SEBI CSCRF Compliance: A Complete Guide for Regulated Entities (2026) background
Back to Journal
Regulatory Compliance

SEBI CSCRF Compliance: A Complete Guide for Regulated Entities (2026)

Peyush Baranwal
July 9, 2026
21 min read

SEBI CSCRF explained — who must comply, the 5 regulated-entity categories, mandatory SOC/M-SOC, VAPT, SBOM, the Cyber Capability Index, incident reporting and a practical 2026 compliance roadmap.

India's securities market has moved from a patchwork of individual cybersecurity circulars to a single, consolidated, risk-graded mandate. The Cybersecurity and Cyber Resilience Framework (CSCRF), issued by the Securities and Exchange Board of India (SEBI), is now the definitive rulebook for every SEBI-regulated entity — from national exchanges to individual research analysts.

Released on 20 August 2024, the CSCRF supersedes and consolidates SEBI's earlier, entity-specific cybersecurity guidelines into one framework built on a modern, outcomes-based model. Crucially, it is proportionate: obligations scale with the size and systemic importance of the entity, so a large depository and a small investment adviser are held to different — but clearly defined — standards.

This guide is the practical map for compliance teams, CISOs, and boards of SEBI-Regulated Entities (REs). We cover exactly who must comply, how entities are categorised, the framework's structure, the specific mandatory controls (SOC, VAPT, SBOM, the Cyber Capability Index, incident reporting), and a step-by-step roadmap to get audit-ready.

Aug 2024
CSCRF Circular Issued
5 Classes
Regulated Entity categories
6 Functions
NIST CSF Aligned Operations
M-SOC
Mandatory SOC / M-SOC Monitoring

What Is SEBI CSCRF? — The 30-Second Answer

The Cybersecurity and Cyber Resilience Framework (CSCRF) is SEBI's consolidated, mandatory framework governing how regulated entities in the Indian securities market protect their systems and data — and how quickly they can withstand, contain, and recover from a cyber incident.

It replaces the older, siloed circulars (which addressed exchanges, brokers, depositories, mutual funds, etc. separately) with a single framework, applied proportionately across five categories of entity.

The shift is philosophical: from a static checklist of "cybersecurity" controls to cyber resilience — the ability to keep operating, and recover fast, when (not if) an attack lands.

Key Takeaways
  • 01 CSCRF is mandatory and consolidates SEBI's older, entity-specific cyber circulars into one proportionate framework.
  • 02 Your obligations depend on your category — determine it first (MII, Qualified, Mid-size, Small-size, or Self-certification RE).
  • 03 Non-negotiable pillars: SOC/M-SOC monitoring, CERT-In-empanelled VAPT, SBOM, incident reporting, and board-level governance.
  • 04 MIIs and Qualified REs must measure maturity via the Cyber Capability Index (CCI).
  • 05 Treat it as a continuous resilience programme, not a one-time audit — remediation, re-validation, and drills are expected.

Why SEBI Introduced CSCRF: From Circulars to Consolidation

For nearly a decade, SEBI regulated cybersecurity through a series of separate circulars — one framework for stock exchanges and depositories, another for stock brokers and depository participants, others for mutual funds, KRAs, and so on. As the securities market digitised, this created three problems: inconsistency (different entities held to different standards), gaps (newer intermediary types had little or no guidance), and fragmentation (entities regulated under multiple heads faced overlapping, sometimes conflicting, requirements).

The CSCRF answers all three. It is a single, unified framework covering the entire universe of SEBI-Regulated Entities, applied through a graded, risk-proportionate model so that obligations match the size and systemic importance of each entity. It also modernises the substance — moving from static "cybersecurity" controls to measurable cyber resilience, aligned with the NIST Cybersecurity Framework and reinforced by the CERT-In directions that apply across all Indian organisations.

SEBI CSCRF Implementation Timeline

Unlike flat regulatory deadlines, SEBI structured the CSCRF rollout in a graded, phased fashion to give entities space to stand up complex operations like SOCs and secure coding practices.

20 Aug 2024
CSCRF Framework Notification. SEBI officially publishes the Cybersecurity and Cyber Resilience Framework (CSCRF), consolidating all legacy circulars and setting the five-tier taxonomy.
Dec 2024 - Mid 2025
Phase 1 Transition. Core Market Infrastructure Institutions (MIIs) and Tier-1 Qualified Regulated Entities migrate existing control frameworks to match CSCRF parameters.
Late 2025
Deadline Extensions & Clarifications. SEBI provides grace periods and specific compliance extensions for smaller and newly-covered entities (such as AIFs and research analysts) to implement SOC and SBOM capabilities.
2026 & Beyond
Continuous Governance & Audits. Ongoing cycle of annual audits, continuous security monitoring, mandatory CERT-In empanelled VAPT checks, and trended Cyber Capability Index (CCI) reports.

Who Must Comply? The Five Categories of Regulated Entity

The CSCRF applies to a very broad set of SEBI-Regulated Entities (REs) — including stock exchanges, clearing corporations, depositories, stock brokers, depository participants, mutual funds and AMCs, KYC Registration Agencies (KRAs), Registrars & Transfer Agents (RTAs), merchant bankers, portfolio managers, investment advisers, research analysts, and AIFs, among others.

Rather than a one-size-fits-all rulebook, SEBI grades entities into five categories, with obligations increasing with systemic importance and scale:

Market Infrastructure Institutions (MIIs)
Stock exchanges, clearing corporations, and depositories. Held to the absolute highest tier — mandatory 24x7 SOC operations, third-party audited CCI, scenario resilience drills, and active red teaming.
Qualified REs
High-volume stock brokers, depository participants, and mutual funds above client/asset thresholds. Must stand up continuous SOCs and run periodic CCI self-assessments.
Mid-size REs
Mid-tier brokers, merchant bankers, and portfolio managers. Obligated to maintain continuous security monitoring (often via Market SOC or a third-party MSSP) and run CERT-In VAPTs.
Small-size REs
Smaller brokerages and advisory firms. Held to essential cyber resilience controls including VAPT, incident reporting, and mandatory M-SOC integration.
Self-certification REs
Small boutique advisers and analysts. Baseline cybersecurity controls and data encryption, validated through annual self-certification filings to the regulator.

First action for every RE: determine your category. Thresholds (based on factors such as number of clients, assets, and trading volumes) decide which obligations apply — and getting this wrong means either over-spending or under-complying. If you are unsure, a scoped GRC assessment or a virtual CISO engagement is the fastest way to establish it defensibly.

Obligations at a Glance — What Each Category Must Do

The proportionate model means the same control area applies to everyone, but the depth scales with category. This simplified view shows how obligations intensify from Self-certification REs up to MIIs:

Requirement Small / Self-cert Mid-size Qualified MII
SOC monitoringM-SOC / managedM-SOC / managedOwn or managedOwn, 24×7
VAPT (CERT-In empanelled)YesYesYesYes + scenario tests
Cyber auditPeriodicPeriodicPeriodicMore frequent
Cyber Capability Index (CCI)Self-assessment3rd-party + self
Red teamingRecommendedRequired
SBOM (critical systems)YesYesYesYes
Incident reportingYesYesYesYes

Indicative summary for orientation only — the authoritative, granular obligations for each category are defined in the CSCRF circular. Confirm specifics for your category.

How the Framework Is Structured

CSCRF is built on a modern, NIST-aligned model rather than a flat control list. It organises requirements around five cyber-resilience goals and six cybersecurity functions.

The five cyber-resilience goals:

Anticipate
Foresee threats
Withstand
Absorb attacks
Contain
Limit spread
Recover
Restore fast
Evolve
Learn & adapt

The six cybersecurity functions (NIST CSF-aligned):

Govern Board oversight, CISO leadership, cybersecurity policy, and structured cyber risk management.
Identify Hardware and software asset inventory, critical systems identification, data classification, and third-party risk register.
Protect Access control, multi-factor authentication, database encryption, data localization, and secure application development.
Detect Security Operations Center (SOC) monitoring, SIEM log correlation, and continuous vulnerability validation.
Respond Incident response planning, 6-hour CERT-In breach notifications, root-cause analyses, and digital forensics.
Recover Tested backup restoration, Business Continuity Planning (BCP), and disaster recovery drills.

The Mandatory Controls That Matter Most

CSCRF is detailed, but a handful of requirements consistently define whether an RE is truly compliant — and these are where most gaps appear.

1. A Security Operations Center — own or Market-SOC (M-SOC)

Continuous security monitoring is central to CSCRF. Every RE must have access to a Security Operations Center — either its own, a group SOC, or the Market SOC (M-SOC) facility offered through the MIIs for smaller entities that cannot justify a standalone SOC. The SOC must provide real-time monitoring, log correlation, and detection mapped to the RE's assets. For most mid-size and smaller REs, a managed SOC or SOC-as-a-Service is the pragmatic route to this obligation. See our guide on why SOCs are becoming mandatory across Indian regulators.

2. VAPT by CERT-In empanelled auditors

REs must conduct periodic Vulnerability Assessment and Penetration Testing (VAPT) of critical systems, carried out by CERT-In empanelled organisations. Findings must be remediated and re-validated within defined timelines, with reports submitted to the relevant authority. MIIs face the highest bar, including scenario-based cyber-resilience testing and red teaming. Adayptus delivers CSCRF-aligned security testing across web applications and APIs — and if you're weighing depth of assurance, our Red Team vs Penetration Testing guide explains when each applies.

3. Software Bill of Materials (SBOM)

In a notable modernisation, CSCRF requires a Software Bill of Materials (SBOM) for critical and core systems — a machine-readable inventory of every software component and dependency. This is the securities-market answer to supply-chain attacks like Log4Shell. If SBOM is new to your team, start with our SBOM explainer, then operationalise it with SBOM creation and analysis and secure code review.

4. The Cyber Capability Index (CCI)

CSCRF introduces the Cyber Capability Index (CCI) — a scoring mechanism to measure and monitor an entity's cyber-resilience maturity. MIIs and Qualified REs must assess their CCI periodically; for MIIs this includes independent third-party assessment alongside regular self-assessment. The CCI turns "we have controls" into a defensible, trended maturity score the board and regulator can track over time — conceptually similar to the maturity scoring in a structured GRC programme.

5. Incident reporting & root-cause analysis

Cyber incidents must be reported to CERT-In (within the 6-hour window under the CERT-In directions) and to SEBI within the specified timelines, followed by root-cause analysis and, where relevant, forensic investigation. A tested incident-response capability — in-house or via a retainer backed by digital forensics & incident response — is what makes these deadlines achievable rather than aspirational. Our CERT-In 2026 blueprint analysis covers the reporting expectations in depth.

6. Governance, standards & the essentials

Board-approved cybersecurity policy & designated CISO
ISO 27001-aligned controls (ISO 27001 for MIIs)
Data classification & protection; defined data-localisation
Strong access control, least privilege & MFA
Encryption of data at rest & in transit
Audit-trail & log retention with integrity protection
Backups, BCP/DR with tested recovery objectives
Security-by-design & secure SDLC for applications

Beyond the Basics: The Requirements Teams Overlook

The controls above are the headline obligations. CSCRF also codifies several areas that are easy to miss but frequently examined.

Data localisation & protection

CSCRF includes provisions on storing regulatory data within India and protecting it across its lifecycle — classification, encryption at rest and in transit, controlled access, secure disposal, and defined retention. REs relying on cloud or overseas SaaS must confirm where regulated data physically resides and ensure it aligns with the framework's data-storage expectations. This is also where CSCRF intersects with the broader Indian data-protection direction.

Third-party & supply-chain risk

Outsourcing does not outsource accountability. CSCRF expects REs to assess and monitor the cyber risk of vendors, service providers, and IT partners — from onboarding due diligence to contractual security clauses, right-to-audit, and ongoing monitoring. Given how much of the securities-market stack runs on shared vendors, a single compromised provider can cascade across many REs, which is precisely why the SBOM and supply-chain provisions exist.

Cloud & API security

As REs adopt cloud and expose trading, KYC, and reporting functions through APIs, CSCRF's Protect and Detect expectations extend to these surfaces: secure configuration, identity and access management, encryption, and monitoring of cloud workloads, plus authentication, authorisation, and rate-limiting on APIs. Our API penetration testing and cloud security assessments map directly to these controls; for the wider cloud picture, see Cloud Security for Fintech & NBFCs.

Cyber audit & compliance reporting

Beyond VAPT, REs must undergo periodic cyber security audits assessing the design and operating effectiveness of controls against CSCRF, with reports submitted to the relevant authority — typically routed through the respective MII (for example, brokers report via the stock exchanges). Audit frequency and depth scale with category. The practical implication: maintain evidence continuously — policies, logs, VAPT closure records, drill reports, CCI results — so audit is a compilation exercise, not a scramble.

Governance: board, committee & CISO

CSCRF places cyber resilience firmly at board level. Expectations include a board-approved cybersecurity & cyber-resilience policy, oversight through the board or a technology/risk committee, a designated CISO with real authority, defined roles and responsibilities, periodic reporting to leadership, and cyber-awareness training for staff. Where an RE lacks a full-time security leader, a virtual CISO can supply the governance, documentation, and board reporting the framework requires.

Common Compliance Gaps

1. Misjudging your category

Getting the RE category wrong cascades into either wasted spend or a serious compliance shortfall. Establish it first, with evidence for the thresholds used.

2. Treating VAPT as a once-a-year checkbox

CSCRF expects remediation and re-validation, not just a report. Findings that stay open past their timeline are a finding in themselves.

3. Buying tools without a SOC to run them

A SIEM licence is not a SOC. Continuous monitoring needs tuned detections and analysts — which is exactly why the M-SOC and managed-SOC routes exist.

4. No SBOM for critical systems

Many REs have never inventoried their software dependencies. SBOM is now an explicit expectation, not an optional maturity nicety.

5. Governance on paper only

A policy no one operationalises, or a CISO with no authority, fails audit. CSCRF wants demonstrable board oversight and a functioning programme.

CSCRF vs RBI vs CERT-In vs ISO 27001 — How They Fit Together

Many organisations sit under more than one regime. Understanding how CSCRF relates to the others prevents duplicated effort and lets you build one control set that satisfies several masters.

Framework Applies to Nature Focus
SEBI CSCRFSecurities-market REsMandatoryCyber resilience, graded by entity
RBI directionsBanks, NBFCs, PSOsMandatoryIT governance & controls for banking
CERT-In directionsAll Indian orgsMandatoryIncident reporting (6-hr), logs
ISO 27001Any organisationVoluntary standardISMS best practice (referenced by CSCRF)

The good news: they overlap heavily. An ISO 27001-based ISMS gives you most of CSCRF's Govern/Identify/Protect controls; CERT-In reporting is CSCRF's incident-reporting mechanism; and RBI-regulated groups will find much of their existing programme reusable. Build once, map to many — a unified GRC programme is the efficient path when multiple regimes apply.

Consequences of Non-Compliance

CSCRF is issued under SEBI's statutory powers, so non-compliance is an enforcement matter, not a best-practice miss. Depending on severity and entity type, consequences can include regulatory scrutiny and directions, monetary penalties, adverse findings in inspection, and — for serious lapses — restrictions on operations. Beyond the regulator, a breach at an RE carries investor-trust, market-integrity, and reputational costs that shadow the compliance spend. The practical takeaway: the cost of a credible CSCRF programme is materially lower than the cost of explaining to SEBI why you didn't have one.

A Practical Roadmap to CSCRF Compliance

01
Confirm your RE category
Map your thresholds to the five categories and document the basis. This defines the entire scope of your obligations.
02
Run a gap assessment against CSCRF
Assess current controls across all six functions, identify gaps, and produce a prioritised, evidence-backed remediation plan.
03
Stand up monitoring (SOC / M-SOC)
Onboard assets and log sources into your own, managed, or Market SOC, with detections mapped to your environment.
04
Test: VAPT, SBOM, resilience drills
Conduct CERT-In-empanelled VAPT, build SBOMs for critical systems, and (for MIIs/Qualified REs) run scenario-based resilience testing.
05
Formalise governance & reporting
Board-approved policy, CISO authority, incident-reporting playbook, CCI measurement (where applicable), and periodic audit submissions.
06
Operate & evolve
Treat compliance as continuous — re-validate fixes, trend your CCI, run drills, and feed lessons back into controls.

CSCRF Compliance Checklist

A condensed, function-mapped checklist to pressure-test your programme. If you can't evidence a line, it's a gap.

Govern & Identify
  • RE category determined, verified and documented
  • Board-approved cybersecurity & resilience policy in place
  • Designated CISO with independent oversight authority appointed
  • Asset inventories mapped and data classification completed
  • Third-party/vendor cybersecurity risk registers active
Protect
  • Least-privilege access controls and mandatory MFA live
  • End-to-end database and communications encryption active
  • Secure SDLC workflows and SBOM inventories for critical systems
  • Regulatory data stored and replicated per localization mandates
  • Hardened cloud workload and API endpoint configurations
Detect & Respond
  • 24x7 SOC or shared M-SOC log monitoring active
  • Immutable audit trail and security log storage retained for 1 year
  • Incident response plans and playbooks formalized
  • Dynamic reporting paths for CERT-In (6-hour) and SEBI alerts
  • Root-cause analysis and forensic readiness workflows defined
Recover & Evolve
  • BCP/DR strategies and localized restoration drill schedules set
  • Periodic VAPT audits conducted by CERT-In empanelled agencies
  • Security findings remediated, re-validated, and closed dynamically
  • CCI score tracked and reported (MIIs/Qualified REs)
  • Annual cyber drills simulated and lessons learned integrated

Key Terms & Glossary

RE (Regulated Entity) — Any entity regulated by SEBI and covered by CSCRF (exchange, broker, depository, AMC, adviser, etc.).
MII (Market Infrastructure Institution) — Crucial market platforms: Stock Exchanges, Clearing Corporations, and Depositories.
CCI (Cyber Capability Index) — An objective maturity rating system to measure an entity's cyber resilience posture over time.
M-SOC (Market SOC) — A shared Security Operations Center facility offered through MIIs for smaller brokers/intermediaries.
SBOM (Software Bill of Materials) — An inventory list of software libraries, modules, and open-source packages built into a critical system.

Operationalising CSCRF: How Adayptus Partners with You

Adayptus supports REs across the full CSCRF lifecycle: category determination and gap assessment, continuous monitoring via managed SOC / SOC-as-a-Service, CERT-In-aligned VAPT for web and API systems, red teaming for MIIs, SBOM and secure code review, threat modeling, incident response and retainers, and ISO 27001 implementation. When leadership bandwidth is the constraint, our virtual CISO service provides the governance and board reporting CSCRF expects. For a wider view of India's regulatory direction, see our RBI Master Direction guide and Cloud Security for Fintech & NBFCs.

Frequently Asked Questions

Q What is SEBI CSCRF?

CSCRF stands for the Cybersecurity and Cyber Resilience Framework, issued by SEBI on 20 August 2024. It is a consolidated, mandatory framework that governs how SEBI-regulated entities protect their systems and data and how they withstand, contain, and recover from cyber incidents. It replaces earlier entity-specific cybersecurity circulars with one proportionate, NIST-aligned framework.

Q Who does SEBI CSCRF apply to?

It applies broadly to SEBI-regulated entities — including stock exchanges, clearing corporations, depositories, stock brokers, depository participants, mutual funds and AMCs, KRAs, RTAs, merchant bankers, portfolio managers, investment advisers, research analysts, and AIFs. Entities are graded into five categories (MIIs, Qualified, Mid-size, Small-size, and Self-certification REs), with obligations scaled to size and systemic importance.

Q What is the Cyber Capability Index (CCI)?

The Cyber Capability Index is a scoring mechanism introduced by CSCRF to measure and monitor an entity's cyber-resilience maturity over time. Market Infrastructure Institutions and Qualified REs must assess their CCI periodically; for MIIs this includes independent third-party assessment in addition to self-assessment. It gives boards and the regulator a trended, comparable maturity score.

Q Do small SEBI-regulated entities need their own SOC?

Not necessarily their own. CSCRF requires SOC-based monitoring, but smaller entities can meet this through the Market SOC (M-SOC) facility offered via the market infrastructure institutions, or through a third-party managed SOC / SOC-as-a-Service. The obligation is continuous monitoring and detection — not necessarily building an in-house SOC from scratch.

Q Does CSCRF require CERT-In empanelled auditors for VAPT?

Yes. CSCRF requires periodic VAPT of critical systems conducted by CERT-In empanelled organisations, with findings remediated and re-validated within defined timelines and reports submitted to the relevant authority. Adayptus delivers CSCRF-aligned VAPT across web, API, and infrastructure, plus red teaming and resilience testing for higher-tier entities.

Q How can Adayptus help with CSCRF compliance?

Adayptus supports the full CSCRF lifecycle: RE-category determination and gap assessment, managed SOC / SOC-as-a-Service for continuous monitoring, CERT-In-aligned VAPT and red teaming, SBOM creation and secure code review, incident response and retainers, ISO 27001 implementation, and virtual CISO services for governance and board reporting. The engagement is scaled to your category so you meet obligations without over-building.

Q When did SEBI CSCRF come into effect?

CSCRF was published on 20 August 2024 with phased adoption. Entities already covered by earlier SEBI cyber circulars were expected to transition first, and newly-covered entity types were given more time. SEBI subsequently issued clarifications and extended certain compliance dates into 2025. Because effective dates differ by category and have been revised, confirm the current deadline for your specific category against SEBI's latest circular.

Q What is M-SOC (Market SOC)?

Market SOC (M-SOC) is a shared Security Operations Center facility offered through the market infrastructure institutions so that smaller regulated entities can meet CSCRF's continuous-monitoring obligation without building their own SOC. Entities can also use a third-party managed SOC or SOC-as-a-Service; the requirement is effective monitoring and detection, not a specific ownership model.

Q Is ISO 27001 mandatory under CSCRF?

CSCRF is built on ISO 27001-aligned controls, and higher-tier entities such as MIIs are expected to hold ISO 27001 certification. Even where formal certification is not explicitly required for a category, an ISO 27001-based ISMS is the most efficient way to satisfy much of CSCRF's Govern, Identify, and Protect requirements, because the control sets overlap heavily.


Share this Insight
CybersecurityRegulatory ComplianceAdayptus Intelligence
Peyush Baranwal

Peyush Baranwal

Senior Delivery Manager — Cyber Security, Adayptus

Peyush Baranwal is a Senior Delivery Manager at Adayptus Consulting with 11+ years of experience designing, implementing, and managing enterprise security programmes. His core expertise spans Vulnerability Assessment & Penetration Testing (VAPT), Application Security, and Security Operations — leading web, mobile, API, and infrastructure security assessments for CISOs and security teams across BFSI, healthcare, and SaaS. He focuses on measurable risk reduction, governance maturity, and operationalising detection-and-response capability. Outside work, Peyush is a passionate biker and part-time photographer.

Connect on LinkedIn

Executive Intelligence Briefing

Join top security executives receiving our curated analysis of zero-days, compliance shifts, and architectural vulnerabilities—delivered completely ad-free.

Zero Spam. Unsubscribe Anytime.