SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), issued in August 2024, is the single consolidated cyber standard for India's capital markets. It supersedes every earlier SEBI cybersecurity circular and is organised around five NIST-style functions — Governance, Identify, Protect, Detect, Respond and Recover — applied through a tiered compliance model.

The four tiers are: Market Infrastructure Institutions (MIIs — exchanges, clearing corporations, depositories), Qualified Registrars to an Issue and Share Transfer Agents (QRTAs), larger intermediaries (RE-T1) and smaller intermediaries (RE-T2/T3). Obligations scale by tier: MIIs face quarterly VAPT, 24x7 SOCs and twice-yearly DR drills; smaller intermediaries may use shared SOCs and annual cycles.

Signature CSCRF mechanisms include the Cyber Capability Index (CCI) — an annual self-assessment maturity score submitted to SEBI — mandatory CISO appointments with board reporting lines, board-level cybersecurity committees, and 6-hour incident reporting to SEBI's Cybercell run in parallel with CERT-In.

Enforcement flows through SEBI's adjudication machinery under the SEBI Act: monetary penalties, directions, suspension of activities and — for repeat offenders — cancellation of registration. Because most SEBI REs are also Data Fiduciaries under the DPDP Act, a single investor-data breach can now trigger SEBI, CERT-In and Data Protection Board proceedings simultaneously.

Work through the layers below to map your tier, your control gaps, your filing calendar and your penalty exposure.