Regulatory Briefing · Updated July 2026

DPDP & SEBI CSCRF Compliance Deadlines 2026–27: The Readiness Briefing

Two of India's biggest cyber-compliance clocks are running at once — the Digital Personal Data Protection (DPDP) regime and SEBI's Cybersecurity & Cyber Resilience Framework (CSCRF). This briefing puts every deadline, penalty and core obligation in one place, compiled by CyberSigma's CERT-In empanelled, PCI QSA auditors.

At a glance

13 Nov 2025
DPDP Rules notified
13 May 2027
DPDP hard enforcement date
₹250 crore
Maximum DPDP penalty per breach
30 Jun 2026
SEBI CSCRF audit deadline (Qualified & Mid-size REs)
₹1,500–5,000
SEBI daily penalty for a missed audit
6 domains
SEBI CSCRF: Govern, Identify, Protect, Detect, Respond, Recover

1. The DPDP regime — the clock started on 13 November 2025

The Digital Personal Data Protection Act was passed in 2023, but the operative detail arrived with the DPDP Rules, notified on 13 November 2025. The Rules trigger an 18-month transition, so the substantive obligations — and the Data Protection Board's power to levy penalties — take effect on 13 May 2027. That is not a reason to wait: consent, data-mapping and security-safeguard work takes most organisations the better part of that window.

DPDP timeline

  • 13 Nov 2025 — DPDP Rules notified; Data Protection Board of India established (fully digital).
  • ~Nov 2026 — Consent Manager registration criteria and window.
  • 13 May 2027 — hard enforcement: full obligations live and penalties enforceable.

DPDP penalty structure

FailureMaximum penalty
Failure to take reasonable security safeguards₹250 crore
Failure to notify a personal-data breach₹200 crore
Breach of children's-data obligations₹200 crore
Failure of Significant Data Fiduciary (SDF) duties₹150 crore
General non-compliance₹50 crore

A structured programme — data inventory, lawful consent flows, data-principal rights handling, breach response and security safeguards — is what closes the gap. See CyberSigma's DPDP Act compliance services for the full scope.

2. SEBI CSCRF — the 30 June 2026 audit deadline is the nearest hard date

SEBI issued its Cybersecurity & Cyber Resilience Framework (CSCRF) in August 2024 and, after extensions in 2025, set implementation from 31 August 2025. For Qualified and Mid-size Regulated Entities, the first audit must be completed by 30 June 2026. Miss it and the entity is non-compliant, exposed to daily penalties of ₹1,500–₹5,000 and adverse reporting via NSE/BSE.

Who is a Regulated Entity?

Stockbrokers, Mutual Fund AMCs, Portfolio Managers (PMS), Registrar & Transfer Agents (RTAs), Depositories and Depository Participants, Clearing Corporations, KYC Registration Agencies (KRAs), Investment Advisers and Research Analysts with client-data systems.

The six CSCRF domains

  • Govern — cybersecurity policy, board oversight, third-party risk.
  • Identify — asset inventory and risk assessment.
  • Protect — access control, encryption, security awareness.
  • Detect — security monitoring and anomaly detection.
  • Respond — incident-response plan and communication.
  • Recover — business continuity and disaster recovery.

CyberSigma runs the full cycle — gap assessment, VAPT, SOC/market-SOC alignment and the auditor's report. See our SEBI CSCRF compliance audit.

3. Where readiness actually breaks down

Across the DPDP and CSCRF programmes CyberSigma's auditors run, the same weak points recur: consent and data-mapping treated as a legal formality rather than an engineering task; continuous vulnerability management that lapses between annual tests; third-party / vendor risk that is documented but not verified; and incident-response plans that have never been exercised. Documentation is rarely the blocker — evidence that controls actually operate is. Both regimes are audited on operating effectiveness, not intent.

Free DPDP Act readiness checklist

Consent, data-principal rights, breach reporting and Significant Data Fiduciary duties — mapped to actionable controls by CyberSigma’s DPDP consultants.

No spam. Unsubscribe anytime.

Primary sources

This briefing is for general information and reflects the position as of July 2026; regulatory dates can be revised — confirm the current requirement for your entity category. For a scoped assessment, contact CyberSigma.