On Jul. 4, IND SEBI consulted on cyber resilience framework.
IND SEBI consulted on consolidated cybersecurity and cyber resilience framework (CSCRF) for regulated entities, which supersedes previous circulars re cyber security.
Also follows other previous relevant circulars #139940, #50137 as well as #138400.
Framework
Provides a common structure for multiple approaches to prevent cyber-risks/incidents.
Applies to (specified) regulated entities (REs), market infrastructure institutions (MIIs).
Based on 5 concurrent functions, including identify, protect, detect, respond, recover.
REs shall identify critical assets; formulate a cybersecurity and cyber resilience policy.
Implement strong log retention policy, password policy, access policy; use layering of full-disk encryption (FDE) with file-based encryption (FE) for data protection.
Vulnerability assessment and penetration testing (VAPT) to detect vulnerabilities.
Establish appropriate security mechanism for continuous monitoring of security events.
REs shall also formulate an up-to-date cyber crisis management plan (CCMP).
Comprehensive response and recovery plan shall be documented and be triggered for the timely restoration of systems affected by the cyber incident; inform related parties.
Consultation Period
Consultation is open for comments, which should be submitted by Jul. 25, 2023.
Jul. 21, 2023 Deadline Extension
On Jul. 21, 2023, IND SEBI extended the comment period deadline for the consultation paper on consolidated cybersecurity and cyber resilience framework to Aug. 4, 2023.
Comments must be submitted in the specified format either via email or by post.
Aug. 2024 Finalized Circular
On Aug. 20, 2024, IND SEBI finalized circular introducing CSCRF for regulated entities.
This framework supersedes existing SEBI cybersecurity circulars, guidelines, advisories and letters, the list of which is given as part of the framework attached as annexure-1.
A glide-path for adoption of the framework will be provided; for six categories of REs where cybersecurity and cyber resilience circular already exists, by Jan. 1, 2025.
For other REs where CSCRF is being issued for the first time, by Apr. 1, 2025.
Dec. 2024 Implementation Clarification
On Dec. 31, 2024, IND SEBI issued clarifications regarding cybersecurity framework implementation for regulated entities, extending compliance grace period to Mar. 31.
No regulatory action for non-compliance if entities demonstrate meaningful progress.
Postpones compliance deadline to Apr. 1, 2025 for KYC registration agencies and depository participants; data localization provisions under data security standard PR.DS.S2 placed in abeyance, other guidelines to be issued after further consultation.
In Jan. 2025, IND BSE asked regulated entities to onboard to services, see #240347.
Mar. 2025 Deadline Extended
On Mar. 28, 2025, IND SEBI decided to extend the CSCRF compliance deadline, for all REs except MIIs, KYC registration agencies (KRAs), qualified registrars to an issue and share transfer agents (QRTAs); the new deadline for relevant entities is Jun. 30, 2025.
Apr. 2025 Clarifications
On Apr. 30, 2025, IND SEBI issued clarifications to CSCRF updating categorization thresholds; categories are determined annually based on prior year data.
Category of REs shall be decided at the beginning of the financial year based on the data of the previous financial year; once the category is decided, the RE shall remain in the same category throughout the financial year irrespective of any changes in parameters.
Category validated by respective reporting authority during compliance submission.
Stock brokers and DPs are categorized by client numbers and trading volume; those with fewer than 1,000 clients and INR 1,000 crore volume are exempt.
IAs and RAs not registered in other SEBI capacities are exempt; others follow their highest applicable category; BSE Ltd. is now the reporting authority for both.
KRAs are reclassified as qualified REs; portfolio managers, alternative investment funds/venture capital funds, merchant bankers are categorized based on AUM/corpus.
Small firms with under 100 clients may be exempt from market-security operations centre (M-SOC); RTAs with fewer than 100 clients are exempt from SOC and M-SOC.
Entities in multiple categories must comply with the highest applicable one.
Hardware security modules (HSMs) are mandatory for MIIs and qualified REs using cloud services; others may adopt alternatives with risk-based justification.
Compliance deadline for covered REs is Jun. 30, 2025, and cyber audits from FY 2025–26 must adhere to the Aug. 20, 2024 circular and its clarifications.