SEBI CSCRF in 2026: A Complete Guide for SEBI Regulated Entities
A comprehensive guide to SEBI's Cybersecurity and Cyber Resilience Framework — the 5-tier model, 22 entity types, amendment history through Aug 2025, and what every regulated entity needs to do in FY 2026-27.
The Securities and Exchange Board of India (SEBI) Cybersecurity and Cyber Resilience Framework (CSCRF) — the most comprehensive cybersecurity regulation ever issued by an Indian financial regulator — is now in its second operational year. If you’re here, you likely want to know one thing: what does my entity have to do, and by when?
This guide answers that. It covers the 5-tier architecture, the full entity-type classification table, the amendment trail from Aug 2024 through Aug 2025, the obligations that differ by tier, and the practical steps every compliance officer, CISO, and IT-committee chair should take heading into FY 2026-27.
What is CSCRF?
On 20 August 2024, SEBI issued circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 — a 205-page master document that replaces the earlier "Broad Guidelines on Cyber Security and Cyber Resilience" (2015/2018) with a structured, audit-grade framework. It applies to 22 types of SEBI-regulated entities — stock exchanges, clearing corporations, depositories, brokers, AMCs, custodians, KRAs, RTAs, merchant bankers, portfolio managers, AIFs, VCFs, and more.
CSCRF is built on two global standards:
- NIST CSF 2.0 (National Institute of Standards and Technology — Cybersecurity Framework) — for the control catalogue, governance, and risk-management structure.
- EV.ST (Evaluation Standard for Security Testing) — for the VAPT / Audit / Red Team / Threat Hunt methodology that SEBI mandates.
The framework organises every SEBI-regulated entity into five tiers based on size, systemic importance, and volume of market-facing operations. Your tier determines everything — what you test, how often, who tests it, and who you report to.
The 5-tier model
| Tier | Who | Regulatory intensity |
|---|---|---|
| MII (Market Infrastructure Institution) | Stock Exchanges (BSE, NSE, MSEI), Depositories (NSDL, CDSL), Clearing Corporations (NSCCL, ICCL, MCXCCL), QRTAs (≥2 Cr folios) | Highest — operate the plumbing of the securities market |
| Qualified RE (QRE) | KRAs (post Apr 2025), Institutional DPs not registered as Stock Brokers, Stock Brokers >10L clients OR >₹10L Cr trading volume, AMCs ≥₹1L Cr AUM, Custodians ≥₹10L Cr AUC | Heavy — systemic importance demands MII-grade obligations on most controls |
| Mid-size RE | Brokers 1–10L clients OR ₹1–10L Cr volume, AMCs ₹10k–1L Cr AUM, Custodians ₹1–10L Cr AUC, PMs ≥₹10k Cr AUM, AIF+VCF >₹10k Cr corpus, RTAs 1–2 Cr folios | Moderate — annual VAPT + cyber audit, IT committee mandatory |
| Small-size RE | Brokers >1k–10k clients OR >₹1k–10k Cr volume, Active Merchant Bankers, AMCs <₹10k Cr, smaller PMs/AIFs/VCFs/RTAs | Light — annual obligations, fewer audit requirements |
| Self-cert RE | CIS, CRA, Debenture Trustees, PMs ≤₹3000 Cr, AIF+VCF ≤₹3000 Cr, IA/RA (exempt unless they also fall into a higher category) | Minimal — self-certify compliance, board/MD approval replaces IT committee |
Excluded entirely: Stock Brokers with <1,000 clients AND <₹1,000 Cr trading volume, Inactive Merchant Bankers, Debenture Trustees with no new issuer in 3 FYs, Individual IAs, RAs, FPIs, FVCIs, LPCCs, QDPs, REITs, InvITs, Vault Managers.
The amendment trail: what changed
SEBI has issued three substantive amendments since the master circular — two change the obligations; one is deadline plumbing.
April 2025 amendments (circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60)
This amendment made five changes that directly affect tier classification:
Stock broker thresholds rewritten. The original AUM-only rule was replaced with a two-parameter rule — number of active clients OR annual trading volume (not AUM). The higher of the two parameters determines the tier. This is the single most consequential revision — it moved many brokers into or out of Qualified RE status.
KRAs recategorised. KYC Registration Agencies (KRAs) were moved from the MII tier to Qualified RE. This is a significant compliance lift — KRAs now carry VAPT, cyber audit, and IT-committee obligations they didn't have before.
AIFs and VCFs clubbed at the manager level. The sum of corpus across all AIFs, VCFs, and schemes managed by the same entity determines the tier — not individual fund size.
Portfolio Managers simplified. The original multi-parameter PM classification was collapsed to a single AUM threshold (Self-cert ≤₹3000 Cr / Small-size >₹3000–<₹10,000 Cr / Mid-size ≥₹10,000 Cr). Aug 2025 further revised this to three tiers.
HSM mandate introduced. Hardware Security Modules became mandatory for MIIs and Qualified REs — part of the cloud framework that SEBI wove into CSCRF.
August 2025 technical clarifications (circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119)
This clarification round is notable not for what it added but for what it walked back:
| Issue | Master (Aug 2024) | Aug 2025 clarification |
|---|---|---|
| ISO 27001 for QREs | Mandatory within 1 year | Encouraged / recommended (not mandatory) |
| Mobile App Security | Mandatory | Recommendatory |
| BAS/CART deployment | "Shall deploy" | Recommended in consultation with IT Committee |
| Critical systems definition | "All ancillary systems" | Narrowed to "any other system on the same network segment" |
| NCIIPC adoption (GV.PO-11) | Applicable to all | Only REs identified as CII by NCIIPC |
| VAPT/Cyber audit report submission | Full report | Summary only — no explicit vulnerabilities unless asked |
| Data Localisation (PR.DS.S2) | Effective | In abeyance since Dec 2024 |
The Aug 2025 clarifications also introduced the Principle of Exclusivity and Equivalence for entities regulated by multiple bodies (e.g., an NBFC-cum-stock-broker regulated by both RBI and SEBI) — if the other regulator's framework is equivalent, CSCRF compliance may be deemed satisfied.
What your tier requires
Every tier has a specific set of obligations. Here is the reference table (sourced from CSCRF §4, read with the Apr 2025 and Aug 2025 amendments):
| Obligation | MII | Qualified RE | Mid-size | Small-size | Self-cert |
|---|---|---|---|---|---|
| VAPT (CERT-In auditor) | Twice a year (CII / Protected Systems) | Once a year | Once a year | Once a year | Once a year |
| Cyber Audit (separate from VAPT) | Twice a year | Twice a year | Once a year | Once a year | Once a year |
| Red Teaming | Half-yearly | Half-yearly | — | — | — |
| Threat Hunting | Quarterly | Quarterly | — | — | — |
| Cyber Drill | Half-yearly | Half-yearly | Annually | Annually | Annually |
| CCI Assessment | Half-yearly (third-party) | Annually (self) | — | — | — |
| ISO 27001 | Mandatory | Recommended | — | — | — |
| IT Committee | Quarterly + cyber expert | Quarterly + cyber expert | Quarterly + cyber expert | Optional | Optional |
| HSM | Mandatory | Mandatory | Risk-assessed | Risk-assessed | Risk-assessed |
| M-SOC | Operates M-SOC | Eligible / encouraged | Eligible / encouraged | Mandatory (with own-SOC exception) | Mandatory (same) |
| RTO / RPO | 2 hr / 15 min | 2 hr / 15 min | Per CCMP | Per CCMP | Per CCMP |
Incident reporting is uniform across tiers: within 6 hours, to the SEBI Incident Reporting portal and SEBI's designated incident-reporting e-mail address, AND to CERT-In (per the CERT-In Directions of April 2022).
New for 2026: the AI advisory cross-reference
On 5 May 2026, SEBI issued circular HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026 — the AI Vulnerability Detection Advisory. It must be read in conjunction with CSCRF. The advisory adds 10 Annexure-A directives, including:
- Item 2: "Use AI-based VA tools where possible"
- Item 6c: "All eligible REs shall expedite M-SOC onboarding"
- Item 9: "SBOM for all critical applications including open source stack"
- Item 10: "Prepare a long-term plan for AI in detection and autonomous / agentic mitigation"
For CSCRF compliance officers, this means your existing VAPT programme should now include an AI VA tooling evaluation, your risk register should include AI-augmented attacker scenarios, and your IT committee should formally discuss the advisory — all of which become audit evidence in your next CSCRF cycle.
Practical next steps for FY 2026-27
Confirm your tier. Use the two-parameter rule (active clients OR trading volume, higher of the two) for brokers. If you are a KRA, note the Apr 2025 move to Qualified RE. If you fall into more than one entity category, apply the highest applicable tier. If you're unsure, our SEBI Compliance Wizard does the classification in 5 minutes.
Map your calendar. VAPT, cyber audit, red teaming, threat hunting, cyber drills, CCI — each has its own cadence. Build the full year's compliance calendar against your board cycle and vendor lead times. Our Compliance Calendar 2026-27 is a free printable reference.
Evaluate AI VA tooling. Annexure-A item 2 says use AI-based VA tools "where possible." Whether you adopt or reject, document the rationale — it becomes audit evidence.
Prepare the Annexure-A item 10 plan. The IT committee must ratify a long-term AI strategy for detection and autonomous mitigation. Our AI Defence Roadmap Template gives you the structure.
Onboard to M-SOC. Item 6c says "shall expedite" — it's binding language for eligible REs. Our M-SOC Onboarding Readiness Guide maps the 4-week pre-kickoff sequence.
Generate your SBOM. Item 9 mandates Software Bill of Materials for all critical applications — the first SBOM mandate in Indian sectoral regulation. If you haven't operationalised this yet, start now.
Security Brigade has been CERT-In empanelled since 2008 and has delivered 6,700+ assessments across the BFSI sector. We help REs classify their tier, build compliance calendars, run VAPT and cyber audits, and produce IT-committee evidence packs. CSCRF is our everyday work — not a one-off advisory.
Source circulars: SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 (20 Aug 2024), read with amendments dated 30-Apr-2025 and 28-Aug-2025, and the AI advisory dated 5-May-2026. Always cross-check directive language with the source PDFs before audit submission.
About the authors
Founder & Chief Technology Officer
Founded Security Brigade in 2006 with the thesis that security assessment quality should be structural, not dependent on individual testers. 16+ years building platforms, teams, and methodologies that make enterprise security consistent.
Offensive Security Research · Security Brigade
A rotating byline for collaborative analysis pieces from Security Brigade's offensive security and threat-research practice.