SEBI Issues Cybersecurity FAQs to Guide Regulated Firms

The Securities and Exchange Board of India (SEBI) has published a comprehensive set of FAQs addressing the Cybersecurity and Cyber Resilience Framework (CSCRF) and the Cloud Adoption Framework for its regulated entities (REs). Released on June 11, 2025, this marks a pivotal step in translating complex compliance requirements into actionable guidance for market participants.

Industry-led engagement brings clarity

Developed with active industry consultation, the FAQs respond to widespread queries raised since the original frameworks were issued—CSCRF in August 2024 and the Cloud Framework in March 2023. These frameworks set strict expectations on digital governance, data protection, and operational security across all SEBI-registered entities. The new FAQs cover 17 critical focus areas, including patch management, cloud service provider accountability, SOC operations, and forensic audits.

DSCI, which was involved in shaping these FAQs, applauded SEBI’s inclusive regulatory approach. According to DSCI’s note, these clarifications are not binding but serve as strong interpretative aids for regulated entities to streamline compliance efforts.

Key clarifications on governance and categorization

The FAQs provide much-needed clarification on CISO roles, especially for entities that fall under both SEBI and RBI regulation. Notably, group-level CISOs and remote CISOs are now permissible under strict conditions. The guidance also refines how different types of stockbrokers and depository participants are classified, ensuring regulatory obligations are proportionate and consistent with actual operational risks.

SEBI also addressed mid-year reclassifications—a long-standing industry concern—by confirming that once entities are classified annually, their category will remain fixed throughout the financial year.

Operational flexibility balanced with accountability

Smaller REs can now maintain manual IT asset inventories if updated periodically, reducing the burden of mandatory tooling. Similarly, SEBI has allowed tiered approaches for patch management and vulnerability closure, including realistic timelines and provisions for third-party delays.

Cloud adoption has been a focal point in SEBI’s regulatory push. The FAQs underscore that regulated entities may host critical workloads on the cloud but must maintain complete accountability. MeitY empanelment, service level agreement coverage, and data sovereignty safeguards (like Bring Your Own Key models) are among the must-haves for compliant cloud operations.

Emphasis on proactive security practices

The FAQs strongly emphasize proactive security—clarifying requirements around Cybersecurity Drills, Red/Blue Teaming, and Business Continuity testing. Drills must be conducted live, not as tabletop exercises, and all regulated entities must comply with non-negotiable recovery metrics, including a 15-minute Recovery Point Objective (RPO) and 2-hour Recovery Time Objective (RTO).

Security Operations Centres (SOCs) are also under scrutiny. While smaller entities can rely on a group-level SOC, Qualified REs must demonstrate uniform implementation across the group and submit periodic SOC efficacy reports.

Cyber capability and supply chain security in focus

The release introduces a structured methodology for calculating the Cyber Capability Index (CCI), with clear scoring models, assessment frequencies, and expectations for both internal and third-party audit integration. It also expands on Software Bill of Materials (SBOM) obligations and lays down expectations for source code escrow, third-party compliance, and service provider audit access.

Strengthening compliance without stalling innovation

Through this detailed FAQ release, SEBI has sought to strike a balance between cybersecurity enforcement and operational feasibility. It offers a strong roadmap for both emerging and mature market entities to scale securely while navigating digital transformation.
