SEBI's Revised CSCRF Framework: Comprehensive Breakdown of Updated Compliance Requirements as per New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60)

Mohammed Zabeeh
May 2, 2025
SEBI CSCRF

Revised Categorization Thresholds: Historical vs. Current Requirements

1. Stock Brokers

Previous Circular (August 2024 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113):

Categorized solely by active client base (Unique Client Code, UCC). The tiers were defined as: Qualified REs for more than 5 lakh active clients; Mid-size for 50,000–5,00,000 clients; Small-size for 10,000–50,000; and Self-certification for less than 10,000 clients. Additionally, brokers not offering Internet-Based Trading (IBT) or Algo trading could remain in a lower tier despite higher client count.

Active Client-base by RE Category

| Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
|---|---|---|---|---|
| Active client-base (active as per UCC) | ≤ 10,000 active clients and no IBT/Algo facility | > 10,000 up to 50,000 active clients with IBT/Algo facility | > 50,000 up to 5,00,000 | > 5,00,000 |

New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60):

Introduces a dual-parameter classification system based on total clients and annual trading volume. A stock broker is classified in the highest applicable category if either parameter crosses a threshold. The thresholds for each tier are expanded significantly:

  • By client count:
    • Self-certification for 1,000–10,000 clients;
    • Small-size for >10,000 up to 1 lakh;
    • Mid-size for >1 lakh up to 10 lakh;
    • Qualified for >10 lakh clients.
  • By annual trading volume:
    • Self-certification for ₹1,000–10,000 crore;
    • Small-size for >₹10,000 up to ₹1,00,000 crore;
    • Mid-size for >₹1 lakh crore up to ₹10 lakh crore;
    • Qualified for >₹10 lakh crore.

Registered Clients and Annual Trading Volume

| Parameter | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
|---|---|---|---|---|
| Total number of registered clients | 1,000 – 10,000 | > 10,000 up to 1,00,000 | > 1,00,000 up to 10,00,000 | > 10,00,000 |
| Annual trading volume (₹ crore) | 1,000 – 10,000 | > 10,000 up to 1,00,000 | > 1,00,000 up to 10,00,000 | > 10,00,000 |
Exemption
Brokers with < 1,000 clients and < ₹1,000 crore annual trading volume are fully exempted from the CSCRF requirements.

Impact
Approximately 40% of small brokers now fall outside the framework, potentially reducing compliance costs by an estimated ₹2–3 crore annually for each such entity (costs that would have been incurred on security infrastructure and audits).
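As an added worked example (not from the circular or this article), the following Python helper encodes the dual-parameter rule and the full-exemption condition described above for stock brokers. It assumes the "1,000 to 10,000" bands are inclusive at both ends and that a parameter below its floor places the broker in no tier on its own, so only the other parameter decides.

```python
"""Constructed helper: classify a stock broker under the April 2025 CSCRF
thresholds (assumption-labelled; not an official SEBI tool)."""

# Tier order from lightest to heaviest obligation.
TIERS = ["Self-certification", "Small-size", "Mid-size", "Qualified"]

# Inclusive upper bound of each band; the last tier is open-ended.
# Clients are a head-count; volume is annual trading volume in INR crore.
# 1 lakh = 100,000 and 10 lakh = 1,000,000 (the "1,00,000" / "10,00,000" cells).
CLIENT_BANDS = [10_000, 100_000, 1_000_000]
VOLUME_BANDS_CRORE = [10_000, 100_000, 1_000_000]

# Floor of the lowest band. Assumption: below the floor a parameter does not
# trigger any tier by itself; the broker is exempt only if BOTH are below.
CLIENT_FLOOR = 1_000
VOLUME_FLOOR_CRORE = 1_000


def _tier_index(value, floor, bands):
    """Map one parameter to a tier index, or None when it is below the floor."""
    if value < floor:
        return None
    for idx, upper in enumerate(bands):
        if value <= upper:
            return idx
    return len(bands)  # above every band: Qualified


def classify_stock_broker(clients: int, annual_volume_crore: float) -> str:
    """Dual-parameter rule: the broker lands in the highest tier that either
    parameter reaches. Full exemption needs BOTH parameters below the floors
    (the circular's AND condition), not just one of them."""
    if clients < CLIENT_FLOOR and annual_volume_crore < VOLUME_FLOOR_CRORE:
        return "Exempt"
    candidates = [
        _tier_index(clients, CLIENT_FLOOR, CLIENT_BANDS),
        _tier_index(annual_volume_crore, VOLUME_FLOOR_CRORE, VOLUME_BANDS_CRORE),
    ]
    # At least one candidate is not None here, because the exemption
    # branch above already handled the case where both are below floor.
    return TIERS[max(i for i in candidates if i is not None)]


if __name__ == "__main__":
    # Constructed sample brokers (clients, annual volume in INR crore).
    samples = [(500, 800), (999, 1_000), (10_001, 5_000), (2_000, 150_000)]
    for clients, volume in samples:
        print(clients, volume, "->", classify_stock_broker(clients, volume))
```

The second sample shows the AND condition: 999 clients alone would be exempt, but ₹1,000 crore of volume pulls the broker into Self-certification.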

2. Depository Participants (DPs)

Previous Circular (August 2024 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113):

All institutional DPs were classified as Qualified REs by default, regardless of scale or operations, while non-institutional DPs fell into lower tiers. In practice, this meant most bank-affiliated or large DPs faced the highest compliance obligations.

DP Type and Previous Classification

| Type of DP | Classification (Previous) |
|---|---|
| Non-institutional DP | Mid-size RE |
| Institutional DP | Qualified RE |

New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60):

Adopts an activity-based classification. If a DP is dual-registered as a stock broker, it must be classified per the stock broker criteria (i.e. potentially in a lower category if its client/volume metrics are small). A “pure” DP (registered only as DP and not as a broker or bank) is treated as a Qualified RE by default. However, DPs with fewer than 100 clients are exempted from the requirement to maintain a dedicated Security Operations Center (SOC) or to onboard to the shared Market-SOC service. Such small DPs can thus avoid the heavy cost of 24x7 SOC monitoring.

DP Registration and CSCRF Classification

| DP Registration | Classification for CSCRF (New) |
|---|---|
| DP is also a Stock Broker | Categorize based on stock broker criteria (as per client count/volume) |
| DP (not a Stock Broker/Bank) | Qualified RE (default category) |
Rationale
This approach aligns with SEBI’s risk-based philosophy – a DP that also handles brokerage activities is categorized by the higher of its risk parameters, whereas a standalone DP handling a limited client base can operate with reduced burdens.

Further Relief
DPs having <100 clients no longer need to engage an SOC provider or join the Market-SOC, markedly lowering compliance overhead for the smallest DPs.

3. KYC Registration Agencies (KRAs)

Previous Circular (August 2024 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113):

KRAs were treated as part of Market Infrastructure Institutions (MIIs), facing some of the most stringent requirements. This included semi-annual CERT-In audits, real-time SOC monitoring, and mandatory maintenance of certifications like ISO 27001 for information security.

New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60):

KRAs are downgraded to the Qualified RE category (no longer in the MII-equivalent tier). Compliance requirements have been correspondingly relaxed: annual internal audits can replace the previous half-yearly CERT-In audit mandate, SOC monitoring frequency is reduced (e.g. weekly reporting instead of real-time), and obtaining an ISO 27001 certification is now optional rather than mandatory.

Savings
This reclassification is significant – KRAs are expected to save on the order of ₹2–3 crore annually in compliance costs due to reduced audit and infrastructure requirements, without materially impacting the security of the KYC data they handle.

4. Portfolio Managers (PMs)

Previous Circular (August 2024 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113):

A four-tier structure based on Assets Under Management (AUM) was in place. Portfolio management firms with AUM > ₹5,000 crore were classified as Qualified REs, those with ₹1,000–5,000 crore as Mid-size, ₹500–1,000 crore as Small-size, and those below ₹500 crore as Self-certification REs.

New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60):

The categorization is streamlined into two tiers for portfolio managers, eliminating the Qualified and Small-size categories for this segment. Now, Mid-size RE includes any PM with AUM > ₹3,000 crore, and Self-certification RE covers AUM up to ₹3,000 crore. No PM is currently expected to fall under a “Qualified” category. Additionally, an important exemption is introduced: portfolio managers who qualify as Self-certification REs and have fewer than 100 clients are exempt from the requirement to onboard to the centralized Market-SOC (managed SOC) service. They still must implement baseline cybersecurity requirements, but need not maintain a full-fledged 24x7 SOC either in-house or via the market SOC, given their limited client base.

Outcome
With the threshold raised to ₹3,000 crore for the higher tier, about 60% of registered portfolio managers now qualify for the lighter self-certification category under CSCRF, reducing their compliance burden. Small PMs with very limited clientele (e.g. <100 clients) especially benefit by avoiding mandatory SOC expenses while still adhering to core cybersecurity practices.

5. Alternative Investment Funds (AIFs) & Venture Capital Funds (VCFs)

Previous Circular (August 2024 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113):

Classification was done at the individual fund level (scheme level). Each AIF/VCF fund was categorized by its own corpus size, with thresholds (for Self/Small/Mid/Qualified) defined per fund’s AUM. This potentially allowed large fund managers to split assets across multiple smaller funds to appear in lower categories.

New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60):

Manager-level aggregation is now used – the categorization is based on the combined corpus of all AIF/VCF schemes managed by the same manager. In other words, an AIF/VCF manager with multiple funds will be classified according to the total assets of all those funds taken together, preventing any dilution of compliance obligations through fund fragmentation. The revised thresholds are as follows:

  • Self-certification RE: Total corpus ≤ ₹3,000 crore (across all AIF/VCF schemes under the manager).
  • Small-size RE: Total corpus > ₹3,000 crore up to ₹10,000 crore.
  • Mid-size RE: Total corpus > ₹10,000 crore. (No “Qualified” category is explicitly applied to AIF/VCF managers under the new framework; the mid-size tier effectively serves as the highest rung for this segment.)

Managers with < 100 investors (across all their funds combined) are exempt from the mandatory Market-SOC onboarding requirement, similar to the exemption for small portfolio managers. They must still implement appropriate cybersecurity measures, but the highest-tier SOC monitoring can be avoided at such a small scale.

Strategic Shift
This manager-centric approach closes the loophole of large AIF/VCF operators potentially avoiding strict controls by spreading assets over several smaller funds. Now, the compliance burden is commensurate with the true scale of assets managed by an entity.

6. Merchant Bankers (MBs)

Previous Circular (August 2024 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113):

Requirements for Merchant Bankers were mostly uniform, with some categorization based on institutional affiliations. For example, any merchant banker that was part of a large conglomerate or a Systemically Important Financial Institution (SIFI) was deemed a Qualified RE, those involved in issue management activities (IPO/FPO, buybacks, etc.) were Mid-size, and all others were Small-size REs by default.

Merchant Banker Type and Previous Category

| Merchant Banker Type | Category (Previous) |
|---|---|
| Part of a conglomerate/SIFI group | Qualified RE |
| Actively engaged in issue management (IPO, etc.) | Mid-size RE |
| Primarily advisory (no public issue management) | Small-size RE |

New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60):

Emphasizes activity-based categorization more clearly. Any merchant banker engaged in issue management activities – including managing or co-managing public issues (IPOs/FPOs, including SME IPOs), public offers by REITs/InvITs, buy-backs, delistings, or open offers under takeover regulations – is classified as a Mid-size RE. All other merchant bankers (those providing only advisory or consulting services without handling public issue management) are classified as Small-size REs. (None are automatically treated as Qualified REs unless they separately fall into that category by virtue of being part of an MII or other criteria outside the merchant banking activity scope.)

Impact
IPO-focused merchant bankers face stricter controls under CSCRF (since they are Mid-size REs under the framework, with more extensive obligations), while pure advisory firms enjoy relaxed standards as Small-size REs. This differentiation ensures that entities directly involved in handling public issuances – which carry higher risk and larger investor impact – implement stronger cyber resilience measures.

7. Investment Advisers (IAs) & Research Analysts (RAs)

Previous Circular (August 2024 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113):

All non-individual IAs and RAs were generally classified as Small-size REs, meaning even standalone advisory or research entities had to comply with baseline CSCRF provisions (albeit the lighter tier).

New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60):

Full exemption from the CSCRF framework is now granted to standalone investment advisers and research analysts. If an IA or RA is not registered with SEBI in any other capacity (i.e., they operate solely as an adviser or analyst), they are not required to comply with CSCRF at all. However, if an IA/RA is dual-registered in another regulated capacity (for instance, someone who is both a Research Analyst and a stock broker, or an IA who is also a portfolio manager), then the entity must comply with the CSCRF requirements of the highest applicable category among those registrations. In practice, that means a dual-registered intermediary cannot avoid stringent requirements just because one of its roles (IA/RA) is exempt.

Another key change is that the reporting authority for IAs and RAs’ cybersecurity compliance has been shifted to BSE Ltd. (Bombay Stock Exchange). BSE will act as the monitoring authority for CSCRF compliance of all IAs/RAs for five years starting July 25, 2024. This implies that until July 2029, investment advisers and research analysts will report their cyber resilience status to BSE (which consolidates and oversees this segment’s compliance), rather than directly to SEBI.

Significance
These changes remove the compliance burden entirely for approximately 8,000 standalone advisers and analysts, allowing them to focus on their core advisory functions without the overhead of a formal cyber resilience framework. At the same time, the transitional oversight by BSE ensures that even exempt IAs/RAs maintain some level of monitoring and that any multi-licensed entities adhere to the necessary standards via their other registrations.

8. Registrars to an Issue & Share Transfer Agents (RTAs)

Previous Circular (August 2024 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113):

RTAs were not explicitly differentiated by size in the original framework – all RTAs were expected to comply with the CSCRF appropriate to their category (which was generally equivalent to a Small or Mid-size RE, depending on their functions). No specific client-based exemption was provided earlier.

New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60):

A specific relief has been introduced for smaller RTAs. RTAs with fewer than 100 clients are exempted from the requirement of employing dedicated SOC services or onboarding to the Market-SOC. In essence, if an RTA serves a very small number of issuers/investors (under 100), it need not maintain a full-scale Security Operations Center monitoring arrangement under the CSCRF. Larger RTAs (with 100 or more clients) must comply with all standard CSCRF provisions, including 24x7 SOC monitoring (either in-house or via the market-wide SOC).

Impact
This change spares small RTA firms from the substantial cost and operational complexity of continuous cyber monitoring, on the rationale that an RTA with such a limited client base presents a lower risk footprint. It strikes a balance by still requiring all other cybersecurity measures in place for these RTAs, but removing the most onerous obligation. Larger RTAs that handle a high number of clients remain fully covered by the framework, ensuring that investor records and transactions managed by RTAs at scale are protected.

9. Hardware Security Module (HSM) Requirements

Previous Circular (August 2024 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113):

The use of Hardware Security Modules for cryptographic key management was mandatory for all REs except those in the Self-certification tier. This meant even relatively small entities (Small-size and Mid-size REs) had to invest in HSMs or similar dedicated hardware for secure key storage.

New Circular (April 2025 – SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60):

The HSM deployment mandate is now risk-tiered. It is mandatory only for Market Infrastructure Institutions (MIIs) (stock exchanges, depositories, clearing corporations) and Qualified REs. Lower-tier REs (Mid-size, Small-size, and Self-certification categories) are given flexibility: they may use software-based or cloud-based alternatives if supported by a Board-approved risk assessment and mitigation plan. For example, a mid-sized broker could opt for a cloud HSM or other key management solution after evaluating the risks, instead of purchasing physical HSM appliances.

Technical Impact
This relaxation significantly reduces upfront costs – smaller and mid-tier entities can avoid expensive hardware procurement. Some estimates suggest a ~40% cost reduction for small REs opting for cloud-based key management solutions (e.g., using a managed Cloud HSM or Key Management Service) as opposed to on-premises HSM devices. By allowing options like Cloudflare’s Keyless SSL or other cloud HSM services, SEBI is acknowledging modern security solutions that can be as effective as physical HSMs when properly managed, thereby easing compliance without compromising security.


SEBI’s revised CSCRF demonstrates a proportional regulatory approach, easing burdens on smaller entities while tightening oversight of systemically critical players. Overall, each SEBI-regulated entity’s current cybersecurity posture and controls should be reassessed against these updated categories and requirements to ensure alignment by the June 30, 2025 deadline.

Critical Actions for SEBI-Regulated Entities

  • Confirm CSCRF Category: Determine your firm’s category (Self-cert, Small, Mid, Qualified) under the new thresholds, using FY 2023-24 data as the baseline. Remember that this category will remain fixed for the entirety of FY 2024-25.
  • Leverage Exemptions if Eligible: If you qualify for an exemption (e.g. a broker with minimal clients/volume, a standalone IA/RA, a PM/RTA/DP with very few clients), document this and adjust your compliance program accordingly. Submit any required self-declarations or Board approvals for exemption from Market-SOC or other provisions where applicable.
  • Enhance Controls for Higher Category: If classified in a higher tier (Mid-size or Qualified RE), ensure all enhanced controls are budgeted and on track – e.g. engaging an independent SOC, stricter access controls, HSM deployment (for Qualified REs), etc. MIIs and Qualified REs should fast-track HSM implementation or equivalent solutions.
  • Validate with Reporting Authority: Cross-verify your category and compliance roadmap with your reporting authority. For example, brokers/DPs should coordinate with the stock exchange or depository, and IAs/RAs should follow guidance from BSE (their designated monitoring authority) regarding annual CSCRF filings.
  • Audit Readiness: Prepare for cyber audits from FY 2025-26 onwards under the new framework. Even if exempt from certain requirements, maintain evidence of compliance with the core framework and any risk assessments or approvals for availing exemptions.

The revised framework’s calibrations ensure that resources are focused where the risk is greatest, allowing smaller players breathing room even as large institutions bolster the market’s cyber resilience.

Summary of Exemptions under the Revised CSCRF

The table below summarizes all key exemption criteria introduced under the revised CSCRF framework and what compliance requirements are waived in each case:

Regulated Entities and CSCRF Exemptions

| Regulated Entity | Exemption Criteria | Extent of Exemption |
|---|---|---|
| Stock Broker | < 1,000 clients AND < ₹1,000 crore annual trading volume | Fully exempt from CSCRF compliance (no CSCRF obligations). |
| Depository Participant (DP) | < 100 clients | Exempt from maintaining a dedicated SOC or joining Market-SOC (still must meet other CSCRF controls). |
| Investment Adviser (IA) | IA not registered in any other SEBI-regulated capacity | Fully exempt from CSCRF compliance. |
| Research Analyst (RA) | RA not registered in any other SEBI-regulated capacity | Fully exempt from CSCRF compliance. |
| Portfolio Manager (PM) | < 100 clients (and in self-certification category) | Exempt from mandatory Market-SOC onboarding (can forgo 24x7 SOC monitoring service). |
| Alternative Investment Fund/Venture Fund Manager | < 100 investors (total across all schemes managed) | Exempt from mandatory Market-SOC onboarding (other cybersecurity measures still apply). |
| Registrar & Transfer Agent (RTA) | < 100 clients | Exempt from SOC service requirements (need not have in-house or Market-SOC). |

Each exemption above is designed to calibrate the framework’s impact, freeing smaller or lower-risk entities from heavy requirements while preserving overall cyber resilience. Entities should carefully evaluate if they meet the criteria and maintain documentation or approvals as needed for these exemptions. Compliance status should be reported through the proper channels (exchanges, BSE, etc.) with the understanding that any growth beyond the thresholds will bring the entity into the CSCRF fold in the next financial year.