SEBI further extends timeline for implementation of Cybersecurity framework for regulated entities

SEBI extends timeline for implementation of Cybersecurity

Market regulator Securities and Exchange Board of India (SEBI) has extended timeline for implementation of Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities.

In a circular issued on Monday, SEBI said, “SEBI has received multiple requests for CSCRF compliance timelines extension to ensure ease of compliance for them. Therefore, it has been decided to extend the compliance timelines by two (2) months, i.e., till August 31, 2025 to all REs, except Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs)”.

The deadline for compliance has been extended multiple times. The immediate deadline was expiring on June 30th. SEBI had come out with a circular in August 2024. SEBI had set a deadline for six categories of regulated entities where cybersecurity and cyber resilience circular already exists as January 01, 2025. For other regulated entities the timeline was 1st April 2025.

Also read: Crackdown on ‘furus’ starts: Meta mandates SEBI verification for investment ads

But through December 2024 circular, SEBI extended the deadline from January 1, 2025, to March 31, 2025. In March 2025 it was again extended to June 30th 2025.

The purpose of SEBI’s, CSCRF is to have a structured approach to cybersecurity management within financial institutions. Under the cyber risk guideline ensures the establishment of clear roles, responsibilities, and accountability for managing cybersecurity risks. Timely detection, reporting and mitigation of cybersecurity incidents has been described under the cyber security framework.

Also read: SEBI proposes reduced IT capacity for commodity stock exchanges citing underutilisation