Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)
Introduction
The Securities and Exchange Board of India’s (“SEBI”) circular, issued on April 30, 2025, provides critical clarifications and revisions to the Cybersecurity and Cyber Resilience Framework (“CSCRF”) for SEBI-regulated entities.[1] It outlines updated categorisation thresholds, compliance responsibilities, and exemptions for various market participants including stock brokers, depository participants, investment advisers, and others. Designed to enhance cyber resilience throughout the securities market ecosystem, the circular aims for uniform application of cybersecurity standards specific to the size and operation of each entity.
Understanding the Circular
- Background: SEBI had previously issued a circular on August 20, 2024, detailing the CSCRF for SEBI Regulated Entities (“REs”).[2] Due to multiple queries on implementation and extension, additional clarifications were made through circulars on December 31, 2024[3], and March 28, 2025.[4]
- Revised Categorisation Framework: SEBI has, based on follow-up consultations, revised the thresholds and categorisation for some REs. These categories will be decided at the start of each financial year based on data from the previous financial year and will not change during that year, irrespective of any changes thereafter.
- Stock Brokers: Stock brokers will be categorized on the basis of either registered clients or annual trading volume, whichever leads to a higher classification.
  - Qualified REs: More than 10 lakh clients or trading volume over ₹10,00,000 crore.
  - Mid-size REs: Between 1 lakh–10 lakh clients or trading volume of ₹1,00,000–₹10,00,000 crore.
  - Small-size REs: Between 10,000–1 lakh clients or trading volume of ₹10,000–₹1,00,000 crore.
  - Self-certification REs: Between 1,000–10,000 clients or trading volume of ₹1,000–₹10,000 crore.
  - Stock brokers with fewer than 1,000 clients and less than ₹1,000 crore trading volume are exempt from the CSCRF.
- Depository Participants (“DPs”): The category of a DP will be determined by the highest applicable category. For example, a DP also registered as a stockbroker or a bank shall be categorized accordingly, with preference to the more stringent threshold. DPs with fewer than 100 clients are exempt from using Security Operations Center (“SOC”) services or onboarding to the Market-SOC (“M-SOC”).
- Investment Advisers (“IAs”): IAs that are not registered with SEBI in any other capacity are exempted from the provisions of the CSCRF. IAs registered in any other capacity have to adhere to the highest category under any of their registrations.
- Research Analysts (“RAs”): Likewise, RAs who have no other SEBI registration are exempted from the CSCRF. RAs registered in other capacities need to comply with the highest category out of their applicable registrations. Compliance monitoring of IAs and RAs has been entrusted to BSE Ltd. for five years from July 25, 2024.
- KYC Registration Agencies (“KRAs”): KRAs will be re-categorised as Qualified REs, moving them from the earlier classification under Market Infrastructure Institutions (“MIIs”).
- Portfolio Managers: Portfolio managers are categorised solely based on Assets Under Management (“AUM”):
  - Mid-size REs: AUM above ₹3,000 crore.
  - Self-certification REs: AUM up to ₹3,000 crore.
  - Managers with fewer than 100 clients and in the self-certification category are exempt from the requirement of joining M-SOC.
- Alternative Investment Funds (“AIFs”) and Venture Capital Funds (“VCFs”): Categorisation shall be done at the manager level, with cumulative corpus of AIF and VCF schemes under management being considered:
  - Mid-size REs: Corpus of ₹10,000 crore and above.
  - Small-size REs: Corpus between ₹3,000–₹10,000 crore.
  - Self-certification REs: Corpus up to ₹3,000 crore.
  - Managers in the self-certification category with fewer than 100 clients are exempt from mandatory M-SOC requirements.
- Merchant Bankers (“MBs”): MBs who engage in issue management activities, like IPOs, FPOs, REITs/InvITs issues, buy-backs, delisting, or open offers under takeover rules, are categorized as Mid-size REs. Remaining MBs will be categorized as Small-size REs.
- Registrar to an Issue and Share Transfer Agents (“RTAs”): RTAs with fewer than 100 clients are exempt from mandatory SOC services or onboarding to M-SOC.
- Entities with Multiple Registrations: In cases where a regulated entity falls under more than one category, it shall comply with the provisions applicable to the highest category it qualifies for.
- Cloud Services Framework (Annexure-J to CSCRF): MIIs and Qualified REs must adopt a specific Hardware Security Module (“HSM”). Mid-size, small-size, and self-certification REs can adopt an alternative to an HSM subject to a risk assessment approved by their Board, partners, or proprietor.
Conclusion
The revised SEBI circular is a pragmatic move towards risk-based cybersecurity regulation, recognizing the differential scale and exposure of market players. By calibrating thresholds and relaxing compliance for smaller players while setting more stringent norms for systemically important ones, SEBI strikes a balance between resilience and operational practicability. The multi-layered approach of the framework encourages accountability, simplifies oversight, and opens the door to more responsive cybersecurity practices in India’s fast-changing securities market ecosystem.
[1] https://www.sebi.gov.in/legal/circulars/apr-2025/clarifications-to-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_93734.html.
[2] https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html.
[3] https://www.sebi.gov.in/legal/circulars/dec-2024/clarifications-to-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_90401.html.
[4] https://www.sebi.gov.in/legal/circulars/mar-2025/extension-towards-adoption-and-implementation-of-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_93146.html.