
SEBI’s TIA-942 Push: What Regulated Entities Must Do About Data Center Resilience
SEBI has raised the bar for hosting critical infrastructure. Under its Cybersecurity and Cyber Resilience Framework (CSCRF), production workloads hosted with third parties or cloud providers must be located in ANSI/TIA-942 Rated-4 or equivalent Tier-4 data centers. This directive puts data-center resilience firmly on the board’s agenda.
For CXOs, this raises three immediate questions: What exactly does SEBI require? How does the TIA-942 standard affect your hosting strategy? And what board-level decisions should be prioritized in the next 12-18 months?
Who Does This Apply To?
The CSCRF applies broadly to all SEBI Regulated Entities (REs). This includes, but is not limited to:
· Market Infrastructure Institutions (such as stock exchanges and clearing corporations)
· Qualified Regulated Entities (including large brokers and asset managers)
· Mid-size and small SEBI regulated players (brokers, investment advisors, mutual funds)
· Alternative Investment Funds (AIFs), Bankers to an Issue (BTI), Self-Certified Syndicate Banks (SCSBs)
While cybersecurity controls vary by scale and risk profile, the ANSI/TIA-942 Rated-4 hosting requirement specifically targets production workloads hosted by third-party IT, SaaS, or cloud providers that carry sensitive or regulated functions. Ancillary and connected systems used by these entities also fall under audit and compliance scope when they interact with SEBI-controlled systems.
Why This Matters Now
Capital markets increasingly rely on external data centers and cloud environments to run trade processing, clearing, advisory services, and investor platforms. The risks of failure or cyber disruption at these third-party facilities have grown accordingly. SEBI’s CSCRF responds to these systemic vulnerabilities by enforcing a uniform standard for cyber and operational resilience across regulated entities.
Three factors drive this: reliance on external infrastructure, the concentration of operational risk in third-party facilities, and SEBI’s move to establish a baseline resilience standard to safeguard market integrity.
A Brief Overview of TIA-942
ANSI/TIA-942 is the international benchmark for data-center infrastructure covering site location, power, cooling, cabling, fire safety, physical security, and system redundancy. It specifies four ratings from Rated-1, representing basic setups, to Rated-4, which denotes fault-tolerant design allowing continued operation despite a single failure.
Rated-4 data centers are engineered for mission-critical workloads, so that a failure in any single component does not interrupt production services. This makes the standard particularly suitable for the high-availability demands of capital-market systems.
SEBI’s Expectation: The Rules at a Glance
SEBI’s CSCRF targets production workloads hosted outside the entity’s own infrastructure. The regulator’s mandate is clear:
· Production environments hosted by third-party IT, SaaS, or cloud providers must reside in data centers certified to ANSI/TIA-942 Rated-4 or an equivalent Tier-4 level.
· Lower-tier facilities like Tier-3 are permitted only for non-production use such as development or testing.
· These non-production environments must be strictly segregated and must not house customer or sensitive production data.
What This Means for CXOs
Governance: Boards and risk committees need clear oversight of where critical workloads reside, along with documented evidence of data-center resilience and certifications. Reliance on unverified provider claims is no longer sufficient.
Architecture: IT leadership must ensure strict alignment between application environment tiers and data-center ratings—production workloads require Rated-4 or equivalent, while non-production can reside in lower tiers with appropriate safeguards.
Vendor and Cloud Strategy: Provider evaluation criteria must now include verifiable data-center certifications. Investments in migrations or contract amendments may be necessary to address gaps.
Compliance and Audit: Evidence documenting workload locations, certifications, and audit dates must be maintained and regularly updated to ensure regulatory
A Practical 1-2 Quarter Action Plan for CXOs
1. Conduct a comprehensive inventory of all externally hosted workloads, classifying them as production, pre-production, or non-production.
2. For each production workload, verify and document the specific data-center locations, their ANSI/TIA-942 certification status, and dates of the latest validation.
3. Identify workloads not hosted in Rated-4 or equivalent facilities; develop remediation plans including migration, redesign, or documented risk acceptance with controls.
4. Revise and negotiate contracts with hosting providers to mandate minimum data-center ratings, certification proof rights, and change notification obligations.
5. Integrate data-center resilience status into ongoing board risk and audit reporting frameworks to maintain continuous compliance visibility.
From Compliance Mandate to Strategic Opportunity
SEBI’s linkage of CSCRF to TIA-942 sets a concrete resilience baseline for all regulated entities. How organisations respond will shape their operational reliability and market trust.
Those who view this requirement as a simple compliance hurdle may face unforeseen migration costs and risks. Conversely, organisations that use this moment to rationalize providers, strengthen architecture, and sharpen governance will realize greater uptime and enhanced regulatory confidence, and will be well positioned for the future demands of AI-driven, high-density workloads.



