AKP Corporate & Compliance Digest January 12, 2026
- AK & Partners

- Jan 12
We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. MoLE issues FAQs to clarify flexible, worker-centric compliance under the Social Security Rules
A frequently asked questions (FAQs) note on the Social Security Rules clarifies that processes are designed to be digital-first for transparency and ease of access, but physical submissions remain permitted in specified cases, including certain gratuity and maternity benefit claims, and that registration is only an entry point and does not by itself guarantee payment of benefits unless the relevant schemes are onboarded on the applicable portal and eligibility conditions are met. The note emphasises that the Rules are subordinate legislation and can be updated through government notifications, and that Social Security Funds must be maintained as separate accounts with reporting, audit by the Comptroller and Auditor General of India (CAG), and utilisation restricted to worker welfare. It reiterates worker protections across key entitlements, including that maternity claims cannot be rejected merely for not using prescribed forms, acceptable proof can extend beyond registered medical practitioners, nursing breaks are not confined to 2 (two) fixed intervals, and crèche arrangements may be shared or pooled (with a crèche allowance where facilities are not provided). 
It also outlines safeguards in gratuity administration (including advance applications, no forfeiture solely for delay, protection for minor nominees, and structured notices, timelines and appeal processes), practical compliance positions on Building and Other Construction Workers (BOCW) welfare cess (advance payment, instalments with disclosure, refunds, clear responsibility allocation, and inter-State portability), coverage of gig and platform workers even through indirect engagement structures, and an enforcement approach focused on risk-based inspections, corrective opportunities, reasoned orders, compounding options, and time-bound appeals, while clarifying that exempted establishments and related trusts remain subject to governance, audit and oversight requirements and that records may be maintained electronically or at notified locations accessible for inspection.
2. Stamp Duty
2.1. Uttar Pradesh approves Stamp Duty concession on intra-family gift deeds for immovable assets
An official note issued on the Invest Uttar Pradesh portal indicates that the Uttar Pradesh Cabinet has approved a stamp duty cut on gift deeds for immovable assets executed between family members, framed under the Indian Stamp Act, 1899, signalling a policy move to reduce transaction frictions in eligible intra-family transfers (with operationalisation expected through the State’s stamp and registration machinery).
3. Stock Exchanges
3.1. NSDL issues SOP guidance for cyber security incident handling by Depository Participants
National Securities Depository Limited (“NSDL”) has issued a circular setting out an indicative scope for Depository Participants to prepare a Standard Operating Procedure (SOP) for handling cyber security incidents under the cybersecurity and cyber resilience framework (CSCRF) for Securities and Exchange Board of India (SEBI) Regulated Entities (REs), referring to SEBI’s circular dated August 20, 2024 and NSDL’s earlier circulars dated August 27, 2024 and September 1, 2023. Participants must report all such cyber security incidents to NSDL through the dedicated email ID [dpincidents@nsdl.com] and may seek clarifications via [dpaudit@nsdl.com] or the contact number (022)-6944 8668. NSDL has also flagged forthcoming compliance filings and channels, including periodic submissions through e-PASS and specified email reporting for certain monthly items, alongside deadlines such as the monthly Investor Grievance Report by the 10th (tenth) of the following month and the half-yearly Compliance Certificate by January 31, 2026, and July 31, 2026.
3.2. NSDL changes DP billing supporting TXT file format under ePASS
NSDL has changed the format of the additional supporting .TXT file provided to Depository Participants (“DPs”) for monthly and yearly billing under the NSDL ePASS system, implemented from the December 2025 billing cycle onwards. The supporting file will move from a fixed-length, space-separated format to a pipe (“|”) delimited format, with a specified naming convention (<DPID>_<BillMonth><BillYear>.txt, for example IN001234_NOV2025.txt) and a defined set of 20 (twenty) data fields including DP ID, transaction date/time, flag, amount, and conditional fields such as ISIN and client ID depending on the bill head. NSDL has clarified that the existing bill format will remain available up to bills for March 2026 and will be discontinued from the April 2026 monthly bill, and it has asked DPs to make the necessary back-office system changes to consume the revised file.
4. Information Technology
4.1. CERT-In flags critical n8n vulnerability enabling unauthenticated remote code execution
Indian Computer Emergency Response Team (“CERT-In”) has issued Vulnerability Note CIVN-2026-0006 warning of a critical remote code execution vulnerability in the n8n Workflow Automation Platform affecting versions prior to 1.121.0. The vulnerability arises from improper handling of webhook requests and can be exploited by an unauthenticated attacker by triggering certain form-based workflows, potentially resulting in unauthorised access, disclosure of sensitive information, and further compromise of the targeted system. CERT-In rates the issue as CRITICAL with a high risk of unauthenticated arbitrary code execution and recommends applying vendor updates as per n8n’s security guidance; the issue is tracked as CVE-2026-21858.
4.2. CERT-In flags multiple high-severity vulnerabilities in Tenda wireless routers
CERT-In has issued Vulnerability Note CIVN-2026-0004 dated January 8, 2026, reporting multiple high-severity vulnerabilities in Tenda 300Mbps Wireless Router F3 and Tenda N300 Easy Setup Router models (including specified F3 v3.0 and v4.0 firmware versions). The issues include cleartext transmission of login credentials, insecure credential transmission using reversible Base64 encoding, missing HTTPOnly flag on session cookies, and insecure session ID management where credentials are used as the session identifier, which could allow attackers (including those on the same network) to capture credentials or hijack sessions and obtain unauthorised access to router configuration and sensitive information. CERT-In advises applying vendor updates as provided by Tenda and treating this as a confidentiality and integrity risk for affected devices.
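For teams checking their own devices against the four weakness classes listed above, the following is an added example and not part of the CERT-In note or any vendor tooling. It audits a captured login response; the address, cookie names and test password are constructed placeholders, and the Base64 check is a heuristic for the reversible-encoding case.

```python
import base64
import binascii
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, value, attrs

def decode_if_base64_text(value):
    """Return decoded text if value is standard Base64 of printable text, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if len(text) >= 4 and text.isprintable() else None

def audit(url, set_cookie_headers, test_password):
    """Flag the weakness classes from the advisory in one captured login response.

    test_password is the password the auditor set on their own device for the test.
    """
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("cleartext-transport")
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            findings.append(f"missing-httponly:{name}")
        decoded = decode_if_base64_text(value)
        if decoded is not None:
            findings.append(f"reversible-encoding:{name}")
        if test_password in value or (decoded and test_password in decoded):
            findings.append(f"credential-as-session-id:{name}")
    return findings

# Constructed samples (192.0.2.1 is a documentation address, not a real device).
TEST_PASSWORD = "example-pass"
WEAK = ("http://192.0.2.1/login",
        ["password=" + base64.b64encode(TEST_PASSWORD.encode()).decode() + "; path=/"])
HARDENED = ("https://192.0.2.1/login",
            ["session=k3-Zq_9fX2-Lm7Q_tB1v; Path=/; HttpOnly; Secure"])

if __name__ == "__main__":
    for label, (url, cookies) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(url, cookies, TEST_PASSWORD))
```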
4.3. CERT-In flags high-severity privilege escalation in TOTOLINK EX200 firmware
CERT-In has issued Vulnerability Note CIVN-2026-0005 warning of a high-severity privilege escalation issue in TOTOLINK EX200 Wi-Fi Range Extender firmware (an end-of-life model). The vulnerability is caused by improper handling of malformed firmware upload requests, and an authenticated attacker could exploit it by uploading a specially crafted firmware file to gain root-level Telnet access, potentially leading to complete device compromise, arbitrary command execution, configuration changes, and wider network compromise. CERT-In recommends restricting administrative access to trusted networks, preventing unauthorised access to the management interface, monitoring for suspicious activity, and replacing or upgrading the device with a supported model; the issue is tracked as CVE-2025-65606.
Disclaimer
The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.
For further queries or details, you may contact:
Mr Anuroop Omkar
Founding Partner, AK & Partners




