Revision in Terms of Reference (TOR) and Formats for submission of system audit report & submission of Vulnerability Assessment and Penetration Testing (VAPT) report for Vendors providing Co-Location as a Service (CaaS) facility
As communicated in Exchange circular NSE/MSD/67650 dated April 23, 2025, CaaS vendors are required to submit a half-yearly System Audit Report along with a Vulnerability Assessment and Penetration Testing (VAPT) report to the Exchange as per the Terms of Reference (TOR) communicated from time to time.
Both reports are required to be submitted as per the timelines attached below in the circular.
In partial modification to Exchange circulars NSE/MSD/71110 dated November 4, 2025 and NSE/MSD/73152 dated March 5, 2026, CaaS vendors shall now be required to submit the aforesaid reports in the standardised formats as below:
• CaaS vendors are requested to note that the Terms of Reference (TOR) have been revised and are provided as Annexure A.
• The format for the System Audit Preliminary report & ATR for CaaS vendors is enclosed as Annexure-1.
• CaaS vendors shall be required to adhere to the prescribed Auditor Selection Norms for System Audit & VAPT reports enclosed as Annexure-2.
• The VAPT assessment scope and the format for the VAPT Summary report to be submitted have been enclosed as Annexure-3 & Annexure-4.
• CaaS Vendors are required to submit the system audit & VAPT report after approval by Managing Director/CTO or CISO or Standing Committee on Technology (SCOT) or equivalent Technology/Cyber Security Committee (TC).
CaaS vendors are requested to take note of the above and are required to submit reports as per the enclosed formats for the Audit Period October 1, 2025 to March 31, 2026, and onwards.
Further, CaaS vendors are requested to submit the report to the Exchange on or before the due dates to avoid any penal/disciplinary action, as prescribed by the Exchange from time to time. The details of Penalties/disciplinary action(s)/charges for non/delayed submission and non-closure of vulnerabilities/observations have been provided in Annexure 5.