Description
SEBI issues technical clarifications for the Cybersecurity and Cyber Resilience Framework, covering entities under multiple regulators as well as implementation guidelines.
Summary
SEBI has issued comprehensive technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) originally published on August 20, 2024. The clarifications address queries from regulated entities and provide guidance for entities operating under multiple regulatory jurisdictions, along with re-categorization of certain entity types and CERT-In audit policy guidelines.
Key Points
- Technical clarifications issued in four parts: principles for multi-regulated entities, technical clarifications, re-categorization of Portfolio Managers and Merchant Bankers, and CERT-In audit guidelines
- Framework applies to all SEBI regulated entities including AIFs, clearing corporations, depositories, mutual funds, stock exchanges, and brokers
- Special provisions for entities regulated by multiple authorities (e.g., banks regulated by both SEBI and RBI)
- Multiple previous clarifications and extensions have been issued since the original framework
Regulatory Changes
- Establishes comprehensive cybersecurity requirements for all SEBI regulated entities
- Introduces specific compliance obligations for data protection and IT infrastructure security
- Creates framework for entities operating under multiple regulatory jurisdictions
- Re-categorizes certain entity types for framework applicability
Compliance Requirements
- All listed SEBI regulated entities must implement the Cybersecurity and Cyber Resilience Framework
- Entities under multiple regulators must follow specific principles outlined in Part-A
- Portfolio Managers and Merchant Bankers subject to re-categorization requirements
- Compliance with CERT-In cyber security audit policy guidelines
- Regular monitoring and reporting of cybersecurity measures
Important Dates
- Original Framework: August 20, 2024
- First Clarifications: December 31, 2024
- Implementation Extension 1: March 28, 2025
- Additional Clarifications: April 30, 2025
- FAQs Published: June 11, 2025
- Implementation Extension 2: June 30, 2025
- Current Technical Clarifications: August 28, 2025
Impact Assessment
The framework represents a significant regulatory shift requiring substantial investment in cybersecurity infrastructure across all SEBI regulated entities. Multi-regulated entities face additional complexity in ensuring compliance with potentially overlapping requirements. The comprehensive nature of the framework affects operational processes, technology systems, and governance structures across the entire securities market ecosystem.
Impact Justification
The mandatory cybersecurity framework affects all SEBI regulated entities, with specific compliance requirements and audit obligations.