Description
NSE prescribes timelines for Vulnerability Assessment and Penetration Testing (VAPT) report submission by trading members for FY 2025-26, in compliance with SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF).
Summary
NSE has issued updated timelines for the conduct and submission of VAPT (Vulnerability Assessment and Penetration Testing) reports by trading members for FY 2025-26, in accordance with SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) circular dated August 20, 2024. Two separate submission tracks apply, depending on the categorization of the regulated entity (RE).
Key Points
- All trading members must conduct VAPT through a CERT-In empanelled auditor and submit reports within prescribed timelines.
- Two tracks: yearly submission for most REs and half-yearly submission for QSBs and REs classified as ‘Protected Systems’ or CII by NCIIPC.
- REs must NOT submit detailed vulnerability reports unless explicitly requested by SEBI or the Exchange.
- Trading members must maintain detailed VAPT records internally as per SEBI circular format.
- No audit cycle should be left unaudited; any unaudited period due to categorization changes must be included in the current audit cycle.
- VAPT scope must cover all critical assets: networking systems, security devices, servers, databases, applications, WAN/LAN systems, public IP-accessible systems, and websites.
Regulatory Changes
- References SEBI CSCRF circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 and subsequent clarifications (December 31, 2024; March 28, 2025; April 30, 2025; August 28, 2025).
- Incorporates SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119 dated August 28, 2025, which restricts submission of explicit vulnerability details.
- Updated VAPT audit report formats, declaration templates, and assessment details aligned to SEBI CSCRF are prescribed via Annexure-2.
- VAPT testing scope and methodology must follow Annexure-L of the SEBI CSCRF circular (reproduced as Annexure-1).
Compliance Requirements
Track 1 – Yearly (Self-certification, Small, Mid, and Qualified REs excluding QSBs):
- Conduct VAPT through a CERT-In auditor covering FY April 1, 2025 – March 31, 2026.
- Obtain IT Committee approval and submit report to NSE by July 31, 2026.
- Submit ATR/Revalidation report (if applicable) by November 30, 2026.
Track 2 – Half-Yearly (QSBs and REs classified as Protected Systems/CII by NCIIPC):
- VAPT covers the half-yearly period October 1, 2025 – March 31, 2026.
- Obtain IT Committee approval and submit report to NSE by June 30, 2026.
- Submit ATR/Revalidation report (if applicable) by September 30, 2026.
General Requirements:
- Maintain detailed VAPT records as per Point 7 of Annexure-A of SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113.
- Do NOT submit explicit vulnerability details to NSE/SEBI unless specifically requested.
Important Dates
| Milestone | Track 1 (Yearly) | Track 2 (Half-Yearly / QSBs & Protected REs) |
|---|---|---|
| VAPT Conduct Period | April 1, 2025 – March 31, 2026 | October 1, 2025 – March 31, 2026 |
| VAPT Conduct Deadline | June 30, 2026 | June 30, 2026 |
| Report Submission Deadline | July 31, 2026 | June 30, 2026 |
| ATR/Revalidation Submission | November 30, 2026 | September 30, 2026 |
Impact Assessment
This circular has moderate operational impact on all NSE trading members, particularly their IT and compliance functions. Firms must ensure a CERT-In empanelled auditor is engaged well in advance of the June 2026 conduct deadline. QSBs and systemically important entities face the tightest timeline, with report submission and VAPT conduct both due by June 30, 2026. Non-compliance could attract regulatory scrutiny under the CSCRF. There is no direct market or pricing impact, but failure to comply may affect a trading member’s standing with the Exchange.
Impact Justification
Mandatory compliance requirement for all trading members under SEBI CSCRF with specific deadlines; operationally significant for IT/compliance teams but does not directly affect market trading or pricing.