Asp - Stock Market Circulars

Consolidated Circular for Non-Neat Frontend (NNF) Facility

Thu, 30 Apr 2026 00:00:00 +0530

Summary

NSE has issued a consolidated circular governing the Non-Neat Frontend (NNF) Facility, which enables trading members to access NSE’s trading system through front-end interfaces developed in-house, procured from an empanelled vendor, or obtained through an Application Service Provider (ASP). The circular consolidates registration requirements, auditor selection norms for mandatory system audits, and the undertaking format members must execute before availing the NNF facility.

Key Points

NNF facility allows trading members to use alternative front-end interfaces to access NSE’s trading system in lieu of NEAT (NSE’s proprietary front-end)
Members must execute a formal undertaking (Annexure I) on non-judicial stamp paper of Rs. 1,000 or state-prevailing value, whichever is higher
The undertaking applies to members using NNF developed in-house, procured from an empanelled vendor, or accessed via an ASP
System audits are mandatory and must be conducted by qualified, independent IT auditors meeting specified selection norms
Auditors must have a minimum of 3 years of IT audit experience with securities market participants
Auditor resources must hold recognized certifications: D.I.S.A. (ICAI), CISA (ISACA), CISM (ISACA), or CISSP (ISC²)
Auditors must have experience with IT audit/governance frameworks such as CobiT
Auditors must be free from conflicts of interest and must not be related (directly or indirectly) to the stock broker, its directors, or promoters
Auditors must have no pending cases related to previously audited companies under SEBI’s jurisdiction that would indicate incompetence or unsuitability

Regulatory Changes

This is a consolidated circular, meaning it brings together previously issued guidelines on the NNF facility into a single reference document. No new regulatory requirements are introduced; the circular restates and formalizes existing norms for auditor eligibility, independence, and the undertaking format for NNF registration.

Compliance Requirements

Trading Members: Must submit a duly stamped undertaking (Annexure I) as part of the NNF registration process, regardless of whether the front-end is developed in-house, from a vendor, or via ASP
Auditor Empanelment: Members must engage IT auditors who satisfy all five auditor selection norms (experience, certifications, framework knowledge, independence, and clean regulatory record)
System Audit Coverage: Audits must cover all major areas specified under the Terms of Reference (ToR) mandated by SEBI/stock exchange
Documentation: The undertaking must be executed on non-judicial stamp paper or franked paper, specifying date and place of execution

Important Dates

No specific new deadlines introduced; requirements apply on an ongoing basis as part of NNF registration and periodic system audit cycles
Stamp duty for undertaking: Rs. 1,000 or state-prevailing value at the time of execution

Impact Assessment

This circular primarily impacts trading members currently using or intending to use non-standard front-end interfaces to access NSE’s trading system. Compliance burden is moderate — members must ensure their chosen IT auditors meet all five selection criteria, which may limit the auditor pool. The consolidated format reduces ambiguity by providing a single authoritative reference. No direct market-wide trading or pricing impact is anticipated. ASP-dependent members should verify their service providers’ audit compliance status.

Periodic Submission of System, Cyber, and VAPT Audit by Application Service Providers (ASPs)

Thu, 30 Apr 2026 00:00:00 +0530

Summary

NSE’s Inspection Department (Circular Ref. No. 22/2026) requires all empaneled Application Service Providers (ASPs) to conduct and submit periodic System Audit, Cyber Security Audit, and Vulnerability Assessment & Penetration Testing (VAPT) audits on a yearly basis. The audits cover the audit period of April 1 to March 31, with preliminary reports due by June 30 and action taken reports (where applicable) due by September 30. This circular consolidates guidelines, auditor selection norms, report formats, and Terms of Reference for all three audit types.

Key Points

All empaneled ASPs must conduct annual System Audit, Cyber Audit, and VAPT assessment covering their NNF (Non-NEAT Frontend) facility and ASP platform security controls.
Preliminary audit reports for all three audit types are due on or before June 30 each year.
Action Taken Reports (ATRs), where applicable, are due on or before September 30 each year.
Audit reports must be approved by the ASP’s Managing Director, Director, CTO, or CISO before submission.
Auditor selection must adhere to prescribed norms: audit firms/LLPs/companies must have 3+ years of experience and at least three Partners/Directors with valid CISA (ISACA), DISA (ICAI), CISM (ISACA), or CISSP (ISC2) certifications.
VAPT assessment formats are aligned with SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF).
Queries and report submissions should be directed to DL-SYSCYB@nse.co.in.

Regulatory Changes

This circular formalizes and consolidates the cybersecurity audit obligations for ASP vendors in alignment with SEBI’s CSCRF. It introduces standardized report formats (Annexures B–E) and Terms of Reference (Annexures F–G) for System and Cyber audits, ensuring structured and uniform compliance across all ASP vendors operating on the NSE platform.

Compliance Requirements

ASP Vendors must:
- Engage qualified auditors meeting the selection norms in Annexure A.
- Conduct annual System Audit using the TOR in Annexure F.
- Conduct annual Cyber Security Audit using the TOR in Annexure G.
- Conduct annual VAPT assessment per SEBI CSCRF guidelines.
- Submit Preliminary Audit Reports in prescribed formats (Annexures B, C, D, E) by June 30.
- Submit Action Taken Reports by September 30 if applicable.
- Obtain approval from MD/Director/CTO/CISO before submitting reports.
Auditor firms must have 3+ years of experience and maintain at least three certified professionals (CISA/DISA/CISM/CISSP).

Important Dates

Audit Period: April 1 to March 31 (annual)
Preliminary Audit Report Deadline: On or before June 30
Action Taken Report (ATR) Deadline: On or before September 30
Circular Date: April 30, 2026

Impact Assessment

This circular primarily affects empaneled ASP vendors providing NNF (Non-NEAT Frontend) services on NSE. The mandatory structured audit regime strengthens cybersecurity resilience across the securities market infrastructure. ASPs must allocate resources for engaging qualified auditors, completing three distinct audits annually, and meeting reporting deadlines. Non-compliance could result in regulatory action from NSE’s Inspection Department. The broader market impact is limited, as this is an operational compliance requirement for technology service providers rather than a change affecting trading rules, listing requirements, or investor-facing regulations.

Test Market Environment - Consolidated Circular 2026

Thu, 30 Apr 2026 00:00:00 +0530

Summary

NSE’s Member Service Department has issued a consolidated circular (Ref No: NSE/MSD/74013, Circular Ref. No: 33/2026) replacing the earlier consolidated circular NSE/MSD/67795 dated April 30, 2025. This circular compiles all subsequent circulars related to the Test Market Environment issued up to March 31, 2026, and encapsulates regulations and instructions from all earlier circulars along with new applicable instructions.

Key Points

The facility is formally referred to as “Test Market Environment”
Annexure 1: Procedure for Application for Test Market Access for Existing Members
Annexure 2: Procedure for Application to Access Test Market EVs, ASPs, FISVs
Annexure 3: Procedure for Application for Test Market Prospective Members
Annexure 4: Important operational instructions
Annexure 5: Interactive & Broadcast Connectivity Parameters for Test Market Environment
Entire annual charges must be collected upfront at the time of application
For mid-year applicants, proportionate charges apply with balance credited toward the next financial year
Annual charge bills are raised in advance at the beginning of each financial year

Regulatory Changes

This circular replaces NSE/MSD/67795 dated April 30, 2025. No information has been rescinded in this consolidation. Any future rescissions will be governed by savings clauses ensuring that actions taken under earlier guidelines remain valid under corresponding provisions of this Master Circular.

Compliance Requirements

Members, EVs, ASPs, and FISVs must clear payments by respective due dates mentioned in bills for annual charges
Non-payment of dues will result in withdrawal of Test Market facility access without further notice
Members participating in the Test Market Environment must remain compliant with all circulars, communications, and instructions issued by the Exchange from time to time
Non-compliance may invite disciplinary action under applicable Exchange Byelaws, Rules, and Regulations
Operational instructions in Annexure 4 must be noted and acted upon

Important Dates

Circular Date: April 30, 2026
Replaces: NSE/MSD/67795 dated April 30, 2025
Compilation covers circulars issued up to: March 31, 2026
Annual charges billed: In advance at the beginning of each financial year

Impact Assessment

This is a routine administrative consolidation with low market impact. It affects only those members, empanelled vendors, ASPs, and FISVs who use or intend to use the NSE Test Market Environment for technology testing purposes. No changes to live trading rules or market structure are introduced. The primary operational impact is on technology teams and compliance officers at member firms who need to ensure timely payment of test market access fees and adherence to updated procedural annexures.