Infosek

SEBI CSCRF Requirements by RE Category: MII, QRE and SRE Explained

SEBI's Cybersecurity & Cyber Resilience Framework divides all regulated entities into three tiers — and your compliance obligations differ significantly depending on which tier you fall into. This guide clarifies what each category means and what you actually need to do.

Infosek Team

12 May, 2025
Tags: SEBI CSCRF, RE Categories, MII, QRE, SRE

Why the RE Category Matters

SEBI's CSCRF operates on a risk-proportionate model. Entities that are more systemically important, process higher volumes, or have greater exposure to retail investors face more stringent requirements. Before you build your compliance roadmap, you need to know with certainty which category your firm belongs to — and if you are near a threshold, you must plan for the possibility of reclassification.

Category 1: Market Infrastructure Institutions (MII)

MIIs are at the apex of India's securities market infrastructure. They include recognised stock exchanges (BSE, NSE, etc.), depositories (CDSL, NSDL), and clearing corporations. These entities operate the systems on which the entire market depends, so SEBI holds them to the highest cybersecurity standard.

Key MII Requirements

  • 24x7 Security Operations Centre (SOC) with real-time threat monitoring
  • Board-level Cyber Security Committee with independent oversight
  • Chief Information Security Officer (CISO) at senior management level with direct board access
  • Continuous VAPT (not just half-yearly) and red team exercises
  • Comprehensive cyber resilience metrics reported quarterly to the board
  • Integrated crisis management drills including market-wide scenario simulations
  • Advanced threat intelligence programme and information-sharing with SEBI/CERT-In

Category 2: Qualified Regulated Entities (QRE)

QREs are market intermediaries that exceed SEBI-specified thresholds of trading volume, client base, or operational scale. The majority of large stockbrokers and major depository participants fall into this category. If you are a stockbroker with significant retail client volume or a DP operating at scale, QRE classification is the most relevant category for you. For the complete list of controls QREs must implement, refer to our SEBI CSCRF Compliance Checklist.

Key QRE Requirements

  • Designated CISO — either in-house or a formally appointed external CISO
  • Board-approved IS Policy, CCMP, and Incident Response Plan
  • Annual IS audit by a CERT-In empanelled auditor; report submitted to SEBI within 30 days
  • Half-yearly VAPT with critical findings remediated before the next cycle
  • Privileged Access Management (PAM) and multi-factor authentication for critical systems
  • SIEM or equivalent for centralised log management, with logs retained for 5 years
  • Documented BCP and DR, tested annually
  • Vendor and third-party risk management policy

Category 3: Standard Regulated Entities (SRE)

SREs are smaller market intermediaries — those below the QRE thresholds. This typically includes smaller sub-brokers, investment advisers with smaller AUM, and boutique intermediaries. While the compliance requirements are lighter relative to QREs, they are not trivial. SREs are still required to maintain basic cybersecurity hygiene.

Key SRE Requirements

  • IS Policy documented (can be simpler than QRE policy but must be board-approved)
  • Basic access controls: user accounts reviewed quarterly, no shared admin credentials
  • Regular software patching, following a documented process (it may be lightweight, but it must be written down)
  • Incident reporting to SEBI and CERT-In as required
  • Cyber insurance (recommended; SEBI may strengthen requirements over time)
  • Annual IS audit may be required depending on specific intermediary type

The most common mistake we see is firms operating as QREs but treating themselves as SREs — often because no one has formally assessed which category applies. A reclassification audit finding is far more damaging than proactively preparing for the right tier.

Infosek Team

Key Differences Between Categories

  • Audit frequency: MIIs face continuous monitoring requirements; QREs need annual IS audits and half-yearly VAPT; SREs have lighter requirements.
  • Governance: MIIs need board-level cyber committees; QREs need a designated CISO; SREs need documented ownership but with more flexibility.
  • SOC requirements: MIIs must maintain 24x7 SOC; QREs must have monitoring (typically SIEM); SREs need basic log review.
  • Incident reporting: All categories must report to CERT-In within 6 hours and to SEBI per the CSCRF timelines, but the reporting depth and internal escalation requirements differ.

Compliance Timelines

SEBI issued the CSCRF in August 2024 and has provided a phased implementation timeline. MIIs were expected to comply immediately; QREs had a defined onboarding period; SREs have a longer runway but must demonstrate progress. Industry experience shows that QREs that start their readiness programmes well in advance fare significantly better in audits than those that begin close to the deadline. For common failure modes, read our article on 5 Reasons Stockbrokers Fail Their SEBI Cyber Audit.

Not sure which RE category applies to your firm?

Our specialists can assess your classification, identify your exact obligations, and build a roadmap to get you compliant — starting with a free 48-hour gap analysis.
