Submission of VAPT Report for FY 2025-26: Timelines and Requirements for Trading Members

Published: May 14, 2026

Processed: May 14, 2026

PDF Document

If the PDF doesn't display, click here to view it in a new tab ↗

Description

BSE prescribes VAPT audit submission timelines for FY 2025-26 under SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), with deadlines varying by trading member category.

Summary

BSE has issued detailed timelines for the conduct and submission of Vulnerability Assessment and Penetration Testing (VAPT) reports for FY 2025-26, in compliance with SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) circular dated August 20, 2024. Deadlines differ based on the categorization of trading members — standard REs submit yearly while QSBs and protected systems follow a half-yearly schedule.

Key Points

Applicable to all trading members under SEBI’s CSCRF framework
VAPT must be conducted through CERT-In empanelled auditors
Two submission tracks: yearly (for Self-certification, Small, Mid, and Qualified REs not classified as QSBs) and half-yearly (for QSBs and REs identified as ‘Protected Systems’ or CII by NCIIPC)
VAPT activity for yearly filers shall be initiated after the financial year ends (post March 2026)
Trading members must NOT submit detailed vulnerability reports unless specifically requested by SEBI/Exchanges
Detailed VAPT records must be maintained internally as per prescribed format
Scope covers all critical assets: networking systems, security devices, servers, databases, applications, WAN/LAN-accessible systems, public IP systems, and websites

Regulatory Changes

This circular consolidates and clarifies VAPT timelines pursuant to multiple SEBI clarification circulars:

SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 (original CSCRF framework)
Subsequent clarification circulars dated December 31, 2024; March 28, 2025; April 30, 2025; August 28, 2025
SEBI FAQ dated June 11, 2025
BSE Exchange Circular Notice No. 20250926-63 dated September 26, 2025
SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119 dated August 28, 2025 (Technical Clarifications to CSCRF)

Key change: Trading members are explicitly prohibited from submitting detailed vulnerability reports unless asked by SEBI/Exchanges.

Compliance Requirements

For Self-certification REs, Small-size REs, Mid-size REs, and Qualified REs (not QSBs):

Conduct VAPT through a CERT-In empanelled auditor covering FY April 1, 2025 – March 31, 2026
Submit report post IT Committee approval
If applicable, submit ATR/Revalidation report via the same auditor with closure status after IT Committee approval

For QSBs and REs identified as Protected Systems/CII by NCIIPC:

Milestone	Due Date
Conduct VAPT through CERT-In Auditor	June 30, 2026
Submit report after IT Committee approval	July 31, 2026
Submit ATR/Revalidation report (if applicable)	November 30, 2026

Milestone	Due Date
Conduct VAPT and submit report after IT Committee approval	June 30, 2026
Submit ATR/Revalidation report (if applicable)	September 30, 2026

Category	Compliance
Circular ID	`1bfeda0007b05d7a`
Impact	Medium
Severity	Medium
Tags	vapt cybersecurity cscrf compliance trading-members sebi-circular cyber-resilience cert-in qsb it-security
Source	BSE
Links	PDF Document ↗ Original Source ↗ Permalink