Technical Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Notification No./Circular No. – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119 dated August 28, 2025

Applicable Act/Rule – Securities and Exchange Board of India Act, 1992

SEBI had issued the Cybersecurity and Cyber Resilience Framework (CSCRF) in August 2024, followed by clarifications, extensions, and FAQs in December 2024, March 2025, April 2025, and June 2025. Based on further industry queries and consultations, SEBI has now issued detailed technical clarifications and additional guidance on implementation of CSCRF for regulated entities (REs).

Part A – Principles for REs under multiple regulators

  • Principle of Exclusivity: CSCRF applies only to systems exclusively used for SEBI-regulated activities. Shared infrastructure/networks will fall under SEBI’s scope if not covered by primary regulators.
  • Principle of Equivalence: Compliance with equivalent cybersecurity controls of another regulator will be accepted, provided the RE adheres fully to those frameworks.

Part B – Technical Clarifications

  • Definition of Critical Systems expanded to include all systems on the same network segment as core/critical systems.
  • Zero Trust Security: Broadened to include strategies like segmentation, redundancy, and high availability, with IT Committee approval.
  • Mobile App Security: Guidelines are recommendatory, not mandatory.
  • Cyber Crisis Management: REs must follow their approved Cyber Crisis Management Plan (CCMP) instead of fixed press-release requirements.
  • Security Solutions: Deployment of tools such as threat simulation, vulnerability management, and decoys is recommended (not prescriptive).
  • Cyber Supply Chain: Risk assessment to be done with IT Committee involvement.
  • Audit Reports: REs to submit only summaries of VAPT/cyber audit reports; explicit vulnerabilities not to be shared unless asked.
  • NCIIPC Principles: Apply only to entities formally identified as Critical Information Infrastructure.
  • Market-SOC Onboarding: Small-size and self-certification REs must use Market-SOC unless they have their own SOC, in which case SOC efficacy reports must be submitted.
  • Business Continuity/Disaster Recovery: Two-hour RTO and 15-minute RPO reaffirmed, aligned with IOSCO guidelines.
  • ISO 27001 Certification: Recommended, not mandatory, for Qualified REs.
  • Confidential handling of audit reports by Exchanges/Depositories mandated.

Part C – Re-categorisation of REs

  • Portfolio Managers reclassified based on AUM into Qualified, Mid-size, Small-size, and Self-certification categories (thresholds specified).
  • Merchant Bankers: All active MBs → Small-size REs; inactive MBs → exempt from CSCRF.

Part D – CERT-In Cyber Audit Policy Guidelines

  • SEBI REs must align with the comprehensive Cyber Security Audit Policy Guidelines issued by CERT-In.

Directions

  • Stock Exchanges, Depositories, and BSE (specifically for IAs and RAs) must amend bye-laws/rules and disseminate provisions to members.
  • Circular issued under SEBI Act, 1992 Section 11(1), effective immediately.
