Description

SEBI issues technical clarifications on cybersecurity framework implementation for regulated entities under multiple regulatory jurisdictions.

Summary

SEBI has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs). The circular addresses implementation challenges for entities under multiple regulatory jurisdictions and provides clarifications across four key areas: principles for multi-regulated entities, technical specifications, re-categorization of certain entities, and cyber security audit guidelines.

Key Points

  • Technical clarifications issued for CSCRF implementation following various queries from regulated entities
  • Framework applies to all SEBI regulated entities including AIFs, stock exchanges, mutual funds, custodians, and depositories
  • Special provisions for entities under multiple regulatory jurisdictions (e.g., banks regulated by both SEBI and RBI)
  • Clarifications cover four parts: multi-regulator principles, technical specifications, entity re-categorization, and audit guidelines
  • Previous extensions and clarifications issued in December 2024, March 2025, April 2025, and June 2025

Regulatory Changes

  • Provides specific guidance for SEBI REs that are also regulated by other bodies like RBI
  • Re-categorization framework for Portfolio Managers and Merchant Bankers
  • Integration of updated cyber security audit policy guidelines from CERT-In
  • Technical specifications clarified for implementation challenges

Compliance Requirements

  • All listed SEBI regulated entities must comply with CSCRF requirements
  • Entities under multiple regulators must follow specific principles outlined in Part-A
  • Implementation of cybersecurity measures and data protection protocols is mandatory
  • Compliance with cyber security audit requirements as per CERT-In guidelines

Important Dates

  • Original CSCRF circular issued: August 20, 2024
  • Previous extensions granted: December 2024, March 2025, April 2025, and June 2025
  • Current clarification circular: August 28, 2025

Impact Assessment

  • High impact on all SEBI regulated entities requiring cybersecurity infrastructure upgrades
  • Significant compliance burden for entities under multiple regulatory frameworks
  • Enhanced data protection and IT infrastructure security across capital markets
  • Potential operational changes required for banks, custodians, and other dual-regulated entities

Impact Justification

The cybersecurity framework affects all SEBI regulated entities, bringing compliance requirements and implementation deadlines.