The Securities and Exchange Board of India, through Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/45 dated 28 March 2025, extended the compliance deadline for the Cybersecurity and Cyber Resilience Framework (CSCRF) by three months to 30 June 2025 for most SEBI-regulated entities. Market Infrastructure Institutions, KYC Registration Agencies, and Qualified Registrars to Issue and Share Transfer Agents remain bound by the original timeline.
Background
SEBI introduced the CSCRF through Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024 as a comprehensive cybersecurity governance framework for all regulated entities in the Indian securities market. The framework mandates risk assessments, continuous monitoring, incident response protocols, recovery mechanisms, and governance structures to protect market infrastructure from cyber threats.
The original compliance deadline of 31 March 2025 had been set after the initial deadline was extended from 1 January 2025 following representations from regulated entities. With continued feedback indicating implementation challenges, SEBI granted a further extension through the March 2025 circular.
Key Provisions
The circular provides the following:
Extended deadline: The compliance deadline for CSCRF adoption and implementation is extended to 30 June 2025 for all SEBI-regulated entities except MIIs, KRAs, and QRTAs.
Exclusions from extension: Market Infrastructure Institutions (stock exchanges, clearing corporations, depositories), KYC Registration Agencies, and Qualified Registrars to Issue and Share Transfer Agents are required to comply with the original timeline, given their critical role in market infrastructure.
Scope of compliance: The CSCRF requires regulated entities to implement comprehensive cybersecurity measures including governance frameworks, risk assessment methodologies, security operations centres, incident response plans, and business continuity arrangements.
Proportionality: The framework applies a proportionate approach, with more stringent requirements for entities handling larger volumes of sensitive market data and less prescriptive requirements for smaller intermediaries.
Implications for Practitioners
Compliance officers and technology heads at SEBI-regulated entities should treat the 30 June 2025 deadline as firm and use the additional three months to close gaps in their CSCRF implementation rather than delay further. SEBI's willingness to extend deadlines should not be interpreted as a signal that enforcement will be lenient once the final deadline passes.
Practitioners advising brokers, mutual fund houses, portfolio managers, and other market intermediaries should conduct a gap assessment against the CSCRF requirements. Key areas that typically require the most implementation effort include establishing dedicated security operations centres, implementing continuous vulnerability assessment frameworks, and creating tested incident response playbooks.
For MIIs and other excluded entities that remain on the original timeline, compliance should already be in place. Any shortfall should be remedied immediately, as SEBI is likely to conduct compliance audits of these critical infrastructure entities first.