IFSCA CSCRF Exemptions & Audit Requirements: What Every GIFT IFSC Entity Should Know
- GIFT CFO
- 1 day ago
Cyber security has become a fundamental pillar of financial regulation across global financial centres. As financial institutions continue embracing digital transformation, regulators are placing greater emphasis on cyber resilience, operational continuity and information security. In line with this global trend, the International Financial Services Centres Authority (IFSCA) introduced the Cyber Security and Cyber Resilience Framework (CSCRF) to strengthen the cyber posture of regulated entities operating in GIFT IFSC.

While many businesses welcomed the introduction of the framework, there has also been considerable confusion surrounding the exemptions announced under the CSCRF Guidelines. A common misconception is that exempt entities are relieved from all compliance requirements. However, the latest amendment issued by IFSCA makes it clear that exemptions apply only to specific framework implementation requirements and not to overall compliance obligations.
Understanding the CSCRF Exemptions
The CSCRF applies to all regulated entities operating within GIFT IFSC. However, certain categories of entities have been granted a three-year relief from independently establishing a standalone cyber security framework.
These include:
- Branches of regulated Indian and foreign financial institutions
- Global In-House Centres (GICs)
- Small regulated entities employing fewer than ten employees
- Newly incorporated standalone entities
- Credit Rating Agencies
- Foreign Universities established within GIFT IFSC
The exemption does not eliminate compliance responsibilities. Instead, eligible entities may adopt their parent organisation's cyber security framework or implement cybersecurity measures proportionate to their operational risk, depending on the applicable exemption category.
What "Exempt" Actually Means
One of the most important clarifications under the amended framework is that exempt entities are not exempt from regulatory oversight.
Entities covered under Paragraph 21 must formally adopt their parent company's cyber security policies, appoint the parent CISO as the Designated Officer, submit annual Designated Officer certifications and continue filing annual cyber security audit reports with IFSCA.
Similarly, entities covered under Paragraph 23 are required to certify annually that proportionate cyber security measures have been implemented, even where a formal audit report is not explicitly required.
Compliance Requirements by Entity Type
| Entity Type | Framework | Audit Report | DO Certification |
| --- | --- | --- | --- |
| Standalone RE | Full CSCRF | Mandatory | Mandatory |
| Branch Entity | Parent Framework | Mandatory | Mandatory |
| GIC | Parent Framework | Mandatory | Mandatory |
| Small Entity (<10 Employees) | Parent Framework | Mandatory | Mandatory |
| New Standalone | Proportionate Controls | Not Explicit | Mandatory |
| Credit Rating Agency | Proportionate Controls | Not Explicit | Mandatory |
| Foreign University | Proportionate Controls | Not Explicit | Mandatory |
Areas Covered During the Cyber Security Audit
The annual cyber security audit extends beyond technology infrastructure. It evaluates governance, operational controls and incident preparedness.
Key assessment areas include:
- Governance and oversight framework
- Information Security Policy
- Asset inventory and classification
- Identity and access management
- Vulnerability Assessment & Penetration Testing (VAPT)
- Disaster Recovery and Business Continuity Planning
- Third-party cyber risk management
- Employee cyber awareness and phishing readiness
- Incident detection and reporting mechanisms
Key CSCRF Compliance Timelines
| Compliance Activity | Timeline |
| --- | --- |
| Audit Frequency | Annual |
| Submission to IFSCA | Within 90 days of FY end |
| FY 2025-26 Deadline | 29 July 2026 |
| Initial Incident Report | Within 6 Hours |
| Interim Report | Within 3 Days |
| Mitigation | Within 7 Days |
| Root Cause Analysis | Within 30 Days |
Cyber Security Statistics
| Statistic | Insight |
| --- | --- |
| US$10.5 Trillion | Projected annual global cybercrime damages by 2025 |
| US$4.88 Million | Average global cost of a data breach (IBM 2024) |
| 60%+ | Cyber incidents involve third-party vulnerabilities |
| Top 3 | Financial services among most targeted sectors |
Preparing for Compliance
Organisations should not wait until the submission deadline to begin their compliance preparations. A proactive approach can help identify policy gaps, strengthen cyber governance and ensure timely regulatory reporting.
Recommended actions include:
- Reviewing current cyber security policies
- Assessing eligibility for available exemptions
- Appointing the appropriate Designated Officer
- Conducting readiness assessments and gap analyses
- Completing annual cyber security audits
- Establishing robust incident reporting procedures
How Gift CFO Can Help
Cyber security practices for compliance within GIFT IFSC require a combination of regulatory understanding, governance expertise and operational readiness.
Gift CFO supports financial institutions, fintech companies, fund managers, family offices, broker-dealers and international businesses with GIFT IFSC advisory, regulatory compliance, governance support and strategic business consulting. By helping organisations understand evolving IFSCA requirements, businesses can remain compliant while strengthening operational resilience in an increasingly digital financial ecosystem.
Conclusion
Gift CFO helps regulated entities navigate IFSCA compliance, cyber governance, audit readiness and strategic advisory for GIFT IFSC. Preparing early enables organisations to meet regulatory expectations while strengthening operational resilience.
DISCLAIMER: This article is published for informational, educational, and analytical purposes only. It does not constitute legal advice, regulatory guidance, trade compliance advice, or a solicitation of any kind.
All information in this article is based on IFSCA Circular No. IFSCA-PMTS/10/2023-Precious Metals/2026/2 dated 15th June 2026, issued under Sections 12 and 13 of the International Financial Services Centres Authority Act, 2019, read with Regulation 78 of the IFSCA (Bullion Market) Regulations, 2025. This circular amends the original Circular dated 10th October 2025 on import of gold or silver by Qualified Jewellers and valid India-UAE CEPA TRQ holders through IIBX, as previously updated on 2nd January 2026.
References to DGFT Notifications 17/2026-27 (dated 16th May 2026) and 19/2026-27 (dated 2nd June 2026) are based on information contained within the IFSCA circular. Readers should independently verify the full text of these DGFT notifications for complete details.
A separate, updated Consolidated Circular incorporating these amendments is being issued by IFSCA. Readers should refer to the official, most current Consolidated Circular available at www.ifsca.gov.in under Legal Framework → Circulars for authoritative and up-to-date compliance requirements.
Eligibility for Qualified Jeweller notification, import authorisation requirements, and applicable policy conditions may vary based on entity type, SEZ status, ITC(HS) classification, and other factors specific to each applicant. Entities are strongly advised to consult qualified legal, customs, trade compliance, and tax professionals before undertaking any bullion import transaction through IIBX.
The publisher is not a law firm, customs broker, or IFSCA-regulated entity. Nothing in this article constitutes legal or regulatory advice.