Technical Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Description

Technical clarifications on cybersecurity framework covering principles for multi-regulated entities, audit guidelines, and re-categorization of Portfolio Managers and Merchant Bankers.

Summary

SEBI has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) for all SEBI regulated entities. The circular provides guidance in four key areas: principles for entities under multiple regulators, technical clarifications, re-categorization of Portfolio Managers and Merchant Bankers, and Cyber Security Audit Policy Guidelines from CERT-In.

Key Points

Technical clarifications issued for Cybersecurity and Cyber Resilience Framework (CSCRF)
Covers principles for SEBI REs under multiple regulators’ purview (RBI, SEBI etc.)
Addresses queries received from regulated entities seeking extensions and clarifications
References five previous circulars and FAQs issued between August 2024 and June 2025
Includes re-categorization guidance for Portfolio Managers and Merchant Bankers
Incorporates CERT-In Cyber Security Audit Policy Guidelines

Regulatory Changes

Part-A: New principles established for REs under multiple regulators’ jurisdiction
Part-B: Technical clarifications to existing CSCRF requirements
Part-C: Re-categorisation framework for Portfolio Managers and Merchant Bankers
Part-D: Integration of CERT-In Cyber Security Audit Policy Guidelines
Special provisions for entities regulated by both SEBI and RBI (Custodians, DPs, MBs)

Compliance Requirements

All SEBI regulated entities must comply with updated CSCRF framework
Entities under multiple regulators must follow specific principles outlined in Part-A
Portfolio Managers and Merchant Bankers subject to re-categorization requirements
Compliance with CERT-In audit policy guidelines mandatory
Applicable to: AIFs, BTIs, SCSBs, Clearing Corporations, CIS, CRAs, Custodians, DTs, Depositories, DDPs, DPs, IAs/RAs, KRAs, MBs, MFs/AMCs, Portfolio Managers, RTAs, Stock Brokers, Stock Exchanges, VCFs

Important Dates

Original CSCRF circular: August 20, 2024
Current technical clarifications: August 28, 2025
Previous extensions granted: March 28, 2025 and June 30, 2025
Implementation timeline follows previous extension circulars

Impact Assessment

High impact on all SEBI regulated entities requiring cybersecurity framework compliance
Significant for entities under dual regulation (SEBI-RBI) with clearer guidance on overlapping requirements
Enhanced cybersecurity standards across Indian capital markets ecosystem
Strengthened data protection and IT infrastructure security measures
Improved cyber resilience framework for financial market participants

Impact Justification

Comprehensive cybersecurity framework affecting all SEBI regulated entities with technical clarifications and new compliance requirements

Category	Compliance
Circular ID	`7feabef1b9b366c8`
Impact	High
Severity	High
Tags	cybersecurity compliance sebi-regulated-entities cyber-resilience regulatory-framework cert-in audit-policy
Source	BSE
Links	PDF Document ↗ Original Source ↗ Permalink