The International Financial Services Centres Authority (IFSCA) has issued a circular on March 10, 2026, amending the earlier Cyber Security and Cyber Resilience Guidelines for Regulated Entities in IFSCs.

The amendment aims to address practical challenges faced by regulated entities (REs) while complying with the cybersecurity framework issued in 2025. The authority has now introduced temporary exemptions and compliance relaxations for certain categories of entities operating within the International Financial Services Centre (IFSC).

Background of the Cyber Security Circular

In March 2025, IFSCA introduced a comprehensive Cyber Security and Cyber Resilience framework for regulated entities operating in IFSCs. The framework required entities to implement strong cybersecurity governance, appoint security officers, and conduct regular cybersecurity audits.

Following feedback from industry participants regarding operational challenges, the regulator has now revised specific provisions to ease compliance for smaller or structurally dependent entities.

Three-Year Exemption for Certain Regulated Entities

IFSCA has granted a three-year exemption from certain cybersecurity requirements to the following categories of regulated entities:

• Branches of regulated Indian or foreign entities

• Entities that provide services only to their group entities, such as Global In-House Centres (GICs)

• Regulated entities with fewer than 10 employees

This exemption aims to reduce compliance burdens on entities that already rely on cybersecurity frameworks implemented by their parent organizations.

Compliance Conditions During the Exemption Period

Even though these entities are exempt from the full cybersecurity framework, they must still comply with several minimum safeguards:

1. The regulated entity must adopt the cybersecurity framework and information security policy of its parent entity.

2. The Chief Information Security Officer (CISO) of the parent entity will act as the Designated Officer for the IFSC entity.

3. The parent entity must be regulated by a competent regulator or government authority in its home jurisdiction.

4. The Designated Officer must certify annually that necessary cybersecurity systems and processes are in place.

5. The certification must be submitted to IFSCA within 90 days after the end of each financial year.

6. The regulated entity must submit an annual cybersecurity audit report to IFSCA.

These safeguards ensure that cybersecurity governance remains in place even during the exemption period.

Additional Entities Eligible for Exemption

The circular also introduces a new category of entities eligible for the three-year exemption:

• Foreign universities established in IFSC

• Newly incorporated standalone entities in IFSC without a parent organisation

• Credit Rating Agencies

However, these entities must still implement adequate cybersecurity measures proportionate to their risk exposure and submit an annual certification confirming the same to IFSCA.

Regulatory Authority and Effective Date

The circular has been issued under Sections 12 and 13 of the International Financial Services Centres Authority Act, 2019, which empower IFSCA to regulate financial services in IFSCs.

The amendments come into effect immediately.

Implications for IFSC Regulated Entities

The amendment provides regulatory flexibility while maintaining cybersecurity oversight. It recognizes that smaller entities, branches, and group service providers often rely on the cybersecurity infrastructure of their parent organizations.

By allowing temporary exemptions with conditional safeguards, IFSCA aims to:

• Reduce compliance burdens for smaller entities

• Align cybersecurity responsibilities with parent organizations

• Ensure continued cybersecurity governance within IFSCs

Source

IFSCA Circular dated March 10, 2026 – Amendment to the Guidelines on Cyber Security and Cyber Resilience for Regulated Entities in IFSCs.