India International Financial Services Centres Authority issues cyber security and resilience guidelines for GIFT IFSC market infrastructure institutions with 6-hour incident reporting and ISO 27001 certification

India International Financial Services Centres Authority has issued the Guidelines on Cyber Security and Cyber Resilience for Market Infrastructure Institutions (MIIs) in IFSC, setting a prescriptive cyber security framework for stock exchanges, clearing corporations, depositories and the bullion exchange in GIFT IFSC. The framework builds on IFSCA’s baseline cyber security guidelines for all regulated entities and is organised around seven functions: Govern, Identify, Protect, Detect, Respond, Recover and Resilience. Key requirements include a Board-approved cyber security and cyber resilience policy and a dedicated Chief Information Security Officer reporting to the MD/CEO. MIIs must run a 24x7 Cyber Security Operations Centre with contingent capabilities at disaster recovery sites and implement User and Entity Behaviour Analytics, while also notifying IFSCA and CERT-In within 6 hours of detecting any cyber incident, followed by an interim report within 3 days and a full root-cause analysis within 30 days. The guidelines mandate annual cryptographic risk assessments and roadmaps for adopting Post-Quantum Cryptography standards, a risk-based approach to third-party and supply chain risk including concentration risk management and contractual cyber security obligations for critical service providers, and ISO 27001 certification within two years; alignment is also set out with India’s IT Act 2000, the Digital Personal Data Protection Act 2023 and directives from CERT-In, NCIIPC, MeitY and NQM. The Guidelines took effect on April 1, 2026, with MIIs required to reach full compliance within the timelines specified across the individual provisions.