Extension towards Adoption and Implementation of Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)
SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/96
Background
In recent years, the Securities and Exchange Board of India (SEBI) has strengthened its regulatory focus on cybersecurity amid growing digital threats in capital markets. Recognizing the critical need to secure financial infrastructure, SEBI introduced a Cybersecurity and Cyber Resilience Framework (CSCRF) in August 2024 for all SEBI-regulated entities (REs). The framework outlines key protocols to safeguard IT systems, protect investor data, and ensure operational continuity in the face of cyber risks.
Key Details
To address implementation challenges highlighted by industry participants, SEBI has now extended the compliance timeline for most entities, offering a two-month grace period to align with the prescribed cyber standards.
Circular Reference: SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/96
Date of Issuance: June 30, 2025
Subject: Extension towards Adoption and Implementation of Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities
Applicability
The circular applies to all SEBI-regulated entities (REs) with the exception of:
Market Infrastructure Institutions (MIIs)
KYC Registration Agencies (KRAs)
Qualified Registrars to an Issue and Share Transfer Agents (QRTAs)
These exempted entities must adhere to the original implementation timeline.
Key Update
The CSCRF compliance deadline for applicable SEBI-regulated entities has been extended by two months to August 31, 2025. This adjustment was made after SEBI received multiple industry requests for more time to ensure effective implementation.
Important Dates
Original Deadline: June 30, 2025
Revised Deadline: August 31, 2025
Circular Issued: June 30, 2025
Effective Date
The circular is effective immediately from the date of issuance, i.e., June 30, 2025.
Key Details
The extension applies only to regulated entities other than MIIs, KRAs, and QRTAs.
All REs must continue to implement CSCRF as per the guidelines issued on August 20, 2024 (Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113).
Stock exchanges and depositories have been directed to notify their members and publish the update.
What Remains Unchanged
Framework requirements under the original August 2024 circular remain intact.
Entities already exempted from the extension must still comply with the original deadline.
The intent and rigor of the framework remain unchanged—only the timeline has shifted.
Why This Matters
This extension reflects SEBI’s responsiveness to practical implementation challenges while reinforcing its commitment to market integrity. By accommodating operational needs without diluting regulatory intent, SEBI strikes a balance between stringent compliance and on-ground feasibility. As cyber threats evolve, ensuring that every market participant is prepared is essential to protecting the financial ecosystem.
SEBI’s Statement
SEBI stated that the extension was granted “to ensure ease of compliance” following multiple industry requests, affirming its goal of facilitating smooth adoption without compromising the underlying security objectives.
Conclusion
SEBI’s decision to extend the CSCRF implementation deadline to August 31, 2025, provides regulated entities with valuable additional time to strengthen cybersecurity infrastructure. The move underlines the regulator’s proactive stance in creating a secure digital environment while being attentive to industry realities. Entities should utilize this extension wisely to ensure full readiness, as cybersecurity remains a non-negotiable pillar of investor protection and market stability.