Regulatory Alert: CDSL Mandates Submission of VAPT Findings Closure Reports Under SEBI’s CSCRF Framework
On March 5, 2026, Central Depository Services (India) Limited (“CDSL”) issued Communiqué No. CDSL/OPS/DP/POLCY/2026/152, directing all registered Depository Participants (“DPs”) to submit compliance documentation pertaining to the closure of findings identified during Vulnerability Assessment and Penetration Testing (“VAPT”). This directive forms a critical component of India’s increasingly rigorous cybersecurity regulatory architecture and carries significant legal implications for financial market intermediaries operating under the supervision of the Securities and Exchange Board of India (“SEBI”).
Table of Contents
Regulatory Background and Legislative Basis
The present communiqué does not arise in isolation. It is grounded in an extensive chain of regulatory instruments, commencing with SEBI’s Cybersecurity and Cyber Resilience Framework (“CSCRF”) Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, issued on August 20, 2024. This foundational circular established a comprehensive framework, governing cybersecurity obligations, applicable to all SEBI-regulated entities (“Res”). Subsequent clarification circulars issued by SEBI on December 31, 2024, March 28, 2025, April 30, 2025, August 28, 2025, and a Frequently Asked Questions document dated June 11, 2025, have progressively refined and elaborated upon the obligations enunciated therein.
CDSL itself reinforced these obligations through Communiqué No. CDSL/OPS/DP/POLCY/2024/468 dated August 21, 2024, and further issued a detailed directive vide Communiqué No. CDSL/IS/DP/POLCY/2025/822 dated December 15, 2025, which specifically addressed the procedural requirements for VAPT report submissions. The March 2026 communiqué builds upon this established regulatory lineage, operationalising compliance requirements for a specific half-yearly reporting period.
Scope and Applicability
The present compliance obligation is specifically directed at two categories of regulated entities: Qualified Stock Brokers (“QSBs”) and entities classified as Protected Regulated Entities (“Protected REs”). This categorical distinction is legally significant, as it delineates the precise class of DPs to whom this mandatory obligation attaches. Entities falling outside these classifications are not expressly covered under the current directive, though such entities would be well-advised to maintain vigilance regarding their own applicable cybersecurity obligations under the broader CSCRF framework.
Nature of the Compliance Obligation
The substance of the directive requires DPs to submit a formal Action Taken Report (“ATR”) evidencing the closure of all findings identified during the VAPT exercise conducted for the half-yearly period spanning April 2025 to September 2025. VAPT, as a mandated cybersecurity assessment tool, serves the dual purpose of identifying systemic vulnerabilities within a regulated entity’s information technology infrastructure and providing a structured mechanism through which such vulnerabilities may be remediated under regulatory oversight.
The legal significance of the ATR submission lies in its evidentiary character: it constitutes a formal representation by the DP to CDSL and by extension, to SEBI that identified security deficiencies have been addressed in a timely and efficacious manner. Failure to submit such a report, or the submission of an incomplete or inaccurate report, could expose the DP to regulatory inquiry, enforcement proceedings, or adverse findings under the applicable securities laws.
Compliance Deadline and Procedural Requirements
The submission deadline prescribed by CDSL is March 31, 2026. DPs are required to transmit their VAPT ATRs exclusively via electronic mail to the designated address: dpinfosec@cdslindia.com. No alternative mode of submission has been prescribed or sanctioned. Given the proximity of the deadline to the date of issuance of the communiqué, DPs are urged to treat this as a matter of immediate priority and initiate the collation of requisite documentation without delay.
Legal and Practical Implications for Depository Participants
From a legal compliance perspective, this directive reinforces the paramount importance of maintaining robust cybersecurity governance frameworks within regulated financial entities. Non-compliance carries the risk of regulatory censure, which, in the context of securities market intermediaries, can have far-reaching consequences including reputational damage, operational restrictions, or monetary penalties. Legal counsel advises that DPs treat the VAPT process not merely as a procedural formality, but as a substantive component of their enterprise risk management and regulatory compliance obligations.
Furthermore, the iterative nature of SEBI’s clarificatory circulars signals a regulatory environment that is actively evolving. DPs and their legal advisors must maintain continuous engagement with emerging regulatory guidance to ensure that compliance programmes remain current and responsive to the dynamic cybersecurity landscape.
Conclusion
CDSL’s March 2026 directive represents a concrete and time-bound expression of SEBI’s commitment to embedding cybersecurity resilience within India’s securities market infrastructure. For Depository Participants falling within the ambit of this directive, the obligation to submit VAPT Action Taken Reports by March 31, 2026 is unequivocal and non-discretionary. Our firm recommends that all relevant DPs undertake an immediate review of their VAPT findings, ensure that all identified vulnerabilities have been duly remediated, and submit their ATRs in accordance with the prescribed procedure. Proactive engagement with regulatory obligations of this nature not only ensures compliance but also demonstrates the institutional commitment to cybersecurity governance that regulators and stakeholders increasingly expect.
For guidance on SEBI compliance, cybersecurity regulatory obligations, or assistance in preparing VAPT Action Taken Reports, please contact our Securities and Financial Regulations practice.
For more details, write to us at: contact@indialaw.in
By entering the email address you agree to our Privacy Policy.
