The EU Regulatory Exposure Facing Indian IT Companies and GCCs
India's IT services industry generates approximately USD 254 billion in annual revenue (NASSCOM data for FY 2024-25), with Europe accounting for roughly 30% of this revenue. The continent is served by every major Indian IT firm, including TCS, Infosys, Wipro, HCLTech, and Tech Mahindra, as well as hundreds of mid-market IT companies and the rapidly growing Global Capability Centre (GCC) sector. India hosts over 1,700 GCCs as of 2025, with a significant share delivering services to European parent companies and EU-domiciled clients.
This deep service delivery relationship exposes Indian IT companies and GCCs to two major EU regulatory frameworks that have direct insurance implications: the General Data Protection Regulation (GDPR), which has been in force since May 2018, and the Digital Operational Resilience Act (DORA), which became applicable in January 2025.
GDPR applies to any entity that processes the personal data of individuals located in the EU, regardless of where the processing entity is located. An Indian IT company that manages customer databases, processes employee records, or handles financial data on behalf of an EU client is a "data processor" under GDPR and is directly subject to GDPR obligations, including data security requirements, breach notification duties, and potential administrative fines of up to EUR 20 million or 4% of global annual turnover (whichever is higher). The extraterritorial reach of GDPR means that an Indian IT company with no physical presence in the EU can still face GDPR enforcement action and fines.
DORA applies to EU financial entities (banks, insurance companies, investment firms, payment institutions, crypto-asset service providers) and, critically, to their ICT third-party service providers. Indian IT companies and GCCs that provide IT services to EU financial institutions, including application development, infrastructure management, cloud services, data analytics, and cybersecurity services, are classified as "critical ICT third-party service providers" under DORA if their services are material to the financial entity's operations. DORA imposes specific requirements on these service providers, including ICT risk management standards, incident reporting obligations, resilience testing requirements, and the obligation to permit direct oversight by EU financial supervisory authorities.
The insurance implications of these regulatory frameworks are substantial. GDPR enforcement fines, data breach response costs, regulatory investigation expenses, and third-party claims by affected data subjects all create insurable exposures. DORA adds operational resilience requirements that, if breached, can trigger contractual penalties, regulatory sanctions, and loss of critical client relationships. Indian IT companies and GCCs need insurance programmes that address both the regulatory liability and the business interruption consequences of EU compliance failures.
GDPR Liability and the Insurance Response: What Indian IT Firms Must Cover
GDPR creates multiple categories of insurable liability for Indian IT companies serving EU clients. Understanding each category and the corresponding insurance coverage is essential for structuring an adequate programme.
The first category is regulatory fines and penalties. GDPR provides for administrative fines of up to EUR 10 million or 2% of global turnover for lower-tier infringements (such as inadequate data processing records) and EUR 20 million or 4% of global turnover for higher-tier infringements (such as violations of data processing principles or data subject rights). For an Indian IT company with global turnover of INR 10,000 crore (approximately EUR 1.1 billion), the maximum theoretical fine exposure is EUR 44 million (approximately INR 400 crore). While fines of this magnitude have been rare, data published by the European Data Protection Board (EDPB) show that GDPR fines exceeding EUR 1 million have been issued in over 150 cases since 2018, with a noticeable acceleration in enforcement since 2023.
The insurability of GDPR fines varies by jurisdiction and by policy. In most EU member states, regulatory fines are insurable as a matter of public policy. The standard cyber insurance policy includes coverage for "regulatory proceedings" and "regulatory fines and penalties," but the coverage may be subject to a sub-limit (typically 25-50% of the policy limit) and an "insurable at law" condition that limits coverage to fines that are legally insurable in the jurisdiction where the fine is imposed. Indian companies should ensure that their cyber insurance policy specifically references GDPR fines and does not exclude administrative penalties imposed by EU data protection authorities.
The second category is data breach response costs. When a personal data breach occurs, GDPR Article 33 requires notification to the relevant supervisory authority within 72 hours, and Article 34 requires notification to affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms. The costs of managing a breach response, including forensic investigation to determine the scope of the breach, legal advice on notification obligations, the actual notification process (which for large-scale breaches can involve millions of letters or emails), credit monitoring services for affected individuals, and public relations management, are significant. Industry data suggests that the average cost of a data breach affecting EU personal data is EUR 3.5-4.5 million for mid-sized incidents.
The third category is third-party claims. GDPR Article 82 grants data subjects the right to compensation for material and non-material damage resulting from a GDPR violation. Class action or group litigation by affected data subjects is emerging as a meaningful risk, particularly in jurisdictions like the Netherlands and Germany where collective redress mechanisms are well-established.
The fourth category is contractual liability to the EU client. The data processing agreement (DPA) between the Indian IT company and its EU client typically includes indemnification provisions requiring the IT company to indemnify the client for losses arising from the IT company's failure to comply with GDPR or the DPA's data protection provisions. This contractual indemnity can be unlimited or capped at a multiple of the annual service fees, and it represents a potentially significant uninsured exposure if the Indian IT company's professional indemnity or cyber insurance does not cover contractual liability.
DORA Compliance and Its Insurance Implications for Indian IT Service Providers
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, entered into application on January 17, 2025, and represents a fundamental shift in how EU financial regulators approach ICT risk at financial institutions and their service providers. For Indian IT companies and GCCs that serve EU financial institutions, DORA's implications extend beyond compliance to directly affect insurability and insurance requirements.
DORA imposes five pillars of requirements. First, ICT risk management: financial entities must implement and maintain sound ICT risk management frameworks, and their ICT third-party service providers (including Indian IT companies) must support these frameworks through contractual commitments on security standards, incident response capabilities, and business continuity measures. Second, ICT-related incident reporting: financial entities must report major ICT incidents to their competent authority, and their service providers must support this reporting by providing timely information about incidents affecting the services they deliver. Third, digital operational resilience testing: financial entities must conduct regular testing of their ICT systems, including threat-led penetration testing (TLPT), and their critical service providers must participate in and facilitate these tests. Fourth, ICT third-party risk management: financial entities must maintain a register of all ICT third-party arrangements, conduct due diligence on service providers, and include specific contractual provisions in their ICT service agreements. Fifth, the oversight framework: the European Supervisory Authorities (EBA, ESMA, EIOPA) can designate critical ICT third-party service providers for direct oversight, and designated providers must comply with recommendations and requests from the lead overseer.
For Indian IT companies, the contractual provisions required by DORA are particularly significant. DORA Article 30 specifies mandatory contractual clauses that financial entities must include in their agreements with ICT service providers. These include service level requirements for availability and performance, data protection and access provisions, participation in resilience testing, audit rights for the financial entity and its supervisory authority, incident notification obligations with specified timelines, and exit and transition arrangements.
The insurance implications are threefold. First, the contractual liability exposure increases. If the Indian IT company fails to meet the DORA-mandated contractual standards and this failure causes a loss to the financial entity (for example, a service outage that prevents the bank from processing payments), the contractual indemnification liability could be substantial. Professional indemnity insurance must cover this contractual liability, and the policy limit must be adequate for the potential exposure. Second, the operational risk increases. DORA's resilience testing requirements may expose vulnerabilities in the Indian IT company's systems that, if exploited, could cause a data breach or service interruption triggering GDPR, DORA, and contractual liabilities simultaneously. Third, the regulatory risk extends to the IT service provider itself. If the Indian IT company is designated as a critical ICT third-party service provider under DORA's oversight framework, it becomes directly subject to regulatory oversight by EU authorities, with the power to issue recommendations and, if not followed, to request that financial entities suspend or terminate their contracts with the provider.
The business impact of a DORA-triggered contract termination or suspension for a major Indian IT company could be measured in hundreds of crore of lost revenue, making the risk of DORA non-compliance not merely a regulatory matter but a strategic business threat.
Structuring Cyber Insurance for GDPR and DORA Exposures
Cyber insurance is the primary insurance product for addressing GDPR and DORA-related exposures, but not all cyber insurance policies are created equal. Indian IT companies and GCCs need to ensure that their cyber insurance programme specifically addresses the EU regulatory environment.
A cyber insurance policy for an Indian IT company serving EU clients should include the following coverage sections, each with adequate limits and without prohibitive exclusions.
First-party coverages should include breach response costs (forensic investigation, legal advice, notification costs, credit monitoring, call centre services), business interruption (loss of income and extra expenses resulting from a cyber event that disrupts the insured's operations), data recovery costs (the cost of restoring or recreating data lost due to a cyber event), cyber extortion (ransom payments and associated negotiation and remediation costs), and reputational harm (costs of public relations and communications to mitigate reputational damage following a cyber event).
Third-party coverages should include network security liability (claims by third parties arising from a failure of the insured's network security, including transmission of malware, unauthorized access, or denial of service), privacy liability (claims by individuals whose personal data has been compromised due to the insured's security failure or privacy violation), regulatory proceedings (defence costs and, where insurable, fines and penalties imposed by data protection authorities including EU DPAs), media liability (claims arising from content distributed through the insured's digital channels), and contractual liability (claims arising from the insured's failure to meet data protection obligations under its contracts with clients).
For the GDPR-specific exposure, the policy should explicitly cover administrative fines imposed under GDPR Articles 83 and 84, subject to insurability in the relevant jurisdiction. The policy should not contain a broad regulatory fine exclusion that effectively removes GDPR fine coverage. The GDPR fine sub-limit should be at least 25% of the total policy limit.
For the DORA-specific exposure, the policy should cover the insured's liability arising from ICT service disruptions that affect EU financial entity clients, the costs of participating in regulatory investigations and supervisory assessments under DORA's oversight framework, and the business interruption loss resulting from a mandatory service suspension or contract termination directed by an EU supervisory authority.
Policy limits for Indian IT companies serving EU clients should be calibrated to the exposure. For a mid-sized Indian IT company with EU revenue of USD 50-100 million, a cyber insurance limit of USD 10-25 million (approximately INR 84-210 crore) is appropriate. For large Indian IT companies with EU revenue exceeding USD 500 million, limits of USD 50-100 million or more may be warranted. The premium for a well-structured cyber policy for a mid-sized Indian IT company typically ranges from 1-3% of the policy limit, meaning a USD 15 million policy might cost USD 150,000-450,000 (INR 1.25-3.75 crore).
Indian IT companies should place cyber insurance through specialist cyber brokers who understand the EU regulatory environment and can negotiate policy terms that specifically address GDPR and DORA exposures. The London and Singapore markets have the deepest capacity for large cyber placements, and Indian specialist brokers increasingly have access to these markets.
Professional Indemnity Extensions for EU Service Delivery
Professional indemnity (PI) insurance covers claims alleging negligence, errors, or omissions in the professional services provided by the insured. For Indian IT companies and GCCs delivering services to EU clients, the PI policy must be structured to address the specific liability exposures created by GDPR and DORA.
The standard Indian PI policy, while covering general professional negligence claims, may not adequately address three EU-specific exposures. First, data processing errors that result in GDPR violations. If an Indian IT company's software bug causes incorrect processing of EU personal data, leading to data subjects receiving incorrect information or having their records corrupted, the resulting GDPR enforcement action and third-party claims may fall outside a standard PI policy if the policy does not specifically cover data protection breaches. The PI policy should be endorsed to include "data protection wrongful act" as a covered act, and the definition should reference GDPR-specific violations.
Second, failure to meet DORA-mandated service levels. If the Indian IT company's infrastructure management service fails to meet the availability requirements specified in the DORA-compliant contract, and the EU financial entity client incurs regulatory penalties or business losses as a result, the client's claim against the Indian IT company is a professional negligence claim that should be covered by the PI policy. However, standard PI policies may exclude claims arising from the insured's failure to meet contractual service level agreements (SLAs) on the basis that SLA breaches are contractual, not professional, in nature. The PI policy should be endorsed to include SLA breach liability, at least for SLAs that relate to the insured's professional service delivery.
Third, intellectual property infringement in service delivery. Indian IT companies developing software for EU clients may inadvertently infringe third-party intellectual property rights (patents, copyrights, trade secrets) that result in claims against both the client and the IT company. The PI policy should include IP infringement coverage, which is standard in most technology E&O policies but may be absent from general PI policies used by Indian companies.
The policy limit for PI insurance should be calibrated to the contractual indemnification obligations in the Indian IT company's EU client contracts. Many EU financial institution contracts require IT service providers to carry PI insurance with limits of EUR 5-20 million per claim and in the aggregate. For Indian IT companies with multiple large EU financial institution clients, the aggregate PI limit may need to be EUR 50 million or more to avoid a situation where a single large claim from one client exhausts the aggregate, leaving subsequent claims from other clients uninsured.
Pricing for technology PI with EU-specific extensions ranges from 0.5-1.5% of the policy limit for well-managed Indian IT companies. For a USD 15 million policy, the premium would be USD 75,000-225,000 (INR 63 lakh to INR 1.9 crore). The PI policy should be placed as a claims-made policy with a retroactive date that covers prior acts, ideally extending back to the inception of the EU client relationships.
Contractual Liability and Client Indemnification: The Insurance Disconnect
The most significant insurance gap for Indian IT companies and GCCs serving EU clients often lies not in regulatory exposure but in contractual liability. EU financial institutions and large enterprises impose substantial indemnification obligations on their IT service providers, and many Indian IT companies accept these obligations without fully understanding whether their insurance will respond.
A typical IT services contract with an EU financial institution includes the following indemnification provisions. The IT service provider indemnifies the client against losses arising from the provider's breach of data protection obligations (unlimited in many contracts, or capped at a high multiple of annual fees). The provider indemnifies the client against losses arising from the provider's failure to comply with applicable law, including GDPR and DORA. The provider indemnifies the client against IP infringement claims. The provider indemnifies the client against losses arising from the provider's failure to maintain agreed security standards. The aggregate indemnification cap may be set at 100-200% of the annual contract value, but carve-outs for data protection breaches and IP infringement are often unlimited.
The insurance disconnect arises because standard PI and cyber policies may not cover all of these contractual indemnification obligations. Most PI and cyber policies contain a "contractual liability" exclusion that removes coverage for liabilities assumed under contract that exceed the insured's common law or statutory liability. In other words, if the insured would not have been liable absent the contract's indemnification provision, the policy may not cover the contractual indemnity.
For Indian IT companies, this exclusion can be devastating. If the IT company's contract with an EU bank requires unlimited indemnification for data protection breaches, but the IT company's cyber policy excludes contractual liability, the IT company bears the indemnification obligation from its own balance sheet. For mid-sized Indian IT companies with net worth of INR 500-1,000 crore, a single unlimited indemnification claim from a major EU client could threaten the company's financial viability.
The solution is to negotiate the contractual liability exclusion in the insurance policy. Most specialist cyber and technology PI underwriters are willing to modify or delete the contractual liability exclusion for an additional premium, provided the underlying contracts are commercially reasonable and the indemnification caps are within normal market parameters. The Indian IT company should provide its standard client contract template and its most significant EU client contracts to the insurer during the placement process, so the insurer can assess the contractual liability exposure and price accordingly.
Alternatively, Indian IT companies can purchase a specific contractual liability policy or a contingent liability policy that responds to liabilities assumed under specified contracts. These products are available from the London market and provide coverage that sits alongside (or excess of) the PI and cyber policies.
From a risk management perspective, Indian IT companies should also review their contractual indemnification practices. Accepting unlimited indemnification for data protection breaches, when the company's insurance provides limits of USD 10-20 million, creates a gap that no insurance programme can fully close. Negotiating reasonable indemnification caps that align with available insurance coverage is a fundamental risk management discipline that protects the company's balance sheet.
India's DPDP Act and Its Interaction with EU Coverage Requirements
India's Digital Personal Data Protection (DPDP) Act, 2023, which received Presidential assent in August 2023, creates a domestic data protection framework that intersects with EU regulatory requirements in several important ways for Indian IT companies and GCCs.
The DPDP Act classifies entities processing personal data as "Data Fiduciaries" (analogous to GDPR's "data controllers") and "Data Processors" (analogous to GDPR's "data processors"). Indian IT companies processing EU personal data on behalf of EU clients operate as Data Processors under both GDPR and the DPDP Act, creating dual regulatory exposure. A data breach affecting EU personal data processed in India could trigger enforcement action under both GDPR (by the relevant EU DPA) and the DPDP Act (by the Data Protection Board of India), with separate fines under each regime.
The DPDP Act provides for penalties of up to INR 250 crore (approximately EUR 28 million) for specified violations, including failure to implement reasonable security safeguards and failure to notify the Data Protection Board of a personal data breach. While the DPDP Act's penalty levels are lower than GDPR's maximum fines for large companies, they are substantial for mid-sized Indian IT firms and add a separate layer of financial exposure.
For insurance purposes, Indian IT companies need coverage that addresses both GDPR and DPDP Act exposures. The cyber insurance policy should reference both regulatory frameworks and should not be limited to fines and penalties under a single jurisdiction's data protection law. The policy's territorial scope should be worldwide, covering claims, regulatory proceedings, and data breach incidents regardless of where the data breach occurs or which regulator initiates enforcement.
The DPDP Act's adequacy assessment implications are also relevant. The European Commission's assessment of whether India provides an "adequate" level of data protection (under GDPR Article 45) will influence the mechanisms that Indian IT companies must use to transfer EU personal data to India. If India receives an adequacy decision, data transfers become simpler and the regulatory risk is reduced. If India does not receive adequacy, Indian IT companies must rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), which impose additional contractual and compliance obligations that, if breached, create further insurable liability.
GCCs face a particular complexity. A GCC in India processing personal data on behalf of its European parent company operates as both a Data Processor under GDPR (for EU data) and potentially as a Data Fiduciary under the DPDP Act (for its own employee data and any Indian customer data). The GCC's insurance programme must cover both roles, with the cyber and PI policies structured to respond to claims and regulatory actions arising from both GDPR and DPDP Act obligations.
The interaction between the two regulatory frameworks also affects breach notification timelines and procedures. GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach. The DPDP Act's notification requirements (to be specified in the rules, which are expected to require notification "without delay") may impose a different timeline. The Indian IT company's breach response plan and its insurance policy's notification provisions must accommodate both timelines, with the shorter timeline governing the response.
Building an Integrated Insurance Programme for EU Service Delivery from India
Indian IT companies and GCCs delivering services to the EU need an integrated insurance programme that combines cyber insurance, professional indemnity, and potentially directors' and officers' (D&O) liability insurance into a coordinated structure that addresses the full spectrum of EU regulatory and contractual exposure.
The programme architecture should follow a layered approach. The first layer is the primary cyber insurance policy, which covers first-party breach costs, regulatory proceedings, privacy liability, and network security liability. The cyber policy should be placed with a specialist cyber underwriter that has experience with EU regulatory claims and can provide pre-breach services (risk assessments, incident response planning) as well as post-breach claims handling. The primary limit should be sufficient to cover the costs of a major data breach involving EU personal data, typically USD 10-25 million for mid-sized Indian IT companies.
The second layer is the professional indemnity policy, which covers claims alleging errors, omissions, and negligence in the IT services delivered. The PI policy should be endorsed to include data protection wrongful acts, SLA breach liability, and IP infringement coverage. The PI policy limit should match or exceed the largest contractual indemnification obligation in the insured's EU client portfolio.
The third layer, for larger companies, is an excess or umbrella policy that sits above both the cyber and PI policies and provides additional limits on a follow-form basis. This layer is particularly important for Indian IT companies with multiple large EU financial institution clients, where the aggregate exposure from multiple potential claims could exhaust the primary limits.
D&O insurance should cover the personal liability of the Indian IT company's directors and officers for decisions related to data protection and DORA compliance. If the company's GDPR or DORA failures are attributed to board-level governance deficiencies, directors may face personal liability under both EU and Indian law.
The programme should be reviewed at least annually, and more frequently if there are significant changes in the EU regulatory environment, the company's EU client base, or the nature of services delivered. The introduction of new EU regulations (such as the EU AI Act, which imposes specific obligations on providers of AI systems) can create new insurable exposures that require programme adjustments.
Indian IT companies should also invest in risk mitigation measures that complement the insurance programme. Implementing ISO 27001 certification, obtaining SOC 2 Type II attestation, conducting regular penetration testing, maintaining documented data protection impact assessments (DPIAs) for EU personal data processing activities, and training all employees with access to EU data on GDPR and DPDP Act obligations all reduce the probability of a breach, lower insurance premiums, and strengthen the company's position in regulatory investigations and client negotiations. A company that can demonstrate a mature risk management framework will obtain better insurance terms, higher limits, and lower premiums than a company that relies solely on risk transfer.