New Delhi, June 30 -- The Securities and Exchange Board of India (SEBI) has extended the deadline again for alternative investment funds (AIFs) and other selected regulated entities to implement its Cybersecurity and Cyber Resilience Framework (CSCRF).
In a circular issued on June 30, the market regulator gave these entities an additional two months, extending the implementation deadline to August 31, 2025.
This marks the second extension by the regulator. The first was announced on March 28, 2025, shifting the original deadline to June 30, 2025, except for market infrastructure institutions (MIIs), KYC registration agencies (KRAs) and qualified registrars to an Issue and share transfer agents (QRTAs).
Launched by SEBI in August 2024, CSCRF aims to "address evolving cyber threats, to align with the industry standards, to encourage efficient audits, and to ensure compliance by SEBI REs (regulated entities). The CSCRF also sets out standard formats for reporting by REs," the regulator said in a August 20, 2024, circular.
The rollout was originally intended to be staggered. Six categories of REs, which already had cybersecurity guidelines, were required to comply by January 1, 2025. All other categories of REs had to do so by April 1, 2025. These deadlines have now been revised twice.
Framework overview
The CSCRF framework follows a graded approach, with different REs required to fulfil different standards based on factors such as span of operations, number of clients, trade volume, and assets under management.
The framework is based on five cyber resiliency goals adopted from the Cyber Crisis Management Plan (CCMP), developed by the Indian Computer Emergency Response Team (CERT-In), focused on countering cyber attacks and cyber terrorism. The five goals are anticipate, withstand, contain, recover and evolve.
These goals are supported by six stated cybersecurity functions: governance, identify, protect, detect, respond and recover.
Published by HT Digital Content Services with permission from VC Circle.