SEBI CSCRF compliance calendar 2026-27
Every CSCRF obligation across all 5 tiers, at a glance. VAPT / Cyber Audit / Red Teaming / Threat Hunting / Cyber Drills / CCI / ISO 27001 / M-SOC / IT Committee / HSM / Incident Reporting / RTO-RPO. Use it to plan your annual compliance calendar and avoid last-cycle surprises.
How to use this calendar
Map your tier. Plan your year. Avoid last-cycle surprises.
- Identify your tier — if you're unsure, use the SEBI Compliance Wizard for a 5-minute classification.
- Locate your tier column in the table below. Each row shows the cadence that applies to your entity type.
- Plot the events on your actual calendar — this reference tells you "what" and "how often." Your internal audit calendar, board cycle, and vendor procurement lead times determine "when."
- Build vendor lead time into the schedule. CERT-In empanelled auditors, CCI assessors, and red-team providers book 6-12 weeks out. The calendar below shows obligation frequency — not the date you should start procurement.
- Print it. This page is formatted for A4 print or Save-as-PDF via your browser. Pin it to your compliance wall.
SEBI CSCRF Compliance Calendar — FY 2026-27
SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 (20 Aug 2024) · Read with amendments dated 30-Apr-2025 + 28-Aug-2025 · Last reviewed: 2026-05-06
| Requirement | MII | Qualified RE | Mid-size RE | Small-size RE | Self-cert RE |
|---|---|---|---|---|---|
| VAPT | Twice a year (CII / Protected Systems) | Once a year | Once a year | Once a year | Once a year |
| VAPT: Vulnerability Assessment & Penetration Testing — CERT-In empanelled auditor mandatory. (Source: CSCRF §4 Annexure-A, Table C) | | | | | |
| Cyber Audit | Twice a year | Twice a year | Once a year (IBT/Algo REs) / Once a year (rest) | Once a year (IBT/Algo REs) / Once a year (rest) | Once a year |
| Cyber Audit: Independent cyber audit — separate from VAPT. Covers control effectiveness, ISMS, and compliance posture. (Source: CSCRF §4 Annexure-A, Table D) | | | | | |
| Red Teaming | Half-yearly | Half-yearly | — | — | — |
| Red Teaming: Adversary-simulation testing — scope covers people, process, and technology. Real-world TTPs against live infrastructure. (Source: CSCRF §4, item 8) | | | | | |
| Threat Hunting | Quarterly | Quarterly | — | — | — |
| Threat Hunting: Proactive, hypothesis-driven hunt for undetected threats across the environment. Led by SOC with SIEM + EDR telemetry. (Source: CSCRF §4, item 9) | | | | | |
| Cyber Drill | Half-yearly | Half-yearly | Annually | Annually | Annually |
| Cyber Drill: Scenario-based drill testing IR playbooks, escalation chains, and recovery procedures. Must include at least one tabletop and one technical drill. (Source: CSCRF §4, item 12) | | | | | |
| CCI Assessment | Half-yearly (third-party assessment) | Annually (self-assessment) | — | — | — |
| CCI Assessment: Cyber Capability Index — measures maturity across people, process, technology, and governance domains. (Source: Apr 2025 clarifications, Annexure Item N) | | | | | |
| ISO 27001 | Mandatory — maintain certification | Recommended / encouraged (non-mandatory since Aug 2025) | — | — | — |
| ISO 27001: Information Security Management System certification. Aug 2025 technical clarifications made this voluntary for QREs. (Source: CSCRF §4 + Aug 2025 technical clarifications) | | | | | |
| IT Committee Meeting | Quarterly + 1 external cyber expert (mandatory) | Quarterly + 1 external cyber expert (mandatory) | Quarterly + 1 external cyber expert (mandatory) | Optional — otherwise MD/CEO/Board approves compliance | Optional |
| IT Committee Meeting: Quarterly meeting of the IT/Cyber Committee with documented minutes. RE must have at least one external cyber expert on the committee. (Source: CSCRF §2, item 31 + CSCRF §4, item 1) | | | | | |
| M-SOC Onboarding | Operates M-SOC (NSE/BSE; NSDL/CDSL optional) | Eligible / encouraged — MIIs run member workshops | Eligible / encouraged | Mandatory (unless own SOC — then leverage existing + file efficacy report) | Mandatory (same own-SOC exception) |
| M-SOC Onboarding: Market SOC — NSE and BSE operate ecosystem-level monitoring. REs feed security telemetry; M-SOC provides centralised threat detection. (Source: CSCRF §4, item 6 + Apr 2025 clarifications) | | | | | |
| HSM Deployment | Mandatory | Mandatory | Risk-assessed alternative permitted | Risk-assessed alternative permitted | Risk-assessed alternative permitted |
| HSM Deployment: Hardware Security Modules for cryptographic key management in cloud and on-premise environments. (Source: SEBI Cloud Framework + Apr 2025 clarifications) | | | | | |
| Incident Reporting | 6 hours to SEBI Incident Reporting portal + [email protected] AND CERT-In | 6 hours (same) | 6 hours (same) | 6 hours (same) | 6 hours (same) |
| Incident Reporting: Mandatory reporting of cybersecurity incidents to SEBI portal + CERT-In within statutory timelines. (Source: CSCRF §4, item 13 + CERT-In Directions 2022) | | | | | |
| RTO / RPO Compliance | RTO 2 hr / RPO 15 min (per IOSCO + SEBI BCP/DR Mar 2021) | RTO 2 hr / RPO 15 min (same) | Per approved CCMP | Per approved CCMP | Per approved CCMP |
| RTO / RPO Compliance: Recovery Time Objective and Recovery Point Objective — business continuity and disaster recovery metrics. (Source: CSCRF §4, item 16 + Mar 2021 BCP/DR circular) | | | | | |
Critical deadlines + compliance notes
- FY 2025-26 compliance deadlines: all REs (except MIIs/KRAs/QRTAs) had a final compliance deadline of 31-Aug-2025 (per the Jun 2025 extension).
- FY 2026-27: annual compliance cycle runs Apr 2026–Mar 2027. VAPT and Cyber Audit reports are typically due by 30-Sep of the following FY.
- CERT-In incident reporting is continuous — 6-hour clock starts at detection, not at shift change. Incident response readiness is not a calendar event.
- Data Localisation (PR.DS.S2) remains IN ABEYANCE since Dec 2024 — do NOT budget compliance effort or calendar time against it until SEBI notifies otherwise.
Exemptions + soft mandates (Apr 2025)
| Entity type | Exemption / soft mandate |
|---|---|
| Stock Broker (<1,000 clients AND <₹1,000 Cr volume) | Exempt from CSCRF entirely |
| DP (<100 clients) | Exempt from SOC / M-SOC |
| PM / AIF+VCF Manager (<100 clients, Self-cert) | Exempt from M-SOC |
| RTA (<100 clients) | Exempt from SOC / M-SOC |
| RTA (<10,000 folios) | Excluded from CSCRF entirely |
| Inactive Merchant Banker | Exempt from CSCRF entirely |
| FPI / FVCI / LPCC / QDP / REIT / InvIT / Vault Manager / Individual IA | Excluded from CSCRF entirely |
Still mapping your compliance calendar?
Two-week scoped engagement: we review your entity classification, map obligations against the CSCRF tier model, and produce a fiscal-year compliance calendar aligned to your board cycle. Fixed scope, pricing on request.