
The Principle of Exclusivity and Equivalence Under SEBI CSCRF: A Guide for Multi-Regulator Entities

SEBI's August 2025 clarifications introduced two principles for entities regulated by multiple bodies: Exclusivity (CSCRF covers only SEBI-regulated activities) and Equivalence (duplicate audits not required if the other regulator's framework matches). Here's how they work.

May 6, 2026

Many regulated entities in India are registered under more than one regulator. An NBFC-cum-stock-broker is regulated by both RBI and SEBI. A bank acting as a depository participant is regulated by RBI (banking), SEBI (DP), and potentially IRDAI if it distributes insurance. A fintech platform processing UPI payments and broking trades answers to NPCI, RBI, and SEBI simultaneously.

For these entities, the CSCRF master circular (August 2024) was silent on the overlap. The August 2025 technical clarifications (CIR/2025/119) fixed that — introducing two principles that every multi-regulator entity's compliance team should understand.

This piece explains both principles, how to apply them, and what evidence to produce for your IT committee and auditor.

The problem CIR/2025/119 solved

Before the August 2025 clarifications, a bank operating a DP business faced an uncomfortable question: does CSCRF apply to the bank's shared network infrastructure? If yes, the bank needed to run a SEBI-scoped VAPT on infrastructure already audited under RBI's Cybersecurity Framework. If no, there was no regulatory text to cite — leaving auditors and IT committees to interpret.

CIR/2025/119 §Part-A resolved this by codifying two principles. They are short — a few paragraphs each in the circular — but they materially restructure compliance for every multi-regulator RE.

Principle of Exclusivity

"The CSCRF covers only the SEBI-regulated activities of the RE. Shared infrastructure that is already covered by another regulator's cybersecurity framework shall be audited under that regulator's framework — not duplicated under CSCRF."

In plain terms: if a system, network, or application is already subject to cybersecurity obligations under, say, RBI's Master Direction on Information Technology (2016/2024), you do not need to run a second CSCRF audit on it. The primary regulator's framework governs that infrastructure. CSCRF governs the SEBI-regulated portion.

Example. A bank's core banking system processes broking transactions alongside banking transactions. The core banking system is subject to RBI's cybersecurity audit. Under Exclusivity, it is not subject to a second CSCRF VAPT — even though it touches SEBI-regulated broker-dealer activity. The broking-specific application layer (the trading platform, the order-management system) is the CSCRF scope boundary.

What to document: For each shared system, note the primary regulatory framework, the audit cadence, and the date of the last audit. This mapping — system → primary regulator → last audit date → evidence — is what your CSCRF auditor will ask for.

Principle of Equivalence

"If a CSCRF control has a substantively equivalent counterpart in another regulatory framework that the RE is already complying with, the RE may submit a mapping demonstrating equivalence. No duplicate audit is required."

This principle is about control-level mapping, not system-level boundaries. If RBI's framework requires an annual VAPT conducted by a CERT-In empanelled auditor — which is substantively identical to CSCRF's VAPT requirement — the RE can submit the RBI VAPT report as satisfying the CSCRF VAPT obligation. No second VAPT needed.

What qualifies as substantively equivalent. SEBI has not published an equivalence checklist, but the following factors matter:

  • The other framework's control objective matches CSCRF's control objective.
  • The auditor is CERT-In empanelled (or the other regulator requires an equivalent empanelment).
  • The cadence matches or exceeds CSCRF's minimum cadence (e.g., half-yearly VAPT under RBI satisfies annual CSCRF VAPT).
  • The report covers the SEBI-regulated system scope.

What to produce: An equivalence-mapping document — a table with columns: CSCRF control ID, CSCRF requirement, other regulator's control ID, other regulator's requirement, evidence of equivalence, and last audit date. Have your IT committee ratify it.

Multi-category rule still applies

CSCRF §2 item 23 (reaffirmed in CIR/2025/60 §4) says: when an RE is registered under more than one SEBI category, the highest tier applies.

This is a separate rule from Exclusivity/Equivalence. The multi-category rule determines which SEBI tier you fall into; Exclusivity/Equivalence determines which regulator's audit applies to which system. Both apply simultaneously.

Example: an entity registered as both a Stock Broker (Mid-size) and a DP (always QRE) is classified as QRE. Its broking-specific systems are audited under SEBI's CSCRF, while shared infrastructure already covered by another regulator's framework follows Exclusivity.

Banker to an Issue / SCSB: a special case

BTIs and SCSBs registered with SEBI have a specific carve-out in the master circular: they submit an RBI cybersecurity compliance certificate to SEBI in lieu of a separate CSCRF compliance submission. This pre-dates the Aug 2025 Principles and is effectively an earlier, narrower form of Exclusivity.

If you are a BTI/SCSB that is also listed, you must additionally intimate the Stock Exchanges of your RBI compliance status.

Practical steps for multi-regulator entities

  1. Inventory your regulatory relationships. List every registration: SEBI categories, RBI licences, IRDAI registrations, NPCI memberships. Identify overlaps.

  2. Map systems to regulators. For each system (network, application, database), determine which regulator's framework is the primary audit authority.

  3. Build the equivalence map. For each CSCRF control, check your other regulator's framework for a counterpart. If one exists, document it. If the counterpart is weaker (e.g., annual VAPT vs half-yearly), you may still need a CSCRF-scoped audit to bridge the gap.

  4. Have the IT committee ratify. The equivalence mapping is not an operational document — it is audit evidence. Your IT committee should formally review and approve it.

  5. Submit with your CSCRF compliance report. Attach the ratified equivalence mapping. Reference the Exclusivity principle for shared systems. Your auditor will cross-check.

How Security Brigade helps

We have been CERT-In empanelled since 2008 and help multi-regulator entities build their Exclusivity and Equivalence documentation — system-to-regulator maps, control-equivalence matrices, and IT-committee-ready submissions. Use our SEBI Compliance Wizard to determine your CSCRF tier (the multi-category rule is built in), then talk to us about scoping the shared-infrastructure boundary.

FAQ

Can I use my RBI VAPT report for my SEBI CSCRF submission?

If the VAPT covers the SEBI-regulated system scope, was conducted by a CERT-In empanelled auditor, and the cadence meets or exceeds CSCRF's minimum — yes, under the Principle of Equivalence. Document the equivalence mapping and have your IT committee approve it.

What if the other regulator's framework is weaker than CSCRF?

Equivalence requires substantively equivalent controls. If your other regulator's framework has a lower cadence or narrower scope, you need a CSCRF-scoped audit to bridge the gap — at minimum, covering the delta between the two frameworks.

Does Exclusivity mean my shared datacenter doesn't need a CSCRF audit?

If the datacenter is already covered by another regulator's cybersecurity framework and does not exclusively serve SEBI-regulated activity, yes — under Exclusivity, the primary regulator's audit applies. However, if the datacenter hosts critical SEBI systems (e.g., the trading platform), those systems must still be included in CSCRF's scope.

What if no equivalence mapping exists between my regulators' frameworks?

Build one. The Aug 2025 clarification explicitly expects REs to prepare and submit equivalence documentation. Your auditor and IT committee need it. A CSCRF compliance advisory engagement can produce this mapping in 1–2 weeks.

Content current as of 2026-05-06. Source: docs/SEBI-CSCRF-FACTCHECK-2026-05-06.md. Verify any specific obligation against the latest SEBI circular before action — this analysis is informational and not legal advice.

About the authors

Founder & Chief Technology Officer

Founded Security Brigade in 2006 with the thesis that security assessment quality should be structural, not dependent on individual testers. 16+ years building platforms, teams, and methodologies that make enterprise security consistent.


Offensive Security Research · Security Brigade

A rotating byline for collaborative analysis pieces from Security Brigade's offensive security and threat-research practice.