The penalty structure under CSCRF operates across multiple dimensions. It includes daily exchange fines for report non-submission, per-vulnerability charges for closure failures, trading terminal disablement and formal SEBI enforcement under the SEBI Act. Each has a different trigger, a different authority and a different commercial impact. Knowing what applies to your entity and when is where compliance risk management starts.
Penalties for non-submission of audit and VAPT reports
The most immediate and quantified penalties under CSCRF come from NSE and BSE for failing to submit cyber audit and VAPT reports within prescribed timelines. These are exchange-imposed, apply from day one of the delay and escalate with each passing week.
The current NSE penalty structure for VAPT report non-submission, as per NSE Circular NSE/INSP/74185 dated May 14, 2026, is as follows:
| Days Late | Non-QRE | Qualified RE (QRE) |
|---|---|---|
| Day 1–7 | ₹1,500 per day | ₹3,000 per day |
| Day 8–21 | ₹2,500 per day | ₹5,000 per day |
From day 21, new client registration is prohibited, and a seven-day disablement notice is issued. That notice is shared with all exchanges. From day 28, the member is disabled across all segments until the report is submitted.
For repeat instances, the same monetary penalties apply with a 50% escalation. The disablement structure applies immediately without the initial grace period.
Similar penalty structures apply to cyber audit report submissions. For the full breakdown of cyber audit submission timelines and reporting requirements, read our cyber audit under SEBI CSCRF guide.
Penalties for non-closure of vulnerabilities
Separate from the report submission penalties, CSCRF imposes per-vulnerability fines for each finding that is not closed within the prescribed timeline. These are charged per unclosed vulnerability and scale with both the risk rating of the finding and the RE category. The current NSE structure for VAPT vulnerability non-closure, as per NSE/INSP/74185 (May 14, 2026):
Low-risk vulnerabilities carry no fine only where the RE provides certification on the efficacy of compensatory controls. Without that certification, the per-vulnerability fine applies regardless of risk rating.
An entity with multiple unclosed critical findings at audit (not an uncommon position for a Qualified RE entering a second audit cycle with carry-forward observations) can accumulate significant exposure from this mechanism alone.
Trading terminal disablement
The disablement consequence deserves attention separate from the fine amounts. For a stock broker, disablement across all segments is not a financial penalty in the conventional sense but an operational stop. Trading halts, client orders cannot be executed and revenue stops immediately. The seven-day notice and the 28-day disablement timeline mean this outcome is entirely avoidable, but it requires active tracking of submission deadlines rather than reactive scrambling after they pass.
The disablement notice being shared with all exchanges is also significant. Non-compliance status becomes visible across the entire market infrastructure, not just to NSE. That visibility extends beyond the immediate period of non-compliance and enters the regulatory record.
SEBI formal enforcement under the SEBI Act
Exchange-imposed penalties apply to reporting and submission failures. For substantive non-compliance – mandatory controls absent, repeated audit observations, failure to implement CSCRF requirements – SEBI can initiate formal enforcement proceedings under the SEBI Act.
Under Section 15HB of the SEBI Act, any failure to comply with SEBI provisions or directions for which no separate penalty is prescribed carries a minimum penalty of ₹1 lakh. SEBI initiates this process by appointing an Adjudicating Officer, who issues a show cause notice to the entity and conducts an inquiry. Penalties, disgorgement and, in serious or repeated cases, registration restrictions or cancellation can follow.
Section 15J requires the Adjudicating Officer to consider the amount of disproportionate gain, the loss caused to investors and the repetitive nature of the default when determining the quantum. Repeat observations in audit reports, which auditors are required to flag explicitly under NSE’s Terms of Reference, directly feed this assessment. An entity with a record of repeat audit observations is in a materially different position before an Adjudicating Officer than an entity with a clean audit history.
What repeat observations do to your regulatory standing
The NSE circular audit guidelines require auditors to clearly mark any finding that recurs from a previous audit cycle as a repeat observation. These are not treated as equivalent to first-time findings. Repeat observations signal to SEBI’s supervisory teams that a gap has been identified, communicated and not resolved. That distinction matters when SEBI assesses whether to pursue formal enforcement and what level of action is proportionate.
An entity that closed its prior-cycle findings, evidenced the closure and entered the current audit cycle clean is in a structurally different compliance position to one that carries forward open observations. The repeat observation flag is the mechanism that makes that difference visible in the regulatory record.
The amplified liability position during non-compliance
Under SEBI FAQ Q38, regulated entities are solely accountable for all aspects of cybersecurity, including compliance with SEBI’s regulations, regardless of third-party involvement. If a breach occurs while an RE is in a state of active CSCRF non-compliance, that non-compliance is an aggravating factor. The absence of mandatory controls during the period of the breach directly affects how SEBI assesses the RE’s accountability. Compliance is the documented evidence that reasonable protective measures were in place.
Conclusion
The penalty exposure under SEBI CSCRF is specific, escalating and tracked across audit cycles. Daily exchange fines begin from day one of a missed submission, per-vulnerability closure fines accumulate per unclosed finding by RE category, trading terminal disablement follows within 28 days and formal SEBI enforcement under the SEBI Act applies to substantive non-compliance.
The most effective way to manage this exposure is to enter each audit cycle with submissions on time, findings closed and documentation in order. Our SEBI CSCRF audit readiness guide covers the preparation steps in detail.
If you need support building a compliance programme that keeps your entity on the right side of these obligations, connect with our SEBI CSCRF consulting team.
SEBI CSCRF penalties FAQs
Are the daily penalties different for VAPT non-submission and cyber audit non-submission?
The penalty structure for VAPT non-submission is confirmed in NSE/INSP/74185 (May 14, 2026). Cyber audit report non-submission penalties follow a similar structure as per NSE/INSP/73849 (April 22, 2026). Verify the current cyber audit penalty table against the latest NSE circular applicable to your entity type before each submission cycle.
Do the per-vulnerability closure fines apply to cyber audit findings or only VAPT findings?
The per-vulnerability fines confirmed in NSE/INSP/74185 apply specifically to VAPT non-closure. Cyber audit observation closure requirements follow the Action Taken Report mechanism – non-closure is tracked and flagged as a repeat observation in the next cycle, which feeds into SEBI’s formal enforcement assessment.
Can SEBI act directly against an RE without going through the exchange?
Yes. Exchange-imposed penalties apply to submission and reporting failures. SEBI formal enforcement under the SEBI Act operates independently and applies to substantive non-compliance with CSCRF provisions. MIIs, which report directly to SEBI rather than through exchanges, face SEBI enforcement without an exchange intermediary.