Opsio - Cloud and AI Solutions

What does the RBI Omnibus Framework for cyber security focus on?

Fredrik Karlsson

Group COO & CISO

Reviewed by Opsio Engineering Team

Quick Answer


The RBI's Omnibus Framework for Information Technology and Cyber Security, issued in 2024 for Non-Banking Financial Companies (NBFCs), focuses on governance, IT and information security risk management, business continuity and disaster recovery, third-party and vendor risk, and incident reporting to CERT-In and the Reserve Bank. It applies a tiered approach so that larger and more interconnected NBFCs carry heavier obligations than smaller ones.

Background and scope

The Omnibus Framework consolidates earlier RBI guidance into a single, technology-neutral rulebook for NBFCs. It sits alongside the existing Cyber Security Framework for Scheduled Commercial Banks (SCBs), the Master Direction on Outsourcing of Information Technology Services, and the RBI Cyber Security Guidelines for Urban Cooperative Banks. NBFCs must follow the Omnibus Framework in addition to any sector-specific RBI circulars that already apply to them.

The tiered approach for NBFCs

RBI uses a four-layer classification under its Scale-Based Regulation for NBFCs. The Omnibus Framework calibrates obligations to these layers:

| Layer | Typical NBFC profile | Cyber security expectation |
| --- | --- | --- |
| Base Layer (NBFC-BL) | Non-deposit-taking NBFCs below asset thresholds | Core controls: access management, patching, backups, vendor due diligence, basic incident response |
| Middle Layer (NBFC-ML) | Deposit-taking NBFCs and larger non-deposit NBFCs | Formal IS policy, Board-approved IT strategy, periodic VAPT, SOC capability, BCP testing |
| Upper Layer (NBFC-UL) | Top NBFCs by size and systemic relevance | Bank-grade controls, CISO function, independent IS audit, advanced threat detection, red teaming |
| Top Layer (NBFC-TL) | Reserved for NBFCs of exceptional systemic risk | Highest scrutiny; supervisory expectations broadly equivalent to large SCBs |

Focus areas of the Omnibus Framework

  • Governance: Board and IT Strategy Committee oversight, a designated CISO independent of the CIO, and a documented Information Security Policy reviewed at defined intervals.
  • Risk management: Risk-based control selection covering identity, network, endpoint, application, data, and cloud layers.
  • IT and IS audit: Periodic independent audits, both internal and external, with closure tracking reported to the Board.
  • Business continuity and disaster recovery: Defined RTO and RPO per critical system, tested DR drills, and documented crisis communication plans.
  • Vendor and third-party risk: Due diligence, contractual security clauses, right-to-audit, and exit strategy for material outsourcing arrangements including cloud providers.
  • Application security: Secure SDLC, source code review, and pre-production VAPT for customer-facing applications.
  • Data security: Classification, encryption at rest and in transit, data loss prevention, and alignment to applicable data localization mandates.
  • Incident management and reporting: Reportable incidents must be notified to CERT-In within the six-hour window under the April 2022 CERT-In directions, and to RBI as per supervisory expectations.
  • Cloud adoption: Specific expectations around shared responsibility, segregation, encryption key control, and continuous monitoring of cloud environments.

Who must comply and how to get started

Every entity registered as an NBFC with the Reserve Bank of India is in scope, including loan companies, investment companies, infrastructure finance companies, microfinance institutions, and housing finance companies regulated under RBI. Practical starting steps:

  1. Identify which Layer your NBFC sits in and read the corresponding control set in the Master Direction.
  2. Run a gap assessment against the Framework's domains and document residual risks for Board sign-off.
  3. Establish or strengthen the CISO function and define escalation paths for major incidents.
  4. Codify cloud controls in your shared responsibility matrix. The principles in our note on how secure AWS is are a useful starting reference.
  5. Test BCP and incident response at least annually and retain evidence for supervisory inspection.

How Opsio helps

Opsio supports NBFCs through Middle and Upper Layer readiness with Board-grade documentation, CISO-as-a-service, 24x7 SOC operations, VAPT, and DR design on AWS and Azure. Our cybersecurity services map directly to Omnibus Framework domains so that an internal or RBI inspection finds evidence in the format expected. We also align cloud architecture to AWS IAM access control patterns required for least-privilege enforcement.

Frequently Asked Questions

When did the Omnibus Framework come into effect?

The Master Direction was issued in 2024 with a phased compliance timeline tied to NBFC layer. Larger NBFCs have shorter runways; smaller NBFCs received longer transition periods. Check the implementation dates in your specific Master Direction.

Does the Omnibus Framework replace the SCB Cyber Security Framework?

No. The 2016 RBI Cyber Security Framework for Scheduled Commercial Banks remains in force for banks. The Omnibus Framework targets NBFCs and complements, rather than replaces, banking guidance.

Are cloud providers in scope of the Framework?

Indirectly, through the NBFC's outsourcing obligations. The NBFC remains accountable. Cloud arrangements must follow RBI outsourcing guidance, with right-to-audit, exit strategy, and data residency considerations addressed contractually.

What incident reporting timelines apply?

CERT-In requires reporting of specified cyber incidents within six hours of detection under the April 2022 directions. RBI also expects timely reporting of material incidents to its supervisory team. Maintain a clear playbook so the dual notifications happen in parallel.

Do small NBFCs really need a CISO?

Base Layer NBFCs may not need a dedicated CISO role, but they still need clearly assigned ownership of information security. Middle and Upper Layer NBFCs are expected to formalise the CISO function and ensure independence from the IT function.

Written By

Fredrik Karlsson

Group COO & CISO at Opsio

Fredrik is the Group Chief Operating Officer and Chief Information Security Officer at Opsio. He focuses on operational excellence, governance, and information security, working closely with delivery and leadership teams to align technology, risk, and business outcomes in complex IT environments. He leads Opsio's security practice including SOC services, penetration testing, and compliance frameworks.

Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. Content is reviewed quarterly for technical accuracy and relevance to Indian compliance requirements including DPDPA, CERT-In directives, and RBI guidelines. Opsio maintains editorial independence.