Overview
The Securities and Exchange Board of India (SEBI) issued this circular to provide revised guidelines and clarifications for the implementation of its Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities (REs). The update is based on feedback from stakeholders following earlier circulars issued in August and December 2024, and March 2025. The main objective is to enhance cyber resilience while accommodating the operational diversity and scale of different market participants.
Categorization of Regulated Entities
A central focus of the circular is the updated categorization criteria for various REs, which will determine their compliance obligations under CSCRF. Categorization is fixed at the beginning of each financial year based on the previous year’s data and is validated during compliance submissions.
- Stock Brokers
They are divided into four categories—Qualified, Mid-size, Small-size, and Self-certification REs—based on two parameters:
  - Number of registered clients
  - Annual trading volume
Stock brokers with fewer than 1,000 clients and trading volume below ₹1,000 crore are exempt.
- Depository Participants (DPs)
DPs are categorized based on the highest applicable classification. For example, DPs registered as both brokers and banks will be considered Qualified REs. DPs with fewer than 100 clients are exempt from Security Operations Centre (SOC) requirements.
- Investment Advisers (IAs) and Research Analysts (RAs)
Those not registered in other SEBI-regulated capacities are exempt. If registered in other capacities, they must comply with the strictest applicable category. Additionally, BSE Ltd. has been designated as the compliance reporting authority for both IAs and RAs for a five-year period from July 2024.
- KRAs and Portfolio Managers
  - KYC Registration Agencies (KRAs) are re-categorized as Qualified REs.
  - Portfolio Managers are classified based on Assets Under Management (AUM). Those with less than ₹3,000 crore AUM and under 100 clients are exempt from M-SOC requirements.
- AIFs and VCFs
Categorization is applied at the manager level, with thresholds based on the total corpus managed across all schemes. Managers with less than ₹3,000 crore corpus and under 100 clients are exempt from Market-SOC.
- Merchant Bankers
Those involved in issue management activities are categorized as Mid-size REs, while all others fall under Small-size REs.
Additional Provisions
- If an RE is registered under multiple categories, the strictest classification applies.
- Hardware Security Module (HSM) implementation is mandatory for MIIs and Qualified REs. Others may use alternatives with approved risk assessments.
- SEBI reiterates that compliance actions must be completed by June 30, 2025.
- Cyber audits from FY 2025–26 onward must align with the August 2024 CSCRF circular and its clarifications.
Enforcement and Compliance
Stock exchanges, depositories, and the BSE are directed to revise their regulations accordingly and notify their members. BSE must also ensure dissemination of the circular among IAs and RAs.
This circular underlines SEBI’s commitment to tailoring cyber resilience mandates based on risk and scale while maintaining robust protection standards across the securities market ecosystem.
