12 December 2025

AKP Corporate & Compliance Digest December 08, 2025

AK & Partners

Contributor

AK & Partners is a full-service law firm, whose expertise spans diverse practice areas, including Banking and Finance, Dispute Resolution, Transaction Advisory and Funds, Data Privacy, Tax, and regulatory compliance. Our services are offered across different legal forums and jurisdictions, including the USA, the UK, Singapore, Italy, Spain, Sri Lanka, etc.
We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.


1. Labour Law

1.1. Centre outlines Welfare and Social Security push for Gig and Platform Workers

The Ministry of Labour and Employment has outlined an expanded welfare and social security framework for unorganised, gig and platform workers, anchored in the e-Shram (National Database of Unorganised Workers) portal and the rollout of the new Labour Codes. Since its launch, e-Shram has registered over 31 crore (thirty-one crore) unorganised workers and over 5 lakh (five lakh) gig and platform workers, and has been mapped to multiple flagship schemes, including One Nation One Ration Card, Ayushman Bharat – Pradhan Mantri Jan Arogya Yojana and the Mahatma Gandhi National Rural Employment Guarantee Scheme, to facilitate access to food security, health cover and income support. Recent Budget announcements provide for identity cards and Ayushman Bharat – Pradhan Mantri Jan Arogya Yojana health benefits for online platform workers, while complementary initiatives such as the Skill India Mission and the 'Future Skills PRIME' programme seek to re-skill and up-skill youth for emerging technology roles. To support formal job creation, the Government has also launched the Employment Linked Incentive Scheme, Pradhan Mantri Viksit Bharat Rozgar Yojana, with an outlay of INR 99,446 crore (Indian Rupees Ninety-Nine Thousand Four Hundred Forty-Six Crore only) to incentivise the creation of more than 3.5 crore (three point five crore) jobs over 2 (two) years.

1.2. EPFO ends Aadhaar–UAN seeding relaxations for North-East and select sectors

Employees' Provident Fund Organisation (EPFO) has announced that the extended timeline for mandatory Aadhaar seeding and verification with Universal Account Number ("UAN") for filing Electronic Challan-cum-Return ("ECR") in respect of establishments in the North East Region (NER) and specified industries will not be continued beyond October 31, 2025. The relaxations, which were first granted following the introduction of Aadhaar-linked ECR filing with effect from June 1, 2021 and most recently extended through Ministry of Labour and Employment (MoLE) communications dated January 7, 2025 and October 28, 2025, are being discontinued on the basis that employers have had adequate time to complete Aadhaar–UAN seeding and current pendency is now marginal. All Zonal Offices (ZOs) and Regional Offices (ROs) have been directed to undertake intensive sensitisation and awareness drives to inform employers that, for the wage month of November 2025 onwards, ECRs will be accepted only for members whose Aadhaar is duly seeded and verified with UAN, without any further exceptions, pursuant to the approval of the Central Provident Fund Commissioner.

2. Stock Exchanges

2.1. NSE prescribes Action Taken Report framework for internal audit non-compliances

National Stock Exchange of India Limited ("NSE") has issued a circular introducing an "ease of doing compliance" framework that requires Trading Members to close all non-compliances reported in their half-yearly internal audit reports and to submit an Action Taken Report ("ATR") within 2 (two) months from the due date for filing the internal audit, making the ATR due by July 31 and January 31 for audit periods ending March 31 and September 30 respectively. The ATR must be certified by the empanelled internal auditor, confirm the status of compliance, and cover at least 1 (one) month for sample verification, and is to be filed electronically through the Inspection module of the Member Portal under the Internal Audit tab. The framework, developed in consultation with the Securities and Exchange Board of India ("SEBI"), applies to all internal audit reports for the half-year ended September 30, 2025, and onwards, and is intended to ensure timely closure of internal audit observations while reducing compliance frictions. Where observations remain unresolved in the ATR or the ATR is not submitted within the prescribed timeline, NSE will initiate monetary penalty or disciplinary action in line with its penalty circulars.

2.2. BSE mandates ATR-based closure of internal audit non-compliances

Bombay Stock Exchange ("BSE") has introduced an "ease of doing compliance" framework under which all Trading Members must close non-compliances reported in their half-yearly internal audit reports and submit an ATR, certified by their empanelled internal auditor, within 2 (two) months from the due date for filing the internal audit report, making the ATR due by July 31 and January 31 for audit periods ended March 31 and September 30 respectively. The ATR, to be filed electronically through the BSE Electronic Filing System Internal Audit Report Module, must confirm the status of compliance and cover at least 1 (one) month for sample verification, with the framework, developed jointly with the SEBI, applicable to internal audit reports for the half year ended September 30, 2025, and onwards. Where observations remain unresolved in the ATR or the ATR is not filed within the prescribed timeline, and members have been advised to notify their internal auditors and use the designated helplines for process, technical and XBRL-related queries.

2.3. BSE issues reminder on system audit report submission by trading members

BSE has reminded all trading members to submit their System Audit Report for the period ended September 30, 2025, through the BSE Electronic Filing System (BEFS) portal on or before December 31, 2025, warning that any delay beyond the due date may attract penal or disciplinary action. The notice, which follows earlier communications on the same subject, re-attaches user manuals for members and auditors as Annexure A and Annexure B respectively to facilitate smooth use of the system audit module and provides dedicated contact details for resolving XBRL-related and process-related queries so that members can ensure timely and complete compliance with the system audit requirements.

2.4. CDSL tightens penalties for delayed RAT submissions by DPs

Central Depository Services (India) Limited ("CDSL") has amended Annexure 11.1 of its DP Operating Instructions to revise the penalty structure for Depository Participants ("DPs") that do not submit the Risk Assessment Template ("RAT") for risk-based supervision within the prescribed timelines for the half years ending March 31 and September 30. The base penalty for non-submission of RAT data by the due dates of April 30 and October 31 is now INR 2,000 (Indian Rupees Two Thousand only) per occasion, increasing to INR 4,000 (Indian Rupees Four Thousand only) per occasion for repeated delays in consecutive periods, with non-submission across 3 (three) consecutive periods being referred to the Member Committee. In addition, a graded daily penalty structure has been introduced that, depending on whether the delay is a first, second or third consecutive instance and on the length of delay, ranges from INR 500 (Indian Rupees Five Hundred only) per day to INR 2,000 (Indian Rupees Two Thousand only) per day, with all cases of non-submission beyond 60 (sixty) days in any instance being escalated to the Member Committee. DPs have been advised to take note of these amendments and ensure timely submission of RAT data to avoid higher financial and disciplinary consequences under the revised framework.

2.5. NSDL revises penalty structure for delayed risk-based supervision data

National Securities Depository Limited ("NSDL") has amended rule 18.1.1 (eighteen point one point one) of its Business Rules to tighten the penalty framework for non-submission and delayed submission of data for risk-based supervision in the Risk Assessment Template (RAT), introducing a graded structure of monetary penalties and disciplinary action for first, second and third consecutive instances of delay, including per-day charges after 7 (seven) and 15 (fifteen) calendar days from the due date and escalation to the Member Committee if the report is not submitted for 60 (sixty) days or if repeated delays occur over 3 (three) consecutive periods, with Participants requested to note the changes and ensure timely compliance.

2.6. NSDL demands timely KYC uploads from DPs to KRAs

NSDL has issued a Participant Services Circular reminding depository participants ("DPs") of their obligation under Securities and Exchange Board of India (SEBI) Know Your Client ("KYC") norms to upload client KYC records to KYC Registration Agencies ("KRAs") within 3 (three) working days of completing the KYC process, instead of the earlier 10 (ten) working day timeline. This follows a sample comparison of Permanent Account Numbers (PANs) in demat accounts with KRA databases, which showed that several DPs had failed to upload KYC details as required. NSDL has directed DPs to ensure that KYC records of all non-closed clients are uploaded to KRAs and that only clients whose KRA status is "KYC Registered" or "KYC Validated" are permitted to transact, and has asked them to prioritise this exercise so that all pending KYC records are uploaded by January 2, 2026, in order to maintain interoperability across intermediaries and prevent inconvenience to investors.

2.7. CDSL issues TRAI mandate of pre-tagging of variables in commercial SMS templates

Telecom Regulatory Authority of India (TRAI) has directed all telecom access providers to mandatorily pre-tag every variable field in commercial Short Message Service ("SMS") content templates, specifying the content type, purpose and validation criteria, as a measure to curb misuse of headers and templates under the Telecom Commercial Communications Customer Preference Regulations, 2018. The new regime, introduced through a direction dated November 18, 2025, requires that all new SMS templates registered after 10 (ten) days comply with the pre-tagging rules at the time of approval, that automated scrubbing and validation of tagged variables against pre-whitelisted website links, over-the-top links, application package links and call-back numbers commence within 30 (thirty) days, and that all existing templates be migrated to the new standards within 60 (sixty) days from the start of scrubbing, after which any message failing variable-tag validation will be rejected and not delivered. Central Depository Services (India) Limited has accordingly advised its depository participants to ensure strict adherence to the adoption timelines and operational conditions, noting that during an initial 60 (sixty) day logger period messages will still be delivered but fault messages will be generated, and that timely alignment of registered templates and systems is essential to avoid disruption to customer communications and to strengthen protections against spam, phishing and fraud.

3. Information Technology

3.1. CERT-In flags high-risk Android vulnerabilities across recent versions

Indian Computer Emergency Response Team ("CERT-In") has issued Vulnerability Note CIVN-2025-0347 highlighting multiple high-risk security flaws in Google Android versions 13, 14, 15 and 16, which could allow a remote attacker to gain elevated privileges, access sensitive information or trigger denial of service on affected devices. The vulnerabilities arise from weaknesses referenced in Android, Qualcomm, MediaTek, NVIDIA, Broadcom and UNISOC components and are assessed as posing a high risk of full system compromise, system instability and data exposure for all original equipment manufacturers and users. CERT-In has advised stakeholders to promptly apply the security updates referenced in Google's Android Security Bulletin dated December 1, 2025, and to follow vendor guidance to mitigate these risks.

3.2. CERT-In warns of high-risk OpenVPN flaws enabling denial-of-service and data leaks

CERT-In has issued Vulnerability Note CIVN-2025-0348 warning that multiple security flaws in OpenVPN versions 2.7_alpha1 through 2.7_rc1 and 2.6.0 through 2.6.15 could allow remote attackers to cause denial-of-service and information disclosure, creating a high risk of service disruption for organisations and individuals using the affected virtual private network software. The weaknesses stem from insufficient argument validation during Internet Protocol version 6 (IPv6) address parsing and an incorrect implementation of the memcmp() function call in Hash-based Message Authentication Code (HMAC) verification, and CERT-In has urged all end-user organisations to promptly apply the fixes detailed in the OpenVPN security advisories and vendor updates to mitigate exposure to these 2 (two) Common Vulnerabilities and Exposures (CVEs), CVE-2025-12106 and CVE-2025-13086.

3.3. CERT-In flags Apple mercenary spyware alerts and offers forensic support

CERT-In has issued an advisory noting that Apple has sent threat notifications worldwide, including in India, warning selected users that iPhones linked to their Apple identification (ID) may be targeted by mercenary spyware. The advisory, dated December 5, 2025, urges notified users to take additional safeguards such as updating their iPhone operating system (iOS) to version 26.1 (twenty-six point one) and updating all Apple devices, as well as keeping messaging and cloud applications current and enabling Lockdown Mode. Users who have received these notifications are encouraged to seek technical assistance by contacting CERT-In so that their devices can be examined, and are expressly warned not to reset, delete applications, update or otherwise alter the phone beforehand because such actions could tamper with potential evidence, with the note also providing links to relevant Apple-related vulnerability notes and CERT-In contact details.

3.4. CERT-In warns of multiple high-severity GitLab vulnerabilities

CERT-In has issued a HIGH-severity vulnerability note on multiple security flaws in GitLab Community Edition (CE) and Enterprise Edition (EE) prior to versions 18.6.1 (eighteen point six point one), 18.5.3 (eighteen point five point three) and 18.4.5 (eighteen point four point five), warning that attackers could exploit race conditions in continuous integration and continuous deployment (CI/CD) cache, improper authorisation in account registration and markdown rendering, information disclosure in the Terraform registry and denial of service issues in HTTP response processing and JSON input validation middleware to gain unauthorised access, steal data or destabilise systems. The note dated December 4, 2025, stresses that all organisations and individuals using GitLab face a risk of exposure to data theft and sensitive information disclosure and urges them to promptly apply the security fixes released by GitLab in its November 26, 2025, patch advisory, treating the update as a priority risk-mitigation step.

3.5. CERT-In issues HIGH-severity alert on multiple Splunk vulnerabilities

CERT-In has published a HIGH-severity Vulnerability Note warning that multiple security flaws in Splunk Enterprise, Splunk Cloud Platform, Splunk Secure Gateway and Splunk Model Context Protocol Server could allow remote attackers to trigger denial of service, execute arbitrary code, gain elevated privileges, bypass security restrictions or obtain sensitive information on affected systems. The issues, which arise from weaknesses such as unauthenticated log injection, improper access control in push notifications, incorrect permission assignments, improper validation of user inputs and blind server-side request forgery through distributed search peers, expose all organisations and individuals using Splunk to a heightened risk of system compromise, data breach, malware propagation and service disruption, and CERT-In strongly urges prompt application of the security fixes released by Splunk to mitigate these threats.

3.6. CERT-In flags remote code execution flaw in Microsoft Windows shortcut files

CERT-In has issued a HIGH-severity Vulnerability Note warning that a flaw in the way Microsoft Windows processes `.lnk` shortcut files could allow a remote attacker to trick users into opening a malicious shortcut, thereby executing arbitrary code, escalating privileges and maintaining persistence on the compromised system. The note, dated December 4, 2025, explains that the vulnerability arises from improper handling of hidden command-line arguments embedded in shortcut files, creating a risk of full system compromise, sensitive information disclosure and malware deployment for all organisations and individuals using affected Windows installations, and it urges prompt application of the security updates referenced in Microsoft's security advisory ADV25258226 as the primary mitigation measure.

3.7. CERT-In warns BFSI entities of surge in attacks on Palo Alto firewall devices

CERT-In has issued Critical Advisory CIAD-2025-0047 after observing a coordinated spike in cyberattacks on Palo Alto Networks (PAN) firewall devices, especially PA-3220 series appliances running PAN Operating System (PAN-OS) versions 8.x (eight point x) to 12.x (twelve point x), deployed across the Banking, Financial Services and Insurance (BFSI) sector. The attacks, seen since October 2025, involve large-scale scanning and exploitation of multiple known Common Vulnerabilities and Exposures (CVEs) and are assessed as capable of enabling full system compromise, data theft and denial of service within targeted networks. CERT-In and the Computer Security Incident Response Team for Financial Sector (CSIRT-Fin) have urged organisations to immediately apply vendor patches, lock down management interfaces behind Virtual Private Network (VPN) access and Internet Protocol allow-lists, enhance logging and alerting, conduct threat hunting using indicators of compromise, enforce Multi-Factor Authentication (MFA) for administrative and remote access, and review network segmentation so that firewall management consoles are isolated from public networks, while preserving logs and promptly reporting any suspicious Information and Communication Technology (ICT) activity to the authorities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
