The GCC Compliance Encyclopedia: Operational Compliance for India Global Capability Centers

The complete operational compliance reference for India Global Capability Centers — SOC 2, DPDPA, IT Act, labor law, statutory filings, the 2,000-Filing Churn, Multi-Entity Workspaces, and the operating model for mid-market GCCs.

India hosts more Global Capability Centers than any other country in the world. As of FY26, there are roughly 2,117 GCCs generating $98.4 billion in revenue and employing approximately 2 million professionals, according to NASSCOM data. By 2030, that number is projected to exceed 2,500 GCCs with revenues approaching $150 billion.

Within this market, the mid-market segment — parent companies with revenue between $500M and $10B — is the fastest-growing piece. Roughly 480+ GCCs operate in this segment as of FY26, expanding 1.3x faster than the overall GCC market. These are companies like growth-stage SaaS firms post-Series C, mid-market fintech and healthtech, specialty enterprise software companies — not the Fortune 500 names that dominated India GCCs a decade ago.

For these mid-market GCCs, compliance is uniquely hard. They face the same enterprise customer expectations as billion-dollar players (SOC 2 Type 2, robust security questionnaires, DPDPA compliance, ISO 27001 in some sectors) but operate with leaner teams, tighter budgets, and less institutional infrastructure. They face the same India statutory compliance burden as large GCCs (provident fund, GST, TDS, labor law, the so-called 2,000-Filing Churn) but without dedicated India compliance teams.

This article is the operational compliance reference for India GCCs — particularly mid-market ones. It covers: the GCC landscape and structural patterns, the compliance domains that apply (US frameworks plus India statutory), the operating models that work, the tooling landscape, and the gaps where specialized support is most valuable.

The GCC landscape in 2026

The Indian GCC market is structurally different from where it was even two years ago. Several trends define the current state:

Multiplication of mid-market GCCs. Pre-2020, GCCs were dominated by Fortune 500 and large enterprise. Post-pandemic, mid-market companies (parent revenue $500M–$10B) discovered that India GCCs are accessible at their scale. Growth in this segment has outpaced overall GCC growth significantly. JLL India’s 2026 GCC Guide identifies this as the defining trend of the current cycle.

Tier 2/3 city expansion. Bengaluru, Hyderabad, Pune, Chennai, and Gurugram still dominate, but new GCC capacity is increasingly opening in Tier 2/3 cities — Coimbatore, Indore, Kochi, Visakhapatnam, Ahmedabad, Jaipur, Mysuru, Nagpur. Talent costs in these cities are 25–40% lower; infrastructure quality has caught up; and government incentives are aggressive.

Nano GCC emergence. A subset of these Tier 2/3 expansions are deliberately small — 20 to 100 people focused on a specific domain like AI/ML, ESG compliance, or specialized engineering. The “Nano GCC” terminology, which emerged in 2025–2026 trade press, captures this shift. They’re marketed as having “compliance-by-default architectures” — meaning regulatory oversight is baked in from day one rather than retrofitted.

Domain specialization. GCCs are no longer just “engineering offshoring.” Specialized GCCs in actuarial science, drug regulatory affairs, ESG reporting, AI safety, and FinOps are emerging. The implication for compliance: these GCCs are processing increasingly sensitive data — patient records, financial models, regulatory filings — and the compliance bar is rising.

Compliance pressure intensifying. DPDPA’s November 2025 notification, increasing enforcement of CERT-In directives, SDF (Significant Data Fiduciary) designations starting to roll out, board-level liability under ₹250 crore penalty regimes — all of this is pushing compliance from an IT concern to a board concern in 2026.

The compliance domains an India GCC must address

A complete India GCC compliance program spans four major domains. Most teams under-invest in two of them.

Domain 1: US framework attestations (for customer assurance)

These are the frameworks your US-based parent’s customers expect, and they’re what most teams focus on because the connection to revenue is direct.

SOC 2 Type 2. The default expectation for B2B SaaS selling to US enterprise. Trust Services Criteria covering Security (mandatory), and often Availability, Confidentiality, and Privacy. Audit by US-licensed CPA firm. India operations brought into scope inclusively (most common) or as carve-out subservice (rare and inadvisable for wholly-owned GCCs). Full treatment in our SOC 2 for US SaaS with India Teams guide.

ISO 27001:2022. Common in healthcare, financial services, and sectors that work with European customers. Internationally recognized. Can be issued by accredited certification bodies operating in India (TÜV Nord, BSI India, BSI Group, DNV, Bureau Veritas). Often easier to obtain in India than SOC 2 because of established certification body infrastructure.

SOC 1 Type 2. For companies whose service affects customers’ financial reporting (payroll processors, billing systems, ERP-integrated services). Different in focus from SOC 2 but similar in structure.

HIPAA / HITRUST. US healthcare sector. HITRUST CSF is becoming more common as a certification approach.

PCI DSS. If you handle payment card data.

FedRAMP / StateRAMP. If you serve US federal or state government.

Sector-specific. SEC requirements for financial services, FDA requirements for life sciences, GxP for pharmaceuticals — these can layer on top of foundational frameworks.

Domain 2: India regulatory frameworks (for India lawful operation)

These are the India-specific frameworks that govern your operations as an India entity. Most US-headquartered companies underestimate this layer.

DPDPA / DPDP Rules 2025. India’s data protection law. Notice, consent, rights, security, breach notification, cross-border transfer, SDF obligations. Penalty regime up to ₹250 crore. Full treatment in our DPDPA Meets SOC 2 guide.

IT Act 2000 + IT Rules. Information Technology Act with multiple subsidiary rules covering intermediary liability, cybersecurity, cyber forensics, electronic records, digital signatures. The 2021 IT Rules brought significant additional obligations for “intermediaries” (which can include SaaS platforms).

CERT-In directives. The Indian Computer Emergency Response Team issues binding directives. The 2022 cyber incident reporting directive requires reporting of specific cybersecurity incidents within 6 hours. CERT-In also maintains log retention and information-sharing requirements.

Sectoral regulations. RBI rules for financial services (data localization for payment system data, IT framework for NBFCs and banks), IRDAI for insurance, SEBI for capital markets, TRAI for telecom, FDA-equivalents (CDSCO) for life sciences, DGCA for aviation. Sectoral overlays often impose stricter requirements than DPDPA’s defaults.

Telecommunications (Telecom Act 2023). Recently enacted, with implications for any company using telecommunications infrastructure.

Other digital governance laws. The DIA (Digital India Act) is in development as of mid-2026 to consolidate and modernize the IT Act framework. Watch for changes.

Domain 3: India statutory compliance (corporate operation)

This is the layer most US founders don’t know exists until something breaks. It’s the operational compliance required to run an India entity lawfully — and the volume is staggering. Hence “the 2,000-Filing Churn.”

Companies Act 2013 / MCA filings. Annual returns, financial statements, director KYC, beneficial ownership, related party transactions, board meeting filings, shareholder filings. Filed with the Ministry of Corporate Affairs.

Income tax. Corporate tax filings, advance tax payments, TDS (tax deducted at source) on salaries and contractor payments, transfer pricing for related-party transactions with the US parent.

Goods and Services Tax (GST). Monthly and quarterly returns, state-specific registrations, input tax credit management, e-invoicing requirements.

Provident Fund (PF). Monthly contributions for employees, returns, employee KYC, transfer-on-exit procedures.

Employee State Insurance (ESI). Contributions and returns for eligible employees (wage threshold-based).

Professional Tax. State-specific. Karnataka, Maharashtra, West Bengal, Tamil Nadu, and others impose professional tax on salaried employees. Different states, different rates, different filing schedules.

Labor Welfare Fund. State-specific contributions.

Shops and Establishments Act. State-specific registration and renewals.

Gratuity Act. Provisioning and payouts for eligible employees.

Maternity Benefit Act. Compliance for women employees.

POSH Act. Internal Committee for Sexual Harassment, annual report filing.

Labour Codes (when fully notified). The four consolidated labour codes (Code on Wages, Industrial Relations Code, Social Security Code, OSH Code) will eventually replace dozens of existing laws once fully notified across states.

Apprenticeship Act, Contract Labour Act, Equal Remuneration Act, Payment of Bonus Act — additional layers that may apply.

Across a multi-state GCC operating in (say) Karnataka, Maharashtra, and Telangana, with 100+ employees, the total annual count of mandatory compliance events — filings, returns, registrations, renewals, payments — easily exceeds 2,000. Each one carries penalty exposure if missed.

Domain 4: Vendor and third-party compliance

The compliance posture of your vendors and sub-processors is part of your own compliance posture. This domain is often neglected.

Vendor inventory. Every SaaS, service provider, infrastructure vendor, contractor, consultant your India GCC uses.

Data Processing Agreements (DPAs). Required under DPDPA for any vendor processing personal data on your behalf. Required under GDPR for European-related vendors. Required under SOC 2 control expectations.

Vendor risk assessments. Annual or semi-annual review of each material vendor’s security posture, including review of their SOC 2 or equivalent reports.

Sub-processor tracking. Vendors’ vendors. Maintained as a publicly accessible list for many SaaS companies serving regulated customers.

India-specific vendor considerations. Background check vendors (AuthBridge, HireRight India), payroll/HR vendors (ADP, Keka, GreytHR, Darwinbox), audit firms (KPMG, EY, Deloitte, Grant Thornton, smaller specialists), legal counsel — each represents a vendor relationship requiring management.

The operating models that work

Mid-market GCCs that successfully manage all four compliance domains tend to converge on a similar operating model. Variations exist, but the core elements are consistent:

The India country manager. A senior India-based leader accountable for operations, with general oversight of compliance but not deep specialist expertise. Often comes from operations, HR, or general management backgrounds.

Outsourced statutory compliance. Payroll, PF, ESI, professional tax, GST, TDS handled by an external compliance vendor (ADP India, Keka, Excellence Auditing, ZetaPay, or local firms). These vendors specialize in the 2,000-Filing Churn at scale and produce the evidence trail needed.

Outsourced India HR ops. Background checks, onboarding, employee documentation, statutory record-keeping. Often the same vendor as statutory compliance.

Fractional compliance specialist for customer-facing frameworks. Either an India-based fractional CISO/compliance lead or a US-based specialist with India experience. Handles SOC 2, DPDPA, ISO 27001, vendor risk, security questionnaire response.

Internal compliance ops role at scale. Once GCCs exceed 80–100 people, an internal compliance ops manager typically becomes economical, working alongside the fractional specialist or assuming the role.

The GRC platform. Vanta, Drata, Sprinto, or Secureframe to automate framework controls, evidence collection, vendor management, security questionnaire response. Multi-Entity Workspace features are now standard for US-HQ + India-GCC structures.

The DPDPA layer. As of 2026, increasingly a separate workstream: consent capture mechanisms, data subject rights workflows, India-specific privacy notices, DPO role (for SDFs), DPIA processes. Sometimes integrated with the GRC platform; sometimes a separate consent management platform.

The Multi-Entity Workspace pattern

Vanta, Drata, and Sprinto have all introduced Multi-Entity Workspaces in 2025–2026 specifically to serve the US-HQ + India-GCC pattern. Worth understanding because it changes how you set up your GRC platform.

The pattern: one tenant in the platform, multiple “entities” or “workspaces” inside. The US entity is one. The India private limited subsidiary is another. (If you have other entities — Singapore holding company, UK subsidiary — those are additional.) Each entity has its own people, policies, evidence, and control configurations. The platform rolls them up into a unified compliance posture for customer-facing trust reports.

Why this matters:

Cleaner audit. SOC 2 auditors can review evidence from each entity separately, mapped to the inclusive scope decision.

Localized policies. India entity has India-specific HR policies, code of conduct, security policies that comply with India labor law. US entity has US versions. Both stay in sync where they need to and diverge where regulations require.

Localized evidence. Background checks for India staff appear in the India workspace. US background checks in the US workspace. Auditor sees both.

Localized vendor management. India vendors (payroll, statutory compliance) tracked in India workspace. US vendors in US workspace. Single SOC 2 report still rolls them up.

Future entities. When you add Singapore or UK or Australia, it’s another workspace, not a re-architecture.

If you’re on a GRC platform but not using Multi-Entity Workspace features, you’re likely accumulating organizational debt. Consider migrating.

The mid-market gap

The mid-market GCC pattern creates a specific gap that defines where specialized compliance services find product-market fit.

Too big for solo founders to handle on the side. Mid-market GCCs have 40–200 India employees, 3–5 customer-facing frameworks in scope, multi-state operations, and active enterprise sales motion. The founder/CTO can’t run this part-time.

Too small to justify dedicated compliance teams. Hiring a full-time India compliance lead ($60K–$120K USD-equivalent total comp), a US-based GRC manager ($120K–$180K), an India HR ops manager, a fractional CISO — total cost easily exceeds $500K/year. For a mid-market company, that’s prohibitive.

Bigger than what GRC platforms alone solve. Vanta, Drata, Sprinto handle the framework automation layer. They don’t run vendor risk reviews, write DPIAs, prepare for SDF designation, respond to enterprise security questionnaires with specific company context, or remediate vulnerabilities.

The mid-market answer that’s working: external compliance operations as a service. A specialist or specialist firm handles the operating layer that connects the platform to the operations.

This is the gap Attri Edge serves. Active Retainer engagements typically run $7,500–$9,000/month and cover the operating layer for a mid-market GCC — security questionnaire response, vulnerability remediation oversight, evidence operations, vendor risk management, DPDPA implementation, security training, and incident response readiness — leveraging the platform you’ve already chosen (Vanta, Drata, Sprinto, Secureframe).

Compared to building this in-house: roughly 1/5 to 1/8 the cost. Compared to large consulting firms: more specialized, more accountable, often more available.

Common GCC compliance failure modes

A few patterns I see repeatedly across mid-market GCCs:

The “audit-only” approach. GCC gets SOC 2 once because a deal requires it. Six months later, the controls aren’t operating. Twelve months later, the Type 2 audit reveals significant exceptions. Trust signal degrades. Fix: compliance ops must be ongoing, not project-based.

The “platform = compliance” assumption. Buying Vanta and assuming the dashboard’s 100% means the company is secure or audit-ready. The platform handles a subset of controls. The rest (incident response readiness, vendor risk depth, vulnerability remediation workflow, DPDPA’s specific obligations) sits outside. Fix: see The Compliance Automation Gap.

The “India statutory is HR’s problem” mindset. US founders treat India statutory compliance as a back-office HR concern, separate from security/compliance. Then a tax notice arrives or a labor inspection reveals gaps. Fix: integrate statutory and security under unified compliance ops.

The “we’ll deal with DPDPA later” plan. DPDPA enforcement is live as of late 2025. Penalties are board-level. Indian customers and enterprise procurement are increasingly asking about DPDPA status. Fix: build DPDPA into your 2026 plan now.

The “single auditor handles everything” mistake. Audit firms differ dramatically in India experience. Hiring a pure-US firm with no India presence to audit a major India operation is a common, expensive mistake. Fix: choose auditors with verified India experience.

The “fractional CISO solves everything” hope. A part-time CISO can lead the strategy and review reports but cannot run the daily compliance ops machine. Fix: clear separation of strategic role (fractional CISO) from operational layer (compliance ops as a service or in-house team).

Where to start

If you’re inheriting an India GCC compliance situation (newly funded mid-market company, post-acquisition integration, scaling past 50 India staff), here’s a 90-day starting sequence:

Day 1–14: Baseline. Document what frameworks you have, what’s in scope, what’s actually operating, what platform you’re on, what your statutory compliance vendor is doing, what’s broken.

Day 15–30: Gap mapping. Map your customer-facing requirements (SOC 2, DPDPA, ISO 27001, sector-specific) against your current control set. Identify the top 10 gaps by enterprise sales impact.

Day 31–60: Critical path remediation. Fix the top 5 gaps. Update vendor inventory and DPAs. Clean up the security questionnaire response library. Address any active enterprise deal blockers.

Day 61–90: Operational machine. Establish the operating cadence — monthly compliance review, quarterly access reviews, semi-annual vendor reviews, annual policy refresh, incident response readiness, training cadence.

The first 90 days are the difference between a GCC that runs on compliance operations and a GCC that runs from one fire to the next. Companies that get this right scale into Year 2 with deals closing faster and audits passing without surprises.

Conclusion

India GCC compliance is a four-domain problem: US framework attestations, India regulatory frameworks, India statutory compliance, and vendor management. Most teams handle the first one well and the other three poorly.

For mid-market GCCs — the fastest-growing segment of the India GCC market — the gap is structural: too large for ad-hoc handling, too small for fully in-house teams. The operating model that’s working in 2026 combines GRC platforms (Vanta/Drata/Sprinto with Multi-Entity Workspaces) plus external compliance operations as a service, plus outsourced statutory compliance.

If you’re running a mid-market GCC and want a structured assessment of where you are against this framework, the Attri Edge Diagnostic is built for exactly this scenario. $999, 48-hour deliverable, structured around the four compliance domains.

Frequently asked questions

How many GCCs operate in India today?

India hosts approximately 2,117 Global Capability Centers as of FY26, generating ~$98.4 billion in revenue and employing roughly 2 million professionals. Mid-market GCCs (parent company revenue $500M–$10B) account for 480+ of these and are the fastest-growing segment, expanding 1.3x faster than the overall market. Most are concentrated in Bengaluru, Hyderabad, Pune, Chennai, and the NCR region.

What's a Nano GCC?

Nano GCCs are smaller, domain-focused centers (typically 20–100 people) operating outside Tier 1 metros — in Tier 2/3 cities like Coimbatore, Indore, Kochi, Visakhapatnam, Ahmedabad. They emerged in 2025–2026 as a response to Tier 1 talent costs and saturation. They're marketed as having “compliance-by-default architectures” because operating constraints in smaller cities force tighter operating models from day one.

What's the 2,000-Filing Churn?

It refers to the administrative volume an India GCC faces across state-specific labor laws, municipal regulations, corporate filings, and statutory returns. A multi-state GCC with 100+ employees can face 2,000+ individual compliance events annually — provident fund returns, professional tax filings, ESI returns, labor welfare fund contributions, shops and establishments registrations, gratuity, leave encashment computations, TDS, GST. This volume drives the push toward centralized compliance operating models and external compliance services.

Do US compliance frameworks like SOC 2 cover India statutory compliance?

No. SOC 2 and similar US frameworks cover security, availability, and privacy of customer data and systems. They don't address India labor law, tax compliance, or corporate filings. These run on a parallel track. A complete India GCC compliance program needs both: US-framework attestations for customer assurance, and India statutory compliance for the GCC itself to operate lawfully.

How are mid-market GCCs different from large GCCs?

Large GCCs (parent revenue $10B+) typically have dedicated India HR, finance, and compliance teams operating like satellite headquarters. Mid-market GCCs (parent $500M–$10B) often run leaner, with a single India country manager and outsourced statutory compliance. Mid-market GCCs face the challenge of needing enterprise-grade compliance posture with startup-grade resources. This gap is where specialized compliance operations services have found a strong product-market fit.

What's a Multi-Entity Workspace in Vanta or Drata?

Multi-Entity Workspaces are platform features (in Vanta, Drata, Sprinto) that let a company maintain clean separation of evidence, policies, and personnel data between distinct legal entities — for example, US C-Corp and India Private Limited subsidiary — while rolling them up into a single compliance posture for enterprise buyers. They became standard in 2025–2026 specifically to serve US-HQ + Offshore GCC structures.

What's the difference between an India GCC and an India BPO/outsourcing relationship?

An India GCC is a wholly-owned subsidiary of the parent company — same brand, same management, just located in India. A BPO/outsourcing relationship is a third-party service provider. GCCs are inside the company; BPOs are vendors. Compliance treatment differs significantly: GCCs are part of the parent's organizational boundary (inclusive SOC 2 scope, integrated security), while BPOs are vendors requiring third-party risk management (carve-out subservice, separate vendor due diligence).