Report an IncidentTalk to Sales

SEBI CSCRF Explained: A Complete Compliance Guide for Regulated Entities

Author: Kartik Raval
Reviewed By: Nilesh Yadav
Updated on: July 6, 2026
Reading Time: 15 Min
Published: 
July 6, 2026

Cybersecurity expectations in India’s securities market are evolving rapidly, with SEBI’s CSCRF introducing a unified resilience-driven compliance structure. Understanding how this framework operates, who it applies to, and what it requires is essential for regulated entities. This article breaks down the complete CSCRF framework, tiers, controls, and compliance approach. 

Key Takeaways

  • SEBI CSCRF replaces multiple legacy cybersecurity circulars with a unified cyber resilience framework: It establishes a common set of governance, security, resilience, and reporting requirements across India's securities market.
  • Compliance requirements vary across SEBI-regulated entities based on classification and tier: Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs are subject to different levels of cybersecurity and resilience obligations.
  • The framework is built on NIST CSF 2.0 and follows six cybersecurity functions: Govern, Identify, Protect, Detect, Respond, and Recover, which provide the foundation for managing cyber risk and maintaining operational resilience.
  • Cybersecurity controls, testing requirements, and reporting obligations increase by tier: Depending on classification, entities may need to implement controls such as SOC/M-SOC monitoring, cyber audits, VAPT, threat hunting, red teaming, incident reporting, and Cyber Capability Index (CCI) assessments.
  • CSCRF compliance requires continuous governance and validation: Organisations must determine their classification, address control gaps, implement applicable requirements, and regularly verify compliance through audits, assessments, drills, and resilience testing.

What Is the SEBI CSCRF and Why Does It Matter?

The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) is a regulatory framework that establishes a common cybersecurity baseline for entities operating in India's securities market. Introduced in response to evolving cyber threats and increasing digital dependence, it brings governance, risk management, incident response, recovery, and third-party security requirements under a single framework to strengthen market-wide cyber resilience.

The Shift From the 2015/2018 Guidelines to a Unified Framework

For years, cybersecurity compliance in the securities ecosystem was governed through multiple SEBI circulars issued at different points in time. While these requirements improved security controls, they also created a fragmented compliance landscape. CSCRF was introduced to replace this approach with a single, structured framework that applies consistent resilience principles across regulated entities.

The framework introduces several structural changes that distinguish it from the earlier regulatory approach:

  • Consolidated Requirements: Brings together cybersecurity obligations that were previously distributed across multiple SEBI circulars and directives.
  • Unified Compliance Structure: Establishes a common framework instead of maintaining separate cybersecurity rule sets for different categories of regulated entities.
  • Risk-Based Implementation: Applies compliance requirements based on the size, function, and criticality of the regulated entity.
  • Integrated Resilience Model: Combines governance, security operations, cyber resilience, incident response, and recovery requirements within a single framework.
  • Standardised Oversight: Defines consistent expectations for audits, assessments, reporting, and regulatory supervision.
  • Reduced Regulatory Complexity: Eliminates overlaps, inconsistencies, and legacy requirements that existed across earlier cybersecurity directives.

Core Objective: Cyber Resilience Built on NIST CSF 2.0

SEBI designed CSCRF around the NIST Cybersecurity Framework (CSF) 2.0 to create a structured and internationally recognised approach to cyber resilience. Rather than focusing solely on preventing attacks, the framework requires regulated entities to identify risks, protect critical systems, detect threats, respond effectively, and recover from incidents with minimal disruption to market operations. 

The framework applies the NIST CSF 2.0 lifecycle through the following functions:

  • Govern: Establishes cybersecurity governance, accountability, policies, and board-level oversight.
  • Identify: Requires organisations to identify critical assets, business processes, dependencies, and cyber risks.
  • Protect: Implements safeguards such as access controls, security awareness, data protection, and technology controls.
  • Detect: Enables continuous monitoring and timely identification of cybersecurity events and anomalies.
  • Respond: Defines incident response processes for containment, investigation, communication, and remediation.
  • Recover: Focuses on restoring operations, maintaining business continuity, and strengthening resilience after an incident.

Who Must Comply With SEBI CSCRF?

SEBI CSCRF applies to regulated entities that have been classified under the framework's applicability model. Compliance requirements are not uniform across all entities. Instead, obligations are assigned based on the entity's classification, operational role, and significance within the securities market ecosystem.

Regulated Entities Covered

The framework applies to regulated entities that fall within the categories defined by SEBI under CSCRF. These entities are grouped according to their size, criticality, and market impact, with compliance obligations tailored to each classification.

  • Market Infrastructure Institutions: Entities that perform critical market functions, such as stock exchanges, clearing corporations, and depositories.
  • Qualified Regulated Entities (Qualified REs): Entities designated by SEBI as having higher cybersecurity and resilience obligations based on prescribed criteria.
  • Mid-size Regulated Entities (Mid-size REs): Entities subject to a defined set of cybersecurity controls and resilience requirements under the framework.
  • Self-Certification Regulated Entities (Self-Certification REs): Entities required to comply with applicable CSCRF requirements through self-certification mechanisms prescribed by SEBI.

Entities That Are Exempt or Conditionally Covered

CSCRF follows a risk-based approach rather than a one-size-fits-all compliance model. As a result, applicability and implementation requirements vary across entity classifications.

  • Classification-Based Applicability: Not all CSCRF requirements apply to every regulated entity.
  • Tiered Compliance Obligations: Control requirements, assessments, and reporting expectations differ by entity category.
  • Proportional Implementation: Compliance obligations increase with the entity's operational complexity and market significance.
  • Conditional Requirements: Certain controls or assessments apply only where specifically mandated for a particular classification.
  • SEBI-Defined Scope: Applicability, exemptions, and implementation requirements are determined by SEBI's CSCRF classification and associated regulatory provisions.

What Are the Five Tiers Under SEBI CSCRF?

SEBI classifies regulated entities into five tiers under CSCRF to ensure cybersecurity and cyber resilience requirements are applied according to the entity's regulatory classification. Each tier represents a different level of oversight, with compliance expectations increasing as an entity's role and significance within the securities market increase.

After determining that an entity falls within the scope of CSCRF, SEBI places it into one of the following categories:

Tier Description Regulatory Intensity
MII Critical market infrastructure entities, including stock exchanges, clearing corporations, and depositories Highest
Qualified RE Regulated entities classified under SEBI's highest non-MII category Very High
Mid-size RE Regulated entities assigned to the intermediate compliance category Moderate
Small-size RE Regulated entities subject to baseline CSCRF requirements Basic
Self-certification RE Regulated entities permitted to demonstrate compliance through self-certification Lowest

How Do You Determine Which CSCRF Tier Applies to You?

SEBI determines a regulated entity's CSCRF tier by comparing prescribed business, operational, or asset-based metrics against classification thresholds defined for that specific entity type. The applicable criteria vary across regulated entities and may include factors such as active clients, trading volume, assets under management (AUM), assets under custody (AUC), or corpus size.

The classification methodology differs across regulated entities, with stock brokers and asset-based entities assessed using different parameters.

The Two-Parameter Rule for Stock Brokers (Clients vs. Trading Volume)

For stock brokers, classification is determined using both the number of active clients and annual trading volume. Rather than relying on a single metric, SEBI evaluates both factors to ensure the assigned category reflects the broker's actual market footprint.

The classification process follows these principles:

  • Active Client Thresholds: Brokers are assessed based on the number of active clients serviced during the prescribed period.
  • Trading Volume Thresholds: Annual trading turnover is separately evaluated against SEBI's classification criteria.
  • Independent Assessment: Client count and trading volume are assessed independently.
  • Higher Category Prevails: If the two parameters place a broker in different categories, the higher category becomes the final CSCRF classification.
  • Annual Applicability: Once determined, the classification generally remains applicable for the relevant financial year.

AUM, AUC, and Corpus Thresholds for AMCs, Custodians, AIFs, and PMs

For asset-based entities, SEBI uses financial and custody metrics instead of client or trading activity thresholds. The applicable metric depends on the nature of the regulated activity being performed.

The framework uses the following measures:

  • Asset Management Companies: Categorised using Assets Under Management.
  • Portfolio Managers (PMs): Categorised using Assets Under Management maintained under portfolio management services.
  • Custodians: Categorised using Assets Under Custody, reflecting the value of assets held on behalf of clients.
  • Alternative Investment Funds (AIFs): Categorised using corpus-based thresholds prescribed under CSCRF.
  • Threshold-Based Assignment: The applicable CSCRF tier is determined by comparing these values against the category thresholds specified by SEBI for each entity type.

How Is the CSCRF Framework Structured?

CSCRF is structured as a layered framework that combines cyber resilience outcomes, cybersecurity functions, implementation requirements, and assessment mechanisms. Rather than prescribing isolated security controls, it provides a complete operating model that helps regulated entities manage cyber risk throughout the incident lifecycle, from governance and prevention to recovery and continuous improvement.

The 5 Cyber Resilience Goals and 6 Cybersecurity Functions

At the highest level, CSCRF is built around five resilience goals that define what a regulated entity should be able to achieve before, during, and after a cyber incident. These goals are supported by six cybersecurity functions adopted from NIST CSF 2.0, which provide the operational structure for achieving those outcomes.

Cyber Resilience Goals

  • Anticipate cyber threats and vulnerabilities before they cause disruption.
  • Withstand attacks while maintaining critical business operations.
  • Contain incidents to limit their operational and business impact.
  • Recover systems and services within acceptable recovery objectives.
  • Evolve cybersecurity capabilities through continuous improvement.

Cybersecurity Functions

  • Govern
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The Four Parts of the CSCRF Document

To translate these principles into actionable requirements, SEBI organised CSCRF into four interconnected sections. Each section serves a distinct purpose, moving from strategic objectives to implementation and assessment.

Part Purpose
Part I Defines the cyber resilience goals, cybersecurity functions, and overall framework structure.
Part II Specifies the cybersecurity and cyber resilience requirements regulated entities must implement.
Part III Maps requirements to different categories of regulated entities through an applicability matrix.
Part IV Introduces the Cyber Capability Index used to measure and assess cybersecurity maturity.

What Does Each Tier Actually Have to Do?

Each CSCRF tier comes with a different set of cybersecurity, governance, testing, and resilience requirements. In general, entities in higher tiers are expected to implement more advanced controls, undergo more rigorous assessments, and demonstrate greater cyber resilience than entities in lower tiers. 

The following matrix provides a high-level view of how key CSCRF requirements are applied across the five tiers.

Requirement MII Qualified RE Mid-size RE Small-size RE Self-certification RE
Vulnerability Assessment & Penetration Testing (VAPT) ✓ ✓ ✓ ✓ Limited / Applicable Controls
Cyber Audit ✓ ✓ ✓ ✓ Self-Certification Based
Red Teaming ✓ ✓ — — —
Threat Hunting ✓ ✓ Limited — —
Cyber Drills / Exercises ✓ ✓ ✓ Limited —
Cyber Capability Index ✓ ✓ ✓ Applicable Simplified Assessment
ISO 27001 Certification ✓ Tier-Specific Tier-Specific — —
IT / Information Security Committee ✓ ✓ Applicable — —
Managed Security Operations Centre (M-SOC) ✓ ✓ Shared / Applicable Model — —
Recovery Time Objective (RTO) & Recovery Point Objective (RPO) ✓ ✓ ✓ Applicable Basic Recovery Requirements

What Are the Mandatory Technical Controls and Reporting Requirements?

CSCRF requires regulated entities to implement technical controls that strengthen cyber resilience and establish reporting processes that support regulatory oversight. These requirements address security monitoring, access management, data protection, software supply chain visibility, and incident reporting.

Key Controls: SOC/M-SOC, HSM, SBOM, IAM, DLP, and Encryption

Cyber resilience under CSCRF depends on a combination of monitoring, access control, data protection, and software governance measures. Security Operations Centres (SOC/M-SOC) provide continuous visibility into security events, while Identity and Access Management (IAM) helps ensure that only authorised users can access critical systems and data.

Additional safeguards focus on protecting sensitive information and reducing technology risks. Hardware Security Modules (HSMs) secure cryptographic keys, encryption protects data at rest and in transit, and Data Loss Prevention (DLP) controls help prevent unauthorised data exposure. Software Bills of Materials (SBOMs) improve visibility into software components and dependencies, supporting vulnerability and supply chain risk management.

Reporting and Submission: Audit Formats and Incident Timelines (SEBI, CERT-In, NCIIPC)

Regulated entities are expected to maintain documented evidence of cybersecurity activities through audits, assessments, remediation records, and compliance submissions. These records allow regulators to verify that security controls are operating as intended and that identified gaps are being addressed.

Incident reporting is equally important. Depending on the nature and severity of an event, notifications may need to be submitted to SEBI and, where applicable, to CERT-In or NCIIPC within prescribed timelines. Timely reporting supports coordinated response efforts and helps minimise the impact of cyber incidents across the securities ecosystem.

Many of the cybersecurity activities associated with CSCRF require ongoing testing, monitoring, and operational maturity rather than one-time implementation. While the framework defines the resilience outcomes expected from regulated entities, organisations often rely on specialised security partners to help assess, validate, and strengthen their cybersecurity capabilities over time. Eventus Security provides services such as VAPT, red teaming, threat hunting, MDR, SOC, and incident response support that can help organisations enhance their overall security posture and operational resilience. 

What Are the CSCRF Deadlines and Consequences of Non-Compliance?

SEBI introduced CSCRF through a phased implementation approach, allowing regulated entities time to transition from legacy cybersecurity circulars to a unified cyber resilience framework. Since its release, the regulator has issued multiple clarifications and deadline extensions to support adoption across different categories of regulated entities.

Compliance Timeline and Key Regulatory Updates

The rollout of CSCRF has progressed through several regulatory updates:

  • 20 August 2024: SEBI issued the Cybersecurity and Cyber Resilience Framework, replacing multiple legacy cybersecurity circulars with a unified framework.
  • 31 December 2024: SEBI released implementation clarifications and provided regulatory forbearance for certain requirements.
  • 28 March 2025: Compliance timelines were extended from 31 March 2025 to 30 June 2025 for most regulated entities, excluding Market Infrastructure Institutions, KYC Registration Agencies (KRAs), and Qualified Registrars to Issue and Share Transfer Agents (QRTAs).
  • 30 April 2025: Additional clarifications were issued to address implementation and applicability questions.
  • 30 June 2025: SEBI further extended the compliance deadline from 30 June 2025 to 31 August 2025 for most regulated entities.
  • 31 August 2025: Revised implementation deadline applicable to the majority of regulated entities covered by the extension circular.

Consequences of Non-Compliance

CSCRF does not prescribe a separate penalty schedule. However, failure to comply with applicable requirements may result in regulatory action under SEBI's existing supervisory and enforcement powers.

Potential consequences include:

  • Regulatory observations identified during inspections, audits, or supervisory reviews.
  • Corrective action directives require identified deficiencies to be remediated within specified timelines.
  • Enhanced regulatory scrutiny for entities with recurring or unresolved compliance gaps.
  • Additional inspections or reviews to verify remediation efforts and ongoing compliance.
  • Enforcement proceedings where material non-compliance remains unresolved.
  • Monetary penalties or other regulatory measures under the applicable provisions of the SEBI Act, 1992, and related securities regulations, depending on the nature and severity of the violation.

How Should You Approach CSCRF Compliance? 

CSCRF compliance should be approached by first identifying your regulatory classification, mapping applicable requirements, addressing control gaps, operationalising recurring compliance activities, and validating implementation through mandatory assessments and resilience testing.

Step 1: Determine Your CSCRF Classification

Identify whether your organisation falls under the MII, Qualified RE, Mid-size RE, Small-size RE, or Self-certification RE category. This classification determines which controls, assessments, reporting obligations, and resilience requirements apply to your organisation.

Step 2: Perform a CSCRF Gap Assessment

Assess your existing governance structure, cybersecurity controls, monitoring capabilities, incident response processes, third-party risk practices, and recovery measures against the requirements applicable to your assigned category. The goal is to identify gaps that must be remediated before compliance can be achieved.

Step 3: Build a Compliance Calendar

Create a structured schedule for recurring obligations such as cyber audits, VAPT exercises, cyber drills, reporting activities, training programmes, and periodic reviews. This ensures compliance activities are completed consistently rather than being addressed only before assessments.

Step 4: Implement Required Controls

Deploy and strengthen the controls required for your classification, including areas such as SOC/M-SOC monitoring, IAM, encryption, DLP, SBOM management, third-party risk management, incident response, and recovery planning, where applicable.

Step 5: Validate Through Audits and Testing

Verify that implemented controls are operating effectively through cyber audits, VAPT, threat-hunting exercises, red teaming, cyber drills, Cyber Capability Index assessments, and other assurance activities applicable to your category. Any findings should be documented, remediated, and tracked to closure.

Strengthening CSCRF Cyber Resilience with Eventus Security

CSCRF compliance requires regulated entities to continuously validate their security posture through testing, monitoring, and response readiness. Eventus Security supports organisations in strengthening cyber resilience by evaluating controls, identifying gaps, and improving detection and response capabilities aligned with real-world threats.

How Eventus Security Supports CSCRF Cyber Resilience:

  • Vulnerability Assessment & Penetration Testing: Identifies security weaknesses across applications, networks, cloud, and infrastructure to help organisations remediate vulnerabilities and meet CSCRF security expectations.
  • Red Team Exercises: Simulate real-world attack paths to test detection, response, and containment effectiveness across technical controls and operational processes.
  • Managed Detection & Response (MDR) / SOC Support: Provides continuous monitoring and incident response capabilities to improve threat visibility and strengthen security operations maturity.
  • Incident Response & Security Validation: Supports organisations in responding to security incidents and validating whether implemented controls are effective against evolving threats.

Contact Eventus Security now to discuss your CSCRF cybersecurity testing and resilience requirements!

FAQs

1. Does SEBI CSCRF replace the earlier cybersecurity circulars?

Yes. CSCRF consolidates and supersedes multiple cybersecurity and cyber resilience circulars that SEBI had issued for different categories of regulated entities over the years. It introduces a unified, risk-based framework with standardised requirements while replacing the fragmented compliance approach followed under the earlier circulars.

2. Is the Cyber Capability Index mandatory for every regulated entity?

No. The Cyber Capability Index is not mandatory for every regulated entity. Its applicability depends on the entity's CSCRF classification. For example, Market Infrastructure Institutions are required to undergo third-party CCI assessments, while Qualified Regulated Entities perform annual self-assessments. Lower-tier entities are subject to different compliance expectations.

3. Can cybersecurity functions be outsourced under CSCRF?

Yes. CSCRF permits the outsourcing of certain cybersecurity functions, such as Security Operations Centre (SOC) services or Managed SOC operations. However, accountability for cybersecurity governance and regulatory compliance remains with the regulated entity, even when services are provided by third-party vendors.

4. How often should CSCRF requirements be reviewed or updated?

CSCRF compliance is an ongoing process rather than a one-time exercise. Regulated entities are expected to periodically review cybersecurity controls, risk assessments, asset inventories, incident response capabilities, audit findings, and resilience measures to ensure they remain aligned with evolving threats and updated regulatory expectations.

Kartik Raval
Kartik is a seasoned cybersecurity professional with over 13 years of experience, currently leading SOC Engineering as Practice Head. He brings deep expertise in SOC engineering and operations, as well as SIEM, SOAR, EDR, and XDR technologies, with a strong track record of delivering scalable and effective cybersecurity solutions. He also contributes to driving organizational innovation, streamlining processes, and enhancing overall cybersecurity posture.

Report an Incident

Report an Incident - Blog

free consultation

Our team of expert is available 24x7 to help any organization experiencing an active breach.

More Topics

crossmenuchevron-down
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram