.
- cl-supply-chain-risk — risk identification and treatment.
- cl-data-processing-agreement — the contract layer; specific to DPDPA processor obligations.
- cl-cloud-shared-responsibility — cloud-specific TPRM.
- cl-cspm-cloud-posture — cloud configuration assurance.
- cl-ai-supplier-management — AI-vendor-specific governance.
Each cluster has cross-walked controls from RBI ITO 2023, RBI ITGRCA, RBI CSF, SEBI Cloud, SEBI CSCRF, IRDAI 2023, NCIIPC, DPDPA, CERT-In, and global frameworks (ISO 27001, ISO 27017, ISO 27018, NIST CSF, NIST 800-53, AICPA SOC 2, CSA CCM). The synthesis surfaces the strictest-clause patterns so that a single evidence trail satisfies overlapping obligations.
For the practitioner-level question — "what does our contract template need to satisfy all five regimes simultaneously?" — the answer is the strictest-clause synthesis across the regime-specific contractual requirements, plus DPDPA Section 8(5) / Rule 6(f) specifics, plus the AI / cloud overlays where applicable.
A 90-day TPRM uplift plan
For Indian regulated entities recognising the gap, a practical 90-day uplift plan that builds the foundation without disrupting existing operations:
Days 1–30: Inventory and classification.
- Build / refresh the vendor inventory with regime-overlay matrix.
- Apply materiality classification with documented methodology.
- Identify the top 10 critical vendors and surface the regulatory regimes touching each.
Days 31–60: Contract refresh.
- Audit existing contracts for the top 10 critical vendors against the regime-specific contractual requirements.
- Identify gaps; prioritise refresh.
- Negotiate addenda or a full re-paper for the gap arrangements.
Days 61–90: Operational uplift.
- Establish the regime-overlay monitoring cadence.
- Exercise right-to-audit on 1–2 critical vendors to test the operational process.
- Conduct a tabletop exercise simulating a vendor-side incident with flow-back to the RE's IR process.
- Document the 90-day delta and surface it to the Board / Audit Committee.
By day 90, the programme should be in operational uplift mode with the highest-risk gaps closed and the structural improvements (inventory, classification, contract template, monitoring cadence) in place. The medium-term work (concentration modelling, exit-strategy testing, AI vendor governance) extends from there.
Further reading
- RBI Master Direction on Outsourcing of IT Services, 2023 — https://www.rbi.org.in/
- RBI ITGRCA Master Direction, 2024 — https://www.rbi.org.in/
- SEBI Framework for Adoption of Cloud Services (6 March 2023) — https://www.sebi.gov.in/
- SEBI CSCRF Master Circular (20 August 2024) — https://www.sebi.gov.in/
- IRDAI Information and Cyber Security Guidelines, 2023 (with March 2025 amendments) — https://irdai.gov.in/
- DPDPA 2023 + Rules 2025 — https://www.meity.gov.in/
- ControlForge clusters:
  cl-supplier-policy, cl-third-party-due-diligence, cl-supply-chain-risk, cl-data-processing-agreement, cl-cloud-shared-responsibility, cl-ai-supplier-management — fully cross-walked across the five Indian regimes plus the global supplier-management standards.
This guide is a practitioner reference, not legal advice. It reflects publicly available regulatory guidance as of 24 May 2026. Compliance teams should validate specific obligations against the current circular text, sectoral notifications, and counsel review. Vendor contract refresh in particular should be undertaken with legal advisors familiar with the specific regulated-entity context.