SEBI CSCRF for Stock Brokers: The Two-Parameter Rule, Thresholds & QSB → QRE Link
SEBI's April 2025 CSCRF amendment rewrote stock-broker classification: clients OR trading volume determines your tier, and the higher of the two wins. How the two-parameter rule works, what each tier requires, and the QSB auto-classification.
On this page (8)
Of the 22 entity types covered by the SEBI CSCRF, stock brokers are the most populous — and the most affected by the rule changes. The original Aug 2024 master classified brokers by active client count alone. The April 2025 amendment (CIR/2025/60) replaced that with a two-parameter rule that fundamentally reshapes broker classification across every tier.
If you are a stock broker and haven't re-run your tier classification since April 2025, your current tier may be wrong.
The two-parameter rule
Per CIR/2025/60 §2.1, stock broker tier classification uses two independent parameters: number of active clients per UCC AND annual clientele trading volume (INR crores). The parameter that produces the higher tier wins.
| Tier | Active clients (per UCC) | OR Annual trading volume (INR Cr) |
|---|---|---|
| Qualified RE | >10,00,000 (10L) | >₹10,00,000 Cr |
| Mid-size | >1,00,000 – 10,00,000 | >₹1,00,000 – 10,00,000 Cr |
| Small-size | >10,000 – 1,00,000 | >₹10,000 – 1,00,000 Cr |
| Self-cert | >1,000 – 10,000 | >₹1,000 – 10,000 Cr |
| Excluded entirely | <1,000 AND <₹1,000 Cr volume |
The AND in the Excluded row is important: both parameters must be below 1,000 for the entity to be exempt from CSCRF entirely. A broker with 900 clients but ₹5,000 Cr in annual trading volume is not excluded — the volume parameter puts them in Small-size.
How the higher-wins rule works
Take a broker with:
- 75,000 active clients → Small-size (10k–1L) by clients
- ₹1,50,000 Cr annual trading volume → Mid-size (₹1L–10L Cr) by volume
The broker is classified as Mid-size — because the volume parameter produces the higher tier. This is the most common edge case: a mid-market broker by client count that is a large-scale operator by volume.
Conversely, a broker with:
- 12,00,000 active clients → Qualified RE by clients
- ₹80,000 Cr annual trading volume → Mid-size by volume
The broker is classified as Qualified RE — because the client parameter wins.
QSB auto-classification
Per CSCRF footnote 14, Qualified Stock Brokers (QSBs) identified under SEBI circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/24 dated 6 February 2023 are auto-classified as Qualified REs.
This is an override: even if a QSB's clients or volume would place it in Mid-size, the QSB designation elevates it to QRE. The QSB circular defines QSBs based on size of operations, trading volumes, and amount of client funds handled.
What each tier requires of brokers
| Obligation | QRE | Mid-size | Small-size | Self-cert |
|---|---|---|---|---|
| VAPT (CERT-In auditor) | Annual (half-yearly if CII) | Annual | Annual | Annual |
| Cyber Audit | Half-yearly | Annual | Annual | Annual |
| Red Teaming | Half-yearly | — | — | — |
| Threat Hunting | Quarterly | — | — | — |
| Cyber Drill | Half-yearly | Annual | Annual | Annual |
| CCI Assessment | Self-assessment annually | — | — | — |
| ISO 27001 | Recommended | — | — | — |
| IT Committee | Quarterly + external expert | Quarterly + external expert | Optional | Optional |
| HSM | Mandatory | Risk-assessed alternative | Risk-assessed alternative | Risk-assessed alternative |
| M-SOC | Eligible | Eligible | Mandatory (own-SOC carve-out) | Mandatory (own-SOC carve-out) |
| RTO / RPO | 2 hr / 15 min | Per CCMP | Per CCMP | Per CCMP |
Incident reporting is uniform: 6 hours to SEBI Incident Reporting portal + mkt_incidents@sebi.gov.in AND CERT-In.
If the broker provides Internet-Based Trading (IBT) or Algorithmic Trading, the cyber audit cadence doubles from annual to half-yearly — even at Mid-size and Small-size tiers.
Depository Participants that are also brokers
If your entity is registered as both a Stock Broker and a Depository Participant, the broker two-parameter rule applies (per CIR/2025/60 §2.2). The DP registration does not create a separate tier — you are classified by your broker parameters.
If you are a DP that is NOT also a Stock Broker, you are always a Qualified RE (per CIR/2025/60 §2.2), with a sub-100-client exemption from SOC/M-SOC.
Practical next steps
Recalculate your tier. Run both parameters independently, take the higher. Our SEBI Compliance Wizard does this automatically — enter your client count and trading volume, and the two-parameter rule is applied.
Check QSB status. If you were designated a QSB under the Feb 2023 circular, you are a Qualified RE regardless of what the two-parameter calculation says.
If you crossed a tier boundary. Brokers that moved from Mid-size to QRE (or vice versa) after the April 2025 rule change may need to adjust cadences, IT committee composition, and reporting formats. QREs inherit half-yearly cyber audits and red-teaming obligations that Mid-size brokers do not.
If you are below both thresholds (<1,000 clients AND <₹1,000 Cr volume). You are exempt from CSCRF entirely. Document the exemption for your compliance records.
How Security Brigade helps
We have been CERT-In empanelled since 2008 and have delivered VAPT, cyber audits, and red-teaming engagements for stock brokers across every tier — from QREs operating at lakh-plus client scale to Self-cert brokers navigating their first CSCRF cycle. Use our free SEBI Compliance Wizard to see your current classification.
FAQ
Does AUM matter for stock brokers anymore?
No. The April 2025 amendment replaced the original AUM-based classification with the two-parameter rule (clients OR trading volume). AUM is no longer a broker-tier metric.
What if my client count and trading volume produce different tiers?
The higher of the two parameters determines the tier. A broker with Mid-size volume and Small-size clients is Mid-size.
Are QSBs automatically Qualified REs forever?
Yes, so long as the QSB designation is in effect. The QSB circular (Feb 2023) and CSCRF footnote 14 together create an auto-classification. If the QSB list is updated, re-check.
Do I need to run two separate VAPTs if I am both a broker and a DP?
No. The broker two-parameter rule applies, and your DP registration means you inherit a single unified tier — not two parallel obligations.
Content current as of 2026-05-06. Source: docs/SEBI-CSCRF-FACTCHECK-2026-05-06.md. Verify any specific obligation against the latest SEBI circular before action.
About the authors
Founder & Chief Technology Officer
Founded Security Brigade in 2006 with the thesis that security assessment quality should be structural, not dependent on individual testers. 16+ years building platforms, teams, and methodologies that make enterprise security consistent.
Offensive Security Research · Security Brigade
A rotating byline for collaborative analysis pieces from Security Brigade's offensive security and threat-research practice.
Continue reading
All articles →SEBI CSCRF in 2026: A Complete Guide for SEBI Regulated Entities
A comprehensive guide to SEBI's Cybersecurity and Cyber Resilience Framework — the 5-tier model, 22 entity types, amendment history through Aug 2025, and what every regulated entity needs to do in FY 2026-27.
OWASP Mobile Top 10 (2024): The Definitive Guide for Indian Mobile App Teams
A reference walkthrough of every risk in the OWASP Mobile Top 10 (2024 release) — what each risk means in plain English, how attackers exploit it on Android and iOS, what your engineering team should fix, and how a CERT-In empanelled pentest validates the fix.
SEBI CSCRF for Custodians: AUC Tiers & CCI Obligations
Custodians under SEBI CSCRF: Assets Under Custody drives three-tier classification (₹1L Cr, ₹10L Cr thresholds), CCI self-assessment at QRE, and what custodians of every size must do.