RBI Cloud Outsourcing Framework: What Indian Banks Must Do

The RBI cloud outsourcing framework requires Indian banks, NBFCs, and all Regulated Entities (REs) to follow structured governance controls before and after migrating to cloud infrastructure. Under the RBI Master Direction on Outsourcing of IT Services (2023) and the Guidelines on IT Governance, Risk, Controls and Assurance Practices (2023), REs must conduct board-level risk assessments, maintain data sovereignty with critical data held within India, secure contractual audit rights over cloud service providers, document and test exit strategies, and report security incidents to CERT-In within six hours. Non-compliance invites direct supervisory intervention from the Reserve Bank of India.

Why the RBI Cloud Outsourcing Framework Exists

Financial institutions adopted cloud infrastructure faster than the regulatory framework could absorb. Earlier guidance under the IT Act 2000 addressed general IT outsourcing but did not account for the elastic, multi-tenant, geographically distributed nature of cloud deployments. Two concerns drove the 2023 framework. First, data sovereignty — customer financial records and KYC data processed outside India create jurisdictional uncertainty the RBI considers unacceptable. Second, concentration risk — the dominance of a handful of global CSPs means a single outage or regulatory action can simultaneously impair dozens of banks and payment operators.

The framework makes one principle non-negotiable: a regulated entity may outsource IT operations to a cloud provider, but it cannot outsource accountability. Every obligation the RE owes to customers and regulators travels with the data, regardless of where the compute happens.

ℹ️

INFO

The RBI's outsourcing framework applies to all Regulated Entities — scheduled commercial banks, urban co-operative banks, NBFCs, payment system operators, and asset reconstruction companies. The principle of proportionality allows implementation depth to scale with complexity, but the core obligations apply to every RE regardless of size.

The RBI Cloud Adoption Decision Flow

Before any cloud migration, regulated entities must follow a structured approval pathway. Skipping stages — even for workloads that appear non-critical — creates regulatory exposure that can surface during IT examination cycles.

graph TD
    A["Risk Assessment
Classify data sensitivity"]:::normal --> B{"Board Level
Approval Gate"}:::normal
    B -->|"Approved"| C["Vendor Due Diligence
CSP security evaluation"]:::normal
    B -->|"High Risk — Rejected"| Z["On-Premise Alternative
or Defer Migration"]:::danger
    C --> D["Contract Requirements
Audit rights and SLAs locked"]:::normal
    D --> E["Data Localisation
Critical data stays in India"]:::success
    E --> F["Ongoing Monitoring
Quarterly risk reviews"]:::normal
    F --> G["Incident Reporting
6-hour CERT-In window"]:::danger
    F --> H["Exit Strategy
Lock-in risk documented and tested"]:::success

    classDef normal fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    classDef danger fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    classDef success fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

Each gate is mandatory. A bank that migrates customer data to a foreign cloud zone without board-level sign-off has violated the framework before a single workload goes live.

Stage 1 — Risk Assessment and Data Classification

The process begins with classifying data by sensitivity and regulatory weight. The RBI distinguishes between two broad categories:

Critical data — customer personal and financial records, transaction logs, KYC documents, and account-level data. These must remain within Indian territory with contractual guarantees.
Non-critical data — anonymised analytics, internal tooling logs, and non-customer-facing workloads. These carry more flexibility on geography.

This classification must be documented, version-controlled, and reviewed at least annually — or whenever the RE's data architecture changes materially. The risk assessment must also evaluate concentration risk: if a single cloud provider experiences an outage or becomes subject to regulatory action, what share of the RE's operations is affected?

⚠️

WARNING

Many regulated entities assume that selecting a cloud provider's Indian region is sufficient to satisfy data sovereignty requirements. It is not. The RBI requires a contractual guarantee that critical data remains within India — not just the CSP's default region configuration, which the provider can change unilaterally.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Stage 2 — Board-Level Accountability

The RBI framework is unambiguous: cloud adoption decisions involving customer data and critical systems require board-level awareness and approval. This is not a CTO-level decision. The board must:

Approve the IT outsourcing policy and review it annually
Sanction material changes to existing cloud arrangements
Receive regular risk reports covering cloud vendor performance and concentration exposure
Maintain documented oversight of the RE's exit preparedness at all times

Boards that receive only high-level technology briefings without explicit cloud risk exposure details are not satisfying this obligation under the RBI framework.

Stage 3 — Vendor Due Diligence

The due diligence framework for cloud vendors is more rigorous than for traditional software vendors. The RBI expects regulated entities to assess each CSP against a defined set of criteria before contracting and to refresh that assessment periodically.

Criterion	What to Verify
Data residency	Contractual guarantee that critical data stays within India
Security certifications	ISO 27001, SOC 2 Type II, CSA STAR Level 2 or equivalent
Subcontractor disclosure	Identification of all material sub-processors the CSP uses
Audit access	Right to inspect or appoint a third-party auditor for CSP systems
Incident notification	CSP obligation to notify the RE within a defined window of detection
Business continuity	Documented RTO and RPO for cloud service failures affecting the RE
Exit assistance	Data portability formats and migration support on contract termination

Third-party cloud security assessments — conducted with a CERT-In empanelled partner — are strongly recommended before signing any enterprise cloud agreement. Application-layer vulnerability assessments should also run against internet-facing cloud workloads independently of the infrastructure audit.

Stage 4 — Mandatory Contract Clauses

The RBI framework specifies contractual protections that must appear in every cloud agreement. These are not negotiation points — they are baseline minimums required before any RE data is processed on a third-party cloud platform.

Mandatory clauses:

Audit rights — the RE and RBI must retain the right to audit the CSP directly or via an appointed third party
Data sovereignty — explicit prohibition on storing critical data outside India without written RE and RBI approval
Subcontracting disclosure — the CSP must disclose and obtain RE approval for material subcontractors
Incident notification — the CSP must notify the RE within a defined window of any security event affecting RE data
Exit and migration support — minimum notice periods, data return obligations, and data destruction confirmation on termination
Regulatory access — RBI inspectors must have direct access to relevant records held by the CSP

🚨

DANGER

Standard enterprise cloud contracts from major CSPs do not include all of these clauses by default. If your legal or procurement team signed a standard agreement without negotiating these RBI-mandated terms, your institution may already be in violation — even if the technology is functioning without issues. Review every active cloud agreement against this checklist.

Stage 5 — Ongoing Monitoring and Incident Reporting

Cloud migration is not a point-in-time compliance activity. The RBI framework requires continuous monitoring throughout the life of the cloud arrangement:

Periodic risk reviews — at minimum annually, and whenever material changes occur to the RE's cloud architecture or the CSP's ownership or certification status
Vendor performance monitoring — SLA tracking with documented escalation paths for persistent underperformance
Security event logging — logs must be retained, tamper-evident, and accessible to RBI inspectors on demand
Change management — significant architectural changes to cloud deployments require re-assessment and, where material, board notification

The incident reporting obligation is time-critical. Under the CERT-In Directions of April 2022, all RBI Regulated Entities must report cyber incidents within six hours of detection — not confirmation or completed investigation. Reportable incidents include data breaches, ransomware, unauthorised access, DDoS attacks, and cloud disruptions affecting critical operations.

6 hoursMandatory CERT-In incident reporting window from time of detection (CERT-In Directions April 2022)

2023Year RBI issued Master Direction on Outsourcing of IT Services (RBI 2023)

130+Urban Co-operative Banks directly under RBI IT governance framework (RBI Annual Report 2023-24)

Stage 6 — Exit Strategy and Lock-in Risk

The most consistently neglected element of the RBI cloud framework is the exit strategy. The RBI explicitly requires regulated entities to document and assess their ability to exit any cloud arrangement, covering:

The realistic effort and timeline to migrate data and workloads away from the current CSP
Proprietary format dependencies (serverless functions, managed database schemas, vendor-specific APIs) that create practical lock-in
Data portability mechanisms, supported export formats, and tooling requirements
Whether contract termination triggers immediate data deletion, a retention window, or requires active data destruction confirmation
Business continuity planning for the transition period, including interim service availability

Lock-in risk is real. A bank that has built core banking workflows around one CSP's proprietary orchestration layer may face migration that is technically feasible but financially impractical under time pressure. The RBI's requirement to assess this risk before signing is designed to prevent that outcome.

🛡️

SECURITY

Exit strategies must be tested, not just documented. If your exit plan asserts that data can be migrated within 30 days, conduct a tabletop exercise or a partial dry run to validate that claim. A plan that exists only as a document provides false assurance to your board and will not satisfy an RBI IT examiner who asks for evidence of rehearsal.

Distribution of RBI Cloud Compliance Control Categories

Understanding how the framework distributes control requirements helps compliance teams sequence their implementation effort.

pie title RBI Cloud Compliance — Control Category Distribution
    "Data Security and Sovereignty" : 25
    "Access Management and IAM" : 20
    "Audit Rights and Oversight" : 20
    "Exit Planning and Portability" : 15
    "Incident Reporting" : 10
    "Geographic Controls" : 10

Data security and sovereignty accounts for the largest share of control requirements — reflecting the RBI's primary concern that customer financial data must be protected and physically within Indian jurisdiction at all times.

NBFC-Specific Considerations

NBFCs face the same core obligations as scheduled commercial banks. Proportionality applies to implementation depth, not to which rules apply — the obligations around board policy, vendor due diligence, data sovereignty, and CERT-In incident reporting are universal regardless of NBFC size.

Digital lenders with cloud-native architectures processing loan origination, credit bureau integrations, and KYC entirely on cloud infrastructure are particularly exposed to governance gaps. Many have a cloud stack that functions technically but lacks the documented board approval, contractual audit rights, and tested exit strategy the RBI framework requires.

The DPDP Act 2023 adds a complementary obligation layer for any entity processing Indian citizens' personal data. See DPDP compliance resources for how the two frameworks align. Further analysis of Indian regulatory compliance is on the Bachao.AI blog.

Authoritative references:

If you are assessing your institution's cloud security posture ahead of an RBI IT examination, a free VAPT scan run by Bachao.AI (built by Dhisattva AI Pvt Ltd, a DPIIT Recognized Startup) surfaces application-layer vulnerabilities across your internet-facing cloud workloads — giving your security team a documented baseline before your CERT-In empanelled partner conducts the full infrastructure and outsourcing audit.

🎯Key Takeaway

The RBI cloud outsourcing framework is a continuous governance obligation, not a one-time checklist. Board approval, data sovereignty contracts, explicit audit rights, six-hour incident reporting, and a tested exit strategy are the five non-negotiable pillars. Banks and NBFCs that treat cloud adoption as a technology decision without parallel compliance review will face exposure during RBI IT examinations. Start with data classification, work upward to board policy, verify every active cloud contract against the mandatory clause list, and ensure your CERT-In reporting chain is live before the next workload goes to cloud.

Frequently Asked Questions

Does the RBI cloud outsourcing framework apply to NBFCs or only scheduled commercial banks?

The framework applies to all RBI Regulated Entities, including scheduled commercial banks, urban co-operative banks, NBFCs, payment system operators, and asset reconstruction companies. The principle of proportionality means implementation depth scales with the RE's risk profile, but the core obligations — board oversight, data sovereignty, vendor due diligence, incident reporting — apply to every RE without exception.

Can Indian banks store customer data on a foreign cloud provider's Indian region?

Using an Indian region of a foreign cloud provider can satisfy the geographic requirement, but it is not sufficient on its own. The RBI requires regulated entities to hold contractual guarantees — not rely on default platform settings — that critical data remains within India. The contract must also include explicit audit rights enabling the bank or RBI inspectors to verify data residency independently of the provider's self-attestation.

What types of incidents must be reported to CERT-In within 6 hours?

Under CERT-In Directions 2022, reportable incidents include data breaches, ransomware attacks, unauthorised access to IT systems, identity and credential theft at scale, DDoS attacks affecting service availability, website defacements, and cloud service disruptions affecting critical operations. The 6-hour window begins at the moment of detection, not at the point of confirmed attribution or completed investigation.

What happens if a cloud service provider refuses to grant audit rights?

A CSP's refusal to grant contractual audit rights is a disqualifying condition under the RBI framework. Regulated entities cannot engage a cloud provider that does not permit inspection by the RE or its designated third-party auditor, and cannot use any CSP that refuses to grant RBI inspectors access to relevant records. If a preferred CSP will not agree to these terms, the RE must identify an alternative provider.

Is an exit strategy required even for non-critical cloud workloads?

The RBI framework requires documented exit strategies for all material cloud arrangements, not only those hosting classified or critical data. The intent is to prevent operational and financial lock-in that would impair an RE's ability to change providers or repatriate workloads if the CSP faces financial distress, regulatory sanction, or prolonged service failure. The depth and testing frequency of the exit strategy may be proportional to the criticality of the workload.

How does the RBI cloud framework interact with the Digital Personal Data Protection Act 2023?

The two frameworks are complementary but governed independently. The RBI framework governs IT outsourcing governance and cloud risk management for regulated financial entities. The DPDP Act 2023 governs how any organisation processes Indian citizens' personal data, including obligations around data principal rights, purpose limitation, and breach notification. Banks and NBFCs must satisfy both simultaneously — DPDP obligations around breach notification and data principal consent sit alongside RBI obligations around cloud vendor contracts, data localisation, and board accountability.

RBI Cloud Outsourcing Framework: What Indian Banks Must Do

Get cybersecurity insights for Indian SMBs

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.