On Mar. 28, 2025, IND SEBI decided to extend the CSCRF compliance deadline, for all REs except MIIs, KYC registration agencies (KRAs), qualified registrars to an issue and share transfer agents (QRTAs); the new deadline for relevant entities is Jun. 30, 2025.
On Jul. 4, IND SEBI consulted on cyber resilience framework.
IND SEBI consulted on consolidated cybersecurity and cyber resilience framework (CSCRF) for regulated entities, which supersedes previous circulars re cyber security.
Also follows other previous relevant circulars #139940, #50137 as well as #138400.
Framework
Provides a common structure for multiple approaches to prevent cyber-risks/incidents.
Applies to (specified) regulated entities (REs), market infrastructure institutions (MIIs).
Based on 5 concurrent functions, including identify, protect, detect, respond, recover.
REs shall identify critical assets; formulate a cybersecurity and cyber resilience policy.
Implement strong log retention policy, password policy, access policy; use layering offull-disk encryption (FDE) with file-based encryption (FE) for data protection.
Vulnerability assessment and penetration testing (VAPT) to detect vulnerabilities.
Establish appropriate security mechanism for continuous monitoring of security events.
REs shall also formulate an up-to-date cyber crisis management plan (CCMP).
Comprehensive response and recovery plan shall be documented and be triggered for the timely restoration of systems affected by the cyber incident; inform related parties.
Consultation Period
Consultation is open for comments, which should be submitted by Jul. 25, 2023.
Jul. 21, 2023 Deadline Extension
On Jul. 21, 2023, IND SEBI extended the comment period deadline for the consultation paper on consolidated cybersecurity and cyber resilience framework to Aug. 4, 2023.
Comments must be submitted in the specified format either via email or by post.
Aug. 2024 Finalized Circular
On Aug. 20, 2024, IND SEBI finalized circular introducing CSCRF for regulated entities.
This framework supersedes existing SEBI cybersecurity circulars, guidelines, advisories and letters, the list of which is given as part of the framework attached as annexure-1.
A glide-path for adoption of the framework will be provided; for six categories of REs where cybersecurity and cyber resilience circular already exists, by Jan. 1, 2025.
For other REs where CSCRF is being issued for the first time, by Apr. 1, 2025.
Dec. 2024 Implementation Clarification
On Dec. 31, 2024, IND SEBI issued clarifications regarding cybersecurity framework implementation for regulated entities, extending compliance grace period to Mar. 31.
No regulatory action for non-compliance if entities demonstrate meaningful progress.
Postpones compliance deadline to Apr. 1, 2025 for KYC registration agencies and depository participants; data localization provisions under data security standard PR.DS.S2 placed in abeyance, other guidelines to be issued after further consultation.
In Jan. 2025, IND BSE asked regulated entities to onboard to services, see #240347.
Mar. 2025 Deadline Extended
On Mar. 28, 2025, IND SEBI decided to extend the CSCRF compliance deadline, for all REs except MIIs, KYC registration agencies (KRAs), qualified registrars to an issue and share transfer agents (QRTAs); the new deadline for relevant entities is Jun. 30, 2025.
