SEBI CSCRF for KRAs & QRTAs: The April 2025 Demotion & What It Means
KYC Registration Agencies were reclassified from MII to Qualified RE in April 2025. QRTAs (≥2 Cr folios) remain at MII tier. What changed, what stayed, and what KRAs and QRTAs must do now.
Two entity types in the CSCRF framework are defined by their relationship to investor data: KYC Registration Agencies (KRAs), which maintain the centralised KYC database for every securities-market participant, and Qualified Registrars and Share Transfer Agents (QRTAs), which service the largest folio bases in the market.
The April 2025 amendment (CIR/2025/60) reshaped both: KRAs were demoted from MII to Qualified RE, while QRTAs retained their MII-tier classification. This piece explains both.
KRAs: from MII to Qualified RE
Under the original Aug 2024 master circular, KRAs were classified at par with Market Infrastructure Institutions (MIIs) — the highest tier, alongside Stock Exchanges, Depositories, and Clearing Corporations. This meant KRAs carried the full MII compliance burden: half-yearly VAPT (for CII/Protected Systems), half-yearly third-party CCI assessment, mandatory ISO 27001, operation of Market SOC, direct CISO reporting to MD/CEO, and quarterly IT Committee meetings with an external cyber expert.
Per CIR/2025/60 §2.5, KRAs were recategorised to Qualified RE.
What changed for KRAs
| Obligation | As MII (pre-Apr 2025) | As QRE (current) |
|---|---|---|
| VAPT | Half-yearly (CII) | Annual (half-yearly if CII) |
| Cyber Audit | Half-yearly | Half-yearly |
| Red Teaming | Half-yearly | Half-yearly |
| Threat Hunting | Quarterly | Quarterly |
| CCI Assessment | Half-yearly (third-party) | Annually (self-assessment) |
| ISO 27001 | Mandatory | Recommended (voluntary per Aug 2025) |
| M-SOC | Operates (NSE/BSE) | Eligible/encouraged |
| CISO | Direct MD/CEO; ≥CTO/CIO | Direct MD/CEO; ≥CTO/CIO |
| RTO / RPO | 2 hr / 15 min | 2 hr / 15 min |
The key reductions: VAPT drops from half-yearly to annual (unless CII-designated), CCI moves from third-party assessment to self-assessment, ISO 27001 becomes voluntary, and the M-SOC operating requirement becomes eligibility.
The items that did NOT change: the half-yearly cyber audit, half-yearly red teaming, quarterly threat hunting, CISO reporting line, IT Committee, and RTO/RPO all remain at the same standard as for MIIs. The KRA demotion was partial; significant obligations remain.
What this means in practice
KRAs should update their compliance programme to reflect the QRE tier. Specifically:
- VAPT is now annual (unless the KRA is designated CII/Protected System by NCIIPC).
- CCI is now a self-assessment — no third-party assessor required. Submit annually.
- ISO 27001 is voluntary — if the KRA already has certification, maintain it. If not, the mandate is gone.
- M-SOC — the KRA no longer operates M-SOC (that obligation stays with NSE/BSE). The KRA is eligible to onboard but not required.
QRTAs: still MII tier
Qualified RTAs — RTAs servicing ≥2 crore (20 million) folios — remain at MII tier. No amendment changed their classification. QRTAs carry the full MII compliance burden:
- VAPT: half-yearly (CII/Protected Systems)
- Cyber Audit: half-yearly
- Red Teaming: half-yearly
- Threat Hunting: quarterly
- CCI: half-yearly third-party assessment
- ISO 27001: mandatory
- M-SOC: operates (NSE/BSE)
- CISO: direct MD/CEO reporting line; grade ≥ CTO/CIO
- IT Committee: quarterly + external cyber expert
- RTO: 2 hours / RPO: 15 minutes
The ≥2 Cr folio threshold is the bright line. An RTA servicing 1.9 Cr folios is Mid-size; an RTA servicing 2.0 Cr folios is MII-tier.
Practical steps
For KRAs:
- Update your compliance documentation to reflect QRE tier — VAPT cadence, CCI self-assessment format, ISO 27001 voluntary status.
- If you maintained ISO 27001 under the old mandate, decide whether to continue (recommended but not required).
- The half-yearly cyber audit and red teaming obligations remain — these are your heaviest operational lifts.
For QRTAs:
- Reconfirm your folio count at the start of each financial year. If you drop below 2 Cr folios, you reclassify to Mid-size.
- The full MII burden applies. Prepare the half-yearly cadence calendar and board cycle alignment.
FAQ
Why were KRAs demoted?
SEBI did not publish a stated rationale. The likely driver: KRAs operate a centralised database rather than market plumbing (trading, clearing, settlement), and the operational risk profile is different from that of Exchanges or Clearing Corporations.
Can a KRA still be MII-tier if it has other registrations?
The multi-category rule (CSCRF §2 item 23) applies: the highest tier across all registrations governs. If a KRA is also registered as, say, a Depository, the Depository's MII classification would apply — overriding the KRA's QRE classification.
What happens if an RTA crosses 2 Cr folios mid-year?
Per CSCRF §2, classification is decided at the start of the financial year. If the RTA crosses 2 Cr folios mid-year, the MII classification activates at the start of the next financial year.
Content current as of 2026-05-06. Source: docs/SEBI-CSCRF-FACTCHECK-2026-05-06.md.
About the authors
Founder & Chief Technology Officer
Founded Security Brigade in 2006 with the thesis that security assessment quality should be structural, not dependent on individual testers. 16+ years building platforms, teams, and methodologies that make enterprise security consistent.
Offensive Security Research · Security Brigade
A rotating byline for collaborative analysis pieces from Security Brigade's offensive security and threat-research practice.