AKP Corporate & Compliance Digest January 05, 2026

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.

1.             Labour Law

1.1.         Centre notifies draft Industrial Relations (Central) Rules, 2025 for consultation

Ministry of Labour and Employment [“MoLE”] issued the draft Industrial Relations (Central) Rules, 2025 under the Industrial Relations Code, 2020 and the General Clauses Act, 1897, proposing to replace the Industrial Disputes (Central) Rules, 1957 and the Industrial Employment (Standing Orders) Central Rules, 1946. This follows the Gazette notification bringing all provisions of the Industrial Relations Code, 2020 into force on November 21, 2025. Stakeholders may submit objections and suggestions within 30 (thirty) days from the date the Official Gazette copies are made available to the public, including by email to the designated Ministry officer. The draft sets out procedures and forms (including for electronic submissions) and includes prescribed formats for employer actions such as lay-off, retrenchment and closure, with indicative minimum lead times of 15 (fifteen) days, 60 (sixty) days and 90 (ninety) days respectively. It also publishes model standing orders covering worker classifications (including fixed term employment) and internal governance such as grievance redressal (including a 1 (one) year window for individual grievance applications) and workplace sexual harassment processes aligned to the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013.

1.2.         Centre issues draft Code on Social Security (Central) Rules, 2025 for consultation

MoLE issued a Gazette notification publishing the draft Code on Social Security (Central) Rules, 2025 under the Code on Social Security, 2020 (Code), in supersession of multiple existing central rules (including the Employees’ State Insurance (Central) Rules, 1950 and Employee’s Compensation Rules, 1924), and invited objections and suggestions within 45 (forty-five) days from the day the relevant Official Gazette copies are made available to the public. The draft rules aim to consolidate operational and procedural requirements across key social security regimes, including governance and budgeting of the Employees’ State Insurance Corporation (“ESIC”), benefit eligibility and administration, tribunal procedure, gratuity and maternity benefit processes, and prescribed forms and reporting formats. For ESIC, the draft caps annual administrative expenses at 15 per cent (fifteen per cent) of total revenue income, prescribes a minimum funeral expense benefit of INR 15,000 (Indian Rupees Fifteen Thousand only), and provides that sickness benefit is payable at 70 per cent (seventy per cent) where contributions were payable for at least 78 (seventy-eight) days in the corresponding contribution period. For employee’s compensation, it proposes simple interest at 12 per cent (twelve per cent) per annum on delayed compensation beyond 30 (thirty) days, unless a different rate is notified by the Central Government.

1.3.         Centre issues draft Code on Wages (Central) Rules, 2025 for consultation

MoLE published a notification in the Gazette of India, Extraordinary, proposing the draft Code on Wages (Central) Rules, 2025 under the Code on Wages, 2019 (Code). The notification notes that an earlier draft (Code on Wages (Central) Rules, 2020) was published on July 7, 2020, and that all provisions of the Code were brought into force through notifications dated December 18, 2020, and November 21, 2025. Objections and suggestions may be submitted within 45 (forty-five) days from the date the Gazette is made available to the public, The draft rules consolidate the compliance framework by superseding multiple legacy rules issued under the Payment of Wages Act, 1936, the Minimum Wages Act, 1948, the Payment of Bonus Act, 1965, and the Equal Remuneration Act, 1976, among others. They also prescribe procedures and forms (including electronic filing), allow compounding of certain offences at 50 per cent (fifty per cent) of the maximum fine payable within 30 (thirty) days of the composition order, clarify wage and minimum bonus responsibility in contractor-based engagements, and require annual returns to be filed electronically in the relevant form under the Occupational Safety, Health and Working Conditions Code, 2020, with a copy forwarded to the Labour Bureau.

1.4.         Centre notifies draft Occupational Safety, Health and Working Conditions (Central) Rules, 2025 for consultation

MoLE notification dated December 30, 2025, has published the draft Occupational Safety, Health and Working Conditions (Central) Rules, 2025 under the Occupational Safety, Health and Working Conditions Code, 2020, and invited objections and suggestions within 45 (forty-five) days in the prescribed proforma. The draft framework shifts core compliance to the Shram Suvidha Portal (or a designated portal), including electronic registration for establishments, with registration certificates to be issued immediately where applications are complete (and in any case within 7 (seven) days), alongside a deemed registration and auto-generated certificate mechanism if timelines are missed. It also requires existing establishments already registered under other Central labour laws to update registration particulars within 6 (six) months, and to display the registration certificate at a conspicuous place (physically or electronically). For larger establishments, it mandates a Safety Committee for 500 (five hundred) or more workers with a 3 (three) year tenure, regular meetings (at least quarterly, and at least monthly for mines), and a 15 (fifteen) day window for employers to act on recommendations. The draft rules further prescribe conditions for employing women during night hours (including written consent, transport, lighting and Closed-circuit television surveillance, and compliance with the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013), and propose integrated reporting and record-keeping requirements, including a unified annual return and preservation of records for 5 (five) years.

2.             Stamp Duty

2.1.         Punjab proposes cap on stamp duty for loan and mortgage instruments

The Government of Punjab published the Indian Stamp (Punjab Second Amendment) Bill, 2025 in the Punjab Government Gazette (Extraordinary) on December 29, 2025, proposing amendments to the Indian Stamp Act, 1899 (as applicable to Punjab). The Bill proposes that stamp duty on specified loan-related instruments be charged at 0.25 per cent (zero point two five per cent) of the loan amount secured, subject to a cap of INR 5,00,000 (Indian Rupees Five Lakhs only), and also proposes that no additional stamp duty be charged on other instruments relating to the same loan where the relevant stamp duty has already been paid.

3.             Stock Exchanges

3.1.         NSE sets quarterly cyber incident reporting deadline and escalation matrix

National Stock Exchange of India Limited (“NSE”) directed trading members (as Securities and Exchange Board of India (“SEBI”) Regulated Entities (“REs”)) to submit the Quarterly Cyber Incident Report for the quarter ending December 31, 2025 through the member portal by January 15, 2026, under the Cyber Security and Cyber Resilience Framework for Regulated Entities (CSCRF), using the path ENIT > ENIT-NEW-TRADE > Trade > Incident Report > Quarterly Report Submission. The circular also flags that non-submission or delayed submission will attract disciplinary action, including charges of INR 1,500 (Indian Rupees One Thousand Five Hundred only) per day for the first 7 (seven) calendar days (or until submission, whichever is earlier) and INR 2,500 (Indian Rupees Two Thousand Five Hundred only) per day from the 8 (eight) day to the 21 (twenty-one) day (or until submission, whichever is earlier), followed by prohibition on new client registration and a 7 (seven) calendar day disablement notice if the report is not submitted by 21 (twenty-one) calendar days, and disablement in all segments if not submitted by 28 (twenty-eight) calendar days, with repeat violations attracting a 50 per cent (fifty per cent) escalation in monetary penalty.

3.2.      BSE mandates half-yearly SaaS compliance filing via BEFS and routes cyber incident reporting to NSE for common members

Bombay Stock Exchange Limited (“BSE”) by Notice No. 20251231-18 dated December 31, 2025, reminded trading members of the SEBI advisory on Software as a Service (“SaaS”) based solutions (SEBI/HO/MIRSD2/DOR/CIR/P/2020/221 dated November 3, 2020) and directed that the half-yearly SaaS compliance for the period July 2025 to December 2025 must be submitted only in electronic form through the BSE Electronic Filing System (“BEFS”) by January 31, 2026. BSE also stated that, under the technology-based sharing mechanism for common submissions among exchanges, members registered with both BSE and NSE should submit quarterly cyber incident reporting to NSE only, while exclusive BSE members should continue to submit such reports to BSE through BEFS as per the existing process, and provided contact details for process-related queries.

3.3.       BSE reiterates quarterly cyber incident reporting timeline and channels submissions via BEFS or NSE

BSE Limited, by Notice No. 20251231-28 dated December 31, 2025, reminded trading members to submit the quarterly cyber security incident report (cyber alerts/attacks) through the BEFS within 15 (fifteen) days from the end of the quarter, and stated that for the quarter October 2025 to December 2025, the due date is January 15, 2026, with the submission treated as complete only upon receipt of an acknowledgement email. BSE further stated that members who are also registered with NSE should submit their quarterly incident reporting to NSE only under the technology-based sharing mechanism for common submissions among exchanges, while exclusive BSE members must continue submitting via BEFS, and warned that non-submission or delayed submission will attract disciplinary action as per the applicable exchange notice, while also reiterating the requirement to follow the immediate incident reporting process when applicable.

3.4.     NSDL lists 2026 trading holidays when inter-depository transfer instructions will not be exchanged

National Securities Depository Limited (“NSDL”) reminded participants that inter-depository transfer instructions are discontinued on trading holidays and, based on the trading holiday list provided by Central Depository Services (India) Limited (CDSL) for calendar year 2026, stated that no inter-depository instructions will be exchanged between depositories on 17 (seventeen) days: January 26, 2026 (Republic Day), March 3, 2026 (Holi), March 21, 2026 (Id-Ul-Fitr (Ramadan Eid)), March 26, 2026 (Shri Ram Navami), March 31, 2026 (Shri Mahavir Jayanti), April 3, 2026 (Good Friday), April 14, 2026 (Dr. Baba Saheb Ambedkar Jayanti), May 1, 2026 (Maharashtra Day), May 28, 2026 (Bakri Eid), June 26, 2026 (Moharam), August 15, 2026 (Independence Day), September 14, 2026 (Ganesh Chaturthi), October 2, 2026 (Mahatma Gandhi Jayanti), October 20, 2026 (Dussehra), November 10, 2026 (Diwali-Balipratipada), November 24, 2026 (Guru Nanak Jayanti), and December 25, 2026 (Christmas).

3.5.         NSDL mandates T+1 uploads of DIS images on e-PASS DMS module

NSDL, through a circular directed participants to upload Delivery Instruction Slip(s) (“DIS”) received and annexures to DIS in the new DIS Management System (“DMS”) module on NSDL e-PASS on a T+1 basis with effect from January 1, 2026, and referred to earlier NSDL circulars dated August 5, 2014, August 28, 2014, and December 23, 2025 on DIS signing, uploading and tamper-proof storage. NSDL also required participants to upload legacy DIS data for the last 8 (eight) years, from January 1, 2018, to December 31, 2025, by February 28, 2026, with separate handling for participants maintaining DIS records in their own back-office systems versus those using NSDL’s DMS software (local data centre or NSDL private cloud) who may approach the NSDL helpdesk for facilitation. NSDL stated that menu rights in the new DMS module will be auto-assigned to existing maker and checker users on e-PASS, and additional user IDs may be created by submitting details in the prescribed format.

3.6.         NSDL issues 2026 Limited Purpose Holiday Master for DIS monitoring

NSDL issued a circular on December 29, 2025, enclosing the Limited Purpose Holiday Master for DIS monitoring for calendar year 2026, to determine what counts as a “working day” for the requirement to scan and upload images of duly executed DIS to the DMS module of NSDL e-PASS by the end of the next working day, as per SEBI guidelines and NSDL’s earlier instructions. The holiday master treats all Saturdays and Sundays as non-working days and additionally marks the following days as holidays for DIS monitoring in 2026: January 26, 2026; February 19, 2026; March 3, 2026; March 19, 2026; March 26, 2026; March 31, 2026; April 3, 2026; April 14, 2026; May 1, 2026; May 28, 2026; June 26, 2026; August 26, 2026; September 14, 2026; October 2, 2026; October 20, 2026; November 10, 2026; November 24, 2026; and December 25, 2026. NSDL also reiterated forthcoming compliance items, including monthly Investor Grievance Reports by the 10th (ten) of the following month through e-PASS and a monthly report on same mobile number and/or email address captured for multiple accounts before the 27th (twenty-seven) of the following month through email.

3.7.         NSDL extends deadline for DPs to upload client KYC records to KRAs

NSDL extended the compliance timeline for Depository Participants (“DPs”) to upload Know Your Customer (“KYC”) records of non-closed clients to KYC Registration Agencies (“KRAs”) for validation up to January 30, 2026, after receiving representations from DPs, and in continuation of its earlier circular on this subject dated December 4, 2025. NSDL reiterated the SEBI requirement to upload KYC details and dispatch KYC documents within 3 (three) working days of client execution, and the SEBI position that clients may commence transactions after KYC completion but cannot transact further if KYC attributes are not verified by KRAs. NSDL directed DPs to ensure all pending KYC records are uploaded within the extended timeline and to allow transactions only where the KRA status is “KYC Registered” or “KYC Validated”, to support interoperability and avoid investor inconvenience.

3.8.         NSE requires half-yearly SaaS compliance reporting via member portal

NSE has directed trading members using SaaS based solutions/applications to submit half-yearly compliance information under the SEBI advisory on SaaS dated November 3, 2020.  For the half-year July 1, 2025, to December 31, 2025, members must submit the report through the member portal by January 31, 2026 (Member Portal → Inspection → SaaS → Submit SaaS Report). If a member is not utilising any SaaS service, it must select “No” in the SaaS report menu and provide an appropriate remark, and the submission steps are set out in the user manual in Annexure A. NSE also stated that, for members registered with other exchanges, it will share the submitted SaaS reports (including data/documents) with those exchanges, as per its circular dated September 29, 2025.

4.             Information Technology

4.1.       CERT-In flags high-severity buffer overflow in Net-SNMP enabling remote code execution or DoS

Indian Computer Emergency Response Team (“CERT-In”) issued Vulnerability Note CIVN-2025-0389 on December 29, 2025, rating as “High” a buffer overflow vulnerability affecting Net-SNMP versions prior to 5.9.5 and Net-SNMP 5.10.pre2 and earlier pre-release builds. CERT-In stated that improper bounds checking during memory operations can trigger a buffer overflow when specially crafted network packets are processed, which could allow a remote attacker to execute arbitrary code or cause denial-of-service (DoS), posing a high risk of service disruption, system crashes, or remote compromise. CERT-In advised users and administrators to apply the appropriate vendor updates.

4.2.         CERT-In flags critical authentication bypass in IBM API Connect

CERT-In issued Vulnerability Note CIVN-2026-0001 on January 1, 2026, rating as “Critical” an authentication bypass vulnerability affecting IBM API Connect versions 10.0.8.0 through 10.0.8.5 and version 10.0.11.0.  CERT-In stated that a logic error in the authentication flow of the IBM API Connect management interface could be exploited by a remote attacker through a specially crafted request, enabling bypass of the authentication mechanism and unauthorised access, with a high risk of compromise of the affected system.  CERT-In advised applying IBM’s updates and referenced CVE-2025-13915.

4.3.         CERT-In flags critical sandbox bypass in n8n (npm) Python Code Node

CERT-In issued Vulnerability Note CIVN-2025-0390 on December 30, 2025, rating as “Critical” a remote code execution vulnerability affecting n8n Workflow Automation Platform (npm) versions prior to 2.0.0. CERT-In stated that the vulnerability arises from a sandbox bypass flaw in the n8n Python Code Node, which could be exploited by an authenticated user with permission to create or modify workflows to execute arbitrary commands, escape the sandbox, and gain unauthorised access on the target system, with potential for full system compromise, sensitive data exposure, workflow manipulation, service disruption, and lateral movement.  CERT-In suggested mitigations including disabling the Code Node using the NODES_EXCLUDE environment variable, disabling Python support in the Code Node by setting N8N_PYTHON_ENABLED as false, and using task-runner based Python sandbox options, and advised applying vendor updates as per n8n’s security guidance.

5.             Tax

5.1.         Centre notifies Health Security se National Security Cess Rules, 2026 laying down registration, declaration, payment and enforcement processes

The Central Government, through the Ministry of Finance (Department of Revenue), notified the Health Security se National Security Cess Rules, 2026 under Section 35 of the Health Security se National Security Cess Act, 2025, with effect from February 1, 2026, prescribing end-to-end procedures for levy and administration of the Health Security se National Security Cess (HSNS Cess) through the cbic-gst.gov.in portal (Portal). The rules provide for factory-wise registration through FORM HSNS REG-01 (with temporary registration pending approval) and issuance of FORM HSNS REG-02, with the proper officer generally required to grant registration within 7 (seven) working days and providing processes for cancellation and revocation.  Registered persons must file an initial declaration in FORM HSNS DEC-01 within 7 (seven) days of registration (and a fresh declaration within 15 (fifteen) days of relevant changes), which the proper officer may verify within 90 (ninety) days including physical inspection and technical verification, followed by confirmation orders impacting cess computation.  The monthly HSNS Cess is to be calculated as per Schedule II of the Act (including pro-rata for the first month in specified cases) and paid electronically in FORM HSNS PMT-01 by the 7 (seven) day of the same month, with monthly returns in FORM HSNS RET-01 due by the 20 (twenty) day of the succeeding month and interest for delayed payment as applicable.

Disclaimer

The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.

For further queries or details, you may contact:

Mr Anuroop Omkar

Founding Partner, AK & Partners

info@akandpartners.in