Technical Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Description

SEBI issues technical clarifications on cybersecurity framework implementation for regulated entities under multiple regulatory jurisdictions.

Summary

SEBI has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) originally published on August 20, 2024. This circular addresses queries from regulated entities and provides specific guidance for entities operating under multiple regulatory jurisdictions, along with technical clarifications and re-categorization of certain entity types.

Key Points

Technical clarifications issued in four parts covering multiple regulator scenarios, technical details, re-categorization, and CERT-In audit guidelines
Applies to all SEBI regulated entities including AIFs, mutual funds, stock exchanges, brokers, depositories, and other market intermediaries
Special provisions for entities regulated by multiple authorities (e.g., banks regulated by both SEBI and RBI)
References previous circulars and FAQs issued between August 2024 and June 2025
Includes CERT-In cyber security audit policy guidelines

Regulatory Changes

Part-A establishes principles for REs under multiple regulators’ purview
Part-B provides technical clarifications to the original framework
Part-C implements re-categorization of Portfolio Managers and Merchant Bankers
Part-D incorporates Cyber Security Audit Policy Guidelines from CERT-In

Compliance Requirements

All listed SEBI regulated entities must comply with the cybersecurity framework
Entities under multiple regulatory jurisdictions must follow specific compliance principles
Implementation timelines have been previously extended through various circulars
Cyber security audit requirements as per CERT-In guidelines must be followed

Important Dates

Original framework: August 20, 2024
First clarification: December 31, 2024
Implementation extension: March 28, 2025
Additional clarifications: April 30, 2025
FAQs published: June 11, 2025
Further extension: June 30, 2025
Current clarification: August 28, 2025

Impact Assessment

High impact on operational procedures for all SEBI regulated entities
Significant compliance burden requiring dedicated cybersecurity resources
Enhanced data protection and IT infrastructure security measures mandatory
Special considerations for entities operating under multiple regulatory frameworks
Market intermediaries must align their cybersecurity practices with SEBI standards

Impact Justification

Mandatory cybersecurity framework affects all SEBI regulated entities with specific compliance requirements and audit policies

Category	Compliance
Circular ID	`0e7fee1d0ef84ec1`
Impact	High
Severity	High
Tags	cybersecurity compliance sebi-framework regulatory-clarification multi-regulator cert-in
Source	BSE
Links	PDF Document ↗ Original Source ↗ Permalink