Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesIndia Compliance

SEBI CSCRF: the compliance guide for regulated entities

SEBI's Cybersecurity and Cyber Resilience Framework consolidates years of circulars into one graded standard. Here is what it means for your firm.

8 min read

SEBI introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) to bring its regulated entities under a single, consistent cyber standard, replacing a patchwork of earlier circulars. It applies across market participants and is graded by the size and nature of the entity.

CSCRF is notable for framing security as resilience: not just preventing incidents, but anticipating, withstanding, containing, recovering from, and learning from them. This guide explains what that means in practice.

Key takeaways
  • CSCRF consolidates SEBI's prior cyber circulars into one graded framework.
  • It applies across regulated entities, from stockbrokers and AMCs to depositories and KRAs.
  • Requirements are graded by entity size and are built around five cyber-resilience goals.
  • SOC coverage, VAPT, cyber audit, and incident reporting are core obligations.

Who it applies to

CSCRF covers SEBI Regulated Entities (REs), a broad set that includes stockbrokers and depository participants, asset management companies and mutual funds, KYC registration agencies, clearing corporations, depositories, and other intermediaries. Obligations are graded, so smaller REs face a proportionate subset while larger ones face the full standard.

The five resilience goals

CSCRF organises requirements around cyber-resilience outcomes rather than a flat control checklist:

  • Anticipate: understand your risks, assets, and exposure before incidents occur.
  • Withstand: put controls in place to resist attacks.
  • Contain: limit the blast radius when something gets through.
  • Recover: restore operations quickly and predictably.
  • Evolve: learn from incidents and continuously improve.

Core obligations and how to meet them

In practice CSCRF expects Security Operations Centre coverage (in-house, a market SOC, or a managed SOC), regular VAPT, periodic cyber audit, governance and reporting structures, and time-bound incident reporting to SEBI and CERT-In.

The efficient path is to unify these: continuous monitoring and detection support the resilience goals, automated evidence supports the audit, and a single risk view keeps governance honest. That avoids running each requirement as a separate, manual project.

Frequently asked questions

Who must comply with SEBI CSCRF?
SEBI Regulated Entities, including stockbrokers, depository participants, AMCs, mutual funds, KRAs, clearing corporations, and depositories. Requirements are graded by entity size and type.
What is new about CSCRF versus earlier SEBI circulars?
CSCRF consolidates prior cyber circulars into one framework and reframes the goal as cyber resilience, built around anticipate, withstand, contain, recover, and evolve, rather than a flat checklist.
Do smaller entities get a lighter set of requirements?
Yes. CSCRF is graded, so smaller regulated entities face a proportionate subset while larger entities face the full standard.
How does NMT help with CSCRF?
NMT provides continuous monitoring and detection, runs VAPT, automates audit evidence and control mapping, and gives a single risk view aligned to the five resilience goals.

Meet CSCRF without the scramble

Unify monitoring, VAPT, and audit evidence in one platform. See your exposure first with a free check.

Run a free check
Related
SEBI CSCRF compliance solution Guide: What is VAPT? Guide: RBI Cybersecurity Framework