Description
SEBI issues technical clarifications and guidance on cybersecurity framework implementation for regulated entities under multiple regulatory jurisdictions.
Summary
SEBI has issued comprehensive technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) for all regulated entities. The circular addresses implementation guidance for entities under multiple regulatory jurisdictions and provides specific clarifications based on stakeholder queries.
Key Points
- Technical clarifications issued in four parts: principles for multi-regulator entities, technical clarifications, re-categorization of Portfolio Managers and Merchant Bankers, and CERT-In cyber security audit guidelines
- Addresses challenges faced by SEBI regulated entities that are also regulated by other bodies like RBI
- References previous circulars and FAQs issued since the original framework in August 2024
- Covers all categories of SEBI regulated entities including AIFs, stock exchanges, mutual funds, depositories, and market intermediaries
Regulatory Changes
- Part-A establishes principles for SEBI regulated entities (REs) under multiple regulators’ purview
- Part-B provides technical clarifications to existing framework requirements
- Part-C involves re-categorization of Portfolio Managers and Merchant Bankers
- Part-D incorporates Cyber Security Audit Policy Guidelines from CERT-In
Compliance Requirements
- All SEBI regulated entities must comply with cybersecurity framework requirements
- Entities under multiple regulatory jurisdictions need to follow specific principles outlined in Part-A
- Implementation must align with technical clarifications provided for existing framework provisions
- Compliance with CERT-In cyber security audit guidelines is mandatory
Important Dates
- Original framework issued: August 20, 2024
- Current clarifications dated: August 28, 2025
- Previous extensions granted: March 28, 2025 and June 30, 2025
- Implementation timeline follows previous extension circulars
Impact Assessment
- High impact on operational processes of all SEBI regulated entities
- Particular significance for entities regulated by multiple authorities (banks, custodians, DPs)
- Enhanced cybersecurity measures will strengthen market infrastructure resilience
- Technical clarifications provide a clearer implementation pathway, reducing compliance uncertainty
Impact Justification
Critical cybersecurity framework affecting all SEBI regulated entities, with technical clarifications for implementation