SEBI Extends Cybersecurity Compliance Deadline to August 31, 2025

The Securities and Exchange Board of India (SEBI) has granted a two-month extension for regulated entities (REs) to comply with its mandatory Cybersecurity and Cyber Resilience Framework (CSCRF). The new deadline has been extended to August 31, 2025, providing additional time for financial market participants to implement the necessary measures to safeguard against rising cyber threats.

This latest extension follows multiple requests from industry participants seeking more time to align with the cybersecurity requirements. SEBI stated that the decision was taken to ensure ease of compliance for regulated entities that are still in the process of implementing the framework.

The extension applies to all regulated entities, except for Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs), who have separate compliance timelines.

Invest in Indian Markets and Unlock Future Potential With 5paisa!

Open Account Now

Background of SEBI's Cybersecurity Initiative

SEBI unveiled the Cybersecurity and Cyber Resilience Framework in August 2024 in response to the increasing demand for strong protection of digital infrastructure in India's financial markets. The framework establishes an organised method for handling cybersecurity, outlining roles, duties, and accountability in detail to address cyber threats successfully.

The CSCRF aims to ensure that all SEBI-regulated entities maintain a strong cybersecurity posture backed by cyber resilience capabilities that enable them to prevent, withstand, and swiftly recover from cyber incidents.

Following the initial rollout of the guidelines, SEBI received several queries from stakeholders seeking clarity, prompting the regulator to issue a detailed clarification in December 2024. The deadline for implementing the framework has since been revised multiple times to accommodate industry feedback.

The initial deadline for six categories of regulated entities was set for January 1, 2025, with other entities required to comply by April 1, 2025. The deadline was first extended to March 31, 2025, then to June 30, 2025, and has now been pushed to August 31, 2025.

Way Forward for Regulated Entities

The revised deadline must be communicated to all members and participants by stock exchanges, depositories, and other market infrastructure participants. SEBI has also requested that they publish the updated circular on their websites to ensure it is widely disseminated.

Developing a robust financial system that mitigates cybersecurity risks is a priority for the regulator. Market participants are advised to utilise the additional time to complete the technological and operational improvements necessary to meet SEBI's cybersecurity criteria.