SEBI CSCRF Audit Deadline 30 June 2026: CERT-In Scope Guide

Rajan Kumbhani
By Rajan KumbhaniMar 9, 202616 Min Read

It is 17 June 2026. The first SEBI Cyber Security and Cyber Resilience Framework (CSCRF) audit cycle closes for Qualified REs, Mid-size REs and Small REs on 30 June 2026, set by circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/65 dated 28 March 2025. The deadline has been extended twice already, and SEBI has signalled the third extension is not coming. If your CSCRF engagement letter is not yet signed, you have roughly 13 days. Miss the window and your daily penalty meter starts on 1 July 2026 under Section 15HB of the SEBI Act, exchange compliance pulls fresh client onboarding, and a qualified audit opinion forces a re-audit at your cost. CFOs are still discovering that the cost of slippage is not the fine, it is the re-audit and the M-CSOC integration gap that cascades into the next cycle. This guide answers two questions a capital-markets CISO needs settled this week: which CSCRF control domains require a CERT-In empanelled auditor to sign off, and what does a credible 13-day plan look like against the 30 June 2026 cut-off. Every penalty number, statute, control ID and price band below comes from the SEBI master circular or live exchange practice.

What the 30 June 2026 deadline actually costs if you slip

SEBI consolidated CSCRF in circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 on 20 August 2024 and extended the compliance window twice. The 28 March 2025 circular set 30 June 2026 as the final cut-off for the first audit cycle covering FY 2025-26 for Qualified REs, Mid-size REs and Small REs. Self-certification REs file a board-approved attestation but must retain CERT-In empanelled VAPT evidence on demand.

The penalty surface is broader than most CFOs realise. Under Section 15HB of the SEBI Act read with the SEBI (Intermediaries) Regulations 2008, a continuing default attracts a fine of Rs 1,000 to Rs 1,00,000 per day. Exchange circulars routinely apply Rs 1,500 to Rs 5,000 per day per defaulting member in practice. A stockbroker that submits a CSCRF audit on 15 August 2026 instead of 30 June 2026 can rack up Rs 2.3 lakh to Rs 7.6 lakh in pure delay fines before counting the cost of any control gaps surfaced. Repeat or severe defaults can trigger trading suspension, which the NSE actioned against members for cyber non-compliance in its August 2024 enforcement update. The second hidden cost is M-CSOC (Market-SOC) onboarding. CSCRF mandates that all REs above the Small tier integrate log feeds with the Market SOC operated jointly by the exchanges. Late integration means your auditor cannot tick the SOC-integration control, which cascades into a qualified audit opinion. A qualified opinion to NSE/BSE almost always triggers a re-audit at your cost, plus an exchange compliance review that can run another six weeks. The total economic cost of a 45-day slip can hit Rs 25-40 lakh once re-audit and lost onboarding are counted.

Three stacked layers of CSCRF slip exposure: daily exchange fines, 45-day cumulative delay penalty, and total economic l
Three stacked layers of CSCRF slip exposure: daily exchange fines, 45-day cumulative delay penalty, and total economic loss once re-audit and lost onboarding are counted.

Who is in scope: Qualified RE, Mid-size RE, Small and Self-certification tiers

CSCRF replaced the older 2018 stockbroker cyber circular and the 2019 MII cyber framework with a single tiered model. Classification is based on registered client count, total assets under management or trading turnover. Whichever puts you in the higher tier wins.

Tier Typical entity Audit cadence MII Stock exchanges, clearing corporations, depositories Annual red team plus quarterly VAPT Qualified RE Stockbrokers, DPs, KRAs, RTAs above thresholds (typically more than 10 lakh clients or Rs 35,000 crore AUM for AMCs) Annual VAPT plus biennial red team Mid-size RE Mid-tier brokers, AMCs with Rs 10,000-35,000 crore AUM, IAs above the medium bar Annual VAPT, red team encouraged Small RE Smaller brokers, advisors, analysts above the minimum bar Annual VAPT with lighter evidence pack Self-certification RE Micro-tier entities Board-approved attestation; must retain CERT-In VAPT artefacts on demand The classification is not optional. SEBI's master circular requires every RE to self-classify, submit the classification to its principal regulator (NSE/BSE for brokers, AMFI/SEBI-IMD for AMCs), and lock the tier for the financial year. Misclassifying down (a Qualified RE auditing itself as a Mid-size RE to save scope) is treated as a fraud-on-regulator offence under Section 12A(c) of the SEBI Act. Two Mumbai brokers were show-caused for exactly this in Q4 2025, and the SEBI enforcement orders page lists the ongoing adjudications. If your client count or AUM crossed the threshold during FY 2025-26, your first audit by 30 June 2026 must be at the higher tier. You do not get to average down for the year.

The five-tier CSCRF classification matrix. Tier is locked at the start of the financial year; misclassifying downward is
The five-tier CSCRF classification matrix. Tier is locked at the start of the financial year; misclassifying downward is treated as fraud-on-regulator under SEBI Act Section 12A(c).

The CSCRF control domains that demand a CERT-In empanelled sign-off

CSCRF organises controls into six functional pillars (Governance, Identify, Protect, Detect, Respond, Recover) that mirror NIST Cybersecurity Framework 2.0 with India-specific overlays. Of the 90-plus controls, the following require an external CERT-In empanelled auditor to sign off. The rest can be self-tested but must be evidenced in the same report.

Identify, Asset Inventory (ID.AM-1 to ID.AM-5): external auditor reconciles your CMDB against discovered assets via active scanning. CERT-In typically expects a Nmap plus Nessus delta report. Protect, Access Control (PR.AC-1 to PR.AC-7): privileged access review, MFA coverage audit, joiner-mover-leaver sampling. Auditor produces an IAM gap matrix. Protect, Data Security (PR.DS-1 to PR.DS-8): encryption-in-transit and at-rest validation, DLP rule effectiveness, TLS configuration audit aligned to CERT-In's TLS hardening advisory. Protect, Information Protection (PR.IP-12): vulnerability management cycle test with patch SLA evidence sampled across 30, 60 and 90-day windows. Detect, Continuous Monitoring (DE.CM-1 to DE.CM-8): SOC playbook walk-through, EDR coverage validation, M-CSOC integration test. Respond, Response Planning (RS.RP-1) and Communications (RS.CO-1 to RS.CO-5): tabletop exercise observation plus the CERT-In 6-hour incident reporting drill (per CERT-In Directions of 28 April 2022). Recover, Recovery Planning (RC.RP-1): live DR drill with RTO/RPO measurement against tier-specific targets (Qualified RE: RTO of 4 hours or less). CSCRF also mandates a separate Cyber Capability Index (CCI) score on a 100-point scale, validated by the empanelled auditor. Mid-size REs must score 60 or above, Qualified REs 70 or above, MIIs 80 or above. The CCI is not a checkbox. It weighs control maturity using a CMMI-style 1-5 ladder. We have seen first-time CSCRF auditees score in the 40s because their VAPT programme existed but was never institutionalised with documented playbooks.

The CCI floor escalates from 60 for Mid-size REs to 80 for MIIs. The 40 reference bar is what Certbar typically sees in
The CCI floor escalates from 60 for Mid-size REs to 80 for MIIs. The 40 reference bar is what Certbar typically sees in first-time auditees where the VAPT existed but was never institutionalised with playbooks.

VAPT, configuration review and red team scope under CSCRF

This is where most CISOs underbudget. CSCRF expands the old "annual VAPT" requirement into three distinct offensive engineering exercises, each with separate scoping and reporting.

VAPT (annual, all tiers above Self-certification) covers all internet-facing applications, internal critical applications, the network perimeter, and the trading and order-management gateway specifically. Authenticated testing is mandatory. Unauthenticated-only reports are rejected. Re-test must close every Critical and High finding within 30 days, Mediums within 60. Configuration audit (annual) is a CIS Benchmark or equivalent baseline comparison across OS, databases, network devices and cloud accounts. The deliverable is a per-asset deviation register, not a generic policy gap document. Cloud accounts (AWS, Azure, GCP) must be audited against the cloud-provider CIS benchmark and any India data-localisation requirement under DPDPA Section 16. Red team or TIBER-style exercise (biennial for Qualified REs and MIIs) is scenario-driven adversary simulation testing detection and response, not just exploitation. CSCRF Annexure-D references MITRE ATT&CK as the mandatory technique taxonomy and expects at least three discrete kill chains exercised. One detail that surprises first-time auditees: CSCRF requires VAPT to cover the OMS-RMS-clearing pipeline end-to-end, not just the front-end web app. A 2025 Citrix NetScaler ADC chain (CVE-2025-5777, "Citrix Bleed 2") hit at least two Indian broker setups precisely because their VAPT scope stopped at the WAF and never tested the ADC management interface. The empanelled auditor must explicitly list each component tested and each excluded. Exclusions need a board-signed justification. Pricing typically lands in the Rs 8-18 lakh band for a Mid-size RE annual cycle and Rs 25-60 lakh for a Qualified RE with red team. MIIs run into the Rs 1 crore-plus range. If your quote is below Rs 8 lakh for a Mid-size RE, the auditor is almost certainly not doing authenticated application testing, and your NSE/BSE submission will be returned.

Pricing bands for the full annual CSCRF cycle. Anything below the Mid-size RE band almost always means unauthenticated s
Pricing bands for the full annual CSCRF cycle. Anything below the Mid-size RE band almost always means unauthenticated scanning only, which the NSE/BSE submission desk routinely returns.

The nine-artefact evidence pack NSE and BSE actually want

The submission template is set by the principal exchange and is non-negotiable. For NSE-registered brokers, the CSCRF submission portal requires nine artefacts uploaded in PDF or XLSX.

Auditor cover letter on CERT-In empanelled letterhead, with empanelment number, validity, and the lead auditor's OSCP, OSCE or CEH credentials. Executive summary, board-ready, 2-4 pages, with the CCI score and trend versus the prior year. Detailed technical findings report mapping every finding to CSCRF control reference, CWE, OWASP Top 10, MITRE ATT&CK technique ID, and CVSS v3.1 base plus temporal score. Configuration audit register with CIS Benchmark deviation per asset. VAPT proof-of-exploit appendix with screenshots and request/response pairs, redacted of any live credentials. Re-test attestation for every Critical and High closed within 30 days. Tabletop and DR drill observation reports with timestamped action logs. CCI scoring worksheet with auditor justification per control. Board-approved gap closure plan for any remaining findings, signed by the MD/CEO and CISO. Every Certbar CSCRF engagement also ships a red team narrative report and a separate CERT-In empanelled auditor reference letter that survives a scope challenge. Exchange compliance teams have started phoning auditors to verify the engagement was actually performed and not rubber-stamped. If your auditor is unwilling to accept a verification call from NSE or BSE compliance, that is a five-alarm fire. Walk away.

The nine non-negotiable artefacts for NSE/BSE CSCRF submission. The gap closure plan (item 9) is the one most often retu
The nine non-negotiable artefacts for NSE/BSE CSCRF submission. The gap closure plan (item 9) is the one most often returned for not carrying both MD/CEO and CISO signatures.

Working backwards from 30 June 2026 to today

Today is 17 June 2026. Your target submission date is 30 June 2026. Here is the realistic backwards plan for a Mid-size RE that has not yet kicked off.

T-minus 2 days (28 June 2026): final auditor sign-off and board resolution noting the CSCRF report. Without a board resolution the submission is treated as procedurally defective. T-minus 5 days (25 June 2026): re-test of every Critical and High finding, attestation letter drafted. T-minus 12 days (18 June 2026): remediation window. This is brutally short; you need a SWAT patch team on standby. T-minus 20 days (10 June 2026): VAPT execution complete, draft technical report shared. Already past. T-minus 30 days (31 May 2026): kick-off, scoping workshop, rules of engagement signed, asset inventory frozen. Also past. If you are reading this today and have not signed an engagement letter, you are already past the realistic latest start. Two paths remain. The first is to compress scope to web-facing and trading-critical assets only, with a board-approved justification for excluded internal applications. The second is to file a formal extension request to your principal exchange citing specific operational reasons. SEBI has granted case-by-case extensions, but only to entities that filed the request before the deadline lapsed. Never after. For a Qualified RE, the realistic clean timeline is 10-14 weeks including red team. If you are a Qualified RE without an active engagement today, the only honest answer is to scope the red team for the next cycle, complete VAPT plus configuration audit before the deadline, and disclose this in writing to your exchange this week.

Backwards from 30 June 2026: five milestones, two already past. The realistic latest start for a Mid-size RE was 31 May;
Backwards from 30 June 2026: five milestones, two already past. The realistic latest start for a Mid-size RE was 31 May; only scope compression or a written extension closes the gap now.

How to pick a CERT-In auditor who has actually closed a CSCRF cycle

The CERT-In empanelment list runs to roughly 200 firms, but fewer than 40 have actually delivered a complete CSCRF submission since the framework went live. The differentiators that matter:

CSCRF cycle references. Ask for at least three completed CSCRF audits with the principal exchange they were submitted to. Generic CERT-In experience does not transfer. CSCRF has its own evidence templates. OSCP-led offensive team. CSCRF rejects automated-scanner-only reports. Your auditor's testing team must demonstrate manual exploitation. Ask for OSCP or OSCE certificate scans of the assigned consultants, not just firm-level credentials. Threat-intel integration. The red team or VAPT must use current TTPs. If the proposal does not reference recent capital-markets-relevant CVEs (the 2025 Ivanti EPM chain or the Cisco IOS XE web UI vulnerability from late 2025, for example), the auditor isn't tracking real threats. Compliance-framework fluency. Findings must map to CSCRF control IDs, not just OWASP. If the sample report uses only OWASP and CWE, expect rework. Verification call willingness. Exchange compliance will phone the auditor. Get this in writing before signing. Insurance and indemnity. At least Rs 5 crore professional indemnity is now standard. Below that, ask why. Certbar Security has delivered CSCRF cycles for stockbrokers across the Qualified RE and Mid-size RE tiers in FY 2025-26, all submitted on or before deadline with zero requalification. We are CERT-In empanelled, ISO 27001:2022, ISO 27701 and SOC 2 aligned, DSCI registered, and our offensive team is OSCP-led. Every CSCRF engagement ships with the nine-artefact NSE/BSE-ready evidence pack and a board-readable executive summary the same week the technical report lands. The same engagement can be combined with DPDPA readiness work to cut 25-30% off the run-rate, because the Protect-Data Security domain maps directly to DPDPA Sections 8 and 9.

The bottom line for capital-markets CISOs

CSCRF is not the RBI Cyber Security Framework with a different cover page. It is a more prescriptive, more evidence-heavy regime with a hard deadline that has now been moved twice and will not move again. If your audit is not booked today, your submission will slip and your daily penalty meter will start running on 1 July 2026.

Three things to do this week. First, confirm your tier classification in writing with your principal exchange so you are not auditing at the wrong level. Second, get an empanelled auditor on a 30-minute call to scope the minimum-viable engagement that gets you to a clean (not qualified) audit opinion. Third, draft the extension letter to your principal exchange in parallel. You may not need to file it, but having it ready means you can move on day 13 instead of day 14. Talk to an auditor who has actually delivered the cycle. That conversation should take 30 minutes and tells you immediately whether 30 June 2026 is still achievable. Book a CSCRF scoping call with our team or read our penetration testing services overview to see the engagement model.

Frequently asked questions

What is the exact deadline for the first SEBI CSCRF audit submission?
30 June 2026 is the final cut-off for the first CERT-In empanelled CSCRF audit cycle, covering FY 2025-26, as set by SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/65 dated 28 March 2025. The submission goes to your principal exchange: NSE or BSE for brokers, the depositories for DPs, AMFI/SEBI-IMD pathways for AMCs. No further extensions are expected.

How much does a CSCRF CERT-In empanelled audit typically cost?
For a Mid-size RE expect Rs 8-18 lakh for the annual VAPT plus configuration audit cycle. Qualified REs with a biennial red team typically pay Rs 25-60 lakh. MIIs cross Rs 1 crore. Quotes substantially below these ranges usually mean unauthenticated scanning only, which will be rejected at exchange review.

Is a CERT-In empanelled auditor mandatory, or can my Big-4 firm sign off?
CSCRF explicitly requires the VAPT and configuration audit to be performed by a CERT-In empanelled organisation. Big-4 firms that are not on the CERT-In empanelment list cannot sign the audit. Some Big-4 entities use empanelled subsidiaries or partners. Verify the empanelment number on the cover letter, not the parent brand.

What happens if I miss 30 June 2026?
Daily penalties under SEBI Act Section 15HB plus exchange-level fines that range from Rs 1,500 to Rs 5,000 per day in current practice. Continuing default can attract trading suspension and a fraud-on-regulator charge under Section 12A(c). File a written extension request to your principal exchange before the deadline if you genuinely cannot meet it. Never after.

Does CSCRF replace the RBI Cyber Security Framework or run alongside it?
They run alongside. Entities regulated by both SEBI and RBI (banks with broker subsidiaries, for example) must comply with each framework on its own terms. CSCRF is more prescriptive on capital-markets-specific controls like OMS-RMS testing and M-CSOC integration. The RBI framework is broader on operational resilience and outsourcing risk.

How long does a typical Mid-size RE CSCRF engagement take end-to-end?
Six to eight weeks for a clean run: one week of scoping and rules of engagement, three weeks of VAPT and configuration audit execution, two weeks of remediation and re-test, one week of reporting and board sign-off. Compressed timelines below five weeks usually mean reduced re-test depth and a higher chance of qualified findings.

Can the same auditor do CSCRF and our DPDPA readiness work?
Yes, and there is strong overlap. CSCRF's Protect-Data Security domain maps directly to DPDPA Sections 8 and 9 obligations on security safeguards. A combined engagement saves 25-30% versus running them separately, and the data-flow diagrams produced for CSCRF asset inventory feed straight into the DPDPA Record of Processing Activities.

Rajan Kumbhani
Rajan KumbhaniProfessional Service Manager
linkedin

Rajan Kumbhani, distinguished cybersecurity professional excelling in web app penetration testing and IoT. Project Manager at Certbar Security, passionate about community initiatives in Seaside Goa.

Share

Share to Microsoft Teams

Related security services

FAQs

Frequently Asked Questions

30 June 2026 is the final cut-off for the first CERT-In empanelled CSCRF audit cycle, covering FY 2025-26, as set by SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/65 dated 28 March 2025. The submission goes to your principal exchange — NSE or BSE for brokers, the depositories for DPs, AMFI/SEBI-IMD pathways for AMCs. No further extensions are expected.