In a significant relief to SEBI-regulated entities (REs), the Securities and Exchange Board of India has officially extended the deadline for adopting the Cybersecurity and Cyber Resilience Framework (CSCRF) to June 30, 2025.
This extension comes as a result of numerous industry appeals for additional preparation time, considering the operational and strategic overhaul CSCRF demands from regulated entities.
But let’s break it down, what does this really mean for your organization?
What Is SEBI’s CSCRF?
The CSCRF, introduced in August 2024, is part of SEBI’s broader initiative to tighten the cybersecurity standards across India’s capital markets (Here’s a detailed breakdown of the CSCRF framework). It mandates regulated entities to:
Establish a Board-approved cybersecurity policy
Perform regular Vulnerability Assessments and Penetration Testing (VAPT)
Implement Security Operation Centers (SOC)
Ensure Incident Response and Recovery protocols are active
Continuously monitor cyber threats
Submit periodic audit reports and gap analyses
The framework aims to strengthen cyber resilience, protect sensitive investor data, and ensure the uninterrupted functioning of India’s financial markets.
Who Gets the Extension?
The extended deadline of June 30, 2025, applies to most regulated entities under SEBI’s purview, including brokers, AMCs, mutual funds, portfolio managers, investment advisors, etc.
However, no extensions have been granted to:
Market Infrastructure Institutions (MIIs)
KYC Registration Agencies (KRAs)
Qualified Registrars to an Issue and Share Transfer Agents (QRTAs)
These entities are expected to adhere to the original compliance timelines as outlined in SEBI’s 2024 circular.
Why the Extension Matters
Let’s be real, compliance isn’t just about ticking off a checklist. It involves integrating cybersecurity into the very DNA of your operational framework. With SEBI now giving entities more breathing room, this is the moment to move from compliance for the sake of it to compliance with confidence.
Here’s what you should be doing during this extension window:
Conduct a gap analysis aligned with SEBI’s CSCRF control measures
Invest in automation tools to streamline evidence collection and reporting
Engage with cybersecurity experts to operationalize your framework
Stay audit-ready, not just on paper, but in practice
Final Word
This isn’t just about SEBI or deadlines , it’s about showing stakeholders that your cybersecurity posture is proactive, resilient, and aligned with global best practices. With CSCRF, SEBI is sending a clear message: cybersecurity is no longer optional.
Ready to prepare for CSCRF the right way?
Talk to the experts at Zeron.
