sebi
Published on 16 July 2025
SEBI Updates: Compliance Deadline Extensions and Data Localization Changes
SEBI Revises CSCRF Timelines and Puts Data Localization on Hold: What Regulated Entities Need to Know
In a measured response to industry concerns, the Securities and Exchange Board of India (SEBI) has issued a circular revising key compliance timelines under the Cybersecurity and Cyber Resilience Framework (CSCRF) and placing the framework’s data localization requirement temporarily on hold.
The circular, released in July 2025, offers breathing room to regulated entities (REs) navigating operational and infrastructural constraints, while signalling that regulatory expectations remain high.
Revised Compliance Deadlines: Who Gets More Time—and Why
SEBI’s revised approach takes into account the varied operational maturity of different market participants. The staggered deadlines reflect the regulator’s intent to support genuine implementation efforts while maintaining accountability.
For Existing CSCRF-Compliant REs
- Original Deadline: January 1, 2025
- Revised Status: Regulatory forbearance until March 31, 2025
Implication: SEBI will not initiate enforcement actions during this grace period, provided the entity:
- Demonstrates tangible progress (e.g., internal audits, vendor onboarding, or system upgrades)
- Can document its compliance roadmap
- Responds to audits or show-cause notices with evidence of ongoing efforts
For KRAs (KYC Registration Agencies) and DPs (Depository Participants)
- Previous Deadline: January 1, 2025
- New Deadline: April 1, 2025
These entities serve as the backbone of investor onboarding and transaction monitoring. SEBI has acknowledged their technical constraints by offering a short extension—not a blanket relaxation.
For All Other REs Newly Covered by CSCRF
-
Original Deadline: April 1, 2025
-
Revised Deadlines: Extended twice
- First to June 30, 2025
- Now further extended to August 31, 2025
This category includes newer market participants brought under the CSCRF umbrella. SEBI expects full compliance by end-August and will likely resume normal enforcement actions thereafter.
Exclusions
The latest circular does not alter timelines for:
- Market Infrastructure Institutions (MIIs)
- KRAs and Qualified RTAs (Registrars to an Issue and Share Transfer Agents)
These entities are expected to meet the shorter compliance windows as originally specified.
Data Localization Requirements: Temporarily Suspended
In a major update, SEBI has suspended the enforcement of data localization mandates under Standard PR.DS.S2 of the CSCRF, following widespread industry feedback.
SEBI’s Position:
“Based on the feedback received... further consultations are required. Accordingly, the guidelines and provisions related to Data Localization under PR.DS.S2 have been kept in abeyance until further notice.”
What This Means for REs:
- No immediate requirement to move or restrict investor data to servers located in India
- Entities relying on global cloud service providers can continue their operations without major IT changes
- However, firms are encouraged to remain architecturally flexible, anticipating that localization rules may return in a modified form
Quick Snapshot: Compliance Status by Entity Type
| Entity Type | Original Deadline | Revised Deadline(s) | Current Status |
|---|---|---|---|
| REs under original CSCRF mandate | Jan 1, 2025 | Forbearance until Mar 31 → Full by Aug 31 | Extended with conditional forbearance |
| New REs under CSCRF | Apr 1, 2025 | June 30 → Aug 31, 2025 | Extended to August 31 |
| KRAs and DPs | Jan 1, 2025 | Apr 1, 2025 | Revised fixed deadline |
| MIIs, KRAs, Qualified RTAs | Unchanged | Unchanged | No extension |
| Data Localization | N/A | In abeyance | Deferred until further SEBI notification |
Practical Takeaways for Regulated Entities
This Is Time—Not Exemption
The extensions offer room to act, not to defer. SEBI expects:
- Visible compliance efforts
- Robust documentation of progress
- Preparedness for audits post-deadline
Forbearance ≠ Forgetfulness
Entities must maintain cybersecurity logs, ensure board-level oversight, and update vendor SLAs to align with CSCRF expectations—regardless of deadline changes.
Data Localization Pause Is Temporary
Although the data storage requirement is suspended, REs should:
- Assess dependencies on offshore servers
- Plan for future-proof, modular IT setups to pivot quickly if localization returns
Collaborative Regulation, Not Lax Enforcement
The revised circular reflects SEBI’s consultation-led, market-sensitive approach, but trust must be earned through disciplined execution.
Final Word: Compliance With Clarity
The CSCRF is a cornerstone of SEBI’s evolving risk and resilience architecture. By offering time-linked flexibility, the regulator is acknowledging implementation challenges—but not compromising on expectations.
For regulated entities, this is a crucial opportunity to:
- Tighten internal governance
- Formalize cybersecurity practices
- Strengthen oversight and vendor controls
- Prepare for a future where cyber accountability is as fundamental as financial compliance