Stock brokers were categorized solely by active client base (Unique Client Code, UCC). The tiers were defined as: Qualified REs for more than 5 lakh active clients; Mid-size for 50,000–5,00,000 clients; Small-size for 10,000–50,000; and Self-certification for fewer than 10,000 clients. Additionally, brokers not offering Internet-Based Trading (IBT) or algo trading could remain in a lower tier despite a higher client count.
The revised framework introduces a dual-parameter classification based on total clients and annual trading volume. A stock broker is placed in the highest category for which either parameter crosses the threshold. The thresholds for each tier are expanded significantly:
Exemption
Brokers with fewer than 1,000 clients and less than ₹1,000 crore in annual trading volume are fully exempted from the CSCRF requirements.
Impact
Approximately 40% of small brokers now fall outside the framework, potentially reducing compliance costs by an estimated ₹2–3 crore annually for each such entity (costs that would have been incurred on security infrastructure and audits).
All institutional DPs were classified as Qualified REs by default, regardless of scale or operations, while non-institutional DPs fell into lower tiers. In practice, this meant most bank-affiliated or large DPs faced the highest compliance obligations.
The revised framework adopts an activity-based classification. If a DP is dual-registered as a stock broker, it must be classified per the stock broker criteria (i.e. potentially in a lower category if its client/volume metrics are small). A “pure” DP (registered only as a DP and not as a broker or bank) is treated as a Qualified RE by default. However, DPs with fewer than 100 clients are exempted from the requirement to maintain a dedicated Security Operations Center (SOC) or to onboard to the shared Market-SOC service. Such small DPs can thus avoid the heavy cost of 24x7 SOC monitoring.
Rationale
This approach aligns with SEBI’s risk-based philosophy – a DP that also handles brokerage activities is categorized by the higher of its risk parameters, whereas a standalone DP handling a limited client base can operate with reduced burdens.
Further Relief
DPs having <100 clients no longer need to engage an SOC provider or join the Market-SOC, markedly lowering compliance overhead for the smallest DPs.
KRAs were treated as part of Market Infrastructure Institutions (MIIs), facing some of the most stringent requirements. This included semi-annual CERT-In audits, real-time SOC monitoring, and mandatory maintenance of certifications like ISO 27001 for information security.
KRAs are downgraded to the Qualified RE category (no longer in the MII-equivalent tier). Compliance requirements have been correspondingly relaxed: annual internal audits can replace the previous half-yearly CERT-In audit mandate, SOC monitoring frequency is reduced (e.g. weekly reporting instead of real-time), and obtaining an ISO 27001 certification is now optional rather than mandatory.
Savings
This reclassification is significant – KRAs are expected to save on the order of ₹2–3 crore annually in compliance costs due to reduced audit and infrastructure requirements, without materially impacting the security of the KYC data they handle.
A four-tier structure based on Assets Under Management (AUM) was in place. Portfolio management firms with AUM > ₹5,000 crore were classified as Qualified REs, those with ₹1,000–5,000 crore as Mid-size, ₹500–1,000 crore as Small-size, and those below ₹500 crore as Self-certification REs.
The categorization is streamlined into two tiers for portfolio managers, eliminating the Qualified and Small-size categories for this segment. Now, Mid-size RE includes any PM with AUM > ₹3,000 crore, and Self-certification RE covers AUM up to ₹3,000 crore. No PM is currently expected to fall under a “Qualified” category. Additionally, an important exemption is introduced: portfolio managers who qualify as Self-certification REs and have fewer than 100 clients are exempt from the requirement to onboard to the centralized Market-SOC (managed SOC) service. They still must implement baseline cybersecurity requirements, but need not maintain a full-fledged 24x7 SOC either in-house or via the market SOC, given their limited client base.
Outcome
With the threshold raised to ₹3,000 crore for the higher tier, about 60% of registered portfolio managers now qualify for the lighter self-certification category under CSCRF, reducing their compliance burden. Small PMs with very limited clientele (e.g. <100 clients) especially benefit by avoiding mandatory SOC expenses while still adhering to core cybersecurity practices.
Classification was done at the individual fund level (scheme level). Each AIF/VCF fund was categorized by its own corpus size, with thresholds (for Self/Small/Mid/Qualified) defined per fund’s AUM. This potentially allowed large fund managers to split assets across multiple smaller funds to appear in lower categories.
Manager-level aggregation is now used – the categorization is based on the combined corpus of all AIF/VCF schemes managed by the same manager. In other words, an AIF/VCF manager with multiple funds will be classified according to the total assets of all those funds taken together, preventing any dilution of compliance obligations through fund fragmentation. The revised thresholds are as follows:
Managers with < 100 investors (across all their funds combined) are exempt from the mandatory Market-SOC onboarding requirement, similar to the exemption for small portfolio managers. They must still implement appropriate cybersecurity measures, but the highest-tier SOC monitoring can be avoided at such a small scale.
Strategic Shift
This manager-centric approach closes the loophole of large AIF/VCF operators potentially avoiding strict controls by spreading assets over several smaller funds. Now, the compliance burden is commensurate with the true scale of assets managed by an entity.
Requirements for Merchant Bankers were mostly uniform, with some categorization based on institutional affiliations. For example, any merchant banker that was part of a large conglomerate or a Systemically Important Financial Institution (SIFI) was deemed a Qualified RE, those involved in issue management activities (IPO/FPO, buybacks, etc.) were Mid-size, and all others were Small-size REs by default.
The revised framework emphasizes activity-based categorization more clearly. Any merchant banker engaged in issue management activities – including managing or co-managing public issues (IPOs/FPOs, including SME IPOs), public offers by REITs/InvITs, buy-backs, delistings, or open offers under takeover regulations – is classified as a Mid-size RE. All other merchant bankers (those providing only advisory or consulting services without handling public issue management) are classified as Small-size REs. (None are automatically treated as Qualified REs unless they separately fall into that category by virtue of being part of an MII or other criteria outside the merchant banking activity scope.)
Impact
IPO-focused merchant bankers face stricter controls under CSCRF (since they are Mid-size REs under the framework, with more extensive obligations), while pure advisory firms enjoy relaxed standards as Small-size REs. This differentiation ensures that entities directly involved in handling public issuances – which carry higher risk and larger investor impact – implement stronger cyber resilience measures.
All non-individual IAs and RAs were generally classified as Small-size REs, meaning even standalone advisory or research entities had to comply with baseline CSCRF provisions (albeit the lighter tier).
Full exemption from the CSCRF framework is now granted to standalone investment advisers and research analysts. If an IA or RA is not registered with SEBI in any other capacity (i.e., they operate solely as an adviser or analyst), they are not required to comply with CSCRF at all. However, if an IA/RA is dual-registered in another regulated capacity (for instance, someone who is both a Research Analyst and a stock broker, or an IA who is also a portfolio manager), then the entity must comply with the CSCRF requirements of the highest applicable category among those registrations. In practice, that means a dual-registered intermediary cannot avoid stringent requirements just because one of its roles (IA/RA) is exempt.
Another key change is that the reporting authority for IAs and RAs’ cybersecurity compliance has been shifted to BSE Ltd. (Bombay Stock Exchange). BSE will act as the monitoring authority for CSCRF compliance of all IAs/RAs for five years starting July 25, 2024. This implies that until July 2029, investment advisers and research analysts will report their cyber resilience status to BSE (which consolidates and oversees this segment’s compliance), rather than directly to SEBI.
Significance
These changes remove the compliance burden entirely for approximately 8,000 standalone advisers and analysts, allowing them to focus on their core advisory functions without the overhead of a formal cyber resilience framework. At the same time, the transitional oversight by BSE ensures that even exempt IAs/RAs maintain some level of monitoring and that any multi-licensed entities adhere to the necessary standards via their other registrations.
RTAs were not explicitly differentiated by size in the original framework – all RTAs were expected to comply with the CSCRF appropriate to their category (which was generally equivalent to a Small or Mid-size RE, depending on their functions). No specific client-based exemption was provided earlier.
A specific relief has been introduced for smaller RTAs. RTAs with fewer than 100 clients are exempted from the requirement of employing dedicated SOC services or onboarding to the Market-SOC. In essence, if an RTA serves a very small number of issuers/investors (under 100), it need not maintain a full-scale Security Operations Center monitoring arrangement under the CSCRF. Larger RTAs (with 100 or more clients) must comply with all standard CSCRF provisions, including 24x7 SOC monitoring (either in-house or via the market-wide SOC).
Impact
This change spares small RTA firms from the substantial cost and operational complexity of continuous cyber monitoring, on the rationale that an RTA with such a limited client base presents a lower risk footprint. It strikes a balance by still requiring all other cybersecurity measures in place for these RTAs, but removing the most onerous obligation. Larger RTAs that handle a high number of clients remain fully covered by the framework, ensuring that investor records and transactions managed by RTAs at scale are protected.
The use of Hardware Security Modules for cryptographic key management was mandatory for all REs except those in the Self-certification tier. This meant even relatively small entities (Small-size and Mid-size REs) had to invest in HSMs or similar dedicated hardware for secure key storage.
The HSM deployment mandate is now risk-tiered. It is mandatory only for Market Infrastructure Institutions (MIIs) (stock exchanges, depositories, clearing corporations) and Qualified REs. Lower-tier REs (Mid-size, Small-size, and Self-certification categories) are given flexibility: they may use software-based or cloud-based alternatives if supported by a Board-approved risk assessment and mitigation plan. For example, a mid-sized broker could opt for a cloud HSM or other key management solution after evaluating the risks, instead of purchasing physical HSM appliances.
Technical Impact
This relaxation significantly reduces upfront costs – smaller and mid-tier entities can avoid expensive hardware procurement. Some estimates suggest a ~40% cost reduction for small REs opting for cloud-based key management solutions (e.g., using a managed Cloud HSM or Key Management Service) as opposed to on-premises HSM devices. By allowing options like Cloudflare’s Keyless SSL or other cloud HSM services, SEBI is acknowledging modern security solutions that can be as effective as physical HSMs when properly managed, thereby easing compliance without compromising security.
SEBI’s revised CSCRF demonstrates a proportional regulatory approach, easing burdens on smaller entities while tightening oversight of systemically critical players. Each SEBI-regulated entity should reassess its current cybersecurity posture and controls against these updated categories and requirements to ensure alignment by the June 30, 2025 deadline.
The revised framework’s calibrations ensure that resources are focused where the risk is greatest, allowing smaller players breathing room even as large institutions bolster the market’s cyber resilience.
The table below summarizes all key exemption criteria introduced under the revised CSCRF framework and what compliance requirements are waived in each case:
Each exemption above is designed to calibrate the framework’s impact, freeing smaller or lower-risk entities from heavy requirements while preserving overall cyber resilience. Entities should carefully evaluate if they meet the criteria and maintain documentation or approvals as needed for these exemptions. Compliance status should be reported through the proper channels (exchanges, BSE, etc.) with the understanding that any growth beyond the thresholds will bring the entity into the CSCRF fold in the next financial year.