FortiWeb for DPDP, RBI and SEBI compliance — the WAF as a regulatory control
India's compliance landscape changed the question. It's not "do you have a WAF?" — it's "can you prove the WAF was the safeguard you claim it was, with logs, with timestamps, with chain of custody?" The DPDP Act, CERT-In's 6-hour clock, RBI's Cyber Security Framework, SEBI CSCRF and PCI DSS 4.0 each touch web-app protection from a different angle — but the operational answer across all five converges on the same control: an enforceable WAF with auditor-quality logging. This guide maps each regulator's requirement to the FortiWeb feature that satisfies it.
- DPDP §8 (reasonable safeguards): a Data Fiduciary obligation; the WAF is the front-line control for personal data exposed via web/API.
- 6 hours (CERT-In reporting): the clock runs from detection to incident report; WAF-driven detection is the upstream input.
- 180 days (log retention floor): the minimum log retention in India under the CERT-In Direction.
- PCI 4.0 (Client-Side Protection): Requirements 6.4.3 and 11.6.1, script inventory plus change detection.
DPDP Act 2023 — what it actually demands
The Digital Personal Data Protection Act doesn't name a specific control. It places a continuing obligation on every Data Fiduciary under Section 8(5) to take "reasonable security safeguards" against personal-data breaches — and backs it with a Schedule penalty of up to ₹250 crore per instance for failure of those safeguards.
For any Data Fiduciary operating internet-facing applications that touch personal data, the WAF is the operational control most directly addressing the attack vectors that lead to those breaches at scale. The DPDP Rules (notified 2025-26) clarify the breach-notification process; FortiWeb's Threat Analytics provides the detection-side signal that feeds it.
The Schedule reality
₹250 crore is the cap. The auditor's question is what evidence you have that safeguards were "reasonable".
"Reasonable" is judged against industry-standard controls: WAF, MFA, encryption at rest, logging and incident response. Missing any of them weakens the safeguards argument; a WAF with auditor-quality logs is hard to argue against.
CERT-In Direction No. 20(3)/2022 — the 6-hour reporting clock
CERT-In's Direction (28 April 2022) mandates incident reporting within 6 hours of becoming aware of a defined list of incident classes — including data breaches, unauthorised access, identity theft, and ransomware. It also requires 180 days of ICT-system log retention within Indian jurisdiction, with time synchronised to NPL or NIC NTP servers.
FortiWeb's role in this chain:
- Detection — the WAF generates the attack-attempt signal that the SOC team triages and escalates within the 6-hour window.
- Logs — forwarded to FortiAnalyzer (cloud or on-prem) with India-region storage. 180-day rolling retention default; configurable for longer.
- Time sync — appliance NTP configured to NPL / NIC sources per the Direction.
- Evidence package — incident reports can be generated in CERT-In format from FortiAnalyzer / FortiSOC.
RBI Cyber Security Framework for Banks
RBI's framework (DBS.CO.CSITE.BC.No.4083, June 2 2016 and successor circulars covering UCBs / NBFCs by category) mandates web application protection for internet-facing apps. WAF is treated as a baseline control under the framework's "Network security" and "Application security" control sets.
▸ Internet-facing app protection
WAF inline for every internet-facing banking application. FortiWeb appliance or HA pair in the DC perimeter is the standard pattern.
▸ 24×7 monitoring SOC
Required across all SCBs and qualifying UCB/NBFC categories. FortiWeb logs feed the SOC's SIEM; events become detected incidents.
▸ Forensic-grade logs
Tamper-evident log retention; WAF event logs included in the forensic-evidence scope.
▸ Annual SAR
Self-Assessment Reporting — WAF deployment status and effectiveness reports are part of the SAR control evidence.
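The "forensic-grade" and "tamper-evident" properties above are what an auditor will probe. The following is an added example, not FortiAnalyzer's or Ogma's own mechanism, of how a tamper-evident chain over WAF event records can be built and verified: each stored record carries an HMAC over its canonical content and the previous record's tag, with the key held by the SOC rather than on the WAF host, so editing, deleting or reordering any record breaks every later link. The event records and the key are constructed sample data, not a vendor log format.

```python
"""Tamper-evident chaining of WAF event records (added example, constructed data)."""
import hashlib
import hmac
import json

# Constructed: in practice the verification key lives with the SOC / evidence store,
# never on the appliance whose logs it protects.
EVIDENCE_KEY = b"constructed-demo-key-rotate-in-production"

# Constructed WAF event records with generic fields (not a FortiWeb log format).
EVENTS = [
    {"ts": "2025-03-01T10:15:02Z", "src": "203.0.113.7", "policy": "payments", "action": "block", "rule": "sqli"},
    {"ts": "2025-03-01T10:15:03Z", "src": "203.0.113.7", "policy": "payments", "action": "block", "rule": "sqli"},
    {"ts": "2025-03-01T10:16:40Z", "src": "198.51.100.9", "policy": "payments", "action": "alert", "rule": "xss"},
]

GENESIS = "0" * 64  # tag assumed to precede the first record


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link_tag(prev_tag, record, key=EVIDENCE_KEY):
    """HMAC-SHA256 over (previous tag || record): this is the chain link."""
    return hmac.new(key, prev_tag.encode() + b"\n" + canonical(record), hashlib.sha256).hexdigest()


def chain_records(records, key=EVIDENCE_KEY):
    """Wrap each record with the tag of its predecessor and its own tag."""
    entries, prev = [], GENESIS
    for rec in records:
        tag = link_tag(prev, rec, key)
        entries.append({"record": rec, "prev": prev, "tag": tag})
        prev = tag
    return entries


def verify_chain(entries, key=EVIDENCE_KEY):
    """Return None if the chain is intact, else the index of the first broken link.

    A modified record, a deleted record, a reordered record or a tag produced
    under a different key all surface as a broken link at or before that point.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = link_tag(prev, entry["record"], key)
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    return None


def evidence_summary(entries):
    """What goes into the incident evidence package: span, count and chain head."""
    if not entries:
        return {"count": 0, "first_ts": None, "last_ts": None, "head": GENESIS}
    return {
        "count": len(entries),
        "first_ts": entries[0]["record"]["ts"],
        "last_ts": entries[-1]["record"]["ts"],
        "head": entries[-1]["tag"],  # record this out-of-band at export time
    }


if __name__ == "__main__":
    chain = chain_records(EVENTS)
    print("intact:", verify_chain(chain) is None, evidence_summary(chain))
    chain[1]["record"]["action"] = "allow"  # simulate an after-the-fact edit
    print("first broken link:", verify_chain(chain))
```

Recording the chain head in the incident report gives the auditor one value to compare against the stored logs later; any record that was altered after export changes every tag from that point on, including the head.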
SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)
SEBI's CSCRF (consolidated 2024 framework) covers market infrastructure institutions, stock brokers, depositories, mutual funds, AIFs and other regulated entities. WAF protection scales by entity categorisation. Specific control mapping varies — Ogma maps your entity category to the applicable CSCRF control set.
PCI DSS 4.0 — Client-Side Protection (a 2025 sea-change)
FortiWeb Enterprise tier — the PCI 4.0 anchor
Requirements 6.4.3 + 11.6.1 — addressed by FortiWeb Client-Side Protection
PCI DSS 4.0's most-watched 2025 requirements landed: Req 6.4.3 (inventory all scripts on payment pages + authorize them) and Req 11.6.1 (change-detection on payment pages + alerting). Both are directly addressed by FortiWeb Client-Side Protection — Magecart, formjacking, online skimming defence, real-time script-integrity checks.
Client-Side Protection is Enterprise-tier — across appliance, VM-S, and FortiAppSec Cloud Enterprise plan. Per the Data Sheet: "FortiWeb Client-Side Protection addresses key requirements by inventorying, authorizing, and monitoring all scripts on payment pages, in line with mandates such as requirements 6.4.3 and 11.6.1."
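To make the two requirements concrete, here is an added example (not FortiWeb's Client-Side Protection code, and not from the Data Sheet) of the minimal logic they describe: build an inventory of every script on a payment page keyed to a content hash (Req 6.4.3), then diff a freshly served copy of the page against that authorized inventory and raise an alert on anything unauthorized, modified or missing (Req 11.6.1). The page HTML, the script bodies and the URLs are constructed sample data; the `SCRIPT_BODIES` lookup stands in for fetching external script content over the network.

```python
"""Payment-page script inventory and change detection (added example, constructed data)."""
import base64
import hashlib
from html.parser import HTMLParser

# Constructed: the authorized payment page at baseline.
BASELINE_HTML = """<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://psp.example/sdk/v2.js"></script>
<script>window.checkoutConfig = {currency: "INR"};</script>
</body></html>"""

# Constructed: the same page as served later. One inline script changed and an
# extra external script appeared; both must be flagged rather than accepted.
CURRENT_HTML = """<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://psp.example/sdk/v2.js"></script>
<script src="https://cdn-assets.example/t.js"></script>
<script>window.checkoutConfig = {currency: "INR", debug: true};</script>
</body></html>"""

# Constructed stand-in for fetching each external script's body.
SCRIPT_BODIES = {
    "https://shop.example/js/checkout.js": "function pay(){/* checkout */}",
    "https://psp.example/sdk/v2.js": "window.PSP = {tokenize: function(){}};",
    "https://cdn-assets.example/t.js": "console.log('not on the approved list');",
}


class _ScriptCollector(HTMLParser):
    """Collects <script> elements: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # ("external", src) or ("inline", body), in page order
        self._in_inline, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("external", src))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.scripts.append(("inline", "".join(self._buf).strip()))


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sri_value(text):
    """Subresource Integrity attribute value for an authorized external script."""
    return "sha256-" + base64.b64encode(hashlib.sha256(text.encode("utf-8")).digest()).decode("ascii")


def build_inventory(html, fetch=SCRIPT_BODIES.get):
    """Req 6.4.3: every script on the page, with a hash of its content.

    External scripts are keyed by URL; inline scripts by their slot on the page,
    so a body change in the same slot reports as 'modified', not as a new entry.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    inventory, inline_n = {}, 0
    for kind, value in collector.scripts:
        if kind == "external":
            body = fetch(value)
            inventory[value] = sha256_hex(body) if body is not None else "unfetchable"
        else:
            inline_n += 1
            inventory[f"inline#{inline_n}"] = sha256_hex(value)
    return inventory


def detect_changes(authorized, current):
    """Req 11.6.1: diff the served page against the authorized inventory."""
    return {
        "unauthorized": sorted(k for k in current if k not in authorized),
        "modified": sorted(k for k in current if k in authorized and current[k] != authorized[k]),
        "missing": sorted(k for k in authorized if k not in current),
    }


def needs_alert(report):
    return any(report.values())


if __name__ == "__main__":
    baseline = build_inventory(BASELINE_HTML)
    report = detect_changes(baseline, build_inventory(CURRENT_HTML))
    print("ALERT" if needs_alert(report) else "clean", report)
```

The authorized inventory is the artefact an assessor asks for under 6.4.3; the diff output, run on a schedule or on every served page, is the alerting evidence for 11.6.1. The `sri_value` helper shows the `integrity` attribute value you can pin on authorized external scripts so the browser itself refuses a changed file.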
IRDAI Information & Cyber Security Guidelines
IRDAI's guidelines for insurance-sector entities include web application protection and 24×7 monitoring as control-set requirements. WAF deployment is standard practice for insurer-facing portals + claims systems.
The control mapping in one table
| Regulator / Standard | The requirement | FortiWeb feature that satisfies it | Tier |
|---|---|---|---|
| DPDP §8(5) | Reasonable security safeguards | WAF as front-line web/API control + Threat Analytics | Standard+ |
| CERT-In 6-hour | Incident reporting + 180-day log retention in India | FortiWeb logs → FortiAnalyzer India region; 180-day default | Standard+ |
| RBI Cyber Security | WAF for internet-facing banking apps + 24×7 SOC | FortiWeb appliance / VM-S + FortiSOC integration | Standard+ |
| SEBI CSCRF | WAF for internet-facing apps (scaled by entity category) | FortiWeb appropriate to entity scale | Standard+ |
| PCI DSS 4.0 Req 6.4.3 + 11.6.1 | Script inventory + change detection on payment pages | Client-Side Protection | Enterprise |
| IRDAI ICS Guidelines | Web app protection + monitoring | FortiWeb in-line + log feed to insurer SOC | Standard+ |
Compliance-ready FortiWeb deployment patterns
▸ BFSI on-prem
HA appliance pair in colo/DC. FortiAnalyzer on-prem for India-residency. 180-day+ retention. FortiSOC integration for the 6-hour CERT-In workflow.
▸ SaaS / e-commerce
FortiAppSec Cloud Enterprise plan. Multi-region delivery + Client-Side Protection for PCI DSS 4.0 + SOCaaS bundled.
▸ Hybrid bank cloud
On-prem appliance for legacy apps + FortiWeb-VM BYOL for AWS / Azure workloads. Same FortiManager policy plane.
▸ Brokerage / SEBI MII
Appliance with CSCRF-aligned policy set. Strict log retention. Quarterly compliance reports via FortiAnalyzer.
FAQ
- Does the DPDP Act explicitly mandate a WAF?
- Is FortiWeb CERT-In Empanelled?
- What does RBI's Cyber Security Framework say about WAFs?
- What about PCI DSS 4.0 for card-payment apps?
- How long are FortiWeb logs retained?
- Are FortiWeb logs admissible as forensic evidence?
- What does the SEBI CSCRF require for stock brokers, depositories etc.?
- What about DPDP breach notification?
Free DPDP / RBI / SEBI WAF gap assessment
See exactly which controls your current WAF satisfies — and which it doesn't
Ogma maps your applicable regulatory set (DPDP, CERT-In, RBI, SEBI, IRDAI, PCI DSS 4.0) to FortiWeb features and surfaces the gaps. 7 working days. The deliverable is a control-mapping report your auditor can use directly.
Request the gap assessment or explore the FortiWeb Managed WAF service.
Sources
- cert-in.org.in — Direction No. 20(3)/2022-CERT-In, 28 April 2022 (6-hour + 180-day rules)
- meity.gov.in — DPDP Act 2023, Section 8 and Schedule
- rbi.org.in — Cyber Security Framework for Banks (DBS.CO.CSITE.BC.No.4083, June 2 2016)
- sebi.gov.in — Cybersecurity and Cyber Resilience Framework (CSCRF)
- irdai.gov.in — Information & Cyber Security Guidelines
- FortiWeb Data Sheet — Client-Side Protection and PCI DSS 4.0 mapping
- pcisecuritystandards.org — PCI DSS 4.0 (Requirements 6.4.3 and 11.6.1)