SEBI Extends Cybersecurity Compliance Deadline to Aug 31, 2025

The Securities and Exchange Board of India (SEBI) has issued a circular dated June 30, 2025, granting a two-month extension to regulated entities for complying with its Cybersecurity and Cyber Resilience Framework (CSCRF). The revised deadline now stands at August 31, 2025, offering welcome relief to entities preparing for more robust cybersecurity mandates.

This move follows multiple industry requests for more time to fully implement the framework, originally introduced by SEBI in August 2024.

What is the SEBI Cybersecurity and Cyber Resilience Framework?

The CSCRF was launched on August 20, 2024, to help protect India’s securities market from cyber threats. It mandates SEBI-regulated entities to:

• Conduct cybersecurity risk assessments
• Monitor IT infrastructure and critical systems
• Establish clear incident response plans
• Report security breaches effectively
• Train internal teams on cybersecurity awareness

The goal is to strengthen digital defenses and safeguard investor data, especially in an increasingly digital and fast-paced market environment.

Who Gets the Extension?

The extension applies to most SEBI-regulated entities, including:

• Mutual Funds
• Alternative Investment Funds (AIFs)
• Portfolio Managers
• Credit Rating Agencies
• Stock Brokers
• Depositories
• Merchant Bankers

However, Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs) are not covered by this extension. These entities must still comply with the original deadline.

Legal Basis

The circular (No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/96) was issued under Section 11(1) of the SEBI Act, 1992, which empowers SEBI to take protective measures for investor interests and ensure the orderly development of the securities market.

Stock exchanges and depositories have been instructed to communicate this extension to their members and also publish the circular on their websites to ensure wide visibility.

Impact on the Market

This extension provides:

• More preparation time for entities to implement the cybersecurity standards
• Opportunity to conduct internal training programs
• Time to invest in security infrastructure
• Better alignment with incident response protocols and reporting standards

In short, the delay offers a buffer for smooth, penalty-free implementation—ultimately promoting long-term market stability and investor trust.

FAQs

Q1. What is the new deadline for CSCRF compliance?
The new deadline is August 31, 2025 for applicable SEBI-regulated entities.

Q2. Who is not eligible for the deadline extension?
MIIs, KRAs, and QRTAs must still comply by the original deadline, as they are excluded from this extension.

Q3. Why was the extension granted?
The extension was provided after receiving requests from various entities seeking more time for proper implementation and preparedness.

Q4. What areas does the CSCRF cover?
The framework includes risk assessments, monitoring, incident handling, data protection, and employee training on cybersecurity.

Q5. Will SEBI issue penalties after the new deadline?
Yes. Entities that fail to comply even after the extended deadline could face regulatory consequences and penalties.

Conclusion

SEBI’s decision to extend the CSCRF compliance timeline shows a balanced approach—encouraging stronger cybersecurity while allowing companies enough time to prepare. It reflects the regulator’s focus on protecting market integrity without disrupting business operations.

For SEBI-regulated entities, this is a valuable opportunity to strengthen digital frameworks, invest in long-term resilience, and build a culture of cybersecurity awareness—before the clock runs out.

📅 Published on: 02 July 2025
✍️ Author: CS Chhavi Goyal