Regulatory Briefing · Updated July 2026
DPDP & SEBI CSCRF Compliance Deadlines 2026–27: The Readiness Briefing
Two of India's biggest cyber-compliance clocks are running at once — the Digital Personal Data Protection (DPDP) regime and SEBI's Cybersecurity & Cyber Resilience Framework (CSCRF). This briefing puts every deadline, penalty and core obligation in one place, compiled by CyberSigma's CERT-In empanelled, PCI QSA auditors.
At a glance
1. The DPDP regime — the clock started on 13 November 2025
The Digital Personal Data Protection Act was passed in 2023, but the operative detail arrived with the DPDP Rules, notified on 13 November 2025. The Rules trigger an 18-month transition, so the substantive obligations — and the Data Protection Board's power to levy penalties — take effect on 13 May 2027. That is not a reason to wait: consent, data-mapping and security-safeguard work takes most organisations the better part of that window.
DPDP timeline
- 13 Nov 2025 — DPDP Rules notified; Data Protection Board of India established (fully digital).
- ~Nov 2026 — Consent Manager registration criteria and window.
- 13 May 2027 — hard enforcement: full obligations live and penalties enforceable.
DPDP penalty structure
| Failure | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards | ₹250 crore |
| Failure to notify a personal-data breach | ₹200 crore |
| Breach of children's-data obligations | ₹200 crore |
| Failure of Significant Data Fiduciary (SDF) duties | ₹150 crore |
| General non-compliance | ₹50 crore |
A structured programme — data inventory, lawful consent flows, data-principal rights handling, breach response and security safeguards — is what closes the gap. See CyberSigma's DPDP Act compliance services for the full scope.
2. SEBI CSCRF — the 30 June 2026 audit deadline is the nearest hard date
SEBI issued its Cybersecurity & Cyber Resilience Framework (CSCRF) in August 2024 and, after extensions in 2025, set implementation from 31 August 2025. For Qualified and Mid-size Regulated Entities, the first audit must be completed by 30 June 2026. Miss it and the entity is non-compliant, exposed to daily penalties of ₹1,500–₹5,000 and adverse reporting via NSE/BSE.
Who is a Regulated Entity?
Stockbrokers, Mutual Fund AMCs, Portfolio Managers (PMS), Registrar & Transfer Agents (RTAs), Depositories and Depository Participants, Clearing Corporations, KYC Registration Agencies (KRAs), Investment Advisers and Research Analysts with client-data systems.
The six CSCRF domains
- Govern — cybersecurity policy, board oversight, third-party risk.
- Identify — asset inventory and risk assessment.
- Protect — access control, encryption, security awareness.
- Detect — security monitoring and anomaly detection.
- Respond — incident-response plan and communication.
- Recover — business continuity and disaster recovery.
CyberSigma runs the full cycle — gap assessment, VAPT, SOC/market-SOC alignment and the auditor's report. See our SEBI CSCRF compliance audit.
3. Where readiness actually breaks down
Across the DPDP and CSCRF programmes CyberSigma's auditors run, the same weak points recur: consent and data-mapping treated as a legal formality rather than an engineering task; continuous vulnerability management that lapses between annual tests; third-party / vendor risk that is documented but not verified; and incident-response plans that have never been exercised. Documentation is rarely the blocker — evidence that controls actually operate is. Both regimes are audited on operating effectiveness, not intent.
Free DPDP Act readiness checklist
Consent, data-principal rights, breach reporting and Significant Data Fiduciary duties — mapped to actionable controls by CyberSigma’s DPDP consultants.
Primary sources
- SEBI — CSCRF for Regulated Entities (Aug 2024 circular)
- SEBI — CSCRF technical clarifications (Aug 2025)
- PIB — DPDP Rules, 2025 notified (Nov 2025)
This briefing is for general information and reflects the position as of July 2026; regulatory dates can be revised — confirm the current requirement for your entity category. For a scoped assessment, contact CyberSigma.
