SEBI Clarifies Cybersecurity Norms And Provides Compliance Extensions

The Securities and Exchange Board of India on Tuesday issued clarifications regarding its Cybersecurity and Cyber Resilience Framework for regulated entities (REs), offering regulatory forbearance and extending compliance deadlines for certain categories.

The clarification followed queries from stakeholders concerning the framework introduced in August this year.

The framework aims to ensure that SEBI-regulated entities maintain a strong cybersecurity posture, are equipped with adequate cyber resilience measures, and are capable of effectively withstanding, responding to, and recovering from cyber threats.

"With regard to the compliance requirements, which are effective from January 1, 2025, under the framework, regulatory forbearance is provided till March 31, 2025," SEBI said in a circular.

During this period, the entities will not face penalties for non-compliance, provided they demonstrate progress in implementing the framework, it added.

Further, the compliance deadline has been extended to April 1, 2025, for KYC registration agencies and depository participants, following feedback on the rationalisation of these categories, as per the circular.

In addition, guidelines related to data localisation under the framework have been put on hold for further consultations. The market's watchdog stated that these provisions, outlined as data security standards, would be notified later.

The CSCRF is a significant step in adapting towards evolving cyber risks and technological advancements.

The regulator emphasised that the framework aims to enhance the resilience of regulated entities, enabling them to withstand and recover from cyber incidents effectively.

(With PTI inputs.)