Description

NSE requires empaneled ASPs to conduct System, Cyber Security, and VAPT audits annually and to submit the resulting reports, with preliminary reports due by June 30 and action taken reports by September 30.

Summary

NSE’s Inspection Department (Circular Ref. No. 22/2026) requires all empaneled Application Service Providers (ASPs) to conduct a System Audit, a Cyber Security Audit, and a Vulnerability Assessment & Penetration Testing (VAPT) assessment every year and to submit the resulting reports. The audit period runs from April 1 to March 31, with preliminary reports due by June 30 and action taken reports (where applicable) due by September 30. This circular consolidates guidelines, auditor selection norms, report formats, and Terms of Reference for all three audit types.

Key Points

  • All empaneled ASPs must conduct annual System Audit, Cyber Audit, and VAPT assessment covering their NNF (Non-NEAT Frontend) facility and ASP platform security controls.
  • Preliminary audit reports for all three audit types are due on or before June 30 each year.
  • Action Taken Reports (ATRs), where applicable, are due on or before September 30 each year.
  • Audit reports must be approved by the ASP’s Managing Director, Director, CTO, or CISO before submission.
  • Auditor selection must adhere to prescribed norms: audit firms/LLPs/companies must have 3+ years of experience and at least three Partners/Directors with valid CISA (ISACA), DISA (ICAI), CISM (ISACA), or CISSP (ISC2) certifications.
  • VAPT assessment formats are aligned with SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF).
  • Queries and report submissions should be directed to DL-SYSCYB@nse.co.in.

Regulatory Changes

This circular formalizes and consolidates the cybersecurity audit obligations for ASP vendors in alignment with SEBI’s CSCRF. It introduces standardized report formats (Annexures B–E) and Terms of Reference (Annexures F–G) for System and Cyber audits, ensuring structured and uniform compliance across all ASP vendors operating on the NSE platform.

Compliance Requirements

  • ASP Vendors must:
    • Engage qualified auditors meeting the selection norms in Annexure A.
    • Conduct annual System Audit using the TOR in Annexure F.
    • Conduct annual Cyber Security Audit using the TOR in Annexure G.
    • Conduct annual VAPT assessment per SEBI CSCRF guidelines.
    • Submit Preliminary Audit Reports in prescribed formats (Annexures B, C, D, E) by June 30.
    • Submit Action Taken Reports by September 30 if applicable.
    • Obtain approval from MD/Director/CTO/CISO before submitting reports.
  • Auditor firms must have 3+ years of experience and maintain at least three certified professionals (CISA/DISA/CISM/CISSP).

Important Dates

  • Audit Period: April 1 to March 31 (annual)
  • Preliminary Audit Report Deadline: On or before June 30
  • Action Taken Report (ATR) Deadline: On or before September 30
  • Circular Date: April 30, 2026

Impact Assessment

This circular primarily affects empaneled ASP vendors providing NNF (Non-NEAT Frontend) services on NSE. The mandatory structured audit regime strengthens cybersecurity resilience across the securities market infrastructure. ASPs must allocate resources for engaging qualified auditors, completing three distinct audits annually, and meeting reporting deadlines. Non-compliance could result in regulatory action from NSE’s Inspection Department. The broader market impact is limited, as this is an operational compliance requirement for technology service providers rather than a change affecting trading rules, listing requirements, or investor-facing regulations.

Impact Justification

Mandatory cybersecurity audit requirements with specific deadlines for all empaneled ASP vendors; directly affects operational compliance of NNF platform providers but does not impact broader market trading or listed securities.