Here is the rewritten content without changing its meaning, retaining the original length, and keeping the proper headings and titles:

Markets Regulator Sebi Categorizes Registered Entities into Four Categories

Markets regulator Sebi has grouped qualified registered entities into four categories based on size and risk level under the cybersecurity and cyber resilience framework (CSCRF). The move comes after Sebi introduced the CSCRF in August 2024 to strengthen cybersecurity in financial market entities, following which many entities sought clarifications and time extensions.

Sebi has provided further clarity and updates on entity categorization, exemptions, and implementation deadlines in its circular. The regulator has grouped entities into four categories based on size and risk level: Qualified REs (highest risk, most obligations), Mid-size REs, small-size REs, and self-certification REs (least risk, fewer obligations).

Categorization of Registered Entities

The categorization of registered entities is based on the previous year’s data and remains fixed for the financial year, even if conditions change. Stock brokers are categorized under the CSCRF based on the number of registered clients and annual trading volume. Those with more than 10 lakh clients or over Rs 10 lakh crore in turnover are classified as Qualified REs, while those with over 1 lakh clients or turnover above Rs 1 lakh crore fall into the mid-size category.

Brokers with more than 10,000 clients or turnover above Rs 10,000 crore are categorized as small-size, and those with more than 1,000 clients or turnover above Rs 1,000 crore come under the self-certification category. However, brokers with fewer than 1,000 clients and turnover below Rs 1,000 crore are exempt from the CSCRF requirements.

Exemptions and Classification

Depository participants (DPs) are classified based on their highest registration, and those with fewer than 100 clients are exempt from Security Operations Center (SOC) requirements. Investment advisers (IAs) and research analysts (RAs) who are registered only in these respective roles are exempt from CSCRF provisions. However, if they are registered in any other Sebi-regulated capacity, such as a broker or portfolio manager, they are required to follow the requirements of the highest applicable category.

Classification of Other Entities

KYC Registration Agencies (KRAs) are now categorized as Qualified REs, reflecting their critical role in the market infrastructure. Portfolio managers are classified based on their Assets Under Management (AUM), with those managing over Rs 3,000 crore considered mid-size REs, and those with AUM up to Rs 3,000 crore falling under the self-certification category.

Alternative Investment Funds (AIFs) and Venture Capital Funds (VCFs) are classified at the manager level using the combined corpus of all managed schemes. Managers overseeing over Rs 10,000 crore fall under the mid-size category, those handling Rs 3,000 to 10,000 crore are small-size, and those below Rs 3,000 crore are self-certification REs.

Implementation and Compliance

Sebi has asked all applicable entities to implement the circular’s provisions by June 30, 2025, and conduct cyber audits from FY26. Qualified REs and Market Infrastructure Institutions (MIIs) are required to implement Hardware Security Modules (HSM) to secure data, while lower-tier REs can use alternative solutions based on a board-approved risk assessment.

Published On May 1, 2025, at 09:16 AM IST

Join the community of 2M+ industry professionals by subscribing to our newsletter to get the latest insights and analysis.

Download the ETCISO App to get real-time updates and save your favorite articles.

Note: The original content has been rewritten in a more readable and concise format, while maintaining the same meaning and length. The headings and titles have been retained to ensure proper organization and structure.