
SEBI CSCRF · Quick Reference · As of May 2026

SEBI CSCRF Per-Tier Requirement Cards

Five single-page reference sheets — one per tier. Pin your tier's card to your wall, share it with your IT Committee, or include it in your board pack. Every obligation, cadence, and exemption in one place.

Market Infrastructure Institutions (MIIs)

Stock Exchanges (BSE, NSE, MSEI), Depositories (NSDL, CDSL), Clearing Corporations (NSCCL, ICCL, MCXCCL), QRTAs (≥2 Cr folios).

Obligations

ISO 27001 certification — mandatory
CCI third-party assessment — half-yearly (CSCRF Annexure-K)
IT Committee with external cybersecurity expert — mandatory, quarterly meetings
Operates Market SOC (NSE/BSE) or runs own 24×7 SOC
HSM mandatory under cloud framework
Direct CISO reporting line to MD/CEO; grade ≥ CTO/CIO
RTO 2 hours / RPO 15 minutes (per IOSCO + Mar 2021 SEBI BCP)
SOC functional efficacy review — half-yearly
Third-party managed system review — half-yearly
Risk assessment (threat-based) — half-yearly

Cadences

VAPT: Half-yearly (CII); otherwise annual
Cyber Audit: Half-yearly
Red Team: Half-yearly
Threat Hunt: Quarterly
Drill: Half-yearly

Controls

ISO 27001: Mandatory
CCI: Half-yearly (third-party)
M-SOC: Operates M-SOC
HSM: Mandatory
CISO: Direct MD/CEO · ≥CTO/CIO
IT Committee: Mandatory · Quarterly + external expert
RTO / RPO: 2 hr / 15 min

Exemptions & notes

· RTO/RPO applies to critical systems as defined in CIR/2025/119 (systems in the same network segment are treated alike).

Qualified REs

KRAs (post Apr 2025), Institutional DPs (non-broker), Stock Brokers >10L clients OR >₹10L Cr volume, AMCs ≥₹1L Cr AUM, Custodians ≥₹10L Cr AUC.

Obligations

ISO 27001 — recommended (made voluntary by the Aug 2025 amendment)
CCI self-assessment — annually
IT Committee with external cybersecurity expert — mandatory, quarterly meetings
24×7 SOC (own / group / Market SOC / 3P-managed); half-yearly functional efficacy review
HSM mandatory under cloud framework
Direct CISO reporting line to MD/CEO; grade ≥ CTO/CIO
RTO 2 hours / RPO 15 minutes
Red Teaming — half-yearly · Threat Hunting — quarterly

Cadences

VAPT: Annual (half-yearly if CII)
Cyber Audit: Half-yearly
Red Team: Half-yearly
Threat Hunt: Quarterly
Drill: Half-yearly

Controls

ISO 27001: Recommended
CCI: Annual (self-assessment)
M-SOC: Eligible / encouraged
HSM: Mandatory
CISO: Direct MD/CEO · ≥CTO/CIO
IT Committee: Mandatory · Quarterly + external expert
RTO / RPO: 2 hr / 15 min

Exemptions & notes

· ISO 27001 voluntary per CIR/2025/119. VAPT report submitted to SEBI: summary only; detailed vulnerability findings only if SEBI asks for them.

Mid-size REs

Brokers 1-10L clients OR ₹1-10L Cr vol, AMCs ₹10k-1L Cr AUM, Custodians ₹1-10L Cr AUC, PMs ≥₹10k Cr AUM, AIF+VCF >₹10k Cr corpus, RTAs 1-2 Cr folios.

Obligations

IT Committee with external cybersecurity expert — mandatory, quarterly meetings
24×7 SOC (own / Market SOC / 3P-managed); annual functional efficacy review
HSM — risk-assessed alternative permitted (Board approval required)
Designated CISO or equivalent officer
Annual cyber resilience posture evaluation (EV.ST.S5)

Cadences

VAPT: Annual (commences Q1)
Cyber Audit: Annual (half-yearly if IBT/Algo)
Red Team: Not required
Threat Hunt: Not required
Drill: Annual

Controls

ISO 27001: Not listed
CCI: Not listed
M-SOC: Eligible / encouraged
HSM: Risk-assessed alternative (Board approval)
CISO: Designated officer
IT Committee: Mandatory · Quarterly + external expert
RTO / RPO: Per the RE's CCMP (Cyber Crisis Management Plan)

Exemptions & notes

· No red team or threat hunting requirement. IBT/Algo trading providers: cyber audit becomes half-yearly.

Small-size REs

Brokers >10k-1L clients OR >₹10k-1L Cr vol, Active Merchant Bankers, AMCs <₹10k Cr AUM, PMs ₹3k-10k Cr AUM, AIF+VCF ₹3k-10k Cr corpus, RTAs 10k-1Cr folios.

Obligations

Onboard to Market SOC (NSE/BSE) — MANDATORY, unless RE has own SOC and submits efficacy reports
Designated CISO or equivalent officer
IT Committee optional (otherwise MD/CEO/Board approves CSCRF compliance)
Annual cyber resilience posture evaluation

Cadences

VAPT: Annual
Cyber Audit: Annual (half-yearly if IBT/Algo)
Red Team: Not required
Threat Hunt: Not required
Drill: Annual

Controls

ISO 27001: Not listed
CCI: Not listed
M-SOC: Mandatory (own-SOC carve-out)
HSM: Risk-assessed alternative
CISO: Designated officer
IT Committee: Optional
RTO / RPO: Per the RE's CCMP (Cyber Crisis Management Plan)

Exemptions & notes

· Own-SOC carve-out: if the RE operates its own SOC and submits annual SOC efficacy reports, M-SOC onboarding is waived. May 2026 AI Advisory, item 6c: REs are asked to expedite M-SOC onboarding.

Self-certification REs

Brokers 1k-10k clients OR ₹1k-10k Cr vol, PMs ≤₹3k Cr AUM, AIF+VCF ≤₹3k Cr corpus, CIS, CRAs, Debenture Trustees with new clients in last 3 FYs.

Obligations

Onboard to Market SOC — MANDATORY, unless RE has own SOC
Designated CISO or equivalent officer
IT Committee optional
Self-certify compliance; MD/CEO/Board/Partners/Proprietor review and approve

Cadences

VAPT: Annual
Cyber Audit: Annual
Red Team: Not required
Threat Hunt: Not required
Drill: Annual

Controls

ISO 27001: Not listed
CCI: Not listed
M-SOC: Mandatory (own-SOC carve-out)
HSM: Risk-assessed alternative
CISO: Designated officer
IT Committee: Optional
RTO / RPO: Per the RE's CCMP (Cyber Crisis Management Plan)

Exemptions & notes

· M-SOC onboarding exemption for REs with fewer than 100 clients: DPs, PMs (self-certification tier), AIF+VCF (self-certification tier), RTAs.

· Stock Broker <1,000 clients AND <₹1,000 Cr volume → exempt from CSCRF entirely.

· Inactive Merchant Bankers → exempt entirely.

· Debenture Trustee with no new issuer in the last 3 FYs → excluded entirely.


Source & currency: SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20-Aug-2024, read with amendments through Aug 2025. Reviewed: 2026-05-06. Verify against the latest circulars; this is informational, not legal advice.