Description

NSE requires trading members to report cyber incidents for Q4 2025 by January 15, 2026 through the member portal, under SEBI's Cyber Security & Cyber Resilience framework.

Summary

NSE has issued a circular requiring all trading members (Regulated Entities) to submit their Quarterly Cyber Incident Report for the quarter ending December 31, 2025, through the member portal by January 15, 2026. This requirement is pursuant to SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024, and Exchange circular NSE/INSP/63502 dated August 21, 2024, establishing the Cyber Security & Cyber Resilience framework for SEBI Regulated Entities.

Key Points

  • Trading members must report cyber incidents for Q4 2025 (October-December 2025) by January 15, 2026
  • Submission path: ENIT > ENIT-NEW-TRADE > Trade > Incident Report > Quarterly Report Submission
  • Both nil reports and actual incident reports must be submitted through the online portal
  • The digital signature requirement has been waived to facilitate ease of submission
  • A separate procedure exists for immediate cyber incident reporting (refer to NSE/INSP/66040 dated January 08, 2025)
  • Non-submission or delayed submission will result in disciplinary action as per Annexure 1.2 of Exchange Circular NSE/INSP/70746 dated October 10, 2025
  • Admin must assign the “ENIT New trade” role to the designated officer for submission access

Regulatory Changes

This circular implements the ongoing Cyber Security & Cyber Resilience framework for Regulated Entities established by SEBI. The framework requires:

  • Mandatory quarterly reporting of all cyber incidents by trading members
  • Standardized reporting format through the NSE member portal
  • Two-tier reporting system: immediate incident reporting for critical events and quarterly consolidated reporting
  • Disciplinary framework for non-compliance with reporting obligations

Compliance Requirements

For Trading Members/Regulated Entities:

  1. Role Assignment: Admin must assign the “ENIT NEW TRADE” role to the designated officer in the Member Portal
  2. Quarterly Reporting: Submit the cyber incident report for the quarter ending December 31, 2025
  3. Reporting Process:
    • Log in to the member portal with authorized credentials
    • Navigate to ENIT > ENIT-NEW-TRADE > Trade > Incident Report > Quarterly Report Submission
    • Enter designated officer details
    • Indicate whether any breach was observed (Yes/No)
    • For nil incidents: Check “Nil Submission” checkbox
    • For actual incidents: Fill in the incident details, generate the PDF, upload it and submit
  4. Documentation: The system auto-generates the PDF report for upload (no digital signature required)
  5. Support: Contact DL-SYSCYB@nse.co.in for queries or technical support

Regional Office Contacts:

Important Dates

  • Reporting Period: Quarter ending December 31, 2025 (Q4 2025)
  • Submission Deadline: January 15, 2026
  • Circular Issue Date: January 01, 2026
  • Reference Circulars:
    • SEBI circular: August 20, 2024
    • NSE circular NSE/INSP/63502: August 21, 2024
    • NSE circular NSE/INSP/66040: January 08, 2025 (SOP for immediate incidents)
    • NSE circular NSE/INSP/70746: October 10, 2025 (disciplinary framework)

Impact Assessment

Operational Impact:

High Compliance Burden: All trading members must implement processes to track, document, and report cyber incidents on a quarterly basis. This requires dedicated cybersecurity personnel and incident tracking systems.

Immediate Action Required: With the January 15, 2026 deadline, trading members have only 14 days from circular issuance to submit their Q4 2025 reports, requiring immediate mobilization of compliance teams.

Disciplinary Risk: Non-submission or delayed submission triggers disciplinary action as prescribed in Exchange Circular NSE/INSP/70746, creating compliance risk for trading members.

Market Impact:

Enhanced Cybersecurity Posture: The mandatory reporting framework improves overall market cybersecurity by ensuring systematic tracking and reporting of incidents across all regulated entities.

Transparency and Oversight: SEBI and NSE gain comprehensive visibility into cybersecurity threats affecting trading members, enabling better risk assessment and mitigation strategies.

Regulatory Alignment: Aligns the Indian securities market with global best practices for cyber incident reporting and resilience.

Technology Impact:

Portal Modernization: The simplified submission process through the ENIT-NEW-TRADE portal, with the digital signature requirement waived, reduces technical barriers to compliance.

Standardized Reporting: Auto-populated forms and standardized PDF generation ensure consistent data quality for regulatory analysis.

Impact Justification

Mandatory cyber incident reporting with disciplinary action for non-compliance; a critical cybersecurity framework affecting all trading members.