Description

NSE extends the deadline for trading members to submit their Cyber Security and Cyber Resilience Audit reports for the half-yearly period ending September 2025.

Summary

NSE has extended the timeline for trading members to submit their Cyber Security and Cyber Resilience Audit reports. The extension applies to Qualified REs and Mid-size REs/Small size REs providing IBT or Algo Trading facility for the half-yearly audit period ending September 30, 2025. The preliminary audit report deadline has been extended to January 31, 2026, and the Action Taken Report (if applicable) to April 30, 2026.

Key Points

  • Extension granted following representations from market participants
  • Revision made in consultation with SEBI
  • Applies to trading members falling under Qualified REs and Mid-size REs/Small size REs providing IBT or Algo Trading facility
  • References original circular NSE/INSP/71214 dated November 10, 2025
  • SEBI-CSCRF framework mandates half-yearly cyber security audits

Regulatory Changes

No new regulatory requirements introduced. This circular only extends existing compliance timelines as per SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF).

Compliance Requirements

  • Eligible Members: Qualified REs and Mid-size REs/Small size REs providing IBT or Algo Trading facility must conduct Cyber Security & Cyber Resilience Audit on half-yearly basis
  • Audit Period: April 2025 to September 2025
  • Submission Requirements:
    • Preliminary Audit Report to be submitted to NSE
    • Action Taken Report (if applicable) to follow

Important Dates

  • Audit Period: Half Yearly (April 25 - September 25)
  • Preliminary Audit Report Due: January 31, 2026 (revised)
  • Action Taken Report Due: April 30, 2026 (revised, if applicable)

Impact Assessment

Operational Impact: Positive for trading members as it provides additional time to complete and submit cyber security audit reports. This extension acknowledges the complexity and resource requirements of conducting comprehensive cyber security audits.

Market Impact: Minimal direct market impact. The extension facilitates better compliance by giving members adequate time to complete thorough security assessments without rushing.

Compliance Impact: Reduces immediate compliance pressure on trading members while maintaining regulatory oversight of cyber security standards in the trading ecosystem.

Impact Justification

Important compliance deadline extension for trading members conducting cyber security audits, but provides additional time rather than imposing new requirements