The Securities and Exchange Board of India (SEBI) has issued clarifications on its Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities, extending compliance deadlines and offering regulatory forbearance. This decision, announced on Tuesday, comes in response to feedback and queries from stakeholders since the framework’s introduction in August 2023.
Key Highlights:
- Compliance Deadline Extensions:
- The initial compliance deadline of January 1, 2025, has been extended to March 31, 2025.
- For KYC registration agencies (KRAs) and depository participants, the deadline has been further extended to April 1, 2025.
- Regulatory Forbearance:
SEBI has granted a forbearance period until March 31, 2025, during which regulated entities will not face penalties for non-compliance, provided they demonstrate progress in implementing cybersecurity measures. - Data Localisation Guidelines on Hold:
The guidelines related to data localisation under the framework have been temporarily paused for further consultation and will be notified at a later date.
Framework Overview:
The CSCRF aims to bolster the cybersecurity resilience of SEBI-regulated entities by mandating measures to withstand, respond to, and recover from cyber threats effectively. These efforts are critical to safeguarding the Indian securities market from rising cyber risks.
SEBI’s Stance:
SEBI highlighted the significance of the CSCRF in adapting to technological advancements and cyber risks. The framework is designed to enhance the resilience of regulated entities, ensuring swift recovery from cyber incidents while minimising disruptions to market operations.
The extensions and clarifications underline SEBI’s commitment to balancing robust cybersecurity with practical implementation timelines for market participants.
