Formats for Submission of System Audit and VAPT Reports for CaaS Vendors

Description

NSE mandates standardised formats for System Audit and Vulnerability Assessment and Penetration Testing (VAPT) reports for vendors providing Colocation as a Service (CaaS) facility, effective from audit period October 1, 2025 to March 31, 2026.

Summary

NSE’s Member Service Department (Circular Ref. No: 13/2026) has mandated that vendors providing Colocation as a Service (CaaS) facility must submit System Audit reports and Vulnerability Assessment and Penetration Testing (VAPT) reports in newly standardised formats. This builds on the earlier circular NSE/MSD/67650 dated April 23, 2025, which introduced the half-yearly submission requirement.

Key Points

CaaS vendors must now use standardised formats for System Audit Preliminary reports, Action Taken Reports (ATR), and VAPT Summary reports.
Annexure-1 provides the format for System Audit Preliminary report and ATR.
Annexure-2 prescribes Auditor Selection Norms for System Audit and VAPT reports.
Annexure-3 and Annexure-4 cover the VAPT assessment scope and VAPT Summary report format.
Annexure-5 details penalties and disciplinary actions for non/delayed submission and non-closure of vulnerabilities.
Reports must be approved by the Managing Director, CTO, CISO, or Standing Committee on Technology (SCOT) or equivalent Technology/Cyber Security Committee before submission.

Regulatory Changes

Standardised reporting formats are now mandatory for CaaS vendors, replacing any previously used ad-hoc formats.
Prescribed Auditor Selection Norms are introduced for both System Audit and VAPT reports.
Penal and disciplinary actions are formalised for non-submission, delayed submission, and non-closure of vulnerabilities/observations.

Compliance Requirements

Submit System Audit Preliminary Report for April 1–September 30 by November 30; ATR (if applicable) by February 28.
Submit System Audit Preliminary Report for October 1–March 31 by May 31; ATR (if applicable) by August 31.
Submit VAPT Report for April 1–September 30 by December 31; ATR (if applicable) by March 31.
Submit VAPT Report for October 1–March 31 by June 30; ATR (if applicable) by September 30.
All reports must be in the standardised formats provided in the annexures.
Reports require approval from MD/CTO/CISO/SCOT or equivalent committee before submission.
Submit reports to the Exchange via email at msm@nse.co.in.

Important Dates

Effective Audit Period: October 1, 2025 to March 31, 2026 (and onwards).
System Audit Report (Oct–Mar period): Preliminary report due by May 31, 2026; ATR due by August 31, 2026.
VAPT Report (Oct–Mar period): Due by June 30, 2026; ATR due by September 30, 2026.
Circular date: March 05, 2026.

Impact Assessment

This circular primarily affects CaaS vendors operating at NSE’s colocation facility. The introduction of standardised formats and auditor selection norms increases regulatory rigour around cybersecurity compliance for colocation providers. Vendors must ensure their internal governance structures (MD/CTO/CISO/SCOT approval) are in place before submitting reports. Non-compliance carries penal and disciplinary consequences as detailed in Annexure-5. There is no direct impact on listed securities or general market participants, but the measure strengthens the cybersecurity posture of NSE’s colocation infrastructure.

Impact Justification

Operational compliance circular affecting CaaS vendors at NSE with standardised audit reporting formats; no direct market or stock price impact but significant for colocation service providers regarding cybersecurity obligations.

Category	Compliance
Circular ID	`4431f3566597c936`
Impact	Medium
Severity	Medium
Tags	caas colocation system-audit vapt cybersecurity compliance vendor-reporting penetration-testing
Source	NSE
Links	PDF Document ↗ Original Source ↗ Permalink