SEBI Market Infrastructure Institution framework: critical operations, business continuity, and the cyber-security expectations
How SEBI's MII rules - 4-hour RTO, 30-minute RPO, 500-km DR distance, quarterly VAPT and the CSCRF effective 01-Jan-2025 - protect every SIP investor's NAV from outages.
Investors woke up on 15-May-2026 to a market where the plumbing matters as much as the prices. SEBI's Market Infrastructure Institution (MII) framework — the rules that hold stock exchanges, clearing corporations, and depositories to a higher operational standard than ordinary intermediaries — is again in focus. The Cybersecurity and Cyber Resilience Framework (CSCRF), which took effect on 01-Jan-2025, has now begun its tiered rollout across every SEBI-regulated entity, and the recurrence of micro-outages has kept pre-open chatter on resilience rather than price action.
For a retail SIP investor parking money into an index, this is not abstract. If the National Stock Exchange (NSE) or BSE goes dark for even an hour, trade settlements slip, mutual fund cut-offs drift, and the next-day NAV calculation gets messy. Today's note unpacks the regulatory perimeter, the recovery-time targets baked into the circulars, and what the resilience cycle means for ordinary investors who use a Systematic Investment Plan calculator to plan their monthly contribution.
Market Snapshot
Market Infrastructure Institutions sit at the apex of India's market architecture. SEBI's Circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated 03-Dec-2018, updated on 22-Aug-2024, treats stock exchanges, clearing corporations, and depositories as MIIs. The category is narrow by design, and the licensed set is small enough to fit in a single table.
| MII type | Licensed entities (illustrative) | Core function |
|---|---|---|
| Stock exchange | NSE, BSE, MSEI | Order matching, listing |
| Clearing corporation | NSE Clearing, ICCL, MCX-CCL | Novation, margining, settlement |
| Depository | NSDL, CDSL | Demat custody, corporate actions |
Each of these entities operates under tighter prudential, technology, and governance rules than ordinary brokers or asset managers. The 2018 framework, updated in August 2024, mandates an Information Security Management System certified to ISO/IEC 27001, role-based access controls (RBAC), multi-factor authentication for privileged access, and a 24x7 Security Operations Centre (SOC). Quarterly Vulnerability Assessment and Penetration Testing (VAPT) is non-negotiable, with results to be filed with SEBI within 30 days of completion. A data classification policy and periodic tabletop exercises round out the baseline controls.
Why should an ordinary investor care? Because the cost of this compliance burden is embedded in transaction charges that show up on every contract note, and because the resilience these rules buy is what allows a passive lumpsum investment in an index fund to reach the NAV cut-off without re-execution risk.
What Moved Yesterday
The most consequential MII tape over the past five years has not been a price print but an outage. The 24-Feb-2021 NSE shutdown, which halted trading for close to four hours, became the inflection point that pushed SEBI from a "best practices" posture on resilience to a hard-rule posture. Successive circulars then tightened the screws. Business Continuity Plan (BCP) targets now demand a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 30 minutes — meaning a critical system must be back within four hours of an event and must not lose more than thirty minutes of transaction data.
Yesterday's chatter and the broker-research notes circulating overnight kept returning to two strands. First, the depository side, where steady dematerialisation volumes at NSDL and CDSL keep core record-keeping at all-time highs. Second, the clearing side, where SEBI's interoperability arrangement among the three clearing corporations (in force since SEBI's 2018 framework on this subject) lets a trading member route trades through any clearing house — raising the cyber-resilience bar for every link in the chain.
A useful comparative view of the SEBI-prescribed thresholds, all drawn from the 03-Dec-2018 Cyber Security and Cyber Resilience Framework as updated on 22-Aug-2024 and the CSCRF effective 01-Jan-2025:
| Resilience parameter | SEBI mandate | Anchor circular |
|---|---|---|
| Recovery Time Objective (RTO) | 4 hours | BCP-DR circular |
| Recovery Point Objective (RPO) | 30 minutes | BCP-DR circular |
| Disaster Recovery Site distance | Minimum 500 km from primary | BCP-DR circular |
| VAPT frequency | Quarterly | Cyber Resilience Framework 2018, updated 2024 |
| Cyber Capability Index | Half-yearly reporting | CSCRF effective 01-Jan-2025 |
| ISMS certification | ISO/IEC 27001 | Cyber Resilience Framework |
For investors, the read-through is straightforward. The framework is not aimed at improving short-term returns; it is aimed at minimising the tail risk of a settlement failure that would otherwise crystallise into uncompensated losses on margin or NAV.
What to Watch Today
The 2025-26 calendar is dominated by the tiered rollout of the Cybersecurity and Cyber Resilience Framework (CSCRF), which took effect on 01-Jan-2025. CSCRF widens the perimeter from the three MII categories to almost every regulated entity SEBI supervises — Research Analysts (RAs), Mutual Funds, Alternative Investment Funds (AIFs), stock brokers, Depository Participants, and KYC Registration Agencies (KRAs). Compliance dates are staggered by entity size: the largest go first, with smaller entities phased in across subsequent windows.
Three operational items belong on today's watchlist.
- Cyber Capability Index (CCI) submissions. MIIs file a structured CCI to SEBI on a half-yearly cycle. The CCI is a quantitative measure across the detect, protect, respond, and recover domains, and a slip in the score can attract a supervisory letter. Investors who are systematic about contributions through a step-up SIP should note that operational risk events of MIIs are now visible in public CCI summaries.
- Disaster Recovery Site geographies. The minimum 500-km distance between primary and DR sites prevents a single regional event — a cyclone, a grid collapse, a fibre-optic backbone cut — from disabling both. The rule pushes MIIs to host DR in geographies like Hyderabad or Bengaluru when the primary is in Mumbai, and vice versa.
- Quarterly VAPT cycle. The next quarterly VAPT round for MIIs falls due in mid-June 2026, with reports filed to SEBI within 30 days of test completion. Any finding classified as "critical" must be remediated within 90 days; "high" findings within 180 days, as set out in the 2018 framework and reinforced in the August 2024 update.
Macro markers complete the pre-open picture. The Reserve Bank of India's monetary policy minutes and SEBI's quarterly board meeting disclosures frequently surface enforcement actions against intermediaries, which feed back into how strictly cyber-resilience is being supervised on the ground.
Investors who want to map the macro link to fund flows should also keep an eye on the AMFI half-yearly stock classification cycle, since reclassification can trigger fund-house operational events that test the very BCP framework discussed here. And for the tax-aware investor, calendar items like the first advance tax instalment due 15-Jun-2026 sit alongside the MII compliance calendar. The pre-open is not just price action; it is the plumbing.
FAQ
What is a Market Infrastructure Institution (MII) under SEBI rules?
An MII is a SEBI-licensed entity that performs a market-critical function: a stock exchange, a clearing corporation, or a depository. The definition flows from SEBI Circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated 03-Dec-2018, updated 22-Aug-2024, and is reinforced in successor circulars. MIIs face higher capital, governance, and technology standards than ordinary brokers, asset managers, or research analysts.
What are SEBI's Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for MIIs?
SEBI's Business Continuity Plan and Disaster Recovery framework prescribes an RTO of 4 hours and an RPO of 30 minutes. Translated, this means a critical MII system must be back in operation within four hours after a disruptive event, and must not lose more than thirty minutes of transaction data. The targets apply to clearing, settlement, depository, and trading systems alike.
How far apart must the primary and disaster recovery sites be?
The minimum geographic separation is 500 kilometres, set by SEBI's BCP-DR framework. The rule is designed so that a regional natural disaster or grid-level outage cannot disable both sites simultaneously. Most large MIIs locate DR in cities like Hyderabad, Bengaluru, or Chennai when primary operations are in Mumbai, and vice versa.
What is the Cybersecurity and Cyber Resilience Framework (CSCRF) and when did it take effect?
CSCRF took effect on 01-Jan-2025. It extends cybersecurity obligations from MIIs to almost every other category of SEBI-regulated entity — mutual funds, AIFs, brokers, depository participants, KYC Registration Agencies, and Research Analysts. CSCRF compliance is tiered: the largest entities went first, with smaller entities phased in on a published calendar.
How often must MIIs conduct VAPT and report the results?
Vulnerability Assessment and Penetration Testing must be conducted quarterly under SEBI's framework. Results are filed with SEBI within 30 days of completion. "Critical" vulnerabilities must be remediated within 90 days; "high" within 180 days. Tabletop exercises simulating cyber events are required at least annually.
Does the MII framework apply to discount brokers or full-service brokers?
No. Brokers — discount or full-service — are intermediaries, not MIIs. However, brokers are subject to CSCRF obligations effective from 01-Jan-2025, on a tiered timetable. They are also required to maintain audit trails and cyber-incident reporting lines into SEBI's reporting portal.
How does MII resilience affect my SIP or mutual-fund NAV?
When an MII operates within the prescribed RTO/RPO, settlement and clearing remain on schedule, which means equity SIP units are allotted at the correct day's NAV and lumpsum subscriptions cross the AMFI cut-off cleanly. A multi-hour MII outage, by contrast, can shift trade dates and NAV allotments — a tail risk the framework is explicitly designed to suppress.
Sources & Citations
- SEBI Legal Framework - Regulations and Circulars — Securities and Exchange Board of India
- Securities and Exchange Board of India - Official Portal — SEBI
- Reserve Bank of India - Official Portal — RBI