Pillar deep dive

The India Statutory Compliance Layer: IT Act, Labor Law, and the 2,000-Filing Problem

The India statutory compliance layer that runs parallel to US framework attestations — IT Act, labor law, tax compliance, and the 2,000-Filing Churn of running an India GCC.

By Hemant Attri, Founder, Attri Edge July 18, 2026 Updated July 18, 2026 1 min read

US founders running India GCCs typically learn about India statutory compliance when something breaks — a tax notice, a labor inspection, a blocked filing. Here’s the layer that exists from day one, running parallel to your US framework attestations. SOC 2 doesn’t cover any of it.

Companies Act / MCA filings

Annual returns, financial statements, director KYC, beneficial-ownership and related-party disclosures, board and shareholder filings — all to the Ministry of Corporate Affairs. Missed MCA filings carry per-day fines and director liability, so a company secretary or CA owns this calendar.

Income tax and TDS

Corporate tax filings, advance tax, and TDS on salaries and contractor payments. Transfer pricing applies to related-party transactions with the US parent — a recurring audit focus for US-HQ-with-India-subsidiary structures.

GST

Monthly and quarterly returns, state-specific registrations, input-tax-credit management, and e-invoicing. GST is high-frequency and unforgiving on deadlines.

Provident Fund and ESI

Monthly PF contributions and returns, plus ESI for wage-threshold-eligible employees. These are employee-facing — lapses affect staff directly and draw scrutiny.

State-specific (professional tax, labor welfare, S&E)

Professional tax, labor welfare fund, and Shops & Establishments registration are state-specific, each with its own rate and schedule. Operating in three states triples these — the core driver of the 2,000-Filing Churn.

Sector-specific overlays

RBI (financial services), IRDAI (insurance), SEBI (capital markets), CDSCO (life sciences) layer additional obligations — often including data localization that overrides DPDPA’s general permissibility.

Outsourcing landscape

Most mid-market GCCs outsource this to payroll/compliance vendors (ADP, Keka, GreytHR, Darwinbox) plus a CA/CS firm, running it through a centralized compliance calendar. How it fits the full program is in the GCC compliance encyclopedia.

Where Attri Edge fits

We don’t replace your statutory vendor — we make sure the statutory layer is integrated with your security/compliance program so nothing falls between “HR’s problem” and “the auditor’s question.” The diagnostic maps your India statutory coverage alongside your US frameworks.

Related reading:

Frequently asked questions

Required vendors for compliance?

Most mid-market GCCs use a payroll/compliance vendor (ADP, Keka, GreytHR, Darwinbox, or local firms) for PF, ESI, professional tax, GST, and TDS, plus a CA/CS for Companies Act filings. Few staff this in-house at mid-market scale.

Penalty exposure for missed filings?

Varies by filing — interest and penalties on late PF/ESI/GST/TDS, per-day fines and director liability on Companies Act lapses, and inspection risk on labor-law gaps. Individually modest, collectively material across 2,000+ events.

Multi-state implications?

Each additional state adds professional tax, labor welfare fund, shops-and-establishments, and state labor-law obligations — which is what drives the filing count up. Multi-state operations need a centralized compliance calendar.

Tools and platforms?

Payroll/HR platforms (Keka, GreytHR, Darwinbox), payroll-compliance services (ADP), and a centralized compliance tracker. GRC platforms don't cover this layer — it runs in parallel to SOC 2/DPDPA.