BY KEERTANA R MENON, THIRD YEAR STUDENT AT NUALS, KOCHI
The concept of “systemic risk” has traditionally been synonymous with the banking sector, the giant lenders and financial intermediaries whose collapse could send shockwaves across the economy. The assumption here is that capital market infrastructure is mainly operational in nature. When we refer to infrastructure here, we make a special mention of depositories. In India, the Reserve Bank of India (‘RBI’) has stringent regulatory frameworks for these entities, formally labelling them as Domestic Systemically Important Banks (‘D-SIBs’).
In contrast, market infrastructure entities, including depositories like the National Securities Depository Limited (‘NSDL’) and the Central Depository Services Limited (‘CDSL’), have occupied a much humbler space in the regulatory system. They are perceived as operational backbones that act as passive service layers. They are considered dedicated to record-keeping, dematerialization, and settlement facilitation. They are concerned with Market Infrastructure (‘FMI’), but most importantly, they are not market drivers. They do not engage in lending or funding activities that traditionally trigger systemic crises.
This decades-old perception, however, has just been challenged by the SEBI (Depositories and Participants) 3rd Amendment Regulations, 2025 (‘Amendment’). This amendment is not merely about tightening internal governance or implementing standard operational updates. Instead, it suggests a strategic change by the Securities and Exchange Board of India (‘SEBI’). By dramatically increasing oversight and mandating specialized technical roles, SEBI is now subtly positioning depositories as entities whose collapse could destabilise the entire market. This suggests that this amendment is the first step toward treating depositories as systemic fault points. SEBI is starting to regulate these entities in a manner similar to how the RBI scrutinizes the larger banks, breaking down the old divide between banking oversight and market oversight.
The Rise of Digital Risk: Why the Old Paradigm Failed
For decades, SEBI’s regulation of depositories largely focused on fiduciary duties, investor safety, and compliance. All of these are concerns suitable for paper-based or human-error risks. The idea that a depository could pose a systemic threat, and that too one capable of taking down the entire market, was dismissed. This dismissal was because they do not carry financial risk in the way that banks or major brokerages do.
However, the nature of systemic risk has fundamentally changed. The capital market has taken a “cyber-first” shift. In a fully digitized ecosystem, the real point of failure is no longer human conduct or a default in capital, but system vulnerability. A technical failure or a cyberattack can halt settlements, shut down exchanges, and freeze the whole cycle in seconds. Financial losses usually give regulators some time to react. Technical failures don’t. They spread immediately and shake the entire market.
The infamous NSE trading halt in February 2021, caused by a technical glitch, became a stark, domestic reminder that trading stops if infrastructure goes down, irrespective of price movements or trader defaults.
Depositories are what keep the market alive. They hold the core ownership records for all demat securities. Prices can swing wildly, and the market will still cope, but if these records fail, everything comes to a standstill. A depository outage shuts the entire market. In this sense, depositories were already systemically important, just not officially acknowledged or regulated as such. SEBI seems to be preparing for a future where systemic risk comes from the server room, not the boardroom.
Anatomy of the Shift: SIFI Governance in the Depository Sector
The SEBI (Depositories and Participants) 3rd Amendment Regulations, 2025, gazetted in November 2025, has three primary aims: i) enhance corporate governance and strengthen risk management, ii) operational resilience and iii) introduce technology and cybersecurity leadership. The biggest changes that this amendment brings in involve the composition and responsibilities of the key management personnel. Through Regulations 24 and 26A, it raises the governance bar by adding Executive Directors (‘ED’) to the Board and reorganising leadership so that one ED oversees infrastructure and systems, while another handles risk management. The Managing Director is now directly responsible for compliance, day-to-day affairs, and stability of the depository’s core systems.
SEBI also provides for a tech-focused oversight through Regulation 81B and 81C. Every depository must now appoint a Chief Technology Officer (‘CTO’) to manage all technology systems, IT risks, and respond to tech-audit findings. Similarly, they must also appoint a Chief Information Security Officer (‘CISO’) to handle cybersecurity threats. Senior executives are now barred from sitting on external boards without approval so that conflict-management norms are applied to highly sensitive financial entities.
This is the kind of structure that was historically only seen in the regulation of Domestic Systemically Important Banks (‘D-SIBs’). SEBI wants to avoid this label, but the aim is clear. The rules now treat depositories as core institutions, not just background service providers.
Are Depositories being Built to be too Resilient to Fail?
Instead of going all the way and calling depositories “systemically important,” SEBI seems to be taking a slower, quieter route. A formal label would set off alarms immediately. It would pull depositories into the kind of scrutiny banks face, raise questions about capital rules that don’t really fit them, and force India to line up quickly with global standards. SEBI clearly doesn’t want that kind of regulatory shock.
So, it’s choosing to build strength from the ground up. By tightening governance, creating specific tech and cyber roles, and placing responsibility on senior management, SEBI is making depositories sturdier without suddenly demanding capital buffers or liquidity norms they were never designed for. It’s a gradual hardening of the system instead of a problematic shift.
This also nudges the market towards a more honest view of where its real risks lie. If everything is digital, then the infrastructure carrying that digital load becomes the sole point of vulnerability. SEBI is preparing for a world where the biggest threat to market stability isn’t a bad loan or a rogue trader but a server glitch, a cyber intrusion, or a system freeze.
There’s also a quieter international angle here. Regulators like European Securities and Markets Authority and the US Securities and Exchange Commission have already started treating market infrastructures as potential systemic risks. SEBI appears to be moving in that direction without announcing it as a policy shift. The idea guiding all of this is quite simple: SEBI doesn’t want to declare depositories “too critical to fail.” Instead, it’s trying to make them strong enough that the question never arises
Depositories don’t give out credit. They don’t lend. But they hold the backbone of the market, which is the record of who owns what.
The Bigger Question: What Comes Next?
If the 2025 amendment is really the first step towards regulating systemic risk in financial market infrastructure, the next steps will mostly focus on making depositories stronger and more resilient. We might see stress tests for systems and cyber defences, or even minimum resilience capital. The future may also witness coordinated contingency plans with SEBI, RBI, and exchanges, and regular independent cyber audits to check that the CTO and CISO roles are meeting their purpose.
As the market becomes more digital, depositories are moving from simple back-office utilities to the backbone of the system. The amendment may be quiet, but it sends a clear message: the next big threat to market stability will be a failure in the infrastructure itself. SEBI is acting early to make sure these institutions are strong enough to withstand it by bringing securities oversight closer to the kind of robust framework banks have long followed. By tightening the screws before anything breaks, SEBI is signalling that resilience has to be built into the plumbing, not patched in after a shock. It’s a quiet shift, but one that will shape how India thinks about market stability in a digital market for years to come.
The HNLU CCLS Blog 