SEBI CSCRF for AIFs & VCFs: Manager-Level Corpus Rule
CSCRF for Alternative Investment Funds and Venture Capital Funds: the April 2025 manager-level classification, corpus thresholds, sub-100-client exemptions, and what AIF/VCF managers must do.
On this page (7)
Alternative Investment Funds (AIFs) and Venture Capital Funds (VCFs) occupy a unique position in the CSCRF framework. The April 2025 amendment (CIR/2025/60 §2.7) rewrote their classification from per-fund to manager-level — a change that has significant implications for multi-fund managers.
Manager-level classification
Before April 2025, each individual AIF or VCF was classified independently based on its own corpus. The April 2025 amendment changed this: classification is now at the manager level — the sum of corpus across all AIFs, VCFs, and schemes managed by the same entity.
| Tier | Combined corpus (INR crores) |
|---|---|
| Mid-size | >₹10,000 Cr |
| Small-size | >₹3,000 – ₹10,000 Cr |
| Self-cert | ≤₹3,000 Cr |
There is no Qualified RE tier for AIF+VCF managers. No matter how large the combined corpus, the maximum tier is Mid-size. This means AIF+VCF managers never carry half-yearly cyber audits, red-teaming, or threat-hunting obligations — even at scale.
The sub-100-client M-SOC exemption
Per CIR/2025/60 §2.7, Self-cert AIF+VCF managers with fewer than 100 clients are exempt from mandatory Market SOC onboarding.
This is a meaningful carve-out for niche AIF managers (e.g., a single-fund Category II AIF with 40 limited partners and a ₹800 Cr corpus). The manager is Self-cert by corpus, and the sub-100-client exemption lifts the M-SOC obligation — leaving only annual VAPT and annual cyber audit as the binding obligations.
What each tier requires
| Obligation | Self-cert | Small-size | Mid-size |
|---|---|---|---|
| VAPT | Annual | Annual | Annual |
| Cyber Audit | Annual | Annual | Annual |
| Red Teaming | — | — | — |
| Threat Hunting | — | — | — |
| Cyber Drill | Annual | Annual | Annual |
| CCI | — | — | — |
| ISO 27001 | — | — | — |
| IT Committee | Optional | Optional | Mandatory (quarterly + expert) |
| HSM | Risk-assessed alternative | Risk-assessed alternative | Risk-assessed alternative |
| M-SOC | Mandatory (own-SOC carve-out; sub-100 exempt) | Mandatory (own-SOC carve-out) | Eligible |
| RTO / RPO | Per CCMP | Per CCMP | Per CCMP |
The key operational inflection point is crossing ₹3,000 Cr combined corpus — which activates mandatory M-SOC (sub-100-client exemption drops) and moves the entity from Self-cert to Small-size.
Multi-fund managers: the aggregation effect
A manager running:
- Category II AIF: ₹1,800 Cr corpus
- Category III AIF: ₹900 Cr corpus
- VCF: ₹500 Cr corpus
Previously (pre-April 2025), each fund was Self-cert independently. Under the manager-level rule, the combined corpus is ₹3,200 Cr — Small-size tier.
This is the most common reclassification scenario: a multi-fund manager that was comfortably Self-cert per-fund is now Small-size at the manager level, inheriting mandatory M-SOC and a Small-size audit cadence.
The AI Advisory: AIFs and VCFs are in scope
The May 2026 AI Advisory addresses all 19 RE categories, including AIFs and VCFs. If your manager evaluates or deploys AI/LLM tools, Annexure-A items 2 (AI-based VA tools), 7 (AI-aware risk scenarios), and 10 (long-term AI plan) apply.
Practical next steps
Sum your corpus across all AIFs, VCFs, and schemes managed. This is your classification basis. Do not classify per-fund.
Count your clients. If you are Self-cert and <100 clients, document the M-SOC exemption. If you are ≥100 clients and Self-cert, M-SOC becomes mandatory.
If approaching ₹3,000 Cr combined corpus. Prepare for Small-size — mandatory M-SOC, IT Committee consideration (optional but recommended), and Small-size audit cadences.
FAQ
Does the manager-level rule apply to classification for FY 2025-26 and FY 2026-27?
Yes. The April 2025 amendment (CIR/2025/60 §2.7) is effective from the circular's date (30 April 2025). Classification for both FY 2025-26 and FY 2026-27 uses the manager-level combined corpus — not per-fund.
Can an AIF manager ever be classified as Qualified RE?
No. CIR/2025/60 §2.7 defines three tiers (Self-cert, Small-size, Mid-size) with no QRE category for AIF+VCF managers.
What if my manager also operates as a Portfolio Manager?
The multi-category rule applies: the highest tier across all registrations governs. If your PM AUM places you in Mid-size and your AIF+VCF corpus places you in Small-size, you are classified as Mid-size.
Content current as of 2026-05-06. Source: docs/SEBI-CSCRF-FACTCHECK-2026-05-06.md.
About the authors
Founder & Chief Technology Officer
Founded Security Brigade in 2006 with the thesis that security assessment quality should be structural, not dependent on individual testers. 16+ years building platforms, teams, and methodologies that make enterprise security consistent.
Offensive Security Research · Security Brigade
A rotating byline for collaborative analysis pieces from Security Brigade's offensive security and threat-research practice.
Continue reading
All articles →SEBI CSCRF in 2026: A Complete Guide for SEBI Regulated Entities
A comprehensive guide to SEBI's Cybersecurity and Cyber Resilience Framework — the 5-tier model, 22 entity types, amendment history through Aug 2025, and what every regulated entity needs to do in FY 2026-27.
OWASP Mobile Top 10 (2024): The Definitive Guide for Indian Mobile App Teams
A reference walkthrough of every risk in the OWASP Mobile Top 10 (2024 release) — what each risk means in plain English, how attackers exploit it on Android and iOS, what your engineering team should fix, and how a CERT-In empanelled pentest validates the fix.
SEBI CSCRF for Custodians: AUC Tiers & CCI Obligations
Custodians under SEBI CSCRF: Assets Under Custody drives three-tier classification (₹1L Cr, ₹10L Cr thresholds), CCI self-assessment at QRE, and what custodians of every size must do.