SEBI has clarified that its cybersecurity framework applies only to systems exclusively used for regulated activities, accepting RBI-equivalent compliance. Critical systems are defined broadly, encompassing core operations and client-facing applications. Zero-trust principles are encouraged, while mobile app guidelines are recommendatory. The regulator also revised thresholds for regulated entities, categorizing Portfolio Managers by AUM and Merchant Bankers based on activity.