SEBI CSCRF tier classification — a 2026 practitioner reference

ControlForge free guide · 2026-05-24 · Reflects CSCRF Master Circular 20 August 2024, with the 30 April 2025 categorisation revisions and 28 August 2025 clarifications


Quick reference

  • The problem in one line: SEBI CSCRF imposes a graded compliance model across five tiers of Regulated Entities — Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs, and Self-Certification REs. Self-classification is mandatory; misclassification is a supervisory exposure on its own.
  • The hard timing facts:
      • 20 August 2024 — CSCRF Master Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 issued.
      • 30 April 2025 — first major revision: categorisation thresholds revised for many RE types (Portfolio Manager AUM thresholds, stock broker classification by registered clients / annual trading volume).
      • June 2025 — implementation timeline extension for non-MII entities to 31 August 2025.
      • 28 August 2025 — second major revision: critical-systems definition expanded; zero-trust expectations; Principle of Exclusivity and Equivalence for multi-regulated entities; HSM mandate for MIIs and Qualified REs; Portfolio Manager three-tier simplification.
      • 5 May 2026 — AI advisory layered into CSCRF expectations.
      • Mid-2026 to 2029 — BSE monitors CSCRF compliance for Investment Advisers and Research Analysts until July 2029.
  • The Principle of Exclusivity and Equivalence (August 2025): if an entity regulated by multiple bodies (e.g. NBFC-cum-stock-broker regulated by both RBI and SEBI) operates under an equivalent regulator's framework, CSCRF compliance may be deemed satisfied. This is operationally important — and operationally easy to get wrong.
  • Audience: CISOs, Heads of Compliance, Operations Heads, Internal IS Auditors at SEBI Regulated Entities, and CERT-In empanelled audit firms serving them.
  • ControlForge density: 51 controls across SEBI CSCRF curated, cross-walked with NIST CSF 2.0 (CSCRF's structural reference), ISO 27001, CIS Controls, and the Indian sectoral regulators.

The five tiers — what each means

SEBI CSCRF operates a graded approach to compliance: the obligations are proportionate to the RE's tier classification. Classification is at the start of each financial year based on the previous year's operating data and remains fixed for the entire financial year, regardless of mid-year operational changes.

Market Infrastructure Institutions (MIIs)

The highest-criticality tier. Includes Stock Exchanges (BSE, NSE), Clearing Corporations (NSCCL, ICCL, MCXCCL), and Depositories (NSDL, CDSL). KYC Registration Agencies (KRAs) are categorised as Qualified REs, but given their systemic role they are in practice held to MII-level operational expectations.

Obligations: full CSCRF requirements including continuous monitoring, 24×7 SOC, comprehensive incident response, regular VAPT with manual depth, mandatory cyber audit by CERT-In empanelled firm, HSM deployment, and the strictest data protection / cyber resilience requirements. Direct SEBI oversight including reporting.

Qualified REs

The next tier — entities of significant scale or systemic importance. Examples include:

  • Stock brokers with substantial registered clients and annual trading volume (per April 2025 thresholds).
  • Portfolio Managers with AUM ≥₹10,000 crore (per August 2025 three-tier simplification).
  • Alternative Investment Fund (AIF) and Venture Capital Fund (VCF) managers overseeing aggregate corpus >₹10,000 crore.
  • KYC Registration Agencies (KRAs).
  • Custodians of securities.

Obligations: full CSCRF requirements at most levels comparable to MIIs, with some narrow differentiation. Mandatory annual cyber audit, VAPT, 24×7 monitoring (in-house or via MSSP with documented oversight), HSM mandate (post-August 2025), zero-trust architecture expectations.

Mid-size REs

Moderate-scale entities. Examples (post-April 2025 thresholds):

  • Stock brokers with more than 1 lakh and up to 10 lakh registered clients OR annual trading volume between ₹1,00,000 crore and (higher threshold).
  • Portfolio Managers with AUM ₹3,000–10,000 crore (per August 2025 simplification — three tiers).
  • AIF / VCF managers with corpus ₹3,000–10,000 crore.

Obligations: substantial CSCRF requirements with simplified compliance in selected areas. Annual cyber audit, periodic VAPT, structured incident response, defined SOC capability (typically MSSP-based), proportionate data protection controls.

Small-size REs

Smaller-scale entities. Examples:

  • Stock brokers below mid-size thresholds (with the small-size threshold defined per the 2025 revisions).
  • Portfolio Managers with AUM ≤₹3,000 crore (subject to the >100 client minimum; PMs with <100 clients are exempt).
  • AIF / VCF managers with corpus below the Small threshold.

Obligations: foundational CSCRF requirements. Self-certification with periodic external audit (typically at multi-year cycle), basic IR capability, vendor-managed security operations.

Self-Certification REs

The least-onerous tier — for the smallest entities. Examples:

  • Stock brokers below the Small threshold.
  • AIFs / VCFs below the Small threshold.
  • Investment Advisers and Research Analysts (subject to BSE oversight until July 2029).
  • Portfolio Managers with <100 clients (exempt entirely).

Obligations: self-certification of compliance with foundational controls. Annual self-declaration; spot inspections by SEBI; lighter audit cadence.

The "highest applicable category" rule

If an entity qualifies for multiple SEBI categories (e.g. a firm operating as both a stock broker and a depository participant), the provisions of the highest applicable category apply across all activities. This is a common scoping issue — entities sometimes apply different categorisations to different business lines, but CSCRF rejects that pattern.


How the April 2025 revision changed categorisation

The April 2025 amendment was the first major recalibration of CSCRF, addressing industry feedback that the original thresholds were misaligned with operational reality. Key changes:

Stock brokers: classification recalibrated by number of registered clients and annual trading volume. The mid-size band became more generous, capturing brokers that had been disproportionately burdened under the August 2024 thresholds.

Portfolio Managers: original multi-parameter classification (combining AUM, number of clients, asset complexity) was simplified to a single AUM-based threshold. This was further simplified in August 2025 to three tiers.

Alternative Investment Funds / Venture Capital Funds: classification at the manager level using the combined corpus of all managed schemes — rather than at the individual scheme level. This better reflects the operational reality where multiple schemes share infrastructure.

KYC Registration Agencies: explicitly categorised as Qualified REs, reflecting their critical role in the market ecosystem.

Investment Advisers and Research Analysts: BSE monitoring of CSCRF compliance through July 2029, providing implementation runway.

Non-MII implementation extension to 31 August 2025 (announced June 2025) — recognising that many REs needed additional time to operationalise the framework.


How the August 2025 revision changed compliance expectations

The August 2025 amendment focused on clarifying compliance content rather than re-categorising entities:

Critical systems definition expanded: SEBI clarified that "critical systems" includes not just the obviously customer-facing or trading systems but also internal systems whose failure has material consequences for operations or investor protection. The definition encompasses impact of system failure, data sensitivity, security risks (PII data breach), and connectivity to other critical systems.

Zero-trust expectations: introduced as architectural expectations for Qualified REs and MIIs. Implementation includes identity-centric access, micro-segmentation, continuous verification.

HSM (Hardware Security Module) mandate: introduced for MIIs and Qualified REs. Cryptographic key management for high-value keys (signing, payment processing, customer authentication) must use HSMs.

Portfolio Manager three-tier simplification: from the April 2025 simplification, further refined to three tiers (Self-cert ≤₹3000 Cr / Small >₹3000–<₹10,000 Cr / Mid-size ≥₹10,000 Cr).

Principle of Exclusivity and Equivalence: the most operationally consequential August 2025 change. For entities regulated by multiple bodies, if the other regulator's framework is equivalent, CSCRF compliance may be deemed satisfied. This is critically important for:

  • NBFC-cum-stock-broker entities regulated by both RBI and SEBI.
  • Bank subsidiaries operating as depository participants.
  • Insurance entities with capital-markets distribution arms.

The Principle is operationally easy to get wrong: equivalent does not mean identical; the entity must document the equivalent compliance and the assessment.


How to classify your entity in 2026

A structured methodology for self-classification, applicable at the start of each financial year:

Step 1 — Identify all SEBI registrations. Many REs hold multiple SEBI registrations. List all active registrations.

Step 2 — Apply the categorisation criteria per registration. For each registration:

  • Stock broker: registered clients + annual trading volume against current thresholds.
  • Depository participant: number of demat accounts + transaction volume.
  • Portfolio Manager: AUM (three-tier criteria per August 2025).
  • AIF / VCF: corpus at manager level.
  • Investment Adviser / Research Analyst: per BSE / SEBI category rules through July 2029.
  • Custodian: per Qualified RE designation.
  • Other: per CSCRF Annexure I categorisation table.

Step 3 — Apply the "highest applicable category" rule. If multiple registrations produce different categorisations, the entity is classified at the highest applicable category for all activities.

Step 4 — Consider the Principle of Exclusivity and Equivalence. If the entity is also regulated by another body (RBI, IRDAI) with an equivalent framework, document the equivalent compliance and the basis for it. This requires substantive analysis — the equivalent framework must address the same control areas at comparable depth.

Step 5 — Document the classification. The classification, the basis for it, the data inputs (registered clients, AUM, etc.), and the Principle of Exclusivity assessment are documented and Board-approved. The documentation is the artefact for inspection.

Step 6 — Carry forward through the financial year. Classification is fixed for the financial year; mid-year operational changes do not re-classify until the next year's classification cycle.


Common classification pitfalls

Five recurring patterns observed in 2024–26 implementations:

1. Classifying per business line rather than per entity. A firm classified as Qualified for its stock-broking business but Self-Certification for its IA business. CSCRF rejects this — highest applicable category applies across all activities.

2. Outdated thresholds. Applying the original August 2024 thresholds in mid-2026, ignoring the April 2025 / August 2025 revisions. Particularly affects Portfolio Manager classification and stock broker categorisation.

3. AIF / VCF classification at scheme level rather than manager level. Each scheme assessed independently; classification fragments. CSCRF requires aggregation at the manager level.

4. Principle of Exclusivity misapplied. An NBFC-cum-stock-broker assumes RBI compliance covers CSCRF without documenting the equivalence assessment. SEBI inspection challenges the assumption.

5. Sub-100-client Portfolio Managers misunderstanding the exemption. PMs with <100 clients are exempt entirely; some have applied Self-Certification when they should have claimed exemption — and vice versa.


Tier-specific obligation summary

A high-level view of what differs across tiers (full text in the CSCRF Master Circular):

Area | MII | Qualified | Mid-size | Small-size | Self-cert
---|---|---|---|---|---
Cyber audit | Annual, CERT-In empanelled | Annual, CERT-In empanelled | Annual or biennial | Biennial | Self-declaration
VAPT | Annual + post-change | Annual + post-change | Annual | Periodic | Periodic
Manual pen-testing | Mandatory | Mandatory | Recommended | Optional | Optional
SOC | 24×7 in-house | 24×7 in-house or strong MSSP | MSSP acceptable | MSSP acceptable | Vendor-managed
Incident response | Full programme | Full programme | Structured procedure | Documented procedure | Procedure required
BCP/DR testing | Annual live | Annual live | Annual tabletop + biennial live | Annual tabletop | Annual tabletop
Zero-trust | Required | Required | Recommended | Optional | Optional
HSM | Required | Required | Where applicable | Where applicable | N/A
Encryption posture | Comprehensive | Comprehensive | Substantial | Foundational | Foundational
Vendor risk management | Full programme | Full programme | Structured | Basic | Basic
Reporting to SEBI | Continuous + on-demand | Periodic + on-demand | Periodic | Annual | Annual

This is a directional summary; the CSCRF Master Circular text is the binding source and the operational reference.


The CSCRF cyber audit — what tier-specific scope means

The mandatory cyber audit operates differently across tiers:

MII / Qualified RE cyber audit:

  • Annual cycle.
  • CERT-In empanelled firm.
  • Manual penetration testing required.
  • Full CSCRF control scope.
  • Report submitted to SEBI within the prescribed timeline.
  • Findings tracked through documented closure with re-test evidence.

Mid-size RE cyber audit:

  • Annual or biennial per the entity's risk profile.
  • CERT-In empanelled firm (recommended; mandatory for certain Mid-size sub-categories).
  • VAPT scope adapted to entity criticality.
  • Report submitted to SEBI; findings tracked.

Small-size RE cyber audit:

  • Biennial cadence in most cases.
  • External audit by a qualified firm.
  • Scope adapted to the foundational CSCRF requirements.

Self-Certification cyber posture:

  • Annual self-declaration of compliance.
  • Periodic SEBI spot inspection.
  • Audit triggered by incident or regulatory request.


How ControlForge supports CSCRF tier classification

ControlForge curates 51 SEBI CSCRF controls cross-walked with NIST CSF 2.0 (the CSCRF's structural reference), ISO 27001:2022, CIS Controls v8, and the broader Indian regulatory stack.

Relevant clusters:

  • cl-policy — governance and policy foundation.
  • cl-it-governance-board — Board oversight required at MII / Qualified.
  • cl-monitoring-activities — SOC obligations per tier.
  • cl-vapt-cycle — VAPT scope and frequency per tier.
  • cl-mandatory-audit — cyber audit cadence per tier.
  • cl-zero-trust — zero-trust architecture expectations.
  • cl-cryptography — HSM and encryption posture.
  • cl-bcp-ict-readiness — BCP/DR testing per tier.
  • cl-supplier-policy — vendor risk management per tier.

The synthesis surfaces the tier-specific obligations and allows entities to map their tier classification to the applicable control set, identifying compliance gaps efficiently. For multi-regulated entities, the synthesis additionally surfaces the equivalent compliance posture across RBI and IRDAI for the Principle of Exclusivity assessment.


A 60-day CSCRF tier readiness uplift

For SEBI REs preparing for CSCRF inspection or self-assessment:

Days 1–15: Classification and gap analysis.

  • Confirm current tier classification with documented methodology.
  • Map the CSCRF control set applicable to the tier.
  • Identify gaps against current state.

Days 16–30: Documentation and policy refresh.

  • Update the Information Security Policy aligned with CSCRF.
  • Cybersecurity Policy separation per CSCRF.
  • ICSP / supporting procedures library refresh.
  • Board approval of refreshed policies.

Days 31–45: Operational uplift.

  • Address the top 5 control gaps (prioritised by criticality and effort).
  • SOC / monitoring capability gap closure (in-house or MSSP).
  • VAPT engagement with a CERT-In empanelled firm.
  • Vendor risk programme refresh.

Days 46–60: Audit preparation and submission readiness.

  • Internal pre-audit review by the IS audit function.
  • Documentation library refresh for inspection.
  • Reporting calendar to SEBI confirmed.
  • Cyber audit firm engaged for the annual cycle.

By day 60, the entity should have a defensible CSCRF posture aligned with its tier classification. Continuous improvement extends from there.

A worked classification example — a mid-sized brokerage

A SEBI-registered stock broker with the following profile arrives at the tier classification:

  • Registered clients: 3.2 lakh.
  • Annual trading volume: ₹85,000 crore.
  • Also registered as a portfolio manager (AUM ₹4,200 crore).
  • Also operating as a depository participant.

Classification analysis:

  • As stock broker (per April 2025 thresholds): either registered clients above 1 lakh or annual trading volume above ₹1,00,000 crore places a broker in Mid-size; with 3.2 lakh clients and trading volume just below the ₹1,00,000 crore threshold, the classification is Mid-size on the registered-clients axis.
  • As portfolio manager (per August 2025 three-tier): AUM ₹4,200 crore falls in the Small-size band (>₹3,000 Cr but <₹10,000 Cr).
  • As depository participant: per the CSCRF Annexure I categorisation, the tier depends on demat account volume — assume Mid-size.
  • Aggregate per the highest-applicable-category rule: Mid-size across all activities.
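The six-step methodology and the brokerage analysis above, carried through as an added Python example (not ControlForge's or SEBI's code): it encodes only the bands this page quotes, aggregates AIF corpus at manager level, treats a sub-100-client PM as exempt rather than Self-Certification, and applies the highest-applicable-category rule across registrations. The Registration fields, the PM client count and every band marked ASSUMED are assumptions of this example, not figures from the circular.

```python
"""CSCRF tier self-classification per the rules summarised on this page.
Added example, not ControlForge's or SEBI's code. Bands the page does not
quote are marked ASSUMED and must be read from the current circular text."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Ordered low -> high so the "highest applicable category" rule is a max().
TIERS = ["Self-Certification", "Small-size", "Mid-size", "Qualified", "MII"]
LAKH = 100_000

@dataclass
class Registration:
    kind: str                      # "broker", "pm", "aif_manager" or "dp"
    clients: int = 0               # registered clients (broker) / clients (PM)
    volume_cr: float = 0.0         # annual trading volume, ₹ crore
    aum_cr: float = 0.0            # Portfolio Manager AUM, ₹ crore
    scheme_corpus_cr: List[float] = field(default_factory=list)  # AIF corpus per scheme
    declared_tier: Optional[str] = None  # tier read from Annexure I (e.g. a DP)

def classify_broker(r: Registration) -> str:
    # April 2025 band: >1 lakh up to 10 lakh clients OR volume from ₹1,00,000 cr
    # -> Mid-size. The axes are joined by OR, so either one alone is enough.
    if r.clients > 10 * LAKH:
        return "Qualified"          # ASSUMED: band above the Mid-size client band
    if r.clients > 1 * LAKH or r.volume_cr >= 100_000:
        return "Mid-size"
    return "Small-size"             # ASSUMED: Small / Self-Certification split not quoted

def classify_pm(r: Registration) -> Optional[str]:
    # August 2025 three-tier band as stated in the section above; <100 clients exempt.
    if r.clients < 100:
        return None                 # exempt entirely, which is not Self-Certification
    if r.aum_cr >= 10_000:
        return "Mid-size"
    if r.aum_cr > 3_000:
        return "Small-size"
    return "Self-Certification"

def classify_aif_manager(r: Registration) -> str:
    corpus = sum(r.scheme_corpus_cr)  # aggregate across all schemes, never per scheme
    if corpus > 10_000:
        return "Qualified"
    if corpus >= 3_000:
        return "Mid-size"
    return "Small-size"             # ASSUMED: Self-Certification cut-off not quoted

def classify_entity(regs: List[Registration]) -> Tuple[Optional[str], List[Tuple[str, Optional[str]]]]:
    """Return (entity tier, [(registration kind, tier)]). Exempt registrations
    contribute nothing; the entity takes the highest applicable category."""
    dispatch = {"broker": classify_broker, "pm": classify_pm,
                "aif_manager": classify_aif_manager, "dp": lambda r: r.declared_tier}
    per_reg = [(r.kind, dispatch[r.kind](r)) for r in regs]
    applicable = [t for _, t in per_reg if t is not None]
    return (max(applicable, key=TIERS.index) if applicable else None), per_reg

if __name__ == "__main__":
    # The brokerage from the worked example above; the PM client count is constructed.
    print(classify_entity([
        Registration("broker", clients=320_000, volume_cr=85_000),
        Registration("pm", clients=350, aum_cr=4_200),
        Registration("dp", declared_tier="Mid-size"),
    ]))   # ('Mid-size', [('broker', 'Mid-size'), ('pm', 'Small-size'), ('dp', 'Mid-size')])
```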

Principle of Exclusivity consideration: the entity is not regulated by another body with an equivalent framework; the Principle does not apply.

Documentation:

  • Board-approved tier classification document with the analysis above.
  • Tier classification carried forward through the financial year.
  • Re-assessment scheduled at the start of the next financial year (April 1).

Compliance posture as Mid-size:

  • Annual cyber audit by a CERT-In empanelled firm.
  • Annual VAPT (manual testing recommended given the size).
  • MSSP-based SOC with documented oversight.
  • Vendor risk management programme.
  • BCP/DR with annual tabletop + biennial live testing.
  • DPDPA convergence planning for May 2027 enforcement.

Inspection-readiness pack: classification document, refreshed CSCRF-aligned policies, cyber audit report, VAPT report, SOC monitoring evidence, vendor risk register, BCP/DR test reports, incident-handling evidence including CIMS submissions.

The brokerage's specific learnings during implementation: (a) the multi-registration aggregation rule surprised the compliance team — they had been managing portfolio-management compliance independently; (b) the MSSP relationship needed to be re-papered to include CSCRF-aligned SOC service expectations; (c) the cyber audit firm previously used was CERT-In empanelled but not specialist in capital-markets context; a switch to a more specialised firm reduced inspection friction. These patterns repeat across mid-size SEBI REs.


Cross-references

CSCRF interacts with:

  • SEBI Cloud Framework (March 2023) — cloud-specific overlay; applies in addition to CSCRF.
  • CERT-In Direction 70B — 6-hour incident reporting in parallel.
  • DPDPA 2023 + Rules 2025 — privacy overlay from May 2027.
  • NIST CSF 2.0 — the structural reference framework for CSCRF.
  • ISO/IEC 27001:2022 — substantial control overlap with CSCRF.
  • RBI ITGRCA / ITO 2023 — for multi-regulated entities under the Principle of Exclusivity and Equivalence.
  • IRDAI 2023 Guidelines — for entities operating across SEBI and IRDAI.

Further reading

  • SEBI CSCRF Master Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 (20 August 2024) — https://www.sebi.gov.in/
  • SEBI CSCRF FAQ document (June 2025) — https://www.sebi.gov.in/
  • April 2025 categorisation revisions — https://www.sebi.gov.in/
  • August 2025 clarifications — https://www.sebi.gov.in/
  • SEBI Framework for Adoption of Cloud Services (March 2023) — https://www.sebi.gov.in/
  • NIST CSF 2.0 (CSCRF structural reference) — https://www.nist.gov/cyberframework
  • ControlForge clusters: cl-policy, cl-it-governance-board, cl-monitoring-activities, cl-vapt-cycle, cl-mandatory-audit, cl-zero-trust, cl-cryptography, cl-bcp-ict-readiness, cl-supplier-policy — SEBI CSCRF cross-walked against NIST CSF, ISO 27001, RBI ITGRCA, IRDAI, and DPDPA.

The cluster cross-walk is particularly useful for multi-regulated entities (an NBFC operating as a stock broker; a bank with depository participant operations) where the Principle of Exclusivity and Equivalence applies: the synthesis surfaces the control equivalence across RBI ITGRCA / CSF and SEBI CSCRF, supporting the equivalent-compliance assessment that the Principle requires.


This guide is a practitioner reference, not legal advice. It reflects the SEBI CSCRF Master Circular (20 August 2024) with the April 2025 and August 2025 amendments, and the 5 May 2026 AI advisory, and publicly available SEBI guidance as of 24 May 2026. Compliance teams should validate specific obligations against the current circular text, FAQs, and counsel review. Tier classification should be documented at the start of each financial year and Board-approved as the artefact for inspection.

A final practitioner observation: SEBI CSCRF inspections through 2025–26 have surfaced a consistent message — supervisory examiners care more about operational evidence of compliance than the policy library. A mid-size RE with a thin policy stack but operationally functioning controls (working SIEM with sample alerts, refreshed access reviews, VAPT with closure tracking, CCO certification with evidence) clears inspection more cleanly than a Qualified RE with comprehensive policy documentation but operational gaps. The classification determines the obligation set; operational discipline determines the outcome.