SEBI CSCRF
Getting Started Guide

SEBI Cybersecurity and Cyber Resilience Framework 2024

Mandatory for all SEBI-regulated entities. Covers stockbrokers, AMCs, depositories, and their technology providers.

Audit Effort3–9 months depending on tier
Key Fact5-tier compliance model, 205-page circular

What Is SEBI CSCRF?

The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) is a comprehensive cybersecurity regulation issued by the Securities and Exchange Board of India in August 2024. It replaced all previous SEBI cybersecurity circulars with a single unified framework covering every SEBI-regulated entity — stockbrokers, depositories, mutual funds, AMCs, portfolio managers, credit rating agencies, AIFs, and their technology service providers.

The framework uses a 5-tier model based on the systemic importance and size of each regulated entity. Tier 1 covers Market Infrastructure Institutions (NSE, BSE, CDSL, NSDL) with the highest obligations. Tier 2 covers Qualified Registered Entities — large stockbrokers, top AMCs. Tiers 3–5 have progressively lighter requirements, with Tier 5 entities able to self-certify for many controls. The key point: no tier is exempt from baseline cybersecurity requirements.

For technology companies serving SEBI-regulated entities — cloud platforms, trading system vendors, risk management software providers — CSCRF creates contractual requirements through the vendor responsibility clause: your client's CSCRF compliance gap is considered your client's finding, not yours. But in practice, clients will demand that their technology vendors demonstrate CSCRF-aligned controls or risk losing the relationship.

Does SEBI CSCRF Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

SEBI Regulated Financial Entities

Stockbrokers, Asset Management Companies (AMCs), depositories, AIFs, and investment advisors operating in India.

Mandatory

Indian FinTech and Trading App Developers

SaaS platforms that integrate with trading systems, broker portals, or handle investor portfolios.

Likely applies

Technology Partners to Indian Banks

Third-party vendors handling data feeds or hosting critical market applications for regulated entities.

Likely applies
You probably don't need SEBI CSCRF if:
  • You operate financial applications outside India and do not serve Indian investment companies.
  • Your company has no integration with Indian stock markets, securities trading, or mutual funds.
  • You are in a pre-pilot research phase and do not connect to production APIs in the financial sector.

Why SEBI CSCRF Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

Active Enforcement Cycles

SEBI CSCRF audit cycles are active. Regulated entities face penalties and trading license reviews for gaps.

6-Hour Breach Reporting

All cybersecurity incidents must be reported to SEBI and CERT-In within 6 hours of identification, requiring active monitoring.

Biannual VAPT Deadlines

Biannual Vulnerability Assessment and Penetration Testing (VAPT) must be run by CERT-In empanelled auditors to maintain licensing.

The Requirements

The core security controls and evidence parameters audited for SEBI CSCRF.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for SEBI CSCRF.

1
Weeks 1–4

Tier Assignment & Gap Audit

Identify your regulatory Tier (1 to 5), map assets, and run a gap audit against the CSCRF circular.

Key Deliverable:Tier definition report, Gap findings sheet
2
Weeks 5–14

Operational Control Build

Implement MFA, configure monitoring systems, set up log retention, and document policies.

Key Deliverable:Access policies, Security Operations SOPs
3
Weeks 15–18

VAPT Audit Run

Engage a CERT-In empanelled auditor to run VAPT, and patch any detected high or medium vulnerabilities.

Key Deliverable:Completed VAPT report, patch evidence files
4
Weeks 19–24

Audit Submission & Filing

Compile the compliance dossier, obtain sign-off from the Cyber Committee, and submit to SEBI portals.

Key Deliverable:Signed SEBI compliance report, auditor cert
With Existing Certifications

8–12 weeks: Leverage existing ISO 27001 controls and policies to cover baseline asset and log management criteria.

Starting from Scratch

16–24 weeks: Starting from scratch requires building a full operational SOC, hiring security staff, and setting up audit windows.

The Mistakes That Delay Most SEBI CSCRF Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Waiting for SEBI to issue another extension

Why it happens:

SEBI has extended CSCRF deadlines three times. Some entities assume extensions will continue. Enforcement is now active.

How to avoid it:

Treat the current compliance state as final. Any further extension is a bonus, not a plan.

Not understanding which tier you're in

Why it happens:

Teams assume they're a lower tier to reduce compliance scope — often incorrectly.

How to avoid it:

Review the CSCRF circular's tier classification criteria carefully. If you're near a tier boundary, get a formal assessment.

Treating ISO 27001 and CSCRF as identical

Why it happens:

ISO 27001 certification is mandatory for Qualified REs — but ISO 27001 alone doesn't satisfy CSCRF. CSCRF adds India-specific requirements: 6-hour incident reporting, biannual VAPT, Cyber Capability Index reporting.

How to avoid it:

Build your ISO 27001 programme to also satisfy CSCRF's additional requirements from day one.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

SEBI CSCRF Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

SEBI CSCRF Checklist

Assess your baseline control posture against SEBI CSCRF criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about SEBI CSCRF compliance and certification processes.