In April 2024, the RBI’s Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices came into effect for banks and NBFCs. Four months later, SEBI released its Cybersecurity and Cyber Resilience Framework (CSCRF) with a 205-page mandate that replaced years of older circulars and introduced a tiered compliance model for the securities market.
For entities operating across both sectors, the SEBI CSCRF vs RBI Cybersecurity Framework comparison is no longer theoretical. Each framework has its own scope, audit cycles, SOC requirements and incident reporting timelines. Understanding where they differ helps you build a programme that satisfies both without duplicating effort.
This post covers what each framework applies to, the five areas where they differ most and where a unified compliance approach is possible.
What each framework covers
The RBI Master Direction applies to scheduled commercial banks, small finance banks, payment banks, NBFCs and credit information companies. It covers IT governance, cybersecurity risk management, SOC maturity, VAPT and business continuity planning.
SEBI’s CSCRF applies to 22 types of entities across the securities market – stock exchanges, clearing corporations, depositories, stockbrokers, AMCs, custodians, portfolio managers, KRAs, registrars and credit rating agencies. The framework organises these entities into five tiers based on size and systemic importance. Its structure is built around five cyber resilience goals: Anticipate, Withstand, Contain, Recover and Evolve. Both frameworks are active and binding. The differences between them shape your compliance roadmap.
5 key differences between SEBI CSCRF and the RBI cybersecurity framework
These are the areas where the two frameworks diverge most significantly for BFSI entities.
Entity classification
SEBI’s framework applies a five-tier model: Market Infrastructure Institutions (MIIs), Qualified, Mid-size, Small and Self-certification REs. Each tier carries differentiated audit cycles, SOC obligations and reporting requirements. The RBI framework applies more uniformly across regulated entities, building proportionality through control thresholds.
SOC model
Both frameworks require 24/7 Security Operations Centre (SOC) coverage for continuous monitoring and incident detection. SEBI additionally introduced a Market SOC (M-SOC) model, where smaller firms that cannot build or sustain their own SOC can access shared SOC infrastructure operated by NSE and BSE.
VAPT obligations
SEBI CSCRF mandates VAPT after every major system release and on a defined periodic cycle. As per SEBI’s FAQ clarification circular (June 2025), all identified vulnerabilities must be closed within three months of report submission. High-severity patch-related flaws must be remediated within one week. The RBI framework requires periodic VAPT under a risk-based approach, without a comparable release-triggered cycle.
Incident reporting timeline
The August 2024 SEBI CSCRF circular requires regulated entities to report cyber incidents to the SEBI Incident Reporting portal and to CERT-In within six hours of detection. The RBI Master Direction requires regulated entities to comply with applicable CERT-In reporting directions for cyber incident notification.
Disaster recovery thresholds
SEBI’s August 2025 technical clarifications circular sets a Recovery Time Objective (RTO) of two hours and a Recovery Point Objective (RPO) of 15 minutes for critical operations. The RBI Master Direction requires a Board-approved Business Continuity Plan and Disaster Recovery policy but does not prescribe uniform RTO/RPO thresholds across all entity types.
Where the two frameworks align
SEBI’s clarification circular introduced the Principle of Exclusivity and Equivalence. For entities regulated by both SEBI and RBI, compliance with one regulator’s framework can satisfy the other’s where the controls are equivalent. This reduces duplication. It does not replace the need for a formal gap analysis confirming which framework’s requirement governs each control area.
Both frameworks share a common foundation: board-level IT governance, SOC requirements, VAPT mandates, IS audit obligations and third-party risk management. A common programme that satisfies both regulators can be achieved, provided each control is mapped to its source requirement and gaps under the stricter standard are addressed.
Conclusion
The SEBI CSCRF vs RBI Cybersecurity Framework discussion is not about choosing one over the other. For dual-regulated BFSI entities, both apply simultaneously. The real challenge is building a single compliance architecture that maps to both mandates and holds up to audit scrutiny from either regulator.
CyberNX can help you across both frameworks. Our teams work with SEBI-regulated entities on SEBI CSCRF framework consulting and with RBI-supervised banks and NBFCs on RBI Master Direction compliance. We bring hands-on experience across both regulatory environments. Connect with our experts to map your SEBI CSCRF vs RBI Cybersecurity Framework obligations and build a compliance programme that covers both.
SEBI CSCRF vs RBI Cybersecurity Framework FAQs
Does the Principle of Exclusivity and Equivalence mean dual-regulated entities only need to comply with one framework?
Not automatically. SEBI’s August 2025 clarification circular states that where a regulated entity is also supervised by another regulator and that regulator’s controls are equivalent, CSCRF compliance may be considered satisfied for those areas. However, entities still need a formal gap analysis to confirm equivalence for each control.
What are the VAPT requirements for Qualified Stockbrokers under SEBI CSCRF?
As per SEBI’s June 2025 FAQ circular, Qualified Stockbrokers must conduct VAPT on a half-yearly basis, irrespective of their tier. All vulnerabilities identified must be closed within three months of report submission. High-severity patch-related vulnerabilities carry a one-week remediation deadline.
Does the RBI Master Direction apply to NBFCs the same way it applies to banks?
Yes. The RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices explicitly covers non-banking financial companies alongside scheduled commercial banks, small finance banks, payment banks, All India Financial Institutions and credit information companies.
What disaster recovery standards does SEBI CSCRF set for regulated entities?
SEBI’s August 2025 technical clarifications circular specifies a Recovery Time Objective (RTO) of two hours and a Recovery Point Objective (RPO) of 15 minutes for critical operations. Entities must also document contingency plans for scenarios where these timelines cannot be met.