Cyber Security and Cyber Resilience Audit of Trading Members

Published: April 22, 2026

Processed: April 22, 2026

NSE Compliance cyber-security cyber-resilience

PDF Document

If the PDF doesn't display, click here to view it in a new tab ↗

Description

NSE prescribes timelines for submission of Cyber Security and Cyber Resilience Audit Reports by trading members under SEBI's CSCRF framework, with deadlines of June 30, 2026 for preliminary reports and September 30, 2026 for corrective action reports.

Summary

NSE has issued guidelines for the implementation of SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) for trading members. The circular prescribes specific timelines for conducting and submitting Cyber Audit Reports on a half-yearly or yearly basis, referencing SEBI Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024, and subsequent clarifications.

Key Points

Cyber audit must cover 100% of critical systems and 25% of non-critical systems (sample basis) with rationale documented in the audit report
No audit cycle shall be left unaudited due to category changes at the start of a financial year; unaudited periods must be included in the current audit cycle
Trading members holding multiple SEBI registrations (Custody, AIF, RA/IA, PMS, Merchant Bankers, etc.) must self-categorize per CSCRF criteria
Categorization must be reviewed and approved by the Board of Directors, Designated Director, Proprietor, Partner, or technical advisory committee annually
Auditors must validate whether the trading member’s self-categorization aligns with SEBI CSCRF framework during the audit
Audit report submission is complete only after management comments are provided
Auditors must provide compliance status for each TOR item as Compliant / Non-Compliant / Not Applicable, with justification for any Not Applicable items

Regulatory Changes

This circular operationalizes SEBI’s CSCRF framework (August 20, 2024) for trading members, incorporating subsequent clarification circulars dated December 31, 2024, March 28, 2025, April 30, 2025, August 28, 2025, and FAQ dated June 11, 2025. NSE has established specific timelines in consultation with SEBI for the audit cycle covering April 2025 to March 2026.

Compliance Requirements

Qualified REs and Mid-size / Small-size REs providing IBT or Algo trading: Submit half-yearly audit report (October 2025 – March 2026 period) by June 30, 2026; submit Corrective Action Taken Report (ATR) by September 30, 2026
Rest of REs (excluding Self-certification REs): Submit yearly audit report (April 2025 – March 2026 period) by June 30, 2026; submit ATR by September 30, 2026
All trading members must ensure auditor selection norms and guidelines are adhered to
Management comments must accompany the audit report submission to the Exchange

Important Dates

June 30, 2026: Deadline for submission of Preliminary Cyber Audit Report (both half-yearly and yearly categories)
September 30, 2026: Deadline for submission of Corrective Action Taken Report (ATR), if applicable
Audit Period (Half-Yearly): October 2025 – March 2026
Audit Period (Yearly): April 2025 – March 2026

Impact Assessment

This circular has high operational impact on all NSE trading members. Firms must allocate resources to engage qualified cyber auditors, conduct comprehensive audits of critical systems, and ensure timely submission of reports with management commentary. Members with multiple SEBI registrations face added complexity in self-categorization. Non-compliance with audit timelines or inadequate audit coverage could attract regulatory scrutiny. The requirement for board-level approval of categorization elevates this to a governance-level obligation.

Category	Compliance
Circular ID	`5f8def94ac93401d`
Impact	High
Severity	High
Tags	cyber-security cyber-resilience audit cscrf trading-members compliance sebi inspection
Source	NSE
Links	PDF Document ↗ Original Source ↗ Permalink