SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) introduces a structured approach to cybersecurity compliance for all Regulated Entities (REs) in the Indian securities market. This comprehensive guide focuses specifically on Self-certification REs and breaks down the mandatory and optional controls they must implement to maintain compliance with this crucial framework.
Introduction to CSCRF and Self-Certified REs
SEBI issued the Cybersecurity and Cyber Resilience Framework (CSCRF) for Regulated Entities on August 20, 2024, with the aim of strengthening cybersecurity measures and ensuring adequate cyber resiliency across the securities market ecosystem. The framework follows a graded approach, classifying REs into five distinct categories based on their operational scope and specific thresholds:
Self-certification REs represent entities that fall below certain operational thresholds established by SEBI. As the name suggests, these organizations can self-certify their compliance rather than requiring external audit validation in all cases, though they must still implement all applicable controls.
It's worth noting that SEBI has recently extended the compliance timeline for all REs (except MIIs, KRAs, and QRTAs) until June 30, 2025, providing Self-certification REs additional time to implement the necessary controls.
Mandatory Controls for Self-Certified REs
The following controls are explicitly marked as "Mandatory" for Self-certification REs based on the CSCRF framework:
Governance Controls (GV)
Identification Controls (ID)
Protection Controls (PR)
Other Applicable Controls for Self-Certified REs
Beyond mandatory controls, several other requirements apply to Self-certification REs but are not explicitly marked as "Mandatory":
Implementation Timeline Extension
SEBI has recognized the complexity of implementing comprehensive cybersecurity controls and has therefore extended the compliance timeline for most REs. As per Circular SEBI/HO/ITD-1/ITD/CSC/EXT/P/CIR/2025/45 dated March 28, 2025, Self-certification REs now have until June 30, 2025, to achieve full compliance with the CSCRF framework.
Addendum: CSCRF Implementation Using Ofofo.ai, Acronis, and Cloudflare Access ZTNA
Ofofo.ai, an agentic AI company specializing in CSCRF compliance management, offers a comprehensive solution for Self-certification REs that integrates with industry-leading security tools like Acronis End Point Protection and Cloudflare Access ZTNA. Here's how these technologies map to specific CSCRF controls:
Acronis End Point Protection Implementation
Acronis helps Self-certification REs meet several critical CSCRF requirements:
Cloudflare Access ZTNA Implementation
Cloudflare Access ZTNA enables Self-certification REs to implement:
Ofofo.ai's Agentic AI for CSCRF Compliance
Ofofo.ai's agentic AI platform enhances CSCRF compliance through:
Conclusion
Self-certification REs must navigate a comprehensive set of cybersecurity controls under SEBI's CSCRF framework, balancing mandatory and recommended requirements. With the compliance deadline extended to June 30, 2025, these organizations now have additional time to implement necessary controls.
By leveraging integrated solutions like Ofofo.ai's agentic AI platform in conjunction with Acronis End Point Protection and Cloudflare Access ZTNA, Self-certification REs can efficiently meet CSCRF requirements while maintaining robust cybersecurity postures appropriate to their operational scale and risk profile.
Remember that this guide provides an overview of CSCRF requirements for Self-certification REs, but each organization should carefully review the complete framework to ensure full compliance by the extended deadline.
Frequently asked questions by Self-Certified REs
SEBI CSCRF Compliance: Key Exemptions for Self-Certified REs
Below are simplified answers to common questions about requirements that do NOT apply to Self-Certified REs under SEBI’s CSCRF framework but are mandatory for other RE categories (MIIs, Qualified, Mid-size, and Small-size REs).
1. Do Self-Certified REs need to conduct background checks on third-party vendors?
No.
Self-Certified REs are exempt from mandatory third-party vendor background checks, unlike MIIs and Qualified REs, which must verify vendors’ cybersecurity compliance.
2. Do Self-Certified REs require CERT-In empanelled audits?
No.
Periodic cyber audits by CERT-In empanelled organizations are optional for Self-Certified REs. Other REs must conduct these audits annually or half-yearly.
3. Do Self-Certified REs need a Chief Information Security Officer (CISO)?
No.
Only MIIs and Qualified REs must appoint a full-time CISO. Self-Certified REs can rely on senior management or external experts for cybersecurity oversight.
4. Do Self-Certified REs need an external consultant in the IT Committee?
No.
Self-Certified REs are not required to form a dedicated IT Committee. Mid-size and larger REs must have one with external cybersecurity experts.
5. Do Self-Certified REs need ISO 27001 certification?
No.
ISO 27001 certification is mandatory only for MIIs and Qualified REs. Self-Certified REs can adopt its principles voluntarily.
6. Do Self-Certified REs need to conduct red teaming exercises?
No.
Red teaming (simulated cyberattacks) is required only for MIIs and Qualified REs. Self-Certified REs focus on basic threat monitoring.
7. Do Self-Certified REs need to measure SOC efficacy?
No.
Self-Certified REs using third-party SOC services (like Market SOC) don’t need to measure SOC performance. MIIs and Qualified REs must evaluate SOC efficacy twice yearly.
8. Do Self-Certified REs need comprehensive risk assessments?
No.
In-depth risk assessments (e.g., post-quantum risks) are optional. Other REs must perform these assessments annually.
9. Do Self-Certified REs need strict data localization?
No.
Self-Certified REs can use global SaaS tools without storing all data in India. Larger REs must ensure critical data resides within India.
10. Do Self-Certified REs need complex contingency plans?
No.
Self-Certified REs aren’t required to maintain detailed disaster recovery systems (e.g., golden server images). MIIs and Qualified REs must test recovery plans twice yearly.
11. Do Self-Certified REs need to audit 100% of their IT systems?
No.
Cyber audits for Self-Certified REs are optional. Qualified and Mid-size REs must audit 100% of critical systems and 25% of non-critical systems annually.
12. Do Self-Certified REs need to implement AI-driven threat detection?
No.
Advanced AI/ML security tools are optional. MIIs and Qualified REs must deploy such technologies for real-time threat analysis.
13. Do Self-Certified REs need to conduct root-cause analysis (RCA) for incidents?
No.
Only Mid-size and Qualified REs must perform RCA for major incidents. Self-Certified REs focus on basic incident reporting to SEBI within 24 hours.
Why These Exemptions Exist
SEBI’s CSCRF follows a graded approach, recognizing that Self-Certified REs have smaller operations and limited IT infrastructure. Their focus is on essential controls like endpoint security (e.g., Acronis), zero-trust access (e.g., Cloudflare ZTNA), and basic governance. Larger REs face stricter rules due to systemic risks and larger attack surfaces.
For more details, refer to:
Check out Ofofo.ai to implement CSCRF through Agentic AI for Self-certification REs.