CDSL | medium | Full | CDSL/AUDIT/DP/POLCY/2026/241

Amendments to DP Operating Instructions Annexure 11.1 by introducing new penalty heads for non-compliance related to System Audit, Cyber Security Audit, Incident Reporting and VAPT

Issue Date: 08 Apr 2026 | Effective: 08 Apr 2026

Detailed Analysis

Key details


Central Depository Services Limited, vide Circular No. CDSL/AUDIT/DP/POLCY/2026/241 dated April 08, 2026, has announced an important update regarding Amendments to DP Operating Instructions Annexure 11.1 by introducing new penalty heads for non-compliance related to System Audit, Cyber Security Audit, Incident Reporting and VAPT.

Key Details of the Update –
• The communiqué amends CDSL’s DP Operating Instructions Annexure 11.1 – Penalty Structure for DPs by adding a new penalty framework for non-submission of VAPT report and/or non-submission of compliance report within the stipulated timeline.
• For non-submission of annual VAPT report or compliance report on or before the due date, the penalty will be Rs. 1,500 per day from the due date up to the first 7 calendar days or till submission, whichever is earlier. In case of a repeated delay in the second consecutive year, the rate increases to Rs. 2,250 per day.
• If the delay continues from the 8th calendar day to the 21st calendar day after the due date, the penalty rises to Rs. 2,500 per day, up to the 21st calendar day or till submission, whichever is earlier. In case of a repeated delay in the second consecutive year, the rate increases to Rs. 3,750 per day.
• If the report is still not submitted by 21 calendar days, the opening of new demat accounts by the participant shall be restrained until submission of the report, and the action taken will be shared with all Market Infrastructure Institutions for information.
• Where such delay in submission is observed for three consecutive years, the matter would be referred to the Member Committee, indicating escalation beyond monetary penalties to disciplinary review.
• The amendment also introduces penalties for non-closure of open vulnerabilities observed in the annual VAPT report within the stipulated timelines in the compliance report. The penalty is linked to risk categorisation: Rs. 50,000 per open High/Critical Risk vulnerability, Rs. 25,000 per open Medium Risk vulnerability, and Rs. 10,000 per open Low Risk vulnerability.
• In addition to the monetary penalty, if any High or Medium vulnerability remains unclosed within 21 days from the due date of submission of the compliance report, the participant’s new demat account opening shall be restrained until closure of the open vulnerabilities, and the action taken shall be shared with all Market Infrastructure Institutions. This indicates a strong supervisory emphasis on timely remediation of material cyber risks.

Actions if Any –
• Depository Participants should take note of the amendments to Operating Instructions Annexure 11.1 and ensure timely submission of VAPT reports and compliance reports within the prescribed timelines.
• Depository Participants must ensure timely closure of vulnerabilities identified in the annual VAPT report, especially those classified as High/Critical or Medium Risk, to avoid monetary penalties and restriction on opening new demat accounts.

Compliance Deadline –
The communiqué does not specify a fresh standalone submission date in this document, but it makes clear that the amended penalties will apply where the VAPT report and/or compliance report is not submitted by the stipulated due date, and where High or Medium vulnerabilities remain unclosed beyond 21 calendar days from the due date of submission of the compliance report. Accordingly, the relevant compliance obligation is to ensure submission by the applicable prescribed due date and closure of material vulnerabilities within the stated 21-day period thereafter.

Sources

Primary source(s)

Refer to the official regulator publication for source language and formal applicability details.

Timeline

Key dates and timeline

Issue date: 08 Apr 2026
Effective date: 08 Apr 2026
Deadline: Not specified
Current state: Full

Applicability

Who this applies to

  • Compliance operations teams
  • Regulatory reporting teams
  • Control and monitoring functions
  • Listed entities
  • BSE members and intermediaries
  • Compliance and secretarial teams


Editorial Attribution

Prepared by CompliSense Editorial Desk (Regulatory Content Team) and reviewed by CompliSense Regulatory Review Desk (Compliance Review Team).

Last updated: 10 Apr 2026
