Digital Governance Without Legal Accountability: Re-examining SEBI’s Fourth Amendment Regulations 2025
- Inika Dular
- Feb 27
[Inika is a student at Rajiv Gandhi National University of Law.]
The Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) (Fourth Amendment) Regulations 2025 (Amendment Regulations) mark a significant shift in the regulatory imagination of Indian securities law. By mandating the appointment of Chief Technology Officers (CTOs) and Chief Information Security Officers (CISOs) in recognized stock exchanges (SEs) and clearing corporations (CCs), the Securities and Exchange Board of India (SEBI) acknowledges that regulation has long been overtaken by the reality that technology is the backbone of modern securities markets. Trading engines, clearing systems, surveillance tools, margining instruments, and data repositories are no longer peripheral to market activity. They are the market itself.
However, this acknowledgement is merely a beginning. The 2025 amendments pose a more profound question to the law: how should the power over the technology of market infrastructure institutions be governed? While the amendments expand the formal governance framework, they do so by embedding technological authority within private institutional hierarchies, without subjecting it to the corresponding public law disciplines of accountability, transparency, and enforceability. The Amendment Regulations internalize digital power but do not create enforceable, external accountability. This piece contends that the amendment signifies a regulatory struggle to grasp fully the public character of the digital power exercised by SEs and CCs; as a result, the framework expands internal compliance but leaves structural accountability largely untouched.
Digitized Markets’ Risk Shift
Historically, securities regulation has concentrated on risks stemming from conduct: fraud, manipulation, insider dealing, and failures in disclosure. These risks were occasional, human in origin, and mostly recognizable only after the fact. The digital revolution has changed this scenario drastically. Today, market risk is more infrastructural than transactional. Algorithmic trading systems play a significant role in price formation. CCs depend on automated risk management and default waterfalls for their operations. Surveillance relies on data analytics rather than human monitoring. In addition, cybersecurity incidents can cause a sudden disruption of the entire market, compromise sensitive financial data at scale, and lead to a loss of public confidence.
This change drastically affects the regulatory landscape. When risk becomes inherent in systems rather than in actors, governance has to address not only outcomes but also the design, supervision, and fortification of those systems. Many technical questions in the areas of system architecture, access controls, latency, redundancy, incident response protocols, and the like are not neutral technical choices. They determine market access, informational symmetry, and systemic stability. Technology governance and market governance are therefore essentially intertwined.
The Amendment Regulations still treat technology mainly as an internal operational domain, rather than as a locus of public power that necessitates external legal oversight.
Existing Gaps
Regulations 30B and 30C mandate the appointment of CTOs and CISOs in the financial sector and set out a comprehensive list of their duties. The prescriptive and exhaustive language signals an intention to rule out any discretionary interpretation. However, this precision about the scope and nature of the prescriptions disguises a key regulatory decision. The amendments are not aimed at introducing accountability structures but at specifying roles. The regulator assumes that simply enumerating the tasks will bring about good governance, without considering the internal circumstances under which those tasks will be performed.
Notably, the regulations make no mention of mandatory eligibility criteria, independence requirements, tenure protections, or reporting lines outside the internal governance structures. CTOs and CISOs are not required to submit independent reports to SEBI; there is no obligation to inform the public about major technological incidents; and there is no requirement for technological risk assessments to be verified by an external party. The regulator's role remains indirect and reactive, relying on internal compliance processes rather than on proactive supervision.
This structure reflects a broader pattern in the Indian financial regulatory framework: the control of systemic risks through internal governance structures.
Tech Power's Internalization Trap
The internalization of digital governance under the Amendment Regulations raises important concerns. The CTOs and CISOs, as defined in the regulations, are influential actors. Their decisions not only affect the effectiveness of internal operations but also influence the whole market. Nevertheless, their power is confined to a closed institutional circle: they are the institution's appointees, they are accountable to the institution's board, and they are mostly free from regulatory scrutiny.
This internalization gives rise to a number of legal and regulatory risks. To begin with, it restricts visibility. Without mandatory disclosure or reporting, regulators and market participants remain unaware of systemic risks until those risks turn into crises. Next, it disperses accountability. The lack of well-defined personal responsibility makes it easier for the institution to absorb digital governance mistakes, which in turn complicates enforcement and renders it normatively ambiguous. Finally, it erodes deterrence: technology failures rarely trigger stricter compliance, and the consequences, whether personal or institutional, are very limited.
Comparative regulation points to a clear consensus: purely internal digital governance is structurally insufficient for systemically important financial institutions. Jurisdictions that have dealt with technological failures have shown that ICT risk cannot be managed through internal compliance alone. They have therefore moved to models that combine internal monitoring with legally enforceable external control.
In the EU, the Digital Operational Resilience Act (DORA) lucidly redefines ICT risk as a question of financial stability rather than of operational efficiency. It requires that major ICT-related incidents be reported within prescribed timelines, allows supervisory bodies to directly oversee critical digital functions, and makes the board and senior management accountable for digital resilience. This regulatory arrangement accepts that technology failures may affect not only one country but the entire region, and thus demands regulatory visibility and intervention.
The UK takes this reasoning further through individual accountability regimes, most prominently the Senior Managers and Certification Regime (SMCR). By attaching responsibility for technology and operational resilience to specific senior executives, the UK regime makes it less likely that blame will be diffused, as often happens with complex system failures, and reinforces that responsibility through enforceable individual liability.
In the USA, the regulatory focus is on verification by independent parties. Mandatory external technology and cybersecurity audits correct for institutional self-assessment and ensure that critical systems are tested by people who are not directly involved in their design and operation. Taken together, these models present a common regulatory view: effective digital governance requires, among other things, external scrutiny, personal accountability, and enforceable public law mechanisms.
By comparison, the Indian regime established by the Amendment Regulations is limited to designating CTOs and CISOs and defining their internal roles, without attaching comparable obligations of time-bound incident reporting, independent system verification, or board and individual liability. To align with these jurisdictions, SEBI must treat digital infrastructure as a locus of public power, linking technology roles to public disclosure obligations, mandatory independent audits, and enforceable accountability.
Potential Reforms and The Way Forward
Regulatory accountability demands not only the involvement of CTOs/CISOs but also mechanisms for visibility (disclosure), answerability (justification), and enforceability (sanctions). SEBI's amendments lack these, which creates a risk of symbolic regulation that produces an impression of control without actually changing power relations or external supervision. They are advances, but they still do not meet these standards.
The current framework has critical shortcomings that demand targeted reforms to instill genuine accountability. First, setting demanding conditions for the roles of CTO and CISO is of crucial importance given their significant impact on the economic stability of the country. Moreover, compliance registers should be made public so that stakeholders can be involved, with reports channeled to a newly constituted Technology and Risk Committee under SEBI. Hiring at the discretion of the authority leads to partiality; hence, it is recommended to have predefined prerequisites, such as proven expertise and tenure, as safeguards that guarantee merit-based selection.
Further, SEBI should not stop at defining the roles but should also introduce a DORA-type system under which cyber-attacks and technical failures at SEs and CCs are disclosed promptly. Common thresholds and timeframes would alert regulators and markets to risks earlier than internal reports do. Given that BSE's market cap has crossed INR 47 lakh crore during this period of record highs, such transparency would both strengthen and open up India as a global investment hub for investors.
Lastly, incorporating certain aspects of the US and UK models is of crucial significance. This includes enhanced personal accountability and fully separate annual audits of technology and cybersecurity by independent external teams or structurally separate internal teams. Further, an obligation on CTOs, CISOs, and executives to provide clear Statements of Responsibility that link oversight failures to individuals, along the lines of the UK's SMCR, would prevent the diffusion of blame and allow swift enforcement. Digital governance is not to be treated as mere cosmetics; non-partisan validation is required to make it strong and resilient.