
SEBI CSCRF Compliance: A Complete Guide for Regulated Entities (2026)
SEBI CSCRF explained — who must comply, the 5 regulated-entity categories, mandatory SOC/M-SOC, VAPT, SBOM, the Cyber Capability Index, incident reporting and a practical 2026 compliance roadmap.
India's securities market has moved from a patchwork of individual cybersecurity circulars to a single, consolidated, risk-graded mandate. The Cybersecurity and Cyber Resilience Framework (CSCRF), issued by the Securities and Exchange Board of India (SEBI), is now the definitive rulebook for every SEBI-regulated entity — from national exchanges to individual research analysts.
Released on 20 August 2024, the CSCRF supersedes and consolidates SEBI's earlier, entity-specific cybersecurity guidelines into one framework built on a modern, outcomes-based model. Crucially, it is proportionate: obligations scale with the size and systemic importance of the entity, so a large depository and a small investment adviser are held to different — but clearly defined — standards.
This guide is the practical map for compliance teams, CISOs, and boards of SEBI-Regulated Entities (REs). We cover exactly who must comply, how entities are categorised, the framework's structure, the specific mandatory controls (SOC, VAPT, SBOM, the Cyber Capability Index, incident reporting), and a step-by-step roadmap to get audit-ready.
What Is SEBI CSCRF? — The 30-Second Answer
The Cybersecurity and Cyber Resilience Framework (CSCRF) is SEBI's consolidated, mandatory framework governing how regulated entities in the Indian securities market protect their systems and data — and how quickly they can withstand, contain, and recover from a cyber incident.
It replaces the older, siloed circulars (which addressed exchanges, brokers, depositories, mutual funds, etc. separately) with a single framework, applied proportionately across five categories of entity.
The shift is philosophical: from a static checklist of "cybersecurity" controls to cyber resilience — the ability to keep operating, and recover fast, when (not if) an attack lands.
- 01 CSCRF is mandatory and consolidates SEBI's older, entity-specific cyber circulars into one proportionate framework.
- 02 Your obligations depend on your category — determine it first (MII, Qualified, Mid-size, Small-size, or Self-certification RE).
- 03 Non-negotiable pillars: SOC/M-SOC monitoring, CERT-In-empanelled VAPT, SBOM, incident reporting, and board-level governance.
- 04 MIIs and Qualified REs must measure maturity via the Cyber Capability Index (CCI).
- 05 Treat it as a continuous resilience programme, not a one-time audit — remediation, re-validation, and drills are expected.
Why SEBI Introduced CSCRF: From Circulars to Consolidation
For nearly a decade, SEBI regulated cybersecurity through a series of separate circulars — one framework for stock exchanges and depositories, another for stock brokers and depository participants, others for mutual funds, KRAs, and so on. As the securities market digitised, this created three problems: inconsistency (different entities held to different standards), gaps (newer intermediary types had little or no guidance), and fragmentation (entities regulated under multiple heads faced overlapping, sometimes conflicting, requirements).
The CSCRF answers all three. It is a single, unified framework covering the entire universe of SEBI-Regulated Entities, applied through a graded, risk-proportionate model so that obligations match the size and systemic importance of each entity. It also modernises the substance — moving from static "cybersecurity" controls to measurable cyber resilience, aligned with the NIST Cybersecurity Framework and reinforced by the CERT-In directions that apply across all Indian organisations.
SEBI CSCRF Implementation Timeline
Unlike flat regulatory deadlines, SEBI structured the CSCRF rollout in a graded, phased fashion to give entities space to stand up complex operations like SOCs and secure coding practices.
Who Must Comply? The Five Categories of Regulated Entity
The CSCRF applies to a very broad set of SEBI-Regulated Entities (REs) — including stock exchanges, clearing corporations, depositories, stock brokers, depository participants, mutual funds and AMCs, KYC Registration Agencies (KRAs), Registrars & Transfer Agents (RTAs), merchant bankers, portfolio managers, investment advisers, research analysts, and AIFs, among others.
Rather than a one-size-fits-all rulebook, SEBI grades entities into five categories, with obligations increasing with systemic importance and scale:
First action for every RE: determine your category. Thresholds (based on factors such as number of clients, assets, and trading volumes) decide which obligations apply — and getting this wrong means either over-spending or under-complying. If you are unsure, a scoped GRC assessment or a virtual CISO engagement is the fastest way to establish it defensibly.
Obligations at a Glance — What Each Category Must Do
The proportionate model means the same control area applies to everyone, but the depth scales with category. This simplified view shows how obligations intensify from Self-certification REs up to MIIs:
| Requirement | Small / Self-cert | Mid-size | Qualified | MII |
|---|---|---|---|---|
| SOC monitoring | M-SOC / managed | M-SOC / managed | Own or managed | Own, 24×7 |
| VAPT (CERT-In empanelled) | Yes | Yes | Yes | Yes + scenario tests |
| Cyber audit | Periodic | Periodic | Periodic | More frequent |
| Cyber Capability Index (CCI) | — | — | Self-assessment | 3rd-party + self |
| Red teaming | — | — | Recommended | Required |
| SBOM (critical systems) | Yes | Yes | Yes | Yes |
| Incident reporting | Yes | Yes | Yes | Yes |
Indicative summary for orientation only — the authoritative, granular obligations for each category are defined in the CSCRF circular. Confirm specifics for your category.
How the Framework Is Structured
CSCRF is built on a modern, NIST-aligned model rather than a flat control list. It organises requirements around five cyber-resilience goals and six cybersecurity functions.
The five cyber-resilience goals:
The six cybersecurity functions (NIST CSF-aligned):
The Mandatory Controls That Matter Most
CSCRF is detailed, but a handful of requirements consistently define whether an RE is truly compliant — and these are where most gaps appear.
1. A Security Operations Center — own or Market-SOC (M-SOC)
Continuous security monitoring is central to CSCRF. Every RE must have access to a Security Operations Center — either its own, a group SOC, or the Market SOC (M-SOC) facility offered through the MIIs for smaller entities that cannot justify a standalone SOC. The SOC must provide real-time monitoring, log correlation, and detection mapped to the RE's assets. For most mid-size and smaller REs, a managed SOC or SOC-as-a-Service is the pragmatic route to this obligation. See our guide on why SOCs are becoming mandatory across Indian regulators.
2. VAPT by CERT-In empanelled auditors
REs must conduct periodic Vulnerability Assessment and Penetration Testing (VAPT) of critical systems, carried out by CERT-In empanelled organisations. Findings must be remediated and re-validated within defined timelines, with reports submitted to the relevant authority. MIIs face the highest bar, including scenario-based cyber-resilience testing and red teaming. Adayptus delivers CSCRF-aligned security testing across web applications and APIs — and if you're weighing depth of assurance, our Red Team vs Penetration Testing guide explains when each applies.
3. Software Bill of Materials (SBOM)
In a notable modernisation, CSCRF requires a Software Bill of Materials (SBOM) for critical and core systems — a machine-readable inventory of every software component and dependency. This is the securities-market answer to supply-chain attacks like Log4Shell. If SBOM is new to your team, start with our SBOM explainer, then operationalise it with SBOM creation and analysis and secure code review.
4. The Cyber Capability Index (CCI)
CSCRF introduces the Cyber Capability Index (CCI) — a scoring mechanism to measure and monitor an entity's cyber-resilience maturity. MIIs and Qualified REs must assess their CCI periodically; for MIIs this includes independent third-party assessment alongside regular self-assessment. The CCI turns "we have controls" into a defensible, trended maturity score the board and regulator can track over time — conceptually similar to the maturity scoring in a structured GRC programme.
5. Incident reporting & root-cause analysis
Cyber incidents must be reported to CERT-In (within the 6-hour window under the CERT-In directions) and to SEBI within the specified timelines, followed by root-cause analysis and, where relevant, forensic investigation. A tested incident-response capability — in-house or via a retainer backed by digital forensics & incident response — is what makes these deadlines achievable rather than aspirational. Our CERT-In 2026 blueprint analysis covers the reporting expectations in depth.
6. Governance, standards & the essentials
Beyond the Basics: The Requirements Teams Overlook
The controls above are the headline obligations. CSCRF also codifies several areas that are easy to miss but frequently examined.
Data localisation & protection
CSCRF includes provisions on storing regulatory data within India and protecting it across its lifecycle — classification, encryption at rest and in transit, controlled access, secure disposal, and defined retention. REs relying on cloud or overseas SaaS must confirm where regulated data physically resides and ensure it aligns with the framework's data-storage expectations. This is also where CSCRF intersects with the broader Indian data-protection direction.
Third-party & supply-chain risk
Outsourcing does not outsource accountability. CSCRF expects REs to assess and monitor the cyber risk of vendors, service providers, and IT partners — from onboarding due diligence to contractual security clauses, right-to-audit, and ongoing monitoring. Given how much of the securities-market stack runs on shared vendors, a single compromised provider can cascade across many REs, which is precisely why the SBOM and supply-chain provisions exist.
Cloud & API security
As REs adopt cloud and expose trading, KYC, and reporting functions through APIs, CSCRF's Protect and Detect expectations extend to these surfaces: secure configuration, identity and access management, encryption, and monitoring of cloud workloads, plus authentication, authorisation, and rate-limiting on APIs. Our API penetration testing and cloud security assessments map directly to these controls; for the wider cloud picture, see Cloud Security for Fintech & NBFCs.
Cyber audit & compliance reporting
Beyond VAPT, REs must undergo periodic cyber security audits assessing the design and operating effectiveness of controls against CSCRF, with reports submitted to the relevant authority — typically routed through the respective MII (for example, brokers report via the stock exchanges). Audit frequency and depth scale with category. The practical implication: maintain evidence continuously — policies, logs, VAPT closure records, drill reports, CCI results — so audit is a compilation exercise, not a scramble.
Governance: board, committee & CISO
CSCRF places cyber resilience firmly at board level. Expectations include a board-approved cybersecurity & cyber-resilience policy, oversight through the board or a technology/risk committee, a designated CISO with real authority, defined roles and responsibilities, periodic reporting to leadership, and cyber-awareness training for staff. Where an RE lacks a full-time security leader, a virtual CISO can supply the governance, documentation, and board reporting the framework requires.
Common Compliance Gaps
1. Misjudging your category
Getting the RE category wrong cascades into either wasted spend or a serious compliance shortfall. Establish it first, with evidence for the thresholds used.
2. Treating VAPT as a once-a-year checkbox
CSCRF expects remediation and re-validation, not just a report. Findings that stay open past their timeline are a finding in themselves.
3. Buying tools without a SOC to run them
A SIEM licence is not a SOC. Continuous monitoring needs tuned detections and analysts — which is exactly why the M-SOC and managed-SOC routes exist.
4. No SBOM for critical systems
Many REs have never inventoried their software dependencies. SBOM is now an explicit expectation, not an optional maturity nicety.
5. Governance on paper only
A policy no one operationalises, or a CISO with no authority, fails audit. CSCRF wants demonstrable board oversight and a functioning programme.
CSCRF vs RBI vs CERT-In vs ISO 27001 — How They Fit Together
Many organisations sit under more than one regime. Understanding how CSCRF relates to the others prevents duplicated effort and lets you build one control set that satisfies several masters.
| Framework | Applies to | Nature | Focus |
|---|---|---|---|
| SEBI CSCRF | Securities-market REs | Mandatory | Cyber resilience, graded by entity |
| RBI directions | Banks, NBFCs, PSOs | Mandatory | IT governance & controls for banking |
| CERT-In directions | All Indian orgs | Mandatory | Incident reporting (6-hr), logs |
| ISO 27001 | Any organisation | Voluntary standard | ISMS best practice (referenced by CSCRF) |
The good news: they overlap heavily. An ISO 27001-based ISMS gives you most of CSCRF's Govern/Identify/Protect controls; CERT-In reporting is CSCRF's incident-reporting mechanism; and RBI-regulated groups will find much of their existing programme reusable. Build once, map to many — a unified GRC programme is the efficient path when multiple regimes apply.
Consequences of Non-Compliance
CSCRF is issued under SEBI's statutory powers, so non-compliance is an enforcement matter, not a best-practice miss. Depending on severity and entity type, consequences can include regulatory scrutiny and directions, monetary penalties, adverse findings in inspection, and — for serious lapses — restrictions on operations. Beyond the regulator, a breach at an RE carries investor-trust, market-integrity, and reputational costs that shadow the compliance spend. The practical takeaway: the cost of a credible CSCRF programme is materially lower than the cost of explaining to SEBI why you didn't have one.
A Practical Roadmap to CSCRF Compliance
CSCRF Compliance Checklist
A condensed, function-mapped checklist to pressure-test your programme. If you can't evidence a line, it's a gap.
- ✔ RE category determined, verified and documented
- ✔ Board-approved cybersecurity & resilience policy in place
- ✔ Designated CISO with independent oversight authority appointed
- ✔ Asset inventories mapped and data classification completed
- ✔ Third-party/vendor cybersecurity risk registers active
- ✔ Least-privilege access controls and mandatory MFA live
- ✔ End-to-end database and communications encryption active
- ✔ Secure SDLC workflows and SBOM inventories for critical systems
- ✔ Regulatory data stored and replicated per localization mandates
- ✔ Hardened cloud workload and API endpoint configurations
- ✔ 24x7 SOC or shared M-SOC log monitoring active
- ✔ Immutable audit trail and security log storage retained for 1 year
- ✔ Incident response plans and playbooks formalized
- ✔ Dynamic reporting paths for CERT-In (6-hour) and SEBI alerts
- ✔ Root-cause analysis and forensic readiness workflows defined
- ✔ BCP/DR strategies and localized restoration drill schedules set
- ✔ Periodic VAPT audits conducted by CERT-In empanelled agencies
- ✔ Security findings remediated, re-validated, and closed dynamically
- ✔ CCI score tracked and reported (MIIs/Qualified REs)
- ✔ Annual cyber drills simulated and lessons learned integrated
Key Terms & Glossary
Operationalising CSCRF: How Adayptus Partners with You
Adayptus supports REs across the full CSCRF lifecycle: category determination and gap assessment, continuous monitoring via managed SOC / SOC-as-a-Service, CERT-In-aligned VAPT for web and API systems, red teaming for MIIs, SBOM and secure code review, threat modeling, incident response and retainers, and ISO 27001 implementation. When leadership bandwidth is the constraint, our virtual CISO service provides the governance and board reporting CSCRF expects. For a wider view of India's regulatory direction, see our RBI Master Direction guide and Cloud Security for Fintech & NBFCs.
Frequently Asked Questions
Q What is SEBI CSCRF?
CSCRF stands for the Cybersecurity and Cyber Resilience Framework, issued by SEBI on 20 August 2024. It is a consolidated, mandatory framework that governs how SEBI-regulated entities protect their systems and data and how they withstand, contain, and recover from cyber incidents. It replaces earlier entity-specific cybersecurity circulars with one proportionate, NIST-aligned framework.
Q Who does SEBI CSCRF apply to?
It applies broadly to SEBI-regulated entities — including stock exchanges, clearing corporations, depositories, stock brokers, depository participants, mutual funds and AMCs, KRAs, RTAs, merchant bankers, portfolio managers, investment advisers, research analysts, and AIFs. Entities are graded into five categories (MIIs, Qualified, Mid-size, Small-size, and Self-certification REs), with obligations scaled to size and systemic importance.
Q What is the Cyber Capability Index (CCI)?
The Cyber Capability Index is a scoring mechanism introduced by CSCRF to measure and monitor an entity's cyber-resilience maturity over time. Market Infrastructure Institutions and Qualified REs must assess their CCI periodically; for MIIs this includes independent third-party assessment in addition to self-assessment. It gives boards and the regulator a trended, comparable maturity score.
Q Do small SEBI-regulated entities need their own SOC?
Not necessarily their own. CSCRF requires SOC-based monitoring, but smaller entities can meet this through the Market SOC (M-SOC) facility offered via the market infrastructure institutions, or through a third-party managed SOC / SOC-as-a-Service. The obligation is continuous monitoring and detection — not necessarily building an in-house SOC from scratch.
Q Does CSCRF require CERT-In empanelled auditors for VAPT?
Yes. CSCRF requires periodic VAPT of critical systems conducted by CERT-In empanelled organisations, with findings remediated and re-validated within defined timelines and reports submitted to the relevant authority. Adayptus delivers CSCRF-aligned VAPT across web, API, and infrastructure, plus red teaming and resilience testing for higher-tier entities.
Q How can Adayptus help with CSCRF compliance?
Adayptus supports the full CSCRF lifecycle: RE-category determination and gap assessment, managed SOC / SOC-as-a-Service for continuous monitoring, CERT-In-aligned VAPT and red teaming, SBOM creation and secure code review, incident response and retainers, ISO 27001 implementation, and virtual CISO services for governance and board reporting. The engagement is scaled to your category so you meet obligations without over-building.
Q When did SEBI CSCRF come into effect?
CSCRF was published on 20 August 2024 with phased adoption. Entities already covered by earlier SEBI cyber circulars were expected to transition first, and newly-covered entity types were given more time. SEBI subsequently issued clarifications and extended certain compliance dates into 2025. Because effective dates differ by category and have been revised, confirm the current deadline for your specific category against SEBI's latest circular.
Q What is M-SOC (Market SOC)?
Market SOC (M-SOC) is a shared Security Operations Center facility offered through the market infrastructure institutions so that smaller regulated entities can meet CSCRF's continuous-monitoring obligation without building their own SOC. Entities can also use a third-party managed SOC or SOC-as-a-Service; the requirement is effective monitoring and detection, not a specific ownership model.
Q Is ISO 27001 mandatory under CSCRF?
CSCRF is built on ISO 27001-aligned controls, and higher-tier entities such as MIIs are expected to hold ISO 27001 certification. Even where formal certification is not explicitly required for a category, an ISO 27001-based ISMS is the most efficient way to satisfy much of CSCRF's Govern, Identify, and Protect requirements, because the control sets overlap heavily.

Peyush Baranwal
Senior Delivery Manager — Cyber Security, Adayptus
Peyush Baranwal is a Senior Delivery Manager at Adayptus Consulting with 11+ years of experience designing, implementing, and managing enterprise security programmes. His core expertise spans Vulnerability Assessment & Penetration Testing (VAPT), Application Security, and Security Operations — leading web, mobile, API, and infrastructure security assessments for CISOs and security teams across BFSI, healthcare, and SaaS. He focuses on measurable risk reduction, governance maturity, and operationalising detection-and-response capability. Outside work, Peyush is a passionate biker and part-time photographer.
Connect on LinkedInExecutive Intelligence Briefing
Join top security executives receiving our curated analysis of zero-days, compliance shifts, and architectural vulnerabilities—delivered completely ad-free.
On This Page
- What Is SEBI CSCRF?
- Why SEBI Introduced CSCRF: From Circulars to Consolidation
- SEBI CSCRF Implementation Timeline
- Who Must Comply? The Five Categories of Regulated Entity
- Obligations at a Glance — What Each Category Must Do
- How the Framework Is Structured
- The Mandatory Controls That Matter Most
- Beyond the Basics: The Requirements Teams Overlook
- Common Compliance Gaps
- CSCRF vs RBI vs CERT-In vs ISO 27001 — How They Fit Together
- Consequences of Non-Compliance
- A Practical Roadmap to CSCRF Compliance
- CSCRF Compliance Checklist
- Key Terms & Glossary
- Operationalising CSCRF: How Adayptus Partners with You
- Frequently Asked Questions


