SEBI Framework for Adoption of Cloud Services — a practitioner reference
ControlForge free guide · 2026-05-24 · Reflects SEBI Circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 of 6 March 2023
Quick reference
- Applies to: all SEBI Regulated Entities (REs) adopting public, community, or hybrid cloud services for any system or data within SEBI's regulatory scope. Includes stock exchanges, clearing corporations, depositories, depository participants, stock brokers, mutual funds and AMCs, portfolio managers, alternative investment funds, investment advisers, research analysts, KYC Registration Agencies, custodians, debenture trustees, credit rating agencies, foreign portfolio investor custodians, merchant bankers, and other intermediaries registered with SEBI.
- Excluded: private cloud deployments are treated as on-premises and governed by SEBI's broader cybersecurity, BCP/DR, and outsourcing circulars rather than this framework.
- Mandatory or voluntary: mandatory regulation for in-scope REs.
- Year published: 6 March 2023, effective immediately for new or proposed cloud onboarding; 12-month transition (to 6 March 2024) for REs with pre-existing cloud arrangements.
- Issuing body: Securities and Exchange Board of India (SEBI), Information Technology Department.
- Penalties: monetary penalties under SEBI Act provisions (typically ₹1 crore range for SEBI Act offences); supervisory action including restrictions on operations, public censure, and licence conditions. The Framework integrates with the SEBI Cyber Security and Cyber Resilience Framework (CSCRF) which has its own penalty regime.
- ControlForge density: 25 controls curated across the 9 principles; cross-walked extensively with SEBI CSCRF, RBI ITGRCA, ISO/IEC 27001:2022, ISO/IEC 27017:2015, ISO/IEC 27018:2019, and CSA Cloud Controls Matrix v4.
What it is
The SEBI Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) is the cloud-specific cybersecurity framework for India's capital markets sector. Issued in March 2023, it complements (rather than replaces) SEBI's broader cybersecurity framework (CSCRF) by addressing the specific risks of cloud computing: shared responsibility complexity, data residency, vendor lock-in, concentration risk, and the operational practicalities of supervising IT services running on third-party infrastructure.
The Framework is structurally aligned with NIST CSF principles and incorporates concepts from MeitY empanelment (the Government of India's process for vetting cloud service providers for government and regulated-entity use). The intersection point is operationally consequential: SEBI REs adopting public cloud must use cloud service providers (CSPs) that are MeitY-empanelled or that satisfy equivalent assurance.
Nine principles organise the framework:
- Principle 1: Governance, Risk and Compliance Sub-Framework.
- Principle 2: Selection of Cloud Service Providers.
- Principle 3: Data Localisation.
- Principle 4: Responsibility of the Regulated Entity.
- Principle 5: Due Diligence by the Regulated Entity.
- Principle 6: Security Controls.
- Principle 7: Contractual and Regulatory Obligations.
- Principle 8: Business Continuity and Disaster Recovery.
- Principle 9: Vendor Lock-in and Concentration Risk Management.
A distinctive feature: the Framework is prescriptive on data residency. SEBI REs must store and process data within MeitY-empanelled CSP data centres located in India, with limited exceptions for backup or DR data subject to documented justification. This is more restrictive than the negative-list approach in some other Indian frameworks (e.g. DPDPA's cross-border regime) and reflects SEBI's concern about regulatory accessibility to capital-markets data.
Two operational reporting requirements layered with the principles:
- By 6 June 2023: REs were required to submit an implementation roadmap to SEBI.
- Between 6 June 2023 and 6 March 2024: quarterly progress reports against the roadmap.
- After 6 March 2024: full compliance with the framework; ongoing updates to SEBI.
By mid-2026, in-scope REs should have completed the transition; new cloud arrangements have been framework-compliant from day one since March 2023.
Structure at a glance
The Framework is organised around the nine principles, with each principle expanded into sub-requirements and implementation guidance:
Principle 1 — Governance, Risk and Compliance Sub-Framework. Board-approved cloud computing strategy; integrated with the RE's overall IT governance; documented cloud adoption rationale; periodic risk assessment; Board / management committee oversight.
Principle 2 — Selection of Cloud Service Providers. CSP selection criteria including MeitY empanelment; financial soundness; geographic operations; security certifications (ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, STAR Certification); operational track record; references from comparable REs.
Principle 3 — Data Localisation. Data storage and processing within India in MeitY-empanelled CSP data centres; documented exceptions for backup or DR where justified; data classification driving residency requirements; explicit prohibition on routing data outside India without documented authorisation.
Principle 4 — Responsibility of the Regulated Entity. The RE remains fully accountable for compliance with SEBI regulations regardless of cloud adoption; documented allocation of responsibility between RE and CSP using the shared responsibility model; clarity on operational responsibility per function.
Principle 5 — Due Diligence by the Regulated Entity. Pre-engagement due diligence: CSP security and operational posture review; site visit or independent assessment where feasible; review of CSP audit reports (SOC 2, ISO 27001, ISO 27017); reference checks; legal review of standard CSP contracts.
Principle 6 — Security Controls. Implementation of cloud-specific security controls aligned with CSCRF requirements: identity and access management with MFA, network security, encryption in transit and at rest, vulnerability management, secure configuration, logging and monitoring integrated with the RE's SIEM, incident response procedures with CSP coordination.
Principle 7 — Contractual and Regulatory Obligations. CSP contracts include specific provisions: SEBI's right to inspect the CSP, data return on exit, data destruction certification, sub-processor controls, incident notification with defined timelines, audit rights for the RE, regulatory cooperation, no use of customer data for the CSP's own purposes.
Principle 8 — Business Continuity and Disaster Recovery. Documented BCP and DR plans accommodating cloud architecture; tested at least annually including failover and failback; alternate-site capability either via a different CSP region or via a hybrid arrangement; RTO and RPO defined per service.
Principle 9 — Vendor Lock-in and Concentration Risk Management. Documented exit strategy with realistic data and workload portability; multi-cloud or hybrid architecture considered for critical workloads; concentration risk assessment at the CSP and CSP-region level; CSP technology choices evaluated for portability.
The Framework also requires REs to periodically provide audit reports to SEBI — including systems audit, cybersecurity audit, and VAPT reports — covering their cloud-resident systems.
Who must comply
The Framework applies to all SEBI-regulated entities adopting public, community, or hybrid cloud services. The scope is broad and covers virtually every SEBI registration category:
Market Infrastructure Institutions (MIIs): Stock Exchanges (BSE, NSE), Clearing Corporations (NSCCL, ICCL, MCXCCL), Depositories (NSDL, CDSL).
Intermediaries:
- Stock Brokers and Trading Members.
- Depository Participants.
- Mutual Funds, Asset Management Companies, Trustees.
- Portfolio Managers (including Discretionary, Non-Discretionary, Advisory).
- Alternative Investment Funds (AIFs).
- Investment Advisers and Research Analysts.
- KYC Registration Agencies (KRAs).
- Custodians of Securities.
- Debenture Trustees.
- Credit Rating Agencies.
- Foreign Portfolio Investor Custodians.
- Merchant Bankers.
- Underwriters.
- Bankers to an Issue.
- Registrars to an Issue and Share Transfer Agents.
- Issue Management entities.
Other SEBI-registered entities including SEBI-recognised vendors and SEBI-approved infrastructure providers.
Scope exclusion: private cloud deployments — where the RE controls the underlying infrastructure entirely — are treated as on-premises infrastructure and follow SEBI's general cybersecurity (CSCRF), BCP/DR, and outsourcing circulars rather than this Framework. The Framework specifically targets public, community, and hybrid cloud where the RE shares infrastructure responsibility with a third-party CSP.
A practical scoping consideration: many REs operate hybrid environments with some workloads on private infrastructure and others in public cloud. The Framework applies to the public/hybrid portions; the private portions follow the general SEBI cyber framework.
Core obligations
The major obligations under the nine principles, taken in turn.
Board-approved cloud strategy. Board / partners / proprietors approved governance model and strategy for cloud computing covering: business rationale; types of cloud services (IaaS, PaaS, SaaS); scope of cloud adoption; risk appetite; risk treatment approach; oversight structure. Maps into ControlForge clusters cl-policy, cl-it-governance-board, and cl-isms-context.
MeitY empanelment of CSPs. Cloud service providers must be MeitY-empanelled (or satisfy equivalent independent assurance). The MeitY empanelment process vets CSPs against the GoI cloud security framework with periodic re-assessment. As of 2026, the major hyperscalers operating Indian regions (AWS, Azure, Google Cloud, Oracle Cloud) are MeitY-empanelled for relevant service tiers; smaller and specialised CSPs vary. Maps into cl-supplier-policy and cl-third-party-due-diligence.
Data residency in India. Data storage and processing within MeitY-empanelled CSP data centres located in India. Specifically: customer data, transaction data, regulatory data must reside within India. Backup data may be replicated outside India where documented and approved at the Board / senior management level; DR data may reside in non-India regions subject to risk assessment and explicit approval. The default is in-India residency. Maps into cl-data-classification, cl-cross-border-transfer, and cl-data-residency.
Shared responsibility model. The RE remains fully accountable for SEBI compliance regardless of cloud adoption. A documented shared responsibility matrix per cloud service identifies what the RE manages and what the CSP manages. Critical: the RE cannot delegate accountability for SEBI compliance to the CSP; the CSP's certifications support but do not substitute for the RE's own assurance. Maps into cl-cloud-shared-responsibility and cl-roles-responsibilities.
Due diligence. Pre-engagement and ongoing due diligence on the CSP: security certifications (ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, STAR Certification ideally); third-party audit reports; financial soundness; geographic presence; references; legal review. Documented diligence file maintained and refreshed at material changes. Maps into cl-third-party-due-diligence and cl-supplier-policy.
Identity and access management. MFA enforced for all administrative access to cloud-resident systems; role-based access; quarterly access reviews; privileged access management; service account governance; federation with the RE's identity provider. Maps into cl-access-rights, cl-multi-factor-authentication, and cl-authentication.
Encryption. Encryption in transit (TLS 1.2+) for all data flows; encryption at rest for sensitive data; customer-managed keys (CMK) for high-sensitivity workloads where feasible; documented key management. Maps into cl-cryptography and cl-encryption.
Network and infrastructure security. Network segmentation between cloud and on-premises environments; cloud security posture management (CSPM) tooling; secure configuration baselines; vulnerability scanning of cloud resources; cloud-aware vulnerability management. Maps into cl-network-protection, cl-cspm-cloud-posture, and cl-configuration-management.
Logging and monitoring. Comprehensive logging of cloud activities (API calls, administrative actions, security events) integrated with the RE's SIEM; log retention within Indian jurisdiction per SEBI requirements; alerting on suspicious patterns; periodic log review. Maps into cl-logging and cl-monitoring-activities.
Vulnerability assessment and penetration testing. Annual VAPT covering cloud-resident systems by CERT-In empanelled firms; manual penetration testing required (not just scanning); remediation tracked through documented closure; segmentation testing for cloud-resident environments. Maps into cl-vapt-cycle and cl-vuln-identification.
Contractual obligations on CSPs. SEBI right to inspect the CSP; data return on exit in usable format; data destruction certification; sub-processor controls; incident notification within defined timelines (typically 24 hours to RE); audit rights for the RE; regulatory cooperation clauses; data-usage restrictions preventing the CSP from using customer data for its own purposes. Maps into cl-supplier-policy and cl-cloud-shared-responsibility.
Business continuity and disaster recovery. Cloud-aware BCP and DR plans; documented RTO and RPO; tested annually including cloud failover scenarios; alternate-site capability (different CSP region, multi-cloud, or hybrid); communication plan during disruption. Maps into cl-bcp-ict-readiness and cl-cyber-rehearsal.
Exit strategy and vendor lock-in management. Documented exit strategy with data portability mechanism; assessment of CSP technology choices for portability; multi-cloud or hybrid consideration for critical workloads; concentration risk assessment at the CSP level and at the CSP-region level. Maps into cl-supplier-policy and cl-cloud-shared-responsibility.
Periodic reporting to SEBI. Audit reports (systems audit, cybersecurity audit, VAPT) on cloud-resident systems submitted periodically to SEBI; ad-hoc reporting on material changes (new CSP engagement, geography change, significant incident). Maps into cl-mandatory-audit and cl-incident-reporting-external.
How auditors test it
Three audit pathways:
SEBI inspection under the SEBI Act inspection authority. Risk-based selection; cloud adoption is a focus area in inspections of REs that have meaningfully migrated to cloud. Inspectors review the cloud strategy document, the shared responsibility matrix, the CSP contracts (sample clauses), the data residency posture, the BCP/DR test evidence, and the periodic reporting to SEBI.
Mandatory cybersecurity audit under SEBI CSCRF — covers cloud-resident systems within the broader CSCRF audit scope. Conducted by CERT-In empanelled firms. Findings tracked through closure.
Periodic VAPT as required by the Framework and CSCRF. Annual minimum; manual testing required; CERT-In empanelment of the lead auditor is a prerequisite.
Evidence patterns at a SEBI cloud-focused audit:
- Board-approved cloud strategy document with date trail.
- Cloud adoption rationale and risk assessment.
- CSP selection due diligence file with MeitY empanelment proof and security certifications.
- Shared responsibility matrix per cloud service.
- Data residency documentation including MeitY-empanelled-region selection and exception register.
- CSP contracts with the prescribed clauses (SEBI inspection, data return, destruction, audit rights).
- Identity and access evidence including MFA enforcement and access review records.
- Encryption evidence including CMK deployment where applicable.
- CSPM deployment and configuration evidence.
- Logging integration with the SIEM; sample log entries traced through to incident response.
- VAPT reports with manual testing depth and CERT-In empanelment proof.
- BCP / DR test reports including cloud failover scenarios.
- Exit strategy document and concentration risk assessment.
Common findings in SEBI cloud-focused inspections:
- CSP region selection without explicit MeitY-empanelment verification.
- Shared responsibility matrix exists but doesn't drill to specific controls (gap at the operational implementation level).
- Backup or log data routed to non-India regions without documented approval.
- CSP audit reports (SOC 2, ISO 27001) accepted without entity-specific configuration review.
- Exit strategy theoretical; not tested.
How it relates to other frameworks
The Cloud Framework integrates with the broader SEBI cybersecurity stack and parallel Indian regulators:
- SEBI CSCRF: the general SEBI cyber resilience framework (20 August 2024 master circular). The Cloud Framework is the cloud-specific overlay; CSCRF is the general cyber baseline.
- SEBI Cyber Audit, BCP/DR, Outsourcing Circulars: pre-existing instruments that apply alongside the Cloud Framework (and to private-cloud / on-premises deployments which are out of the Cloud Framework's scope).
- CERT-In Direction 70B: 6-hour incident reporting; applies in parallel including for cloud-incident scenarios.
- DPDPA 2023 + Rules 2025: personal-data aspects of cloud-resident data; from May 2027 the DPBI breach notification applies.
- RBI ITGRCA / CSF: for SEBI REs that are also banks or NBFCs (e.g. depository participants that are banks). Parallel applicability; coordinated programme architecture.
- MeitY guidelines on cloud computing: foundational; MeitY empanelment is the underlying assurance mechanism.
- ISO/IEC 27001:2022: general security baseline expected of CSPs and increasingly of REs themselves.
- ISO/IEC 27017:2015: cloud security extension to ISO 27001; specifically relevant to CSPs.
- ISO/IEC 27018:2019: cloud PII processor extension; relevant where the cloud holds personal data.
- CSA Cloud Controls Matrix v4: the global meta-framework; provides structural reference but is not mandated.
- AICPA SOC 2 Trust Services Criteria: CSP attestation framework referenced in due diligence.
ControlForge cross-walks the SEBI Cloud Framework against the parallel cloud frameworks (ISO 27017/18, CSA CCM) and against the Indian regulatory layer (CSCRF, RBI ITGRCA, DPDPA) to surface where evidence overlaps.
Common pitfalls
Five recurring failure patterns:
- CSP region selection not verified as MeitY-empanelled. Major hyperscaler global regions are not automatically MeitY-empanelled; the empanelment applies to specific Indian regions and service tiers. Selecting a "default" or non-India region misses the requirement. Fix: explicit MeitY-empanelment verification per CSP region used; documented attestation; review at annual cadence.
- Data residency leakage through ancillary services. Primary database resides in an India MeitY-empanelled region but analytics, logging, monitoring, or backup services route data outside India by default. Fix: data residency review covering all ancillary services; explicit configuration to keep data in India unless exception approved.
- Shared responsibility documented at high level, not at control level. The matrix says "encryption" without specifying who manages keys, what cipher, what rotation cadence. Inspections find the gap. Fix: control-level shared responsibility matrix with explicit operational ownership.
- CSP contracts using standard templates without SEBI-specific clauses. SEBI right to inspect the CSP, regulatory cooperation, data return on exit, destruction certification, sub-processor controls — these are often absent in CSP standard contracts. Fix: contract review against the Framework's contractual requirements; negotiated addenda where standard contracts don't cover.
- Exit strategy theoretical. The exit document exists but has not been tested; data portability mechanisms have not been exercised; the RE doesn't actually know how long an exit would take. Fix: scoped exit drill (partial workload migration) at least biennially; documented exit playbook with realistic timing.
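The first two pitfalls above (unverified region selection and residency leakage through ancillary services) are the kind of thing a scripted residency review catches before an inspector does. The following is an added example, not ControlForge's tooling or anything from the SEBI circular. It walks a constructed resource inventory against an allow-list of regions the RE has itself verified as MeitY-empanelled, applies an exception register for backup/DR data, and raises a finding for every resource, including logging, analytics and backup services, that sits outside the verified regions without a valid, unexpired exception. The region names, the `in-` naming convention, the inventory and the exception register are all constructed placeholders; the real empanelled-region list must come from MeitY and the CSP.

```python
"""Residency / empanelment review over a constructed cloud inventory (added example)."""
from dataclasses import dataclass
from datetime import date

# ASSUMPTION: regions the RE has verified as MeitY-empanelled. Placeholder names,
# not the official MeitY list; populate from MeitY / CSP documentation.
EMPANELLED_INDIA_REGIONS = {"in-west-1", "in-south-1"}
# Data classes the Framework treats as having to stay in India by default.
REGULATED_DATA_CLASSES = {"customer", "transaction", "regulatory"}


@dataclass(frozen=True)
class Resource:
    name: str
    service: str        # database, logging, analytics, backup ...
    region: str
    data_class: str     # customer, transaction, regulatory, telemetry ...
    purpose: str = "primary"   # "primary", "backup" or "dr"


@dataclass(frozen=True)
class ResidencyException:
    resource: str
    approved_by: str    # Board / senior management approval reference
    expires_on: date


@dataclass(frozen=True)
class Finding:
    resource: str
    code: str
    severity: str
    detail: str


def check_residency(inventory, exceptions, today):
    """Return a Finding for every resource that breaches the residency posture."""
    exc_by_resource = {e.resource: e for e in exceptions}
    findings = []
    for r in inventory:
        if r.region in EMPANELLED_INDIA_REGIONS:
            continue                                   # verified India region: fine
        # ASSUMPTION (constructed naming): India regions carry an "in-" prefix.
        if r.region.startswith("in-"):
            findings.append(Finding(r.name, "REGION_NOT_VERIFIED", "high",
                f"{r.region} is an India region but is not on the RE's verified "
                f"MeitY-empanelled list"))
            continue
        exc = exc_by_resource.get(r.name)
        if r.purpose in ("backup", "dr") and exc and exc.expires_on >= today:
            continue                                   # documented, approved, current
        severity = "critical" if r.data_class in REGULATED_DATA_CLASSES else "high"
        if exc and exc.expires_on < today:
            why = f"exception approved by {exc.approved_by} expired on {exc.expires_on}"
        elif r.purpose == "primary":
            why = "primary data outside India is not eligible for an exception"
        else:
            why = "no documented exception on the register"
        findings.append(Finding(r.name, "DATA_OUTSIDE_INDIA", severity,
                                f"{r.service} in {r.region} holds {r.data_class} data; {why}"))
    return findings


# Constructed sample inventory: a tidy primary database, plus the ancillary
# services that typically leak data out of India by default.
INVENTORY = [
    Resource("orders-db", "database", "in-west-1", "transaction"),
    Resource("app-logs", "logging", "eu-central-1", "telemetry"),
    Resource("nightly-backup", "backup", "us-east-1", "customer", purpose="backup"),
    Resource("dr-replica", "database", "sg-south-1", "transaction", purpose="dr"),
    Resource("kyc-store", "database", "in-central-1", "customer"),
    Resource("analytics-warehouse", "analytics", "us-west-2", "customer"),
]
# Constructed exception register: one current approval, one that has lapsed.
EXCEPTIONS = [
    ResidencyException("nightly-backup", "Board-2025-11", date(2026, 12, 31)),
    ResidencyException("dr-replica", "Board-2024-03", date(2025, 12, 31)),
]
AS_OF = date(2026, 5, 24)

if __name__ == "__main__":
    for f in check_residency(INVENTORY, EXCEPTIONS, AS_OF):
        print(f"[{f.severity}] {f.resource}: {f.code} - {f.detail}")
```

Run as-is it reports four findings: the log pipeline and analytics warehouse in non-India regions, the DR replica whose exception has lapsed, and the KYC store in an India region that nobody has actually verified as empanelled. The backup passes only because its exception is on the register and unexpired; dropping the `expires_on` check is the usual way such a script quietly stops matching the exception register an inspector will read.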
Two further patterns:
- CSPM and cloud-aware vulnerability management not deployed. Traditional vulnerability scanning misses cloud-specific misconfigurations (S3 bucket policies, IAM policies, security group rules). Fix: deploy CSPM tooling with continuous monitoring; integrate findings into the RE's vulnerability management process.
- Concentration risk at the CSP-region level not assessed. Many REs concentrate on a single CSP and a single region; CSP-region-level outages have affected multiple REs simultaneously. Fix: concentration risk assessment; multi-region or multi-cloud architecture for critical workloads.
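To make the CSPM pitfall concrete, here is an added example (not ControlForge's or any CSP's tooling) of the two cheapest posture checks a CSPM product runs that a host vulnerability scanner never sees: security-group ingress rules that expose administrative ports to the whole internet, and bucket policies that grant access to an anonymous principal. The rule records and policy documents are constructed inline in the shape of exported configuration; the group names, bucket names and account id are placeholders.

```python
"""Two CSPM-style misconfiguration checks over constructed exports (added example)."""
import ipaddress

ADMIN_PORTS = {22, 3389}           # SSH and RDP: never open to 0.0.0.0/0 or ::/0


def rule_open_to_internet(rule):
    """True when the source CIDR is the whole IPv4 or IPv6 address space."""
    try:
        return ipaddress.ip_network(rule["cidr"], strict=False).prefixlen == 0
    except (KeyError, ValueError):
        return False


def rule_covers_admin_port(rule):
    if rule.get("protocol") == "-1":   # "all traffic" rule, exported as protocol -1
        return True
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def check_security_groups(rules):
    """Return (group, code, detail) for every ingress rule exposing admin ports publicly."""
    return [
        (r["group"], "SG_ADMIN_PORT_OPEN_TO_INTERNET",
         f"{r.get('protocol')} {r.get('from_port', 0)}-{r.get('to_port', 65535)} from {r['cidr']}")
        for r in rules
        if r.get("direction") == "ingress"
        and rule_open_to_internet(r) and rule_covers_admin_port(r)
    ]


def principal_is_anyone(principal):
    """Anonymous principal in IAM policy syntax: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket_policy(bucket, policy):
    """Flag Allow statements granted to everyone; conditioned ones get a lower-severity review code."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        code = "BUCKET_CONDITIONAL_PUBLIC" if stmt.get("Condition") else "BUCKET_PUBLIC_ACCESS"
        findings.append((bucket, code, f"{stmt.get('Sid', '<no Sid>')} allows {', '.join(actions)}"))
    return findings


# Constructed security-group export: two safe rules, two exposures, one scoped admin rule.
SG_RULES = [
    {"group": "sg-web", "direction": "ingress", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-bastion", "direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "direction": "ingress", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
    {"group": "sg-legacy", "direction": "ingress", "protocol": "-1", "cidr": "::/0"},
    {"group": "sg-mgmt", "direction": "ingress", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "203.0.113.0/24"},
    {"group": "sg-web", "direction": "egress", "protocol": "-1", "cidr": "0.0.0.0/0"},
]

# Constructed bucket policies (placeholder names and the documentation account id).
BUCKET_POLICIES = {
    "re-public-assets": {"Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::re-public-assets/*"}]},
    "re-kyc-archive": {"Statement": [
        {"Sid": "KycReader", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::re-kyc-archive/*"}]},
    "re-reports": {"Statement": [
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::re-reports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]},
}


def run_posture_checks():
    findings = check_security_groups(SG_RULES)
    for bucket, policy in BUCKET_POLICIES.items():
        findings.extend(check_bucket_policy(bucket, policy))
    return findings


if __name__ == "__main__":
    for group_or_bucket, code, detail in run_posture_checks():
        print(f"{code}: {group_or_bucket} - {detail}")
```

The checks deliberately treat a conditioned anonymous grant (the `aws:SourceVpce` case) as a review item rather than a pass: the condition may well be sound, but a scanner cannot judge that, and the Framework's expectation is that CSPM findings flow into the RE's vulnerability management process, where a person does.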
When to use this framework
The Cloud Framework applies to all SEBI REs that adopt public, community, or hybrid cloud services. Implementation considerations:
- Greenfield cloud adoption: framework-compliant from day one; the build is easier than retrofitting.
- Brownfield cloud (existing arrangements): the 12-month transition window has closed (March 2024); existing arrangements that are not yet compliant face supervisory exposure.
- Cloud migration planning: SEBI Cloud Framework + CSCRF + outsourcing circulars together form the compliance backbone for migration projects; engage SEBI early through the roadmap-and-progress-report mechanism for material migrations.
- Multi-RE arrangements: shared services across affiliated REs operating in cloud need coordinated framework alignment.
For SEBI REs that operate only private cloud or on-premises, the framework does not apply directly; the general SEBI cyber framework (CSCRF) and outsourcing circulars govern. Such REs may still consider the framework's principles voluntarily as a reference for any future cloud adoption.
Further reading
- SEBI Circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 (6 March 2023) — https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html
- SEBI CSCRF Master Circular (20 August 2024) — https://www.sebi.gov.in/
- SEBI website (regulations and circulars archive) — https://www.sebi.gov.in/
- MeitY cloud empanelment — https://www.meity.gov.in/
- CSA Cloud Controls Matrix — https://cloudsecurityalliance.org/research/cloud-controls-matrix
- ControlForge clusters:
cl-cloud-shared-responsibility, cl-cspm-cloud-posture, cl-cryptography, cl-data-classification, cl-cross-border-transfer, cl-supplier-policy, cl-multi-factor-authentication, cl-vapt-cycle — SEBI Cloud Framework cross-walked against SEBI CSCRF, RBI ITGRCA, ISO 27001 / 27017 / 27018, CSA CCM, and AICPA SOC 2.
This guide is a practitioner reference, not legal advice. It reflects the SEBI Framework for Adoption of Cloud Services issued 6 March 2023 and publicly available SEBI and MeitY guidance as of 24 May 2026. Compliance teams should validate specific obligations against the current SEBI circular text and counsel review.