25 June 2026·9 min read·compliance

SEBI CSCRF: What India's Regulated Entities Must Do

SEBI CSCRF mandates VAPT, SOC, cyber audit, and incident reporting for every India capital-market Regulated Entity. Here is exactly what compliance requires.

Bachao.AI Research Team

Cybersecurity Research

See if your business is DPDP Act compliant

Free scan · No credit card required

Check DPDP Compliance

Compliance risk for Indian SMBs

Non-compliance with the DPDP Act 2023 carries penalties up to ₹250 crore. This post explains what's at stake and what action to take.

Bachao.AI Research Team

Cybersecurity Research

AI-powered security research and threat intelligence from the Bachao.AI team. Covering the latest vulnerabilities, CVEs, and cybersecurity developments affecting Indian businesses.

Get cybersecurity insights for Indian SMBs

Weekly vulnerability alerts, DPDP compliance tips, and security guides. No spam — unsubscribe anytime.

We respect your privacy. Your email is never shared.

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.

Run a free VAPT scan and get your risk score in minutes — no credit card required.

Book Your Free Scan

SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) is a mandatory compliance framework that consolidates all prior SEBI cybersecurity circulars into a single, graded set of obligations for India's capital-market Regulated Entities. If your organisation is a stock broker, depository participant, asset management company, KRA, or any other SEBI-registered entity, CSCRF applies to you — and non-compliance is a regulatory risk you cannot afford to ignore.

What Is the SEBI CSCRF?

SEBI issued the Cybersecurity and Cyber Resilience Framework in 2023, superseding a patchwork of earlier circulars on IT security, cyber-incident reporting, and SOC requirements that had accumulated over the preceding decade. The goal was to give Regulated Entities (REs) one authoritative, technology-neutral playbook aligned to globally recognised security standards — specifically the NIST Cybersecurity Framework (CSF).

At its core, CSCRF maps every obligation to five cyber-resilience goals:

Anticipate — identify assets, risks, and threats before they materialise
Withstand — implement controls that protect systems even under attack
Contain — limit the blast radius of an incident once it begins
Recover — restore services and data with defined RTO/RPO targets
Evolve — continuously improve posture using lessons learned and threat intelligence

These goals correspond closely to NIST CSF's five functions — Identify, Protect, Detect, Respond, Recover — but are articulated in capital-market language SEBI REs will recognise.

ℹ️

INFO

The authoritative source for CSCRF is the circular published at sebi.gov.in. Always read the latest version; SEBI periodically issues clarifications and updates to the annexures. CERT-In's guidelines at cert-in.org.in inform the incident-reporting obligations within CSCRF.

Who Does CSCRF Apply To?

CSCRF applies to all SEBI Regulated Entities, including but not limited to:

Stock Brokers (full-service and discount)
Depository Participants (DPs)
Asset Management Companies (AMCs) and Mutual Funds
KYC Registration Agencies (KRAs)
Stock Exchanges and Clearing Corporations
Registrars and Transfer Agents (RTAs)
Investment Advisers and Research Analysts (subject to thresholds)
Portfolio Managers
Alternative Investment Funds (AIFs) and Venture Capital Funds

CSCRF uses a graded/threshold-based applicability model: the depth of controls required scales with the RE's size, systemic importance, and operational complexity. SEBI's framework groups REs into categories — Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, and Small REs — with MIIs and Qualified REs facing the most stringent requirements. However, the foundational governance, incident-reporting, and VAPT requirements apply across all categories.

⚠️

WARNING

"We are too small to matter" is not a compliance exemption under CSCRF. Threshold-based grading means lighter controls, not zero controls. Every SEBI RE must assess which tier it falls into and implement the corresponding baseline.

The Control Domains: What CSCRF Actually Requires

CSCRF organises obligations across several interconnected domains. The table below maps the key domain, its core obligation, and the entity-size sensitivity.

Domain	Core Obligation	Size Sensitivity
Governance	Board-level oversight, CISO appointment, policy documentation	All tiers
Asset Management	Inventory of critical systems, data classification	All tiers
VAPT	Periodic Vulnerability Assessment & Penetration Testing by CERT-In empanelled organisation	All tiers; frequency scales with size
SOC	Security Operations Centre — own SOC or market-SOC (third-party)	Mandatory for larger REs; market-SOC option for smaller
Cyber Audit	Annual cyber audit by qualified auditor	All tiers
Incident Reporting	Report to SEBI and CERT-In within prescribed timeframes	All tiers
Third-Party / Vendor Risk	Security assessment of critical technology service providers	Larger tiers
Business Continuity	BCP/DR with defined RTO, periodic drills	All tiers
Awareness & Training	Board-level, staff-level security awareness programmes	All tiers

Governance and Board Oversight

CSCRF places cybersecurity governance firmly at the board level. REs are required to designate a CISO (or equivalent), ensure board-level reviews of the cyber-risk posture at defined intervals, and maintain a cyber-risk policy approved at the highest governance tier. This is not a checkbox — SEBI expects evidence of active board engagement, not just a signed policy document gathering dust.

VAPT: The Most Operationally Demanding Obligation

Vulnerability Assessment and Penetration Testing (VAPT) is one of the most actionable and recurring requirements under CSCRF. The framework mandates that VAPT be conducted by an organisation empanelled by CERT-In — India's national cybersecurity agency. The cadence (annual, semi-annual, or more frequent) depends on the RE's tier and the nature of its internet-facing and critical systems.

VAPT scope under CSCRF typically covers:

Internet-facing applications and APIs
Internal network and infrastructure
Trading systems and client-facing portals
Cloud and data-centre environments

The VAPT report must be retained and, in some cases, submitted to SEBI. Findings must be remediated within defined timelines; repeat findings in successive audits are a red flag during regulatory inspection.

Bachao.AI helps REs automate vulnerability discovery and evidence collection as part of VAPT readiness. Since CSCRF mandates the final certification by a CERT-In empanelled organisation, Bachao.AI's free VAPT scan is positioned as pre-audit intelligence — helping security teams identify and fix issues before the formal empanelled audit begins. The empanelled audit itself is delivered through a CERT-In empanelled partner. Dhisattva AI Pvt Ltd (the company behind Bachao.AI) is a DPIIT Recognised Startup.

Security Operations Centre (SOC)

Larger REs must establish and operate a SOC capable of 24x7 monitoring, threat detection, and incident triage. CSCRF recognises that not every RE can afford its own SOC infrastructure and explicitly permits the use of a market-SOC — a third-party SOC service offered by authorised providers. Smaller REs may use the market-SOC option to meet this obligation without standing up dedicated infrastructure.

Incident Reporting: Dual Obligation to SEBI and CERT-In

A cyber incident at a SEBI RE triggers a dual reporting obligation:

Report to SEBI within the timeframes specified in the CSCRF circular (initial report, detailed report, closure report)
Report to CERT-In in accordance with CERT-In's own incident-reporting directions (which mandate initial reporting within six hours of detection for prescribed incident categories)

Failure to report — or delayed reporting — is treated as a separate compliance failure from the incident itself. REs must have documented incident-response playbooks that include the reporting workflow to both bodies.

🚨

DANGER

A cyber incident that is not reported within SEBI's prescribed window can result in independent regulatory action — separate from any action taken over the underlying security failure. Build your incident-response playbook before you need it.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Compliance Decision Flow for a Regulated Entity

The diagram below shows how a Regulated Entity determines its applicability category and the control domains it must then implement, culminating in SEBI submission.

graph TD
    A[SEBI Regulated Entity] --> B{Determine Category
by size and
systemic importance}
    B --> C[MII
Exchanges and
Clearing Corps]
    B --> D[Qualified RE
Large Brokers
AMCs and DPs]
    B --> E[Mid-size or Small RE
market-SOC eligible]

    C --> F[Full CSCRF Controls
Own SOC mandatory]
    D --> G[Full CSCRF Controls
Own or market-SOC]
    E --> H[Baseline Controls
market-SOC permitted]

    F --> I[Governance
and Board Oversight]
    G --> I
    H --> I

    I --> J[VAPT by CERT-In
Empanelled Org]
    J --> K[SOC Monitoring
24x7]
    K --> L[Cyber Audit
Annual]
    L --> M[Incident Reporting
SEBI and CERT-In]
    M --> N[Evidence Package
Submission to SEBI]

    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style I fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style J fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style K fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style L fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style M fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style N fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

Distribution of CSCRF Cyber-Resilience Goal Coverage

The five NIST-aligned goals are not evenly weighted in practice. Anticipate (Identify) and Withstand (Protect) together account for the largest share of prescribed controls in the CSCRF annexures, reflecting SEBI's emphasis on proactive risk management over reactive response. The chart below is an illustrative representation of relative control emphasis as distributed across the five goals in the framework.

pie
    title CSCRF Control Emphasis by Cyber-Resilience Goal
    "Anticipate - Identify" : 30
    "Withstand - Protect" : 28
    "Contain - Detect and Respond" : 22
    "Recover" : 12
    "Evolve - Improve" : 8

Key Statistics

6 hoursCERT-In mandatory initial reporting window for prescribed cyber incidents (CERT-In Directions 2022)

5Cyber-resilience goals in CSCRF mapped to NIST CSF functions — Anticipate Withstand Contain Recover Evolve (SEBI CSCRF 2023)

The Cyber Audit Requirement

Beyond VAPT, CSCRF mandates a broader cyber audit at least annually. The cyber audit covers governance, policy implementation, access controls, change management, vendor risk, and business continuity arrangements. The auditor must be independent and qualified; SEBI may specify categories of accepted auditors. Findings are graded by severity, and REs must submit a compliance certificate along with the audit report.

🛡️

SECURITY

Cyber audits under CSCRF are not the same as ISO 27001 audits, though ISO 27001 certification is widely treated as evidence of a mature control environment and can significantly reduce audit preparation effort. REs with ISO 27001 certification are not automatically exempt from CSCRF cyber audits, but the overlap in control requirements means the marginal effort is lower.

ISO 27001 and CSCRF: Complementary, Not Redundant

CSCRF does not mandate ISO 27001 certification, but the two frameworks share substantial common ground — asset management, risk assessment, access control, incident management, business continuity, and supplier security. REs pursuing ISO 27001 will find that CSCRF compliance becomes considerably more tractable once the ISMS is in place. Conversely, REs building CSCRF compliance from scratch are effectively building the operational foundation for ISO 27001.

A Practical Compliance Roadmap

Phase	Action	Timeline
1 — Gap Assessment	Map current controls against CSCRF domains; identify tier	Month 1
2 — Governance	Board approval of cyber-risk policy; CISO designation	Month 1–2
3 — Asset Inventory	Critical system and data classification exercise	Month 2–3
4 — Pre-Audit VAPT	Automated vulnerability scan + manual testing to find gaps	Month 3–4
5 — Empanelled VAPT	Formal VAPT by CERT-In empanelled organisation	Month 4–5
6 — SOC Setup	Establish own SOC or contract market-SOC	Month 3–6
7 — IR Playbook	Draft and test incident-response and SEBI/CERT-In reporting workflow	Month 4–5
8 — Cyber Audit	Annual audit; submission to SEBI	Month 6+ (annually)
9 — Continuous	Patch management, threat intel, training, evolve loop	Ongoing

What Happens If You Are Not Compliant?

SEBI has broad enforcement powers over REs, including the ability to issue directions, impose restrictions on operations, and initiate adjudication proceedings. CSCRF non-compliance — particularly failure to conduct mandatory VAPT, failure to establish SOC capability, or failure to report incidents — can surface during SEBI inspections or following a breach. The reputational and operational cost of a significant cyber incident at a capital-market entity is also severe: investor trust, market integrity, and client data are all at stake.

The framework is not a static audit — it is designed to evolve with the threat landscape. SEBI has signalled that CSCRF will be periodically updated, and REs that treat it as a one-time exercise rather than a continuous programme will find themselves out of step with each revision.

🎯Key Takeaway

SEBI CSCRF is not a recommendation — it is a mandatory, graded compliance framework for every India capital-market Regulated Entity. The highest-risk gaps to close first are: VAPT by a CERT-In empanelled organisation, SOC coverage (own or market-SOC), and a tested incident-reporting workflow that covers both SEBI and CERT-In within prescribed timelines.

External References

SEBI CSCRF Circular: https://www.sebi.gov.in — search "Cybersecurity and Cyber Resilience Framework"
CERT-In Incident Reporting Directions: https://www.cert-in.org.in
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework

For a broader view of how automated vulnerability scanning fits into your compliance programme, visit the Bachao.AI blog.

Frequently Asked Questions

What is SEBI CSCRF and who must comply?

SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) is a mandatory compliance circular that consolidates all prior SEBI cybersecurity directives. It applies to every SEBI Regulated Entity — stock brokers, depository participants, AMCs, KRAs, exchanges, RTAs, portfolio managers, AIFs, and more. Compliance is not optional; the framework is graded by entity size but baseline obligations apply to all tiers.

Does CSCRF require VAPT, and who can conduct it?

Yes. CSCRF mandates periodic Vulnerability Assessment and Penetration Testing. The VAPT must be conducted by an organisation empanelled by CERT-In, India's national cybersecurity agency. The frequency and scope depend on the RE's tier and the criticality of its systems. Findings must be remediated and evidence retained for regulatory review.

What is a market-SOC under CSCRF?

A market-SOC is a third-party Security Operations Centre authorised to provide 24x7 monitoring services to SEBI Regulated Entities that cannot establish their own SOC infrastructure. CSCRF explicitly permits smaller REs to use a market-SOC to meet the SOC obligation, reducing the capital investment required for continuous security monitoring.

What are the incident-reporting timelines under CSCRF?

REs must report cyber incidents to SEBI within the timelines specified in the CSCRF circular (typically an initial report followed by a detailed report and closure report). Separately, CERT-In's directions require initial reporting within six hours of detection for prescribed incident categories. Both obligations must be met; delayed reporting is treated as an independent compliance failure.

How does CSCRF relate to ISO 27001?

CSCRF does not mandate ISO 27001 certification, but the two frameworks share significant overlap in control domains — risk management, access control, incident response, business continuity, and supplier security. ISO 27001-certified REs have a head start on CSCRF compliance, but the formal CSCRF cyber audit and CERT-In-empanelled VAPT remain separate requirements that ISO 27001 does not substitute.

Where can I find the official SEBI CSCRF circular?

The authoritative text is available at sebi.gov.in. Search for "Cybersecurity and Cyber Resilience Framework" to locate the most recent version of the circular and any subsequent amendments or FAQs. Always verify you are reading the current version, as SEBI periodically issues updates to the annexures and applicability thresholds.