The Securities and Exchange Board of India's comprehensive algorithmic trading framework became fully mandatory for all stock brokers on April 1, 2026, marking the most significant regulatory overhaul of automated trading in India's capital markets. Every order generated by an algorithm must now carry a unique exchange-assigned Strategy ID, functioning as a digital fingerprint that enables regulators to trace market anomalies to specific trading code.
Background
SEBI issued the foundational circular for the retail algorithmic trading framework on February 4, 2025, establishing a phased "glide path" toward full compliance. Brokers began registering retail algo products with exchanges from October 2025. From January 5, 2026, non-compliant brokers were barred from onboarding new retail API clients. The April 1, 2026, deadline extends enforcement to all existing users and algo participants.
The regulation responds to the rapid growth of algorithmic trading in Indian markets, which according to exchange data accounts for approximately 50-60% of total trading volumes on NSE and BSE. The absence of a comprehensive regulatory framework had created systemic risks, including flash crash potential and market manipulation vulnerabilities.
Key Provisions
The framework establishes the following mandatory requirements:
Unique Strategy Identification: Every algorithmic order must carry an exchange-provided Algo-ID, enabling end-to-end audit trails from order generation to execution.
Principal-Agent structure: Brokers are designated as "Principals" responsible for every algo on their platform. Algo Providers (third-party developers and SaaS firms) act as "Agents" and must partner with a registered broker — direct exchange connections are prohibited.
Static IP mandate: All API-connected users, regardless of trading volume, must operate from registered static IP addresses.
Authentication standards: OAuth-based authentication is now the only permitted login method for API sessions. Two-factor authentication is mandatory for every session.
Black Box vs White Box classification: Algorithms where the underlying logic is hidden from the user ("Black Box" strategies) require mandatory SEBI Research Analyst registration by the provider.
Threshold for registration: Strategies generating more than 10 orders per second per exchange require formal registration through the broker. Below this threshold, registration is not required, but all other compliance obligations apply.
Cybersecurity requirements: Mandatory Vulnerability Assessment and Penetration Testing (VAPT) before going live, with ongoing compliance monitoring.
Implications for Practitioners
The framework fundamentally restructures the relationship between brokers, algo providers, and retail traders. Capital market lawyers advising fintech companies and algo providers must ensure their clients have compliant Principal-Agent arrangements with registered brokers before April 1.
For brokers, the compliance cost is substantial. The static IP mandate, OAuth migration, and VAPT requirements represent significant technology infrastructure investments. Smaller brokers without dedicated technology teams face particular challenges in meeting these requirements.
The Black Box classification and Research Analyst registration requirement effectively creates a new licensing gate for the rapidly growing algo advisory industry. Providers offering strategy-as-a-service products must either obtain RA registration or restructure their offerings as transparent White Box strategies.
Practitioners should also note the extraterritorial implications: offshore algo providers serving Indian clients through Indian broker platforms must comply with the entire framework, creating new compliance obligations for cross-border fintech arrangements.
Frequently Asked Questions
Can algo providers connect directly to Indian stock exchanges without partnering with a broker?
No. Under SEBI's framework, Algo Providers are classified as "Agents" and must partner with a SEBI-registered stock broker (the "Principal") to route orders to exchanges. Direct exchange connections by non-broker entities are prohibited. The broker bears ultimate responsibility for all algorithmic activity on its platform.
What cybersecurity certifications are required under the new framework?
Brokers running retail algorithmic trading platforms must complete mandatory Vulnerability Assessment and Penetration Testing (VAPT) before going live and maintain ongoing cybersecurity compliance. The VAPT must be conducted by a CERT-In empanelled auditor, and brokers without these certifications cannot onboard new API clients.