The International Financial Services Centres Authority (IFSCA) has issued an amendment to its βππΆπͺπ₯π¦ππͺπ―π¦π΄ π°π― ππΊπ£π¦π³ ππ¦π€πΆπ³πͺπ΅πΊ π’π―π₯ ππΊπ£π¦π³ ππ¦π΄πͺππͺπ¦π―π€π¦ π§π°π³ ππ¦π¨πΆππ’π΅π¦π₯ ππ―π΅πͺπ΅πͺπ¦π΄ πͺπ― ππππβ dated March 10, 2025, reflecting a pragmatic shift in how cyber compliance expectations are applied across different types of regulated entities.
The amendment follows industry representations highlighting operational challenges in complying with certain provisions of the original 2025 Guidelines. In response, International Financial Services Centres Authority has provided a three-year exemption from certain requirements for specific categories of regulated entities operating in IFSCs. These include branch offices of regulated Indian or foreign entities, entities providing services only to group companies (such as Global In-House Centres), and entities with fewer than ten employees. The amendment also extends similar relief to foreign universities established in IFSCs, newly incorporated standalone entities without a parent organisation, and credit rating agencies.
However, the relief is carefully structured rather than absolute. Entities availing the exemption must continue to operate under the cybersecurity framework and information security policies of their parent organisation where applicable. The parent entityβs CISO may act as the designated officer, and annual certifications and cybersecurity audit reports must still be submitted to IFSCA confirming that adequate controls proportionate to the entityβs risk exposure are in place.
From a regulatory lens, this move reflects a risk-based supervisory approach. Rather than imposing uniform obligations across entities of vastly different scale and complexity, the amendment recognises group-level governance structures and operational realities while maintaining oversight through certification and audit mechanisms.
For regulated entities and compliance teams, it means that the exemption does not mean absence of responsibility. Even during the relief period, entities must show that cybersecurity governance, monitoring, and reporting structures are operational and defensible.
In short, the amendment reflects regulatory pragmatism but also reinforces that cyber resilience remains a core expectation in IFSC ecosystem.
Readers are welcome to share their views at info@regstreetlaw.com.
Copy of the IFSCA Circular dated March 10, 2026 is attached herewith.