
Summary: The first annual cyber security compliance deadline under the IFSCA Cyber Security and Cyber Resilience Framework (CSCRF) falls on 29 June 2026, requiring all regulated entities in GIFT City to submit their cyber security audit reports within 90 days of the close of FY 2025-26. The framework adopts a proportionate, risk-based approach rather than a uniform control model, while emphasizing operational resilience as a key pillar of GIFT City’s global financial ambitions. Although certain entities enjoy temporary exemptions under the amended framework, these exemptions apply only to compliance implementation and not to annual reporting or Designated Officer Certification requirements. Full CSCRF entities must obtain audits from qualified independent or CERT-In empanelled auditors, who must assess whether cyber controls are proportionate to actual risks. The article also highlights mandatory cyber incident reporting timelines and reminds exempt entities that full compliance becomes mandatory after the transition period ending in March 2028.

GIFT City’s First Cyber Deadline Arrives Soon. Is the Regulated Community Ready?

29 June 2026 is the first hard submission deadline under IFSCA’s CSCRF. For India’s international financial hub, this is not a box-ticking exercise – it is a credibility test.

29 June 2026 is not just a date on a regulatory calendar. It is the first real test of whether India’s GIFT City regulated community has taken its cyber security obligations seriously. Every regulated entity – from fund managers and insurance intermediaries to banking units and fintech platforms – must submit its annual cyber security audit report to IFSCA by 29 June 2026, ninety days from the close of FY 2025-26. The math has always been simple. The question is whether the preparation was equally straightforward.

Based on what we have seen in the advisory and audit space over the past few months, the answer is: not always.

What GIFT City Is Building Toward

IFSCA’s ambition for GIFT City is well documented – a global financial centre that competes with Singapore, Dubai, and London. Serious international investors and counterparties evaluate not just tax and regulatory incentives, but the underlying operational resilience of the institutions they deal with. A robust cyber security framework is not incidental to that ambition. It is foundational.

The CSCRF, issued under Circular IFSCA-CSD0MSC/13/2025-DCS, does something important. It does not prescribe a one-size-fits-all control set. It applies the principle of proportionality – asking regulated entities to calibrate their cyber risk posture to their scale, complexity, and interconnectedness with the broader financial ecosystem. That is thoughtful regulatory design. The question is whether the regulated community has responded with matching thoughtfulness.

The Exemption Trap

IFSCA’s March 2026 amendment – Circular IFSCA-CSD0MSC/1/2026-DCS – extended exemptions under Para 21 to branches of regulated entities, Global In-House Centres, and entities with fewer than 10 employees. A new Para 23 category covers foreign universities, newly incorporated standalone entities without a parent organisation, and Credit Rating Agencies.

This was a reasonable accommodation. India’s GIFT City ecosystem includes many small and newly established entities for whom building a full standalone CSCRF from scratch in year one would have been genuinely onerous.

But here is the clause that many entities appear to have missed. The exemption removes the compliance build burden. It does not remove the reporting obligation. Para 22(e) is unambiguous – even exempted entities must submit the annual cyber security audit report to IFSCA by 29 June. The Designated Officer Certification – a personal certification by the parent entity’s CISO confirming that adequate systems and processes consistent with the CSCRF are in place – must also be submitted to the respective IFSCA supervision department by the same date.

I have seen this pattern before. In the early cycles of SEBI’s cyber security framework for market intermediaries, a significant number of smaller brokers assumed that ‘exemption’ meant ‘nothing to do.’ IFSCA’s framework makes the same distinction explicit. The question is how many GIFT City entities read it carefully enough.

What the Audit Must Cover

For full CSCRF entities, the audit report is not a self-assessment. It must be prepared by a CERT-In empanelled auditor or an independent auditor holding recognised credentials – CISA, CISM, GSNA, or CISSP – with prior experience in financial services cybersecurity audits. The auditor’s responsibility goes beyond confirming that policies exist. The CSCRF explicitly requires certification that the controls implemented are proportionate to the entity’s actual risk profile.

That is a more demanding standard than a checklist audit. It requires professional judgment. An auditor who produces a policy-mapping report without assessing whether those controls are calibrated to the entity’s actual threat landscape has not met the CSCRF’s expectation.

The Clock Running Toward 2028

For entities currently operating under Para 21 or Para 23 exemptions, 29 June is the beginning of a compliance journey, not a destination. The three-year exemption window runs from March 2025. March 2028 is the effective end of the transition period – at which point full CSCRF compliance becomes non-negotiable for all regulated entities.

Two more annual cycles remain. Entities that use this window to progressively build their compliance posture – IT asset inventories, access control frameworks, incident response procedures, third-party risk registers – will find the 2028 transition manageable. Those treating the exemption as a full reprieve will face a compressed and expensive correction.

For an entity operating as a branch of a regulated Indian bank or foreign financial institution, ‘adopting the parent’s IS policy’ sounds straightforward. In practice, it requires confirming that the parent’s cybersecurity framework explicitly names the GIFT City entity within its scope, that the parent’s CISO has formally accepted the Designated Officer role, and that the parent itself is regulated in its home jurisdiction – all conditions IFSCA has made explicit in the amended circular.

One More Obligation That Cannot Wait

The CSCRF’s cyber incident reporting requirement deserves attention independent of the annual audit. Any cyber incident must be reported to IFSCA at cyber-incidents@ifsca.gov.in within six hours of detection. An interim report follows within three days. A detailed root cause analysis within thirty days. Mitigation measures within seven days.

These are not aspirational timelines. They are mandatory. And they require that detection tools, escalation protocols, and communication templates are operational before an incident – not assembled in its aftermath. Entities that have spent the past year building their compliance documentation without building their response capability have a gap worth addressing urgently.

India has built the GIFT City infrastructure. IFSCA has built a proportionate and well-designed regulatory framework. What the first submission deadline on 29 June will reveal is whether the regulated community has matched that effort with genuine cyber security preparedness – or treated it as one more form to file.

The answer to that question matters well beyond GIFT City.

– The author is Co-Founder and Cybersecurity & Privacy Practice Leader at Ascentium India and advises GIFT IFSC-regulated entities on CSCRF compliance.
