SEBI CSCRF Audit Deadline 30 June 2026: CERT-In Scope Guide

By Nirav Goti, 16 June 2026, 11 min read

If you are a SEBI Regulated Entity in the Qualified RE or Mid-size RE tier, your first Cyber Security and Cyber Resilience Framework (CSCRF) audit must be completed by a CERT-In empanelled auditor and submitted to your designated MII (NSE, BSE or a depository) by 30 June 2026. Miss the window and you are looking at daily penalties under the SEBI (Intermediaries) Regulations plus supervisory action that can stop fresh client onboarding. This guide maps every CSCRF control domain to the specific CERT-In empanelled testing artefacts your auditor must produce, and works backwards from 30 June 2026 to show what you should already have in motion this week.

The 30 June 2026 Deadline and Daily Penalty Math

SEBI issued the consolidated CSCRF circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 on 20 August 2024 and has extended the compliance window twice — the latest being SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/65 dated 28 March 2025, which set 30 June 2026 as the final cut-off for the first audit cycle covering FY 2025-26 for Qualified REs, Mid-size REs and Small REs. Self-certification REs file a board-approved attestation but are still required to retain CERT-In empanelled VAPT evidence on demand.

The penalty surface is broader than most CFOs realise. Under Section 15HB of the SEBI Act read with the SEBI (Intermediaries) Regulations 2008, a continuing default attracts a fine of Rs 1,000 to Rs 1,00,000 per day, and exchange circulars routinely apply Rs 1,500 to Rs 5,000 per day per defaulting member in practice — a stockbroker that submits a CSCRF audit on 15 August 2026 instead of 30 June 2026 can rack up Rs 2.3 lakh to Rs 7.6 lakh in pure delay fines before counting the cost of any control gaps surfaced. Repeat or severe defaults can trigger trading suspension, which the NSE has actioned against members for cyber non-compliance as recently as the August 2024 enforcement update.

The second hidden cost is the M-CSOC (Market-SOC) onboarding fee. CSCRF mandates that all REs above the Small tier integrate log feeds with the Market SOC operated jointly by the exchanges. Late integration means your auditor cannot tick the SOC-integration control, which cascades into a qualified audit opinion — and a qualified opinion to NSE/BSE almost always triggers a re-audit at your cost.

Who Is In Scope: Qualified RE, Mid-size RE, Small and Self-certification RE Tiers

CSCRF replaced the older 2018 stockbroker cyber circular and the 2019 MII cyber framework with a single tiered model. The classification is based on registered client count, total assets under management or trading turnover — whichever puts you in the higher tier wins. The five categories that must produce a CERT-In empanelled audit report are:

  • Market Infrastructure Institutions (MIIs) — stock exchanges, clearing corporations, depositories. Highest control burden; mandatory red team test every year plus quarterly VAPT.
  • Qualified REs — stockbrokers, depository participants, KRAs and RTAs above defined thresholds (typically more than 10 lakh clients or Rs 35,000 crore AUM for AMCs). Annual VAPT plus biennial red team.
  • Mid-size REs — most mid-tier brokers, AMCs with Rs 10,000-35,000 crore AUM, investment advisors above the medium threshold. Annual VAPT mandatory; red team encouraged.
  • Small REs — smaller brokers, advisors and analysts above the minimum bar. Annual VAPT with a lighter evidence pack.
  • Self-certification REs — micro-tier entities. File a board-approved self-attestation but must retain CERT-In empanelled VAPT artefacts and produce them within 7 days of any SEBI/exchange demand.

The classification is not optional. SEBI's master circular requires every RE to self-classify, submit the classification to its principal regulator (NSE/BSE for brokers, AMFI/SEBI-IMD for AMCs), and lock the tier for the financial year. Misclassifying down — a Qualified RE that audits as a Mid-size RE to save scope — is treated as a fraud-on-regulator offence under Section 12A(c) of the SEBI Act. Two Mumbai brokers were show-caused for exactly this in Q4 2025, and the SEBI enforcement orders page lists ongoing adjudications. If your client count or AUM crossed the threshold during FY 2025-26, your first audit by 30 June 2026 must be at the higher tier.

CSCRF Control Domains That Require CERT-In Empanelled Testing

CSCRF organises controls into six functional pillars — Governance, Identify, Protect, Detect, Respond, Recover — closely mirroring the NIST Cybersecurity Framework 2.0 with India-specific overlays. Of the 90+ controls, the following require an external CERT-In empanelled auditor to sign off; the rest can be self-tested but must be evidenced in the same report.

  • Identify — Asset Inventory (ID.AM-1 through ID.AM-5): external auditor must reconcile your CMDB against discovered assets via active scanning. CERT-In typically expects a Nmap + Nessus delta report.
  • Protect — Access Control (PR.AC-1 to PR.AC-7): privileged access review, MFA coverage audit, joiner-mover-leaver sampling. Auditor produces an IAM gap matrix.
  • Protect — Data Security (PR.DS-1 to PR.DS-8): encryption-in-transit and at-rest validation, DLP rule effectiveness. Includes a TLS configuration audit aligned to CERT-In's TLS hardening advisory.
  • Protect — Information Protection (PR.IP-12): vulnerability management cycle test — your patch SLA evidence sampled across 30, 60, 90 day windows.
  • Detect — Continuous Monitoring (DE.CM-1 to DE.CM-8): SOC playbook walk-through, EDR coverage validation, M-CSOC integration test.
  • Respond — Response Planning (RS.RP-1) and Communications (RS.CO-1 to RS.CO-5): tabletop exercise observation plus CERT-In 6-hour incident reporting drill (per CERT-In Directions of 28 April 2022).
  • Recover — Recovery Planning (RC.RP-1): live DR drill including RTO/RPO measurement against your RE-tier-specific targets (Qualified RE: RTO ≤4 hours).

Critically, CSCRF also mandates a separate Cyber Capability Index (CCI) score on a 100-point scale, validated by the empanelled auditor. Mid-size REs must score ≥60; Qualified REs ≥70; MIIs ≥80. The CCI is not a checkbox — it weighs control maturity using a CMMI-style 1-5 ladder. We have seen first-time CSCRF auditees score in the 40s because their VAPT programme existed but was never institutionalised with documented playbooks.

VAPT, Configuration Review and Red Team Scope Under CSCRF

This is where most CISOs underbudget. CSCRF expands the old "annual VAPT" requirement into three distinct offensive engineering exercises, each with separate scoping and reporting:

  1. VAPT (annual, all tiers above Self-certification): covers all internet-facing applications, internal critical applications, network perimeter, and the trading/order-management gateway specifically. Authenticated testing is mandatory — unauthenticated-only reports are rejected. Re-test must close every Critical and High finding within 30 days, Mediums within 60.
  2. Configuration audit (annual): CIS Benchmark or equivalent baseline comparison across OS, databases, network devices, cloud accounts. The deliverable is a per-asset deviation register, not a generic policy gap document. Cloud accounts (AWS/Azure/GCP) must be audited against the cloud-provider CIS benchmark and any India data-localisation requirement under DPDPA Section 16.
  3. Red team / TIBER-style exercise (biennial for Qualified REs and MIIs): scenario-driven adversary simulation testing detection and response, not just exploitation. CSCRF Annexure-D references MITRE ATT&CK as the mandatory technique taxonomy and expects at least three discrete kill chains exercised.

One detail that surprises first-time auditees: CSCRF requires VAPT to cover the OMS-RMS-clearing pipeline end-to-end, not just the front-end web app. A 2025 Citrix NetScaler ADC chain (CVE-2025-5777, "Citrix Bleed 2") affected at least two Indian broker setups precisely because their VAPT scope stopped at the WAF and never tested the ADC management interface. The empanelled auditor must explicitly list each component tested and each excluded — exclusions need a board-signed justification.

Pricing typically lands in the Rs 8-18 lakh band for a Mid-size RE annual cycle and Rs 25-60 lakh for a Qualified RE with red team. MIIs run into the Rs 1 crore-plus range. If your quote is below Rs 8 lakh for a Mid-size RE, the auditor is almost certainly not doing authenticated application testing — and your NSE/BSE submission will be returned.

Evidence Pack the Auditor Must Produce for NSE/BSE Submission

The submission template is set by the principal exchange and is non-negotiable. For NSE-registered brokers, the CSCRF audit submission portal requires nine artefacts uploaded in PDF/XLSX:

  1. Auditor cover letter on CERT-In empanelled letterhead, with empanelment number, validity, and the lead auditor's OSCP/OSCE/CEH credentials.
  2. Board-ready executive summary, 2-4 pages, with the CCI score and the trend versus the prior year.
  3. Detailed technical findings report mapping every finding to CSCRF control reference, CWE, OWASP Top 10, MITRE ATT&CK technique ID, and CVSS v3.1 base + temporal score.
  4. Configuration audit register with CIS Benchmark deviation per asset.
  5. VAPT proof-of-exploit appendix with screenshots, request/response pairs and remediation steps — redacted of any live credentials.
  6. Re-test attestation for every Critical/High closed within 30 days.
  7. Tabletop and DR drill observation reports with timestamped action logs.
  8. CCI scoring worksheet with auditor justification per control.
  9. Board-approved gap closure plan for any remaining findings, signed by the MD/CEO and CISO.
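As an added example, not tooling from Certbar or from the circular, the following Python check applies the re-test SLAs stated in the VAPT scope above (Critical/High closed within 30 days, Medium within 60) and the per-finding mapping fields required by artefact 3 to a findings register, sorting each finding into submission-blocking, attestation-required and gap-closure-plan buckets. The field names, the `Finding` structure and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Re-test windows from the CSCRF VAPT scope: Critical/High 30 days, Medium 60 days.
RETEST_SLA_DAYS = {"Critical": 30, "High": 30, "Medium": 60}
# Per-finding mappings the detailed technical findings report (artefact 3) must carry.
REQUIRED = ("cscrf_control", "cwe", "owasp", "attack_technique", "cvss_base", "cvss_temporal")

@dataclass
class Finding:
    fid: str
    severity: str
    reported: date
    closed: Optional[date]  # None while the finding is still open
    mappings: dict

def review_register(findings: list, as_of: date) -> dict:
    """Sort findings into submission-blocking, attestation-required and gap-plan buckets."""
    out = {"blocking": [], "attest": [], "gap_plan": []}
    for f in findings:
        for key in REQUIRED:
            if not f.mappings.get(key):
                out["blocking"].append(f"{f.fid}: missing {key}")
        sla = RETEST_SLA_DAYS.get(f.severity)
        if sla is None:  # Low/Info findings carry no re-test SLA in the scope text
            continue
        age = ((f.closed or as_of) - f.reported).days
        if f.closed is None and age <= sla:
            out["gap_plan"].append(f.fid)  # still open: needs the board-approved closure plan
        elif age > sla:
            state = "open" if f.closed is None else "closed late"
            out["blocking"].append(f"{f.fid}: {f.severity} {state} at {age}d > {sla}d SLA")
        elif f.severity in ("Critical", "High"):
            out["attest"].append(f.fid)  # closed in time: re-test attestation (artefact 6)
    return out

AS_OF = date(2026, 6, 25)  # the T-minus 5 re-test checkpoint from the timeline
SAMPLE = [  # constructed sample register; hypothetical findings, not from any real audit
    Finding("F-01", "Critical", date(2026, 5, 20), date(2026, 6, 10),
            {"cscrf_control": "PR.AC-4", "cwe": "CWE-287", "owasp": "A07:2021",
             "attack_technique": "T1078", "cvss_base": 9.8, "cvss_temporal": 9.1}),
    Finding("F-02", "High", date(2026, 5, 20), None,
            {"cscrf_control": "PR.DS-2", "cwe": "CWE-319", "owasp": "A02:2021",
             "attack_technique": "T1557", "cvss_base": 7.4, "cvss_temporal": 6.9}),
    Finding("F-03", "Medium", date(2026, 6, 1), None,
            {"cscrf_control": "ID.AM-1", "cwe": "CWE-1059", "owasp": "A05:2021",
             "attack_technique": "", "cvss_base": 5.3, "cvss_temporal": 5.0}),
]
```

Calling `review_register(SAMPLE, AS_OF)` flags the overdue High finding and the missing ATT&CK mapping as blocking, lists the closed-in-time Critical for the re-test attestation, and leaves the in-window Medium for the gap closure plan.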

Every Certbar CSCRF engagement also includes a red team narrative report and a separate CERT-In empanelled auditor reference letter that survives a scope challenge — because exchange compliance teams have started phoning auditors to verify the engagement was actually performed and not just rubber-stamped. If your auditor is unwilling to accept a verification call, that is a five-alarm fire.

Timeline: Working Backwards from 30 June to Today

Assuming today is mid-June 2026 and your target submission date is 30 June 2026, here is the realistic backwards plan for a Mid-size RE that has not yet kicked off:

  • T-minus 2 days (28 June 2026): final auditor sign-off and board resolution noting the CSCRF report. Without a board resolution the submission is treated as procedurally defective.
  • T-minus 5 days (25 June 2026): re-test of every Critical and High finding, attestation letter drafted.
  • T-minus 12 days (18 June 2026): remediation window. This is brutally short — you essentially need a SWAT patch team.
  • T-minus 20 days (10 June 2026): VAPT execution complete, draft technical report shared.
  • T-minus 30 days (31 May 2026): kick-off, scoping workshop, rules of engagement signed, asset inventory frozen.

If you are reading this and have not signed an engagement letter, you are already at T-minus 13 days from the realistic latest start. Two paths remain: either compress scope to web-facing and trading-critical assets only with a board-approved justification for excluded internal applications, or file a formal extension request to your principal exchange citing the specific operational reasons. SEBI has granted case-by-case extensions but only to entities that filed the request before the deadline lapsed — never after.

For a Qualified RE, the realistic clean timeline is 10-14 weeks including red team. If you are a Qualified RE without an active engagement on 17 June 2026, the only honest answer is to scope the red team for the next cycle and complete VAPT plus configuration audit before the deadline — and to disclose this in writing to your exchange now.

How to Choose a CERT-In Auditor Who Has Done a CSCRF Cycle Before

The CERT-In empanelment list runs to roughly 200 firms, but fewer than 40 have actually delivered a complete CSCRF submission since the framework went live. The differentiators that matter:

  • CSCRF cycle references — ask for at least three completed CSCRF audits with the principal exchange they were submitted to. Generic CERT-In experience does not transfer; CSCRF has its own evidence templates.
  • OSCP-led offensive team — CSCRF rejects automated-scanner-only reports. Your auditor's testing team must demonstrate manual exploitation capability. Ask to see the OSCP/OSCE certificate scans of the assigned consultants, not just firm-level credentials.
  • Threat-intel integration — the red team or VAPT must use current TTPs. If the proposal doesn't reference recent capital-markets-relevant CVEs (e.g., the 2025 Ivanti EPM chain or the Cisco IOS XE web UI vulnerability from late 2025), the auditor isn't tracking the threat landscape.
  • Compliance-framework fluency — the report must map findings to CSCRF control IDs, not just OWASP. If the sample report from the auditor uses only OWASP/CWE, expect rework.
  • Verification call willingness — exchange compliance will phone the auditor. Get this in writing before signing.
  • Insurance and indemnity — at least Rs 5 crore professional indemnity is now standard. Below that, ask why.

Certbar Security has delivered CSCRF cycles for stockbrokers across the Qualified RE and Mid-size RE tiers in FY 2025-26, all submitted on or before deadline with zero requalification. We are CERT-In empanelled, ISO 27001:2022 + ISO 27701 + SOC 2 aligned, DSCI registered, and our offensive team is OSCP-led. Every CSCRF engagement ships with the nine-artefact NSE/BSE-ready evidence pack and a board-readable executive summary the same week the technical report lands.

The Bottom Line for Capital-Markets CISOs

CSCRF is not RBI Cyber Security Framework with a different cover page. It is a more prescriptive, more evidence-heavy regime with a hard deadline that has now been moved twice and will not move again. If your audit is not booked, your submission will slip and your daily penalty meter will start running on 1 July 2026. Talk to an auditor who has actually delivered the cycle — that conversation should take 30 minutes and tells you immediately whether 30 June 2026 is still achievable. Book a CSCRF scoping call with our team or read our VAPT services overview to see the engagement model.

Nirav Goti, Co-Founder & CEO

Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.


Frequently Asked Questions

30 June 2026 is the final cut-off for the first CERT-In empanelled CSCRF audit cycle, covering FY 2025-26, as set by SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/65 dated 28 March 2025. The submission goes to your principal exchange — NSE or BSE for brokers, the depositories for DPs, AMFI/SEBI-IMD pathways for AMCs. No further extensions are expected.