SEBI Cybersecurity and Cyber Resilience Framework 2024
Mandatory for all SEBI-regulated entities. Covers stockbrokers, AMCs, depositories, and their technology providers.
What Is SEBI CSCRF?
The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) is a comprehensive cybersecurity regulation issued by the Securities and Exchange Board of India in August 2024. It replaced all previous SEBI cybersecurity circulars with a single unified framework covering every SEBI-regulated entity — stockbrokers, depositories, mutual funds, AMCs, portfolio managers, credit rating agencies, AIFs, and their technology service providers.
The framework uses a 5-tier model based on the systemic importance and size of each regulated entity. Tier 1 covers Market Infrastructure Institutions (NSE, BSE, CDSL, NSDL) with the highest obligations. Tier 2 covers Qualified Registered Entities — large stockbrokers, top AMCs. Tiers 3–5 have progressively lighter requirements, with Tier 5 entities able to self-certify for many controls. The key point: no tier is exempt from baseline cybersecurity requirements.
For technology companies serving SEBI-regulated entities — cloud platforms, trading system vendors, risk management software providers — CSCRF creates contractual requirements through the vendor responsibility clause: your client's CSCRF compliance gap is considered your client's finding, not yours. But in practice, clients will demand that their technology vendors demonstrate CSCRF-aligned controls or risk losing the relationship.
Does SEBI CSCRF Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
SEBI Regulated Financial Entities
Stockbrokers, Asset Management Companies (AMCs), depositories, AIFs, and investment advisors operating in India.
Indian FinTech and Trading App Developers
SaaS platforms that integrate with trading systems, broker portals, or handle investor portfolios.
Technology Partners to Indian Banks
Third-party vendors handling data feeds or hosting critical market applications for regulated entities.
- You operate financial applications outside India and do not serve Indian investment companies.
- Your company has no integration with Indian stock markets, securities trading, or mutual funds.
- You are in a pre-pilot research phase and do not connect to production APIs in the financial sector.
Why SEBI CSCRF Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
Active Enforcement Cycles
SEBI CSCRF audit cycles are active. Regulated entities face penalties and trading license reviews for gaps.
6-Hour Breach Reporting
All cybersecurity incidents must be reported to SEBI and CERT-In within 6 hours of identification, requiring active monitoring.
Biannual VAPT Deadlines
Biannual Vulnerability Assessment and Penetration Testing (VAPT) must be run by CERT-In empanelled auditors to maintain licensing.
The Requirements
The core security controls and evidence parameters audited for SEBI CSCRF.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for SEBI CSCRF.
Tier Assignment & Gap Audit
Identify your regulatory Tier (1 to 5), map assets, and run a gap audit against the CSCRF circular.
Operational Control Build
Implement MFA, configure monitoring systems, set up log retention, and document policies.
VAPT Audit Run
Engage a CERT-In empanelled auditor to run VAPT, and patch any detected high or medium vulnerabilities.
Audit Submission & Filing
Compile the compliance dossier, obtain sign-off from the Cyber Committee, and submit to SEBI portals.
With Existing Certifications
8–12 weeks: Leverage existing ISO 27001 controls and policies to cover baseline asset and log management criteria.
Starting from Scratch
16–24 weeks: Starting from scratch requires building a full operational SOC, hiring security staff, and setting up audit windows.
The Mistakes That Delay Most SEBI CSCRF Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Waiting for SEBI to issue another extension
SEBI has extended CSCRF deadlines three times. Some entities assume extensions will continue. Enforcement is now active.
Treat the current compliance state as final. Any further extension is a bonus, not a plan.
Not understanding which tier you're in
Teams assume they're a lower tier to reduce compliance scope — often incorrectly.
Review the CSCRF circular's tier classification criteria carefully. If you're near a tier boundary, get a formal assessment.
Treating ISO 27001 and CSCRF as identical
ISO 27001 certification is mandatory for Qualified REs — but ISO 27001 alone doesn't satisfy CSCRF. CSCRF adds India-specific requirements: 6-hour incident reporting, biannual VAPT, Cyber Capability Index reporting.
Build your ISO 27001 programme to also satisfy CSCRF's additional requirements from day one.
Rishabh's Take on SEBI CSCRF
Practitioner Voice“SEBI CSCRF is the most operationally demanding Indian cybersecurity framework I work with — not because the controls are technically unusual, but because the 6-hour incident reporting requirement and biannual VAPT obligation require real operational capability, not just documentation. Most organisations I see are policy-compliant but operationally under-prepared. A CERT-In notification in 6 hours from a 2am alert requires your monitoring, escalation, and communication infrastructure to be built before the incident happens, not after. That's where I'd focus first.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
SEBI CSCRF Insights
Read practical security, engineering, and audit management playbooks from the GRC hub.
SEBI CSCRF Checklist
Assess your baseline control posture against SEBI CSCRF criteria in 10 minutes.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about SEBI CSCRF compliance and certification processes.