Technical Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Published: August 28, 2025

Processed: August 29, 2025

PDF Document

If the PDF doesn't display, click here to view it in a new tab ↗

Description

SEBI issues technical clarifications on cybersecurity framework implementation for regulated entities under multiple regulatory jurisdictions.

Summary

SEBI has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) for all SEBI regulated entities, addressing queries received since the original framework was published in August 2024. The clarifications cover principles for entities under multiple regulators, technical implementation details, re-categorization of certain entities, and cyber security audit policy guidelines.

Key Points

Technical clarifications issued for CSCRF implementation across all SEBI regulated entities
Addresses concerns of entities regulated by multiple authorities (SEBI, RBI, etc.)
Provides guidance on compliance for banks that are also SEBI regulated entities
Covers AIFs, clearing corporations, custodians, depositories, mutual funds, stock brokers, and other market participants
References previous circulars and FAQs issued between August 2024 and June 2025

Regulatory Changes

Clarifies implementation approach for entities under multiple regulatory jurisdictions
Re-categorizes Portfolio Managers and Merchant Bankers for framework applicability
Incorporates CERT-In cyber security audit policy guidelines
Provides technical implementation guidance based on industry feedback

Compliance Requirements

All listed SEBI regulated entities must implement the cybersecurity framework
Entities under multiple regulators need to follow specific principles for compliance coordination
Portfolio Managers and Merchant Bankers subject to revised categorization requirements
Compliance with CERT-In audit policy guidelines mandatory

Important Dates

Original CSCRF issued: August 20, 2024
Multiple extensions and clarifications issued between December 2024 and June 2025
Current clarification dated: August 28, 2025

Impact Assessment

High impact on all SEBI regulated entities requiring cybersecurity framework implementation
Significant operational changes needed for data protection and IT infrastructure security
Additional compliance burden for entities regulated by multiple authorities
Industry-wide standardization of cybersecurity practices across capital markets

Category	Compliance
Circular ID	`3ae5d9ab02c1610d`
Impact	High
Severity	High
Tags	cybersecurity compliance sebi regulatory-framework data-protection it-infrastructure
Source	NSE
Links	PDF Document ↗ Original Source ↗ Permalink