
What Changed in the April 2025 SEBI CSCRF Amendment

SEBI's April 2025 CSCRF amendment rewrote stock-broker thresholds with a two-parameter rule, reclassified KRAs from MII to QRE, clubbed AIFs+VCFs at the manager level, and introduced the HSM mandate. Here's what every regulated entity needs to know.

May 6, 2026 7 min read

On 30 April 2025, SEBI issued circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60 — the most consequential amendment to the Cybersecurity and Cyber Resilience Framework (CSCRF) since the master circular was published in August 2024. In a single 34-page document, SEBI rewrote stock-broker classification rules, recategorised KRAs, clubbed AIFs and VCFs at the manager level, simplified Portfolio Manager thresholds, added sub-100-client exemptions, introduced the HSM mandate, and shifted IA/RA reporting to BSE Ltd.

If your entity type was classified under the old Aug 2024 model, your tier may have changed. This piece walks through every change.

This analysis reflects the CSCRF as it stands on 2026-05-06 — master circular read with all 6 amendments and the May 2026 AI Advisory.

What the circular says

Circular CIR/2025/60 is titled "Clarifications on the Implementation of the Cybersecurity and Cyber Resilience Framework" but the word "clarifications" undersells it. Seven of its provisions are material changes to entity classification — not clarifications at all. It was issued under the same statutory authority as the master CSCRF (Section 11(1) of the SEBI Act, 1992) and is binding.

The circular also extended the compliance deadline for all REs except MIIs and QRTAs to 30 June 2025 (subsequently extended again to 31 August 2025 by CIR/2025/96). All compliance deadlines have since passed — obligations are currently binding.

Stock broker classification: the two-parameter rule

Per CIR/2025/60 §2.1, stock broker tier classification was rewritten. The original Aug 2024 master classified brokers purely by number of active clients. The April 2025 amendment replaced this with a two-parameter rule:

| Tier | Clients (active, per UCC) | OR annual trading volume (INR Cr) |
|---|---|---|
| Qualified RE | >10,00,000 (10L) | >₹10,00,000 Cr |
| Mid-size | >1,00,000 – 10,00,000 | >₹1,00,000 – 10,00,000 Cr |
| Small-size | >10,000 – 1,00,000 | >₹10,000 – 1,00,000 Cr |
| Self-cert | >1,000 – 10,000 | >₹1,000 – 10,000 Cr |
| Excluded entirely | <1,000 clients | AND <₹1,000 Cr volume |

The key rule: the higher of the two parameters determines the tier. A broker with 50,000 clients (Small-size by clients) but ₹1,50,000 Cr annual trading volume (Mid-size by volume) is classified as Mid-size. Both parameters must independently be below 1,000 for the entity to be excluded from CSCRF entirely.

This is the single most impactful change in the April 2025 circular. Many brokers were re-tiered overnight — some moved up (into QRE), some moved down — purely because their trading volume told a different story than their client count.

QSBs (Qualified Stock Brokers) identified under the Feb 2023 SEBI circular (CIR/2023/24) are auto-classified as Qualified REs, as confirmed by the master CSCRF footnote 14.

KRA reclassification: from MII to Qualified RE

Per CIR/2025/60 §2.5, KYC Registration Agencies (KRAs) were recategorised from Market Infrastructure Institution (MII) tier to Qualified RE (QRE) tier.

This is a downgrade in regulatory intensity — MIIs carry the highest compliance burden under CSCRF (half-yearly VAPT for CII, half-yearly third-party CCI assessment, mandatory ISO 27001, Market SOC operation), while QREs have a lower but still substantial obligation set (annual VAPT, self-assessment CCI, ISO 27001 recommended but not mandatory per Aug 2025).

For KRAs, the practical effect is:

  • VAPT: now once a year (was twice a year)
  • CCI: now self-assessment annually (was third-party half-yearly)
  • ISO 27001: recommended, not mandatory (per Aug 2025)
  • M-SOC: eligible (not operating)
  • Red Team and Threat Hunting obligations remain (half-yearly and quarterly respectively for QREs)

KRAs still carry significant obligations — they are Qualified REs, not exempt. But the move out of MII removes the highest-intensity requirements.

AIFs and VCFs: combined at the manager level

Per CIR/2025/60 §2.7, Alternative Investment Funds (AIFs) and Venture Capital Funds (VCFs) are now categorised at the manager level, not the individual fund level. The corpora of all AIFs, VCFs, and schemes managed by the same entity are summed to determine the tier:

| Tier | Combined corpus (INR Cr) |
|---|---|
| Mid-size | >₹10,000 Cr |
| Small-size | >₹3,000 – ₹10,000 Cr |
| Self-cert | ≤₹3,000 Cr |

No QRE category exists for AIF+VCF managers. A manager with <100 clients in the Self-cert tier is exempt from mandatory M-SOC onboarding.

For multi-fund managers, this is significant — five funds of ₹500 Cr each now aggregate to ₹2,500 Cr at the manager level (Small-size), where previously each individual fund at ₹500 Cr would have been Self-cert.

Portfolio Manager: simplified to single AUM threshold

The original Aug 2024 master classified Portfolio Managers across multiple parameters. CIR/2025/60 §2.6 simplified this to a single AUM threshold:

| Tier | AUM (INR Cr) |
|---|---|
| Mid-size | ≥₹3,000 Cr |
| Small-size | >₹1,000 – <₹3,000 Cr |
| Self-cert | ≤₹1,000 Cr |

(Note: this was further revised by the Aug 2025 technical clarifications — see our companion post.)

Self-cert PMs with <100 clients are exempt from M-SOC onboarding.

Other April 2025 changes

Depository Participants. DPs also registered as Stock Brokers now use the broker two-parameter rule for classification. DPs not registered as brokers are always Qualified REs. DPs with <100 clients are exempt from SOC/M-SOC requirements. (CIR/2025/60 §2.2)

IA/RA reporting authority. Investment Advisers and Research Analysts now report CSCRF compliance to BSE Ltd (via BSE-IAASB / BSE-RAASB) — not SEBI directly — for a period of 5 years from 25 July 2024. (CIR/2025/60 §2.8)

Sub-100-client exemptions. Several entity types with <100 clients received SOC and M-SOC exemptions: DP, PM (Self-cert), AIF+VCF (Self-cert), and RTA.

HSM mandate. Hardware Security Modules became mandatory for MIIs and Qualified REs. Lower tiers may use risk-assessed alternatives with board approval.

Where this goes beyond the Aug 2024 master

| Item | Aug 2024 master | Apr 2025 amendment |
|---|---|---|
| Broker classification | Active clients only | Clients OR trading volume (higher wins) |
| KRA tier | MII | Qualified RE |
| AIF/VCF classification | Per-fund | Manager-level combined corpus |
| PM classification | Multi-parameter | Single AUM threshold |
| IA/RA reporting | SEBI | BSE Ltd (5 years) |
| HSM | Not mentioned | Mandatory for MII + QRE |
| <100-client exemptions | None | DP, PM, AIF+VCF, RTA |

A pragmatic roadmap

If you are an RE affected by the April 2025 changes:

  1. Reclassify your tier. If you are a stock broker, recalculate using the two-parameter rule. If you are an AIF/VCF manager, sum corpus across all funds and schemes. Our SEBI Compliance Wizard runs the classification in 2 minutes.

  2. Check for exemptions. If you have <100 clients and are a DP, PM (Self-cert), AIF+VCF manager (Self-cert), or RTA, confirm your SOC/M-SOC exemption applies.

  3. IA/RA firms: redirect reporting to BSE Ltd. If you have been filing CSCRF compliance with SEBI, switch to BSE-IAASB/BSE-RAASB.

  4. KRAs: update your compliance programme. Move from MII obligations (half-yearly VAPT, third-party CCI) to QRE obligations (annual VAPT, self-assessment CCI, ISO 27001 recommended).

  5. MIIs and QREs: implement HSM. If you haven't already deployed Hardware Security Modules, this is a binding requirement.

How Security Brigade helps

We have been CERT-In empanelled since 2008 and have delivered 6,700+ security assessments across the BFSI sector. We help REs reclassify their tier under the new rules, scope and deliver VAPT and cyber audits, build IT-committee evidence packs, and deploy HSM-compliant architecture. Use our free SEBI Compliance Wizard to see your current classification in 8–10 questions.

FAQ

Does the two-parameter rule mean my broker classification could change even if my client count hasn't?

Yes — the higher of clients OR trading volume determines the tier. A broker with a stable client base that sees a spike in trading volume could move up a tier based on volume alone.

Are KRAs now exempt from CSCRF?

No. KRAs are recategorised from MII to Qualified RE — they still have binding obligations (annual VAPT, twice-yearly cyber audit, half-yearly red team, quarterly threat hunting, IT committee). The obligations are simply less intense than MII-tier.

What is the effective date for the HSM mandate?

HSM became mandatory for MIIs and QREs with the April 2025 circular (CIR/2025/60). The original compliance deadline for most REs was 30 June 2025, extended to 31 August 2025 — both dates have passed. HSM deployment is a current obligation.

Can a broker with 900 clients and ₹900 Cr volume be excluded from CSCRF?

Yes. Both parameters independently must be below their respective 1,000 thresholds for the "excluded entirely" exemption to apply.

Content current as of 2026-05-06. Source: docs/SEBI-CSCRF-FACTCHECK-2026-05-06.md. Verify any specific obligation against the latest SEBI circular before action — this analysis is informational and not legal advice.

About the authors

Founder & Chief Technology Officer

Founded Security Brigade in 2006 with the thesis that security assessment quality should be structural, not dependent on individual testers. 16+ years building platforms, teams, and methodologies that make enterprise security consistent.


Offensive Security Research · Security Brigade

A rotating byline for collaborative analysis pieces from Security Brigade's offensive security and threat-research practice.