The Securities and Exchange Board of India, on 30 June 2025, extended the compliance deadline for implementation of the Cybersecurity and Cyber Resilience Framework by an additional two months to 31 August 2025 for most categories of SEBI Regulated Entities. The extension applies to all REs except Market Infrastructure Institutions, KYC Registration Agencies, and Qualified Registrars to an Issue and Share Transfer Agents, which were required to comply by the original deadline of 30 March 2025.
Background
SEBI introduced the Cybersecurity and Cyber Resilience Framework through circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024. The CSCRF mandates comprehensive cybersecurity measures including risk assessments, continuous monitoring, incident response protocols, recovery mechanisms, and governance structures for all entities regulated by SEBI.
The original compliance deadline had already been extended once in March 2025, from 31 March to 30 June 2025, acknowledging the operational challenges faced by smaller regulated entities in implementing the framework's extensive requirements. The June 2025 extension to August 2025 represents the second such deferral, reflecting ongoing industry feedback about implementation complexity.
Key Provisions
The extension circular establishes the following:
Revised deadline: All SEBI Regulated Entities, except MIIs, KRAs, and QRTAs, must achieve full compliance with the CSCRF by 31 August 2025.
Excluded entities: Market Infrastructure Institutions (stock exchanges, depositories, clearing corporations), KYC Registration Agencies, and Qualified Registrars to an Issue and Share Transfer Agents are not covered by this extension. These entities were classified as higher-risk and were required to comply by the original 30 March 2025 deadline.
Framework scope unchanged: The extension does not modify any substantive requirement of the CSCRF. All security controls, governance structures, incident response protocols, and reporting obligations remain as prescribed in the original August 2024 circular.
No further assurance of extension: SEBI has not indicated whether additional extensions will be granted, signalling that the August 2025 deadline should be treated as firm by regulated entities.
Implications for Practitioners
The repeated extensions of the CSCRF deadline suggest that a significant number of regulated entities are struggling with implementation. Brokers, mutual fund distributors, portfolio managers, and other intermediaries that have not yet achieved compliance should treat the August 2025 deadline with urgency, as SEBI's enforcement approach to cybersecurity non-compliance has been increasingly stringent.
Compliance officers at regulated entities should prioritise the most resource-intensive CSCRF requirements — particularly the establishment of a Security Operations Centre, implementation of continuous monitoring tools, and documentation of incident response playbooks. These elements typically require the longest lead times.
For legal advisors, the extension creates a window to assist clients in conducting gap assessments and preparing compliance documentation. However, entities should be cautioned against assuming further extensions. SEBI's decision to exclude MIIs and QRTAs from the extension demonstrates that the regulator is serious about cybersecurity implementation and is applying a tiered enforcement approach based on systemic risk.