SEBI Tightens Cybersecurity Rules: New Compliance Categories for Regulated Entities [Read Circular]
SEBI updates its cybersecurity rules, categorizing regulated entities by size and risk, with simplified requirements for smaller firms and a compliance deadline of June 30, 2025.
![SEBI Tightens Cybersecurity Rules: New Compliance Categories for Regulated Entities](https://www.taxscan.in/wp-content/uploads/2025/05/SEBI-Cybersecurity.jpg)
The Securities and Exchange Board of India (SEBI) introduced a comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) on August 20, 2024, to strengthen the cyber defences of regulated entities (REs) in the securities market. In response to industry feedback and requests for clarifications and extensions, SEBI released an updated circular on April 30, 2025, refining the classifications, obligations, and compliance expectations.
1. Categories Based on Size and Risk
SEBI has divided all regulated entities into categories based on how many clients they serve or how much trading volume they handle. Once an entity is placed in a category at the start of the financial year, it remains in that category for the whole year.
For Stock Brokers:
| Category | Number of Clients | Trading Volume (Rs. /Year) |
|---|---|---|
| Qualified RE | Over 10 lakh clients | Over Rs. 10 lakh crore |
| Mid-size RE | 1–10 lakh clients | Rs. 1–10 lakh crore |
| Small-size RE | 10,000–1 lakh clients | Rs. 10,000–1 lakh crore |
| Self-certification | 1,000–10,000 clients | Rs. 1,000–10,000 crore |
A broker with fewer than 1,000 clients and an annual trading volume under Rs. 1,000 crore is exempt from these rules.
2. What About Other Financial Entities?
- Depository Participants (DPs): Follow the stock broker rules. If they have fewer than 100 clients, they do not need advanced cybersecurity tools.
- Investment Advisers (IAs) and Research Analysts (RAs):
  - If they are registered only as IAs or RAs (and not in other roles), they are exempt.
  - If they hold multiple roles, they follow the strictest rule among them.
  - BSE will now handle their cybersecurity compliance for 5 years starting July 2024.
- KYC Registration Agencies (KRAs): Classified as Qualified REs (the highest category).
- Portfolio Managers: If they manage less than Rs. 3,000 crore and have fewer than 100 clients, they are exempt from some cyber rules.
- AIFs and VCFs (Alternative Investment Funds and Venture Capital Funds): Categorized based on the manager's total fund size.
- Merchant Bankers:
  - Those handling IPOs, buybacks, etc. = Mid-size REs
  - Others = Small-size REs
- Registrars and Transfer Agents: Exempt if they serve fewer than 100 clients.
3. Cloud Security Requirements
Entities using cloud services must deploy dedicated secure hardware in the form of a Hardware Security Module (HSM):
- Mandatory for Qualified REs and Market Infrastructures (like stock exchanges).
- Optional for others, but they must document the decision and get board approval.
4. Deadlines and Compliance
- Regulated entities must comply with the updated rules by June 30, 2025.
- From financial year 2025–26, all cybersecurity audits must be conducted against the updated framework.
- Stock exchanges and BSE must update their rules and inform all relevant entities.
In short, SEBI has eased the burden on smaller firms by exempting them from the heavier cybersecurity requirements, while larger players must follow stricter rules. Entities should determine which category they fall into and take steps to comply before the June 30, 2025 deadline.