In an age where digital infrastructure underpins the financial markets, cybersecurity is no longer an optional safeguard—it is a critical necessity. To reinforce this, the National Stock Exchange of India Limited (NSE) has issued Circular Ref No: 56/2025 dated September 26, 2025, mandating the timely conduct and submission of Vulnerability Assessment and Penetration Testing (VAPT) reports by all trading members for the financial year 2025-26.
This initiative is aligned with SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF), as detailed in SEBI Circular dated August 20, 2024, and aims to ensure that all SEBI-regulated entities (REs) maintain strong cyber hygiene, protect critical assets, and respond swiftly to potential threats.
🔍 Why This Matters
The increasing digitization of trading platforms, reliance on cloud infrastructure, and growth of remote access points have amplified cybersecurity risk. VAPT is a proactive control: the vulnerability assessment enumerates known weaknesses across the in-scope estate, and the penetration test then attempts to exploit them the way a real attacker would, so that findings can be fixed before they are exploited for real.
The NSE’s latest circular reaffirms that cybersecurity isn’t just the responsibility of IT teams—it is a strategic imperative for all trading members, large or small.
📅 Key Deadlines for FY 2025-26
The circular lays out specific compliance timelines based on the classification of REs:
For Self-certified, Small, Mid-size, and Qualified REs (Non-QSBs):
- Conduct VAPT through a CERT-In empanelled auditor: By June 30, 2026
- Submit Approved VAPT Report to NSE: By July 31, 2026
- Submit Action Taken Report (ATR)/Revalidation Report: By November 30, 2026
For QSBs and REs whose systems are designated Protected Systems / Critical Information Infrastructure (CII), testing is half-yearly:
Half-Year 1 (Apr 2025 – Sep 2025):
- VAPT Report Submission: By December 31, 2025
- ATR/Revalidation Report Submission: By March 31, 2026
Half-Year 2 (Oct 2025 – Mar 2026):
- VAPT Report Submission: By June 30, 2026
- ATR/Revalidation Report Submission: By September 30, 2026
🧪 Comprehensive Scope of VAPT
The VAPT exercise must cover all critical assets and infrastructure such as:
- Internal & external servers and networks
- Security devices, databases, and applications
- Public-facing systems (websites, APIs, mobile apps)
- Cloud deployments, Wi-Fi networks, and endpoint devices
- Configuration audits (OS, middleware, firewalls)
Auditors must follow industry-standard testing methodologies, including the OWASP testing guides, NIST SP 800-115, CERT-In's audit guidelines, ISO/IEC 27001 and PCI DSS. All VAPT must be performed with licensed tools, and only by CERT-In empanelled audit firms.
📝 Reporting and Documentation
Trading members must:
- Submit only summary reports to NSE (unless explicitly asked for detailed findings)
- Retain full VAPT reports and Proof-of-Concepts (PoCs) for at least 3 years
- Ensure reports are approved by their IT Committees before submission
Auditors must provide a signed declaration confirming:
- Compliance with SEBI’s CSCRF scope
- Absence of conflicts of interest
- Use of certified tools and methodologies
🛡️ What You Need to Do Now
- Plan Your VAPT Schedule: Engage a CERT-In empanelled auditor early, and leave enough time between the test and the report deadline for remediation, since the ATR/revalidation report that follows must show the findings were fixed and re-tested.
- Review Internal Controls: Evaluate your IT environment’s readiness across infrastructure, applications, cloud, and network segments.
- Communicate with Auditors and IT Committees: Establish internal workflows to ensure smooth documentation, approvals, and timely submissions.
- Keep Detailed Records: Even if not submitted initially, detailed VAPT reports must be ready for review by SEBI/NSE upon request.
🚨 Stay Compliant, Stay Secure
The NSE’s latest directive reinforces its commitment to securing India’s capital markets through proactive cybersecurity enforcement. Trading members are strongly advised to implement robust systems and compliance mechanisms to meet the requirements without delays.