IND SEBI Cybersecurity Framework

Updated on: Oct 13, 2025

Latest Event


  • Oct. 2025 IND CDSL Report Submission
  • On Oct. 9, 2025, IND CDSL said IND SEBI requires DPs to plan VAPT at start of each financial year and ensure no audit cycle is left unaudited; missed periods must be included in the next cycle.
  • For self-certification, small-size, mid-size, and qualified REs (excluding QSBs), VAPT is annual, i.e., conduct by Jun. 30, 2026, submit report by Jul. 31, 2026, and submit ATR/revalidation by Nov. 30, 2026.
  • For QSBs and REs classified as protected systems/CII, VAPT is half-yearly, i.e., Apr to Sep. 2025 cycle submission by Dec. 31, 2025, with ATR by Mar. 31, 2026; Oct. 2025 to Mar. 2026 cycle submission by Jun. 30, 2026, with ATR by Sep. 30, 2026.
  • Any open vulnerabilities must be approved by the IT Committee within three months and closed before the next cycle; VAPT must cover all critical assets, including systems, servers, databases, applications, cloud, and public-facing infrastructure.
  • REs must use prescribed formats, maintain detailed reports and proofs of concept (POCs) for three years, and follow IND SEBI’s auditor selection norms.

On Jul. 4, IND SEBI consulted on cyber resilience framework.

  • IND SEBI consulted on consolidated cybersecurity and cyber resilience framework (CSCRF) for regulated entities, which supersedes previous circulars re cyber security.
  • Follows previous relevant circulars #34920, #139227, #168072, #66262 and #51729.
  • Also follows other previous relevant circulars #139940, #50137 as well as #138400.
  • Framework
  • Provides a common structure for multiple approaches to prevent cyber-risks/incidents.
  • Applies to (specified) regulated entities (REs), market infrastructure institutions (MIIs).
  • Based on 5 concurrent functions, including identify, protect, detect, respond, recover.
  • REs shall identify critical assets; formulate a cybersecurity and cyber resilience policy.
  • Implement strong log retention policy, password policy, access policy; use layering of full-disk encryption (FDE) with file-based encryption (FE) for data protection.
  • Vulnerability assessment and penetration testing (VAPT) to detect vulnerabilities.
  • Establish appropriate security mechanism for continuous monitoring of security events.
  • REs shall also formulate an up-to-date cyber crisis management plan (CCMP).
  • Comprehensive response and recovery plan shall be documented and be triggered for the timely restoration of systems affected by the cyber incident; inform related parties.
  • Consultation Period
  • Consultation is open for comments, which should be submitted by Jul. 25, 2023.
  • Jul. 21, 2023 Deadline Extension
  • On Jul. 21, 2023, IND SEBI extended the comment period deadline for the consultation paper on consolidated cybersecurity and cyber resilience framework to Aug. 4, 2023.
  • Comments must be submitted in the specified format either via email or by post.
  • Aug. 2024 Finalized Circular
  • On Aug. 20, 2024, IND SEBI finalized circular introducing CSCRF for regulated entities.
  • This framework supersedes existing SEBI cybersecurity circulars, guidelines, advisories and letters, the list of which is given as part of the framework attached as annexure-1.
  • A glide-path for adoption of the framework will be provided; for six categories of REs where cybersecurity and cyber resilience circular already exists, by Jan. 1, 2025.
  • For other REs where CSCRF is being issued for the first time, by Apr. 1, 2025.
  • Dec. 2024 Implementation Clarification
  • On Dec. 31, 2024, IND SEBI issued clarifications regarding cybersecurity framework implementation for regulated entities, extending compliance grace period to Mar. 31.
  • No regulatory action for non-compliance if entities demonstrate meaningful progress.
  • Postpones compliance deadline to Apr. 1, 2025 for KYC registration agencies and depository participants; data localization provisions under data security standard PR.DS.S2 placed in abeyance, other guidelines to be issued after further consultation.
  • In Jan. 2025, IND BSE, IND NSE updated standard operating procedure, see #239610.
  • In Jan. 2025, IND BSE asked regulated entities to onboard to services, see #240347.
  • Mar. 2025 Deadline Extended
  • On Mar. 28, 2025, IND SEBI decided to extend the CSCRF compliance deadline, for all REs except MIIs, KYC registration agencies (KRAs), qualified registrars to an issue and share transfer agents (QRTAs); the new deadline for relevant entities is Jun. 30, 2025.
  • Apr. 2025 Clarifications
  • On Apr. 30, 2025, IND SEBI issued clarifications to CSCRF updating categorization thresholds; categories are determined annually based on prior year data.
  • Category of REs shall be decided at the beginning of the financial year based on the data of the previous financial year; once category is decided, RE shall remain in the same category throughout financial year irrespective of any changes in parameters.
  • Category validated by respective reporting authority during compliance submission.
  • Stock brokers and DPs are categorized by client numbers and trading volume; those with fewer than 1,000 clients and INR 1,000 crore volume are exempt.
  • IAs and RAs not registered in other SEBI capacities are exempt; others follow their highest applicable category; BSE Ltd. is now the reporting authority for both.
  • KRAs are reclassified as qualified REs; portfolio managers, alternative investment funds/venture capital funds, merchant bankers are categorized based on AUM/corpus.
  • Small firms with under 100 clients may be exempt from market-security operations centre (M-SOC); RTAs with fewer than 100 clients are exempt from SOC and M-SOC.
  • Entities in multiple categories must comply with the highest applicable one.
  • Hardware security modules (HSMs) are mandatory for MIIs and qualified REs using cloud services; others may adopt alternatives with risk-based justification.
  • Compliance deadline for covered REs is Jun. 30, 2025, and cyber audits from FY 2025–26 must adhere to the Aug. 20, 2024 circular and its clarifications.
  • Jun. 20, 2025 IND NSD on SEBI FAQs
  • On Jun. 20, 2025, IND NSD said IND SEBI has published FAQs re CSCRF for REs, in light of queries and suggestions received following SEBI's Aug. 2024 circular above.
  • Jun. 26, 2025 IND CDSL on SEBI FAQs
  • On Jun. 26, 2025, IND CDSL said IND SEBI has published FAQs re CSCRF for REs.
  • DPs are requested to take note of FAQs and ensure full compliance with frameworks.
  • Jun. 30, 2025 Extended Deadline
  • On Jun. 30, 2025, IND SEBI decided to extend the CSCRF compliance deadline for all REs except MIIs, KRAs, QRTAs; the new deadline for relevant entities is Aug. 31, 2025.
  • Aug. 22, 2025 IND BSE Clarification
  • On Aug. 22, 2025, IND BSE issued clarification on information technology / cybersecurity committees at qualified stockbrokers (QSBs).
  • Based on representations from QSBs and after consultation with SEBI, it is clarified that QSBs may maintain a single IT committee instead of two separate IT and cybersecurity committees.
  • This consolidated IT committee must include at least one external independent cybersecurity expert, will cover functions of both IT and cybersecurity committees.
  • The effective date of this requirement will align with the implementation timelines prescribed under the CSCRF circular of Aug. 20, 2024, detailed above.
  • Document dated Aug. 22, 2025, was received on Aug. 28, 2025 due to a fixed feed.
  • Aug. 2025 Technical Clarifications
  • On Aug. 28, 2025, IND SEBI issued technical clarifications on CSCRF for REs.
  • CSCRF applies only to systems/processes used exclusively for IND SEBI-regulated activities; shared infrastructure is included if not covered by primary regulator audits.
  • If equivalent cybersecurity controls are already mandated by another regulator (i.e., IND RBI), compliance with those is sufficient.
  • Key clarifications include broader definition of critical systems, recommendatory nature of mobile app security and ISO 27001, market-SOC onboarding for small/self-certified REs, confidentiality of audit reports, 2-hour RTO/15-minute RPO for critical systems.
  • Portfolio managers are reclassified by AUM thresholds (over INR 10k crores as qualified, INR 3k to 10k crores as mid-size, less than INR 3k crores as small).
  • Active merchant bankers are categorized as small-size, while inactive ones are exempt from CSCRF; IND SEBI also directs REs to follow CERT-In cyber audit policy guidelines.
  • The provisions are effective from Aug. 28, 2025.
  • Sep. 2025 Editorial Update
  • On Sep. 2, 2025, Reg-Track made an editorial update to the summary above, adding a sub-heading dated Aug. 22, 2025 with a link to the relevant IND BSE document.
  • In Sep. 2025, IND BSE issued clarifications to cybersecurity framework, see #267748.
Regulators
IND BSE; IND CDSL; IND NSD; IND SEBI
Entity Types
Auditor; B/D; Corp; Depo; Exch; Inv Co
Reference
Cir CDSL/IS/DP/POLCY/2025/681, 10/9/2025; Cir SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119, 8/28/2025; Nt 20250822-51, 8/22/2025; Cir SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/96, 6/30/2025; FAQ, Com CDSL/IS/DP/POLCY/2025/432, 6/26/2025; FAQ, Cir NSDL/POLICY/2025/0080, 6/20/2025; Cir SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60, 4/30/2025; Cir SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/45, 3/28/2025; Cir SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184, 12/31/2024; Cir SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, 8/20/2024; PR 7/21/2023; CP, 7/4/2023
Functions
Audit; BCS; Compliance; Cyber; Financial; Legal; Operations; Reporting; Risk; Technology
Countries
India
Category
State
N/A
Products
Corporate; Fund Mgt; Securities
Rule Type
Final
Regions
AP
Rule Date
Jul 4, 2023
Effective Date
Dec 31, 2025
Rule ID
178322
Linked to
Reg. Last Update
Oct 9, 2025
Report Section
International