Description

SEBI issues technical clarifications and guidance for cybersecurity framework implementation across all regulated entities, including those under multiple regulatory purviews.

Summary

SEBI has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) originally published in August 2024. This circular addresses queries from regulated entities and provides guidance for entities operating under multiple regulatory jurisdictions, technical implementation details, re-categorization of certain entities, and cyber security audit policy guidelines.

Key Points

  • Technical clarifications issued in four parts: multi-regulator principles, technical clarifications, re-categorization guidelines, and CERT-In audit policy
  • Addresses entities regulated by multiple bodies (SEBI, RBI, etc.) including custodians, depository participants, and merchant bankers
  • Follows previous clarifications and extensions issued between December 2024 and June 2025
  • Comprehensive framework covers all SEBI regulated entities including AIFs, brokers, exchanges, mutual funds, and depositories

Regulatory Changes

  • Part-A establishes principles for entities under multiple regulators’ purview
  • Part-B provides technical implementation clarifications
  • Part-C re-categorizes Portfolio Managers and Merchant Bankers
  • Part-D incorporates CERT-In cyber security audit policy guidelines
  • Framework applies to entities that may be primarily regulated by other bodies like RBI but have SEBI regulated activities

Compliance Requirements

  • All SEBI regulated entities must implement the cybersecurity framework with these technical clarifications
  • Entities under multiple regulatory jurisdictions must follow specific guidance for compliance coordination
  • Implementation must consider data protection and IT infrastructure security measures
  • Entities must comply with cyber security audit requirements as per CERT-In guidelines

Important Dates

  • Original framework issued: August 20, 2024
  • Current clarifications issued: August 28, 2025
  • Previous extensions granted: March 28, 2025 and June 30, 2025
  • Timeline for implementation follows previously extended deadlines

Impact Assessment

  • High impact on all SEBI regulated entities requiring cybersecurity framework adoption
  • Significant compliance burden for entities operating under multiple regulatory frameworks
  • Enhanced data protection and IT infrastructure security across the securities market ecosystem
  • Streamlined approach for entities with overlapping regulatory requirements

Impact Justification

The comprehensive cybersecurity framework affects all SEBI regulated entities, and this circular provides technical clarifications for its implementation.