The Securities and Exchange Board of India (Sebi) has clarified the applicability of its cybersecurity and cyber resilience framework (CSCRF), stating it only affects systems used for regulated activities, with shared infrastructure also subject to audits. Entities must adopt zero-trust principles and ensure disaster recovery capabilities, including a two-hour recovery time for critical operations. The classification of regulated entities based on Assets Under Management has been revised, introducing categories for portfolio managers and merchant bankers. This proactive approach by Sebi reinforces the importance of cybersecurity in maintaining market integrity and resilience, emphasizing the need for robust compliance frameworks within the financial sector.