The International Financial Services Centres Authority (IFSCA), through Circular No. IFSCA-CSD0MSC/1/2026-DCS dated March 10, 2026, has amended its earlier “Guidelines on Cyber Security and Cyber Resilience for Regulated Entities in IFSCs” issued on March 10, 2025. The amendment follows representations from regulated entities (REs) highlighting challenges in complying with certain provisions of the original circular. Under the revised framework, certain categories of REs—including branches of regulated Indian or foreign entities, entities providing services only to group companies, and entities with fewer than 10 employees—are granted a three-year exemption from the circular’s requirements, subject to specified conditions. These entities must adopt the cyber security framework of their parent entity, appoint the parent entity’s CISO as the designated officer, submit certifications and annual cyber security audit reports to IFSCA, and ensure the parent entity is regulated in its home jurisdiction. Additional exemptions are provided for foreign universities in IFSCs, newly incorporated standalone entities without parent organizations, and credit rating agencies, subject to annual certification of adequate cyber security measures.

International Financial Services Centres Authority

Circular No. IFSCA-CSD0MSC/1/2026-DCS | Dated: March 10, 2026

To,
All Regulated Entities in the International Financial Services Centres (IFSCs)

Dear Madam/Sir,

Sub: Amendment to the Circular titled “Guidelines on Cyber Security and Cyber Resilience for Regulated Entities in IFSCs”

1. Reference is drawn to the circular titled “Guidelines on Cyber Security and Cyber Resilience for Regulated Entities in IFSCs” (hereinafter referred to as the “Cyber Security Circular”), dated March 10, 2025, issued by the Authority.

2. Following the issuance of the Cyber Security Circular, the Authority has received representations from various Regulated Entities (REs) highlighting the challenges faced in complying with certain provisions of the said Circular.

3. The Authority considered the representations received from the REs and has decided to amend the Cyber Security Circular as follows:

i) For para 21 of the said Circular, the following para shall be substituted, namely:-

The following categories of REs are exempted from the requirements mentioned in this Circular for a period of three (3) years from the date of its issuance:

a) The RE operating in the form of a branch of a regulated Indian or foreign entity;

b) The RE providing services to its group entities only e.g. Global In-House Centre (GIC); and

c) The RE having less than 10 employees.

ii) For para 22 of the said Circular, the following para shall be substituted, namely:-

The REs specified in para 21 shall comply with the following conditions during the exempted period:

a) The RE shall adopt the Cyber Security and Cyber Resilience framework and IS Policy of its parent entity or the holding company of such parent entity;

b) The CISO of the parent entity shall act as the Designated Officer for the RE;

c) The parent entity or the holding company of such parent entity of the RE, in India or overseas, must be regulated by a regulator/ Government Body in its home jurisdiction;

d) The Designated Officer of the RE shall certify that all the necessary systems/processes, in line with these Guidelines, have been put in place, and shall submit the same to the respective supervision Department/ Division of IFSCA within ninety (90) days of the end of each financial year; and

e) The RE shall submit the annual cyber security audit report to IFSCA.

iii) After para 22 of the said Circular, the following para shall be inserted, namely:-

23. The following categories of REs are exempted from the requirements mentioned in this Circular for a period of three (3) years from the date of its issuance:

a) Foreign university set up in the IFSC;

b) The RE which has been established as newly incorporated standalone entity within the IFSC and does not have any parent organisation; and

c) Credit Rating Agency.

Provided that the Designated Officer of such RE shall, during the exempted period, certify that the RE has implemented adequate cybersecurity measures proportionate to its risk exposure, and shall submit the same to the respective supervision Department/ Division of IFSCA within ninety (90) days of the end of each financial year.

4. This Circular is issued in exercise of powers conferred by Section 12 and 13 of the International Financial Services Centres Authority Act, 2019, to develop and regulate the financial services market in the International Financial Services Centre, and shall come into effect immediately.

A copy of this circular is available on the website at www.ifsca.gov.in

Yours Faithfully,

Praveen Kamat
General Manager & Chief Information Security Officer
Division of Cyber Security
praveen.kamat@ifsca.gov.in
Tel: +91-079-61809820
