The India-EU Data Transfer Question and Why It Sits at the Centre of Cyber Cover Design
Indian IT services firms process European personal data at a scale that few outside the industry fully appreciate. TCS Europe operations alone handle data for banks, insurers, and public sector clients across the UK, Germany, France, the Nordics, and the Benelux region. Infosys, Wipro, HCL, Tech Mahindra, LTIMindtree, Coforge, and Persistent each carry European client books with embedded personal data processing roles. India-based GCCs of European multinationals (Deutsche Bank's Pune centre, BNP Paribas's Mumbai centre, AstraZeneca's Bengaluru and Chennai centres, Unilever's India tech hubs) operate as data processors for European parent entities. Indian SaaS exporters (Zoho, Freshworks, Postman, BrowserStack, ChargeBee) operate platforms used by European customers, ingesting personal data from EU data subjects.
For every one of these flows, the General Data Protection Regulation (GDPR) governs the lawful basis for transfer of personal data from the EU to India. India is not a country with an EU adequacy decision (as of mid-2026), which means transfers require explicit transfer mechanisms under Chapter V of GDPR: Standard Contractual Clauses (SCCs) in the post-Schrems II form, Binding Corporate Rules (BCRs) for intra-group transfers, derogations under Article 49 for specific situations, or supplementary measures where the recipient country's surveillance laws or data subject rights regimes are deemed inadequate.
The Digital Personal Data Protection Act 2023 (DPDP Act), notified progressively from 2024 and with major operational provisions live by 2026, establishes India's domestic data protection regime. The DPDP Act creates parallel obligations on Indian data fiduciaries (controllers in GDPR terms) including notice, consent, purpose limitation, data subject rights, breach notification to the Data Protection Board of India, and significant data fiduciary obligations (where applicable). For Indian firms also subject to GDPR, the compliance overlap is meaningful but not identical.
The cyber insurance implications run in two directions. First, the first-party cyber cover (incident response, business interruption, data restoration, ransom) must respond to incidents involving European personal data, including GDPR-mandated notification timelines and regulatory cooperation. Second, the third-party cyber liability cover must respond to GDPR regulatory investigation costs, GDPR administrative fines (where insurable under applicable law), data subject claims, and contractual liabilities to European data controllers. The insurance design must align with both the GDPR and the DPDP Act compliance picture, not one or the other.
GDPR Enforcement Reality and What Cyber Insurance Actually Covers
GDPR enforcement has intensified materially since the regulation's 2018 entry into force. Cumulative GDPR administrative fines crossed EUR 4.5 billion by end-2024 across all member states, with annual fine totals continuing to rise. The largest individual fines have targeted US technology companies (Amazon's EUR 746 million fine from Luxembourg in 2021, Meta's EUR 1.2 billion fine from Ireland in 2023), but the broader enforcement pattern affects every controller and processor handling EU personal data, including Indian companies acting as processors for European controllers.
What Cyber Insurance Typically Covers on a GDPR Incident
A cyber insurance policy responds to a covered event (typically a data breach, security incident, or specified cyber peril) with a defined set of first-party and third-party benefits. For a GDPR-relevant incident, the policy's response includes:
- Incident response services: Forensic investigation, legal counsel, breach coach, public relations support, and notification logistics. Insurers provide these through panel firms, with costs covered subject to policy limits and deductibles.
- Regulatory investigation defence costs: Legal costs of responding to data protection authority investigations under GDPR, including representations, evidence submission, and negotiations.
- GDPR fine indemnity (where insurable): GDPR administrative fines are insurable in some EU member states and not in others. The law applicable to the fine determines insurability. UK ICO fines have generally been treated as insurable; certain continental European jurisdictions take a stricter view. Cyber policies typically include an insurability clause stating that GDPR fines are covered to the extent insurable under applicable law, leaving the actual coverage outcome contingent on case-specific legal analysis.
- Data subject claims: Civil claims by EU data subjects under GDPR Article 82 for material and non-material damage from a breach. UK and EU litigation funding and class action mechanisms have made these claims increasingly material.
- Notification costs: The cost of notifying affected EU data subjects of a breach, including translation, multiple-language communication, and call centre support.
- Business interruption: For breaches affecting Indian operations serving European clients, BI cover may respond to revenue loss during outage periods.
What Cyber Insurance Does Not Cover
Key exclusions matter as much as covered perils:
- War and warlike action: Following the 2022 to 2024 industry recalibration of war exclusions on cyber, most policies now exclude cyber events arising from war or warlike action, with specific definitions and carve-outs that vary by insurer.
- Infrastructure failures: Outages of third-party infrastructure (AWS, Azure, Google Cloud) may or may not trigger cyber cover depending on policy wording; some policies require a malicious cause, others extend to non-malicious outages.
- Contractual liability beyond defined scope: Indemnification obligations assumed contractually to European controllers may exceed the cyber policy's general liability response, particularly where the contract requires uncapped indemnity or specific carve-outs.
- Pre-existing vulnerabilities and conditions: Incidents arising from known unpatched vulnerabilities or previously identified deficiencies in security controls may be excluded or have coverage reduced.
Indian cyber insurance brokers should walk every European-data-handling client through these covered and excluded items explicitly at placement, not just at claim time.
Standard Contractual Clauses, Schrems II, and the Insurance Backdrop
Standard Contractual Clauses (SCCs) are the most widely used GDPR transfer mechanism for India-EU data flows. The post-Schrems II SCCs, adopted by the European Commission in June 2021 and mandatory for new contracts from September 2022, require:
- Module-specific contractual terms depending on whether the transfer is controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller
- Transfer impact assessment (TIA) documenting the laws and practices of the recipient country (India) and assessing whether they ensure essentially equivalent protection of personal data
- Supplementary measures (technical, contractual, organisational) where the TIA identifies risks, including encryption, pseudonymisation, contractual restrictions on government access disclosure, and audit rights
- Updated audit rights for the EU data exporter against the Indian data importer
For Indian IT services firms and GCCs, the operational reality of SCCs is significant. Every contract with an EU client requires SCC integration into the data processing agreement. The TIA must address Indian surveillance laws (the Information Technology Act 2000 and its rules, including the 2009 interception rules, and emerging telecommunications surveillance provisions), the absence of an independent data protection authority pre-DPDP Act, and the data subject rights framework. Supplementary measures often include encryption of EU data in transit and at rest, with access by India-based personnel limited to specific roles, contractual restrictions on disclosure to Indian authorities except as legally required, and notification commitments where disclosure is sought.
Insurance Implications
Cyber insurance does not directly cover the GDPR compliance burden of SCC implementation, TIA preparation, or supplementary measures. These are operational compliance costs borne by the Indian firm. However, cyber insurance interacts with the SCC regime in two ways:
- Demonstration of security controls: Insurance underwriters increasingly require evidence of SCC-compliant security measures (encryption, access controls, audit logging) as part of cyber insurance underwriting. The same evidence supports both insurance placement and SCC compliance demonstration.
- Coverage scope on government access incidents: If Indian authorities require an Indian processor to disclose EU personal data without notification to the EU data exporter, the resulting GDPR breach exposure may or may not be covered depending on policy wording. Some policies exclude government-mandated disclosures from breach coverage; others include them subject to specific terms.
The DPDP Act 2023 Parallel Obligations and Insurance Touchpoints
The Digital Personal Data Protection Act 2023 (DPDP Act), notified by the Government of India in August 2023 and with operational provisions and rules being phased in from 2024 through 2026, establishes India's domestic data protection regime. Key operational obligations for Indian data fiduciaries handling personal data of Indian principals (including in the cross-border context):
- Notice and consent requirements for processing personal data, with specific provisions for translation into recognised Indian languages
- Purpose limitation restricting processing to the notified purpose
- Data subject rights including access, correction, erasure, grievance redressal, and nomination
- Breach notification to the Data Protection Board of India and to affected data principals
- Significant data fiduciary obligations for entities classified as such by the Central Government, including data protection impact assessments and appointment of a data protection officer
- Cross-border transfer provisions, with the Central Government empowered to notify countries to which transfers are restricted (the default position is permissive subject to such notifications)
- Substantial penalty regime with fines up to INR 250 crore for specific contraventions
How Cyber Insurance Responds to DPDP Act Exposure
Indian cyber insurance policies are progressively updating to address DPDP Act exposures. The relevant coverage elements include:
- Regulatory investigation cover for Data Protection Board inquiries and proceedings
- Penalty indemnity for DPDP Act administrative penalties, subject to insurability under Indian law (similar to the GDPR fine insurability analysis; the legal position is still developing)
- Data principal claims for civil action under DPDP Act provisions, although the Act's compensation mechanism is distinct from GDPR's Article 82 and is still working through judicial interpretation
- Notification costs for breach notifications to data principals and the Data Protection Board
- Incident response services with India-specific legal, forensic, and PR panel resources
For Indian firms with both GDPR and DPDP exposures (most large IT services firms, GCCs, and SaaS exporters), the cyber insurance policy should be structured to respond to incidents triggering both regulatory regimes simultaneously. A breach affecting EU data subjects and Indian data principals requires a coordinated response: notification to the EU supervisory authority within 72 hours under GDPR Article 33, notification to the Data Protection Board under DPDP rules (timing requirements being clarified), parallel notification to affected EU data subjects and Indian data principals, and coordinated legal defence.
Cyber Insurance Tower Structure for Indian Firms with European Exposure
For Indian IT services firms and GCCs with significant European data processing roles, the cyber insurance tower typically follows a layered structure scaled to the firm's revenue and contractual exposure.
Typical Tower for a Large Indian IT Services Firm
- Primary layer: USD 25 to 50 million from a Lloyd's syndicate or specialist cyber insurer with a strong incident response panel and international experience
- First excess layer(s): Multiple insurers each providing USD 25 to 50 million, building the tower to USD 100 to 200 million on a US, Bermuda, and London-syndicated basis
- High excess layer(s): Additional capacity to USD 300 to 500 million for the largest firms, with high-attachment-point insurers covering catastrophic events
- Side cyber lines: Separate policies for specific exposures (technology errors and omissions for software services, media liability for content distribution, intellectual property cover for specific IP risks)
The total tower limit reflects worst-case scenario thinking: a major breach affecting multiple large European clients, with regulatory enforcement, data subject claims, business interruption, and contractual indemnity all firing simultaneously, can produce aggregate losses in the hundreds of millions of dollars.
Typical Cover for a Mid-Market Indian SaaS Exporter
- Cyber policy with limits of USD 5 to 25 million including first-party and third-party cover
- Specific GDPR sub-cover where the policy explicitly addresses GDPR-related costs and (subject to insurability) fines
- Tech E&O integration since SaaS providers face professional indemnity exposure alongside cyber
The pricing reflects revenue concentration, customer base size, and security maturity, with annual premium typically running 0.50 to 2.50% of cyber limits for well-controlled SaaS firms.
Typical Cover for an Indian GCC
For an Indian GCC operating as a data processor for its European parent, the cyber insurance arrangement is often coordinated with the parent's global cyber tower. Three common structures:
- Coverage under the parent's global cyber programme with the Indian GCC as a named insured
- Stand-alone Indian cyber policy for the GCC entity, with contractual coordination with the parent's programme on multi-entity incidents
- Hybrid structure with the parent providing high-limit excess cover and the Indian GCC purchasing primary cover for India-specific exposures
The choice depends on the parent's global programme architecture, the regulatory environment of the parent's home country, and the contractual allocation of cyber risk between parent and GCC.
Vendor and Sub-processor Risk on Cross-Border Flows
Modern Indian data processing rarely operates as a single-tier arrangement. An Indian IT services firm processing EU client data typically engages sub-processors (cloud infrastructure providers like AWS or Azure, specialist analytics services, payment processors, identity providers), which in turn may use further sub-processors. Each layer expands the attack surface and complicates incident response.
GDPR Article 28 imposes specific requirements on processor-sub-processor relationships: written contracts, prior authorisation, equivalent data protection obligations, and audit rights. The DPDP Act has parallel provisions for data fiduciary-processor arrangements. Indian firms must maintain current sub-processor registers, document the transfer mechanisms applicable to each sub-processor relationship, and ensure contractual cascading of data protection obligations down through the supply chain.
Insurance Implications
Cyber insurance responds differently depending on whether an incident originates with the named insured or with a sub-processor:
- Named insured incidents: Full coverage subject to policy terms
- Sub-processor incidents affecting the named insured's data: Coverage typically responds but may be subject to specific terms, sub-limits, or coordination requirements with the sub-processor's own cyber cover
- Sub-processor incidents triggering the named insured's contractual liability to clients: Coverage typically responds as third-party liability cover, subject to scope of contractual obligations
- Aggregation of multiple-tenant incidents: A cloud infrastructure outage affecting many of an insurer's clients simultaneously may trigger aggregation limits and reduce per-insured payouts
For Indian firms with heavy cloud sub-processor reliance, the cyber insurance broker should explicitly review:
- The aggregate exposure to specific cloud providers (concentration risk)
- The insurer's appetite and aggregation treatment of cloud provider incidents
- The interaction between the named insured's cyber cover and the cloud provider's own insurance and contractual indemnity
- The data transfer mechanism applicable to data flowing through the cloud provider's infrastructure (some major cloud providers have EU data residency options that simplify GDPR compliance and corresponding insurance treatment)
Practical Programme Design for India-EU Data Flows in 2026
For an Indian firm with European data processing exposure (whether IT services, GCC, or SaaS), the 2026 cyber insurance programme design should address four areas explicitly.
Coverage Scope Alignment
The policy must cover incidents involving EU personal data with appropriate response to:
- GDPR breach notification timelines (72 hours to supervisory authority)
- DPDP Act notification requirements (rules-driven, being finalised)
- Multiple-jurisdiction regulatory engagement (EU supervisory authority, Data Protection Board of India, sector regulators where relevant)
- Contractual notification obligations to European clients (typically more aggressive than statutory minimums)
- Class action exposure in EU member states and emerging exposure in India
Incident Response Panel
The insurer's panel of incident response providers (forensic firms, breach coaches, PR firms, notification logistics) must include experience with both EU and Indian regulatory engagement. Panel firms with experience on only one side may delay or complicate the response. The named insured should review and (where required) approve the panel at placement.
Regulatory Cooperation Coverage
GDPR investigations can extend over many months, with substantial legal and consulting costs. The cyber policy should provide explicit cover for regulatory investigation defence, with adequate sub-limits and reasonable insurer-counsel arrangements. Specific attention to the insurability of GDPR fines under applicable law (member-state by member-state analysis) is required.
Cross-Cover Coordination
Where the Indian firm has multiple policies that could respond to a cyber incident (cyber policy, professional indemnity, technology E&O, directors and officers liability, crime policy for cyber-enabled fraud), the placement should be structured to avoid duplicate cover and to ensure clear primary-excess relationships. Brokers should produce a clear cross-cover map at placement showing which policy responds to which scenario.
Renewal and Refresh Cadence
Cyber insurance terms shift materially every 12 to 18 months as the threat environment evolves, the regulatory environment changes, and insurer appetite recalibrates. Indian firms with European exposure should:
- Conduct annual cyber insurance reviews coordinated with their GDPR Article 30 records of processing and DPIA cycles
- Track GDPR enforcement trends in their sector and adjust limits accordingly
- Monitor DPDP Act rulemaking and adjust policy terms as new obligations crystallise
- Maintain documentation of security control maturity for renewal submissions
The combination of GDPR enforcement maturity, DPDP Act operationalisation, and the underlying threat environment makes 2026 a particularly important year for Indian cyber insurance programme refresh. Brokers and risk managers who treat cyber cover as a once-set-and-renew product are likely to find their clients underprotected at the moment of a major incident.
To see how Sarvada's broker workflow supports designing and refreshing cyber insurance programmes for Indian firms with European data exposure, Request Access to our platform.
Outlook: Adequacy Decisions, Sectoral Rules, and the 2027 Insurance Picture
The medium-term outlook for India-EU data flow regulation and the corresponding insurance picture turns on several open questions.
EU adequacy decision for India: The European Commission has the power to adopt adequacy decisions for non-EU countries whose data protection regimes are deemed essentially equivalent to GDPR. Such decisions allow personal data to flow to the recognised country without requiring SCCs or other transfer mechanisms. India has not been the subject of an adequacy decision as of mid-2026, and the DPDP Act's operationalisation is one of the prerequisites the Commission will assess before any adequacy discussion. A future adequacy decision (potentially in the 2027 to 2029 window if regulatory development proceeds) would materially simplify the compliance burden on Indian firms and would shift cyber insurance focus from transfer mechanism compliance to incident response and regulatory engagement.
Sectoral rules and supplementary obligations: EU sectoral regulations including the Digital Operational Resilience Act (DORA) (live January 2025 for financial services), the NIS2 Directive (member state transposition continuing through 2024 to 2025), and the AI Act (phased entry into force from 2025) impose additional obligations on Indian service providers to EU financial institutions, critical infrastructure operators, and AI deployers. Each set of obligations has parallel insurance implications, particularly for Indian IT services firms with major EU client books.
Indian sectoral guidelines: Beyond the DPDP Act, sector-specific guidance from the RBI, SEBI, IRDAI, and TRAI continues to evolve, with cyber security and data protection elements that interact with the federal DPDP framework. Indian firms operating in regulated sectors (financial services, insurance, telecommunications) must align cyber insurance with the sector-specific obligations as well as the federal framework.
Underlying threat environment: Ransomware, supply chain attacks, AI-enabled social engineering, and nation-state activity continue to drive the underlying frequency and severity of cyber incidents. Insurance pricing and capacity respond to this environment with a lag, meaning that periods of benign loss experience produce capacity expansion and softer pricing, while shock events produce hardening and capacity contraction. Indian firms should not assume current pricing or terms will persist; planning for a renewal cycle with potential disruption is prudent.
For brokers advising Indian firms with European data exposure, the consistent message through 2026 and into 2027 is that the cyber insurance design is a moving target tied to GDPR enforcement, DPDP Act operationalisation, sectoral regulation, and the underlying threat environment. Disciplined annual review with documented decisions on coverage scope, limits, and panel arrangements is the working pattern.