SEBI CSCRF · Brokers & DPs · As of May 2026
SEBI CSCRF for Stock Brokers & Depository Participants
The two-parameter rule, DP classification, per-tier obligations, and how Security Brigade delivers CSCRF compliance for brokers and DPs across every tier.
Stock Broker — Two-Parameter Classification
Per CIR/2025/60 §2.1. Whichever parameter (active clients or annual trading volume) places the broker in the higher tier determines the classification. QSBs per Feb 2023 circular are auto-classified as Qualified REs.
| Tier | Active Clients (per UCC) | OR Annual Trading Volume | Key Obligations |
|---|---|---|---|
| Qualified RE | >10,00,000 (10L) | >₹10,00,000 Cr | Half-yearly cyber audit + red team · Quarterly threat hunt · CCI self-assessment · Direct CISO · HSM mandatory · RTO 2hr/RPO 15min |
| Mid-size | 1,00,000 – 10,00,000 | ₹1,00,000 – 10,00,000 Cr | Annual VAPT + cyber audit · IT Committee mandatory (quarterly + external expert) · HSM risk-assessed · Annual drill |
| Small-size | 10,000 – 1,00,000 | ₹10,000 – 1,00,000 Cr | Annual VAPT + cyber audit · M-SOC mandatory (own-SOC carve-out) · IT Committee optional · Designated CISO |
| Self-cert | 1,000 – 10,000 | ₹1,000 – 10,000 Cr | Annual VAPT + cyber audit · M-SOC mandatory · Board/MD approval · Self-certify compliance |
| Excluded | <1,000 | <₹1,000 Cr | Both thresholds must be below 1,000 for exclusion. Exempt from CSCRF entirely. |
Depository Participants
DP — also a Stock Broker
Classified using the broker two-parameter rule. Client count and trading volume determine tier — no separate DP classification.
CSCRF reference
CIR/2025/60 §2.2 — DP also registered as Stock Broker follows broker classification.
DP — NOT a Stock Broker
Always classified as Qualified RE. Sub-100-client exemption from SOC/M-SOC applies. No broker parameters involved.
CSCRF reference
CIR/2025/60 §2.2 — DPs not registered as Stock Brokers are always Qualified REs.
Designated Depository Participant (DDP)
Categorisation = highest of DP and Custodian tiers. Defaults to QRE. Refine if the entity also operates as a broker or has a tier-driving custodian footprint.
Sub-100-client exemption
DPs with fewer than 100 clients are exempt from SOC services and Market SOC onboarding. Document client count for audit evidence.
CIR/2025/60 §2.2
How Security Brigade delivers CSCRF for brokers and DPs
CSCRF Gap Assessment
Map your current posture against your tier's obligations. Classify using the two-parameter rule. Identify gaps across all 5 NIST CSF pillars. Deliverable: gap report + prioritised remediation plan.
VAPT + Cyber Audit
CERT-In empanelled VAPT and cyber audit at your tier's cadence. B-52 AI-powered testing platform. Summary-only submission per Aug 2025. Trading-platform, mobile-app, and API coverage.
Red Teaming + Threat Hunting
Half-yearly red team (MII + QRE). Quarterly threat hunting. Multi-stage attack-chain simulation covering your order-management, risk-management, and settlement systems.
M-SOC Onboarding Advisory
4-week pre-onboarding sequence. Log-source inventory (12 categories). SIEM integration. SOAR playbook design. Mandatory for Small-size + Self-cert; expedited per AI Advisory item 6c.
ISO 27001 + CCI
ISO 27001 implementation advisory (mandatory for MII, recommended for QRE). CCI self-assessment support (MII + QRE). Annex-A control mapping and evidence compilation.
AI Advisory Readiness
All 10 Annexure-A directives mapped to your control set. AI-augmented VAPT. SBOM generation. IT Committee AI plan submission package. 90-day readiness roadmap.
Security Brigade InfoSec Pvt. Ltd. · CERT-In Empanelled since 2008 · 6,700+ engagements · Mumbai · London · New York · Singapore · www.securitybrigade.com
CSCRF current as of 2026-05-06. Verify obligations against latest SEBI circulars. This datasheet is a sales overview — not legal advice.