SEBI has extended the deadline for regulated entities (REs), excluding Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs), to adopt and implement the Cybersecurity and Cyber Resilience Framework (CSCRF). The new deadline is June 30, 2025, a three-month extension from the original date. This decision follows multiple requests from REs seeking more time for compliance. SEBI had previously issued the CSCRF in August 2024 and provided clarifications in December 2024. The extension aims to ease compliance for the affected entities. Stock exchanges and depositories are instructed to inform their members and participants about this change. The circular, effective immediately, is issued under SEBI’s regulatory authority to protect investor interests and regulate the securities market.
Securities and Exchange Board of India
Circular No. SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2025/45 Dated: March 28, 2025
To,
All Alternative Investment Funds (AIFs)
All Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
All Collective Investment Schemes (CIS)
All Credit Rating Agencies (CRAs)
All Custodians
All Debenture Trustees (DTs)
All Depositories
All Designated Depository Participants (DDPs)
All Depository Participants through Depositories
All Investment Advisors (IAs) / Research Analysts (RAs)
All KYC Registration Agencies (KRAs)
All Merchant Bankers (MBs)
All Mutual Funds (MFs)/ Asset Management Companies (AMCs)
All Portfolio Managers
Association of Portfolio Managers in India (APMI)
All Registrar to an Issue and Share Transfer Agents (RTAs)
All Stock Brokers through Exchanges
All Stock Exchanges
All Venture Capital Funds (VCFs)
Dear Sir / Madam,
Subject: Extension towards Adoption and Implementation of Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)
1. Recognising the need for robust cybersecurity measures and protection of data and IT infrastructure, Securities and Exchange Board of India (SEBI) has issued ‘Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)’ vide circular SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024. Upon receipt of various queries from REs seeking clarification on the aforementioned circular, SEBI has also issued ‘Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)’ vide circular SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2024/184 dated December 31, 2024.
2. SEBI had received multiple requests for CSCRF compliance timelines extension to ensure ease of compliance for them. Therefore, it has been decided to extend the compliance timelines by three (3) months, i.e., till June 30, 2025 to all REs, except Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs).
3. Stock Exchanges/ Depositories are directed to:
3.1. Bring the provisions of this circulars to the notice of their members/ participants and also disseminate the same on their websites.
4. The provisions of this Circular shall come into force with immediate effect.
5. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
6. This circular is issued with the approval of Competent Authority. Page 2 of 3
7. This circular is available on SEBI website at www.sebi.gov.in under the category “Legal” and drop “Circulars”.
Yours faithfully,
Shweta Banerjee
General Manager
Phone: 022-26449509
Email: shwetas@sebi.gov.in
