AKP Corporate & Compliance Digest November 24, 2025

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.

1.  Labour Law

1.1. Centre notifies core provisions of Code on Social Security, 2020

The Ministry of Labour and Employment has appointed November 21, 2025 as the commencement date for most of the Code on Social Security, 2020, bringing into force the primary framework of the Code on Social Security, 2020 governing definitions, coverage, institutions, schemes, compliance, enforcement and transitional arrangements for social security benefits for employees and other workers now becomes operational, while only limited residual provisions remain to be notified.

1.2.  Centre brings entire Industrial Relations Code, 2020 into force

The Ministry of Labour and Employment has notified the Industrial Relations Code, 2020. The Central Government has appointed November 21, 2025, as the date on which all provisions of the IR Code come into force, making the entire statute simultaneously operative across India. The Code consolidates and replaces three earlier central labour laws, the Trade Unions Act, 1926, the Industrial Employment (Standing Orders) Act, 1946 and the Industrial Disputes Act, 1947, into a single framework governing trade union, standing orders, conditions of employment, and investigation and settlement of industrial disputes, so employers and workers must now align their industrial relations practices with this unified code.

1.3. Centre brings core wage, bonus and enforcement provisions of Code on Wages, 2019 into force

The Ministry of Labour and Employment has announced that the main provisions of the Code on Wages, 2019 came into effect on November 21, 2025. These include rules on scope, definitions, gender-based wage discrimination, minimum and floor wages, working hours, overtime, wage payment, deductions, and statutory bonus. The notification also covers State Advisory Boards, payment responsibilities, claims and disputes, audits, record-keeping, and inspector powers. Offences, penalties, compounding, legal protections, contracting out, overriding effect, delegation, and savings are included as well. It provides for rule-making powers, legislative oversight, and removal-of-difficulty orders for three years. Finally, it repeals the Payment of Wages Act, 1936; Minimum Wages Act, 1948; Payment of Bonus Act, 1965; and Equal Remuneration Act, 1976, with savings for prior actions. Parts already enforced under the December 18, 2020 notification remain unchanged.

1.4. Centre enforces Occupational Safety, Health and Working Conditions Code, 2020 on workplace safety and working conditions

The Ministry of Labour and Employment has notified that the provisions of the Occupational Safety, Health and Working Conditions Code, 2020 will come into force from November 21, 2025, bringing into operation a unified central framework on workplace safety, employee health and service conditions. The Code consolidates and replaces 13 (thirteen) central labour laws relating to factories, mines, docks, contract labour, building and construction and inter-State migrant workmen, including the Factories Act, 1948 and the Mines Act, 1952, and introduces common norms on registration of establishments, licensing of contractors, duties of employers, maximum working hours, leave, welfare facilities and occupational health services for workers across sectors.

1.5. Karnataka notifies public and bank holidays for businesses and citizens

Government of Karnataka has issued notifications listing State-wide public holidays and bank holidays for the year 2026, specifying that all Sundays, Second Saturdays and Fourth Saturdays will remain holidays in addition to key national and religious occasions such as Republic Day, Independence Day, Gandhi Jayanti, Ugadi, Eid-ul-Fitr, Deepavali and Christmas, which many private employers and commercial establishments commonly follow when settling their own leave calendars. Under the Negotiable Instruments Act, 1881, a matching schedule has been declared as public holidays for commercial banks and co-operative banks across the State, with clarifications that certain festivals falling on Sundays or Second Saturdays (including Maha Shivaratri, Kannada Rajyotsava and Naraka Chaturdashi) are excluded as separate bank holidays. The notifications also provide for three additional local holidays specifically for Kodagu District Kail Muhuruth on September 3, 2026, Tula Sankramana on October 18, 2026, and Huthri Festival on November 26, 2026, during which local businesses and bank branches in that district can expect closures.

1.6. Goa prohibits pharma strikes and reschedules Zilla Panchayat elections

Government of Goa has issued an order under the Goa Essential Services Maintenance Act, 1988 prohibiting strikes in any form in all establishments engaged in manufacturing, packaging, distribution and transportation of pharmaceutical products and components in the State, with immediate effect for 1 (one) month from the date of issue.

1.7. Lakshadweep amends the Industrial Disputes Act, 1947

Industrial Disputes (Lakshadweep) Amendment Regulation, 2025, amends the Industrial Disputes Act, 1947 in its application to the Union territory of Lakshadweep by defining “State Government” as the Administrator and tightening procedures around strikes and lockouts. The amendments extend the requirement to give prior notice now applies to any industrial establishment as well as public utility services and replace the previous six-week notice period with a sixty-day notice period for both workmen and employers, thereby lengthening the lead time before lawful industrial action or lockouts can occur. At the same time, the threshold for the application of Chapter V-B on layoff, retrenchment and closure is raised from 100 (one hundred) to 300 (three hundred) workmen, which will limit the number of establishments in Lakshadweep that are subject to these more stringent job protection provisions.

2. Stamp Duty

2.1. Goa adjusts stamp duty valuation for Housing Board allotments

The Government of Goa, Department of Revenue, has issued an addendum to its earlier orders on fixation of land rates clarifying that the notified minimum land values will not apply when calculating stamp duty for conveyance deeds of plots allotted by the Goa Housing Board under the Goa Housing Board Act, 1968. For such plots, the rate determined by the Goa Housing Board at the time of allotment will be taken as the value for stamp duty and registration purposes, while all other parts of the underlying land-rate orders remain unchanged, as per the order dated November 17, 2025.

2.2. Goa reduces valuation base for small Comunidade plots in urban zones

Through a separate addendum dated November 17, 2025, the Government of Goa has directed that, for Comunidade land parcels up to 400 (four hundred) square metres located within S1 to S4 zones, the base rate used to derive minimum land values will be reduced by 50 per cent (fifty per cent). This change effectively lowers the valuation benchmark used for stamp duty computation on such smaller Comunidade plots while leaving the rest of the earlier fixation-of-land-rates order intact.

3. Stock Exchanges

3.1. NSE directs trading members to file updated FATF declarations on call-for-action jurisdictions

National Stock Exchange of India Limited (“NSE”) has asked all its trading members to submit updated declarations in relation to the Financial Action Task Force (“FATF”) public statement on jurisdictions under call for action and increased monitoring following the October 2025 plenary, by recording the actions taken in the dedicated FATF module on the Exchange’s online compliance portal. Members must either upload the prescribed declaration and client data in the specified digital formats or, where only proprietary trading is carried out and no such exposure exists, submit a “not applicable” one-time declaration through the same module, with the overall due date set as December 5, 2025, for completion of all submissions. The circular reiterates that non-submission or delayed submission will attract penal charges or disciplinary action in line with the Exchange’s earlier inspection circulars and advises members to use the attached user manual and regional or central helpdesk contacts to ensure timely and accurate compliance.

3.2. BSE reminds active members to submit Risk Based Supervision data

Bombay Stock Exchange (“BSE”) has issued a reminder notice requiring all active members who have executed at least 1 (one) trade during the period from April 1, 2025, to September 30, 2025, to submit their information and data for Risk Based Supervision (RBS) to the Exchange on or before November 30, 2025. The submission is mandatory and must be made electronically through the BSE Electronic Filing System (BEFS), failing which members may face penal charges and disciplinary action in line with the Exchange’s earlier notice dated October 10, 2025.

3.3. NSDL introduces new freezing disclosure for joint demat holders and reiterates key compliance timelines

National Securities Depository Limited (“NSDL”) has issued a circular requiring participants to insert an additional clause in the ‘Rights and Obligations’ document under Annexure K, stating that if any statutory order freezes one joint holder, the entire joint dematerialised (demat) account will be frozen and the other joint holders must obtain a specific unfreezing order for their percentage of joint ownership from the same authority by submitting relevant documentary proof. Participants must incorporate this clause under the ‘Freezing/Defreezing of accounts’ section in the ‘Rights and Obligations of the Beneficial Owner’ and ensure that the revised document is executed for clients at the time of demat account opening, with formal amendments to Annexure K of the NSDL Business Rules to follow separately.

3.4. CDSL instructs DPs not to charge AMC on certain demat accounts

Central Depository Services (India) Limited (“CDSL”) has issued a communiqué reminding Depository Participants (“DPs”) of the earlier direction that Annual Maintenance Charge (“AMC”) must not be levied on dematerialised (demat) accounts that are in “To be Closed” status and hold only illiquid, suspended or delisted securities, based on security status information received from the stock exchanges. CDSL has shared DP-wise lists of such Beneficial Owners (“BOs”) through the billing folders of the respective DPs for review and implementation, and clarified that where no such BOs exist, no file will be available. DPs have been advised to ensure that AMC is not charged in these cases in line with the conditions set out in the September 2025 communiqué and to take due note of the instructions to remain fully compliant.

3.5. BSE issues reminder on half-yearly internal audit report submission

BSE has issued a reminder notice requiring all trading members to submit the Internal Audit Report for the half year ended September 30, 2025, on or before November 30, 2025, through the BSE Electronic Filing System (BEFS) in the prescribed format. The notice refers to earlier directions issued in October 2025 that mandated a complete internal audit for this period and warns that non-submission or late submission will attract penal charges and disciplinary action in line with the Exchange’s prior compliance framework. Members have been advised to note the regulatory requirement and to use the designated telephone numbers and e-mail contacts provided in the notice for any process-related or technical queries on the filing of the Internal Audit Report.

3.6. NSE reminder on half-yearly internal audit report submission

NSE has issued a reminder circular dated November 18, 2025, requiring all trading members to submit the Internal Audit Report for the half year ended September 30, 2025, through the Inspection module of the Member Portal by November 30, 2025. The reminder refers to the earlier circular dated October 3, 2025, mandating a complete internal audit for this period and reiterates that non-submission or late submission of the Internal Audit Report will attract penal charges and disciplinary action in line with the Exchange’s inspection framework. Trading members have been advised to treat the deadline as mandatory and to approach the designated regional offices or the central help desk for any operational or compliance-related clarifications.

3.7. NSE reminder on submission of Risk Based Supervision data

NSE has issued a reminder circular requiring all active trading members who have executed at least 1 (one) trade during the period from April 1, 2025, to September 30, 2025, to submit the required information and data for Risk Based Supervision (RBS) to the Exchange on or before November 30, 2025, through the Inspection module of the Member Portal. The submission is mandatory, and NSE has cautioned that non-submission or delayed submission of RBS data will attract penal charges and disciplinary action in line with its earlier inspection circular, while regional offices and a central help desk have been made available to assist members with any clarification or operational issues in completing the filing.

3.8. NCL reminds members to submit half-yearly net worth certificates

NSE Clearing Limited (“NCL”) has issued a reminder circular dated November 17, 2025, requiring all clearing members to submit their half-yearly Net worth Certificate as on September 30, 2025, by November 30, 2025, through the NCL Member Portal. The circular reiterates that members must comply with the applicable net worth requirement, namely the higher of the Base Net worth or Variable Net worth, as prescribed under the Securities and Exchange Board of India (SEBI) Gazette Notification No. SEBI/LAD-NRO/GN/2022/73 dated February 23, 2022, and clarifies that the computation should follow the methodology set out in NCL Circular NCL/CMPL/55460 dated February 1, 2023. NCL has warned that non-submission of the Net worth Certificate within the due date or any shortfall in net worth will invite action in accordance with the NCL master circular dated April 30, 2025 and administrative circulars dated May 8, 2025 and has urged members to ensure timely filing and adherence to the prescribed thresholds.

4. Information Technology

4.1. CERT-In flags critical path traversal flaw in Fortinet FortiWeb firewalls

Indian Computer Emergency Response Team (“CERT-In”) has issued Vulnerability Note CIVN-2025-0321 on a critical path traversal vulnerability (CVE 2025 64446) in Fortinet FortiWeb web application firewalls (WAF), warning that an unauthenticated attacker could execute administrative commands on affected systems and gain complete control over exposed devices. The flaw, disclosed on November 17, 2025, stems from an input validation error in processing directory traversal sequences in FortiWeb versions 7.0.0 to 7.0.11, 7.2.0 to 7.2.11, 7.4.0 to 7.4.9, 7.6.0 to 7.6.4 and 8.0.0 to 8.0.1, and may be exploited via crafted Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) requests to bypass authentication, create administrator accounts, and exfiltrate data. Organisations and individuals running the impacted FortiWeb versions face a high risk of system compromise and are strongly advised to apply vendor patches urgently, restrict Internet exposure of management interfaces, and closely monitor for signs of exploitation in the wild.

4.2. CERT-In warns of multiple high-severity flaws in Mozilla Thunderbird

CERT-In has issued Vulnerability Note CIVN-2025-0323 on November 18, 2025, highlighting multiple high-severity security flaws in the Mozilla Thunderbird email client, affecting versions prior to 145 (one hundred and forty-five) and 140.5 (one hundred and forty point five), which could allow remote attackers to execute arbitrary code on targeted systems. The vulnerabilities stem from race conditions and incorrect boundary checks in graphics and JavaScript components, same-origin policy and mitigation bypasses in the Document Object Model (DOM), use-after-free bugs in Web Real-Time Communication (WebRTC) and audio or video modules, spoofing issues, sandbox escape weaknesses and various memory safety errors, collectively creating a high risk of system compromise and service disruption. Successful exploitation generally involves luring a user into opening a specially crafted web request, potentially resulting in complete system takeover and service unavailability. All organisations and individuals using Mozilla Thunderbird are advised to prioritise this advisory and promptly apply the latest vendor security updates and configuration hardening measures to mitigate the risk.

4.3. CERT-In issues high-risk advisory on multiple vulnerabilities in Intel products

CERT-In has released Advisory CIAD-2025-0044 dated November 18, 2025, on multiple vulnerabilities affecting a wide range of Intel products, warning that flaws in server utilities, wireless and graphics software, firmware, developer tools and artificial intelligence or accelerator components could allow attackers to gain elevated privileges, exfiltrate sensitive information or cause denial-of-service conditions leading to full system compromise and instability. The advisory, which rates the risk as high for all individuals and organisations using the impacted Intel software and firmware, notes that exploitation may result in unauthorised access, service outages and compromise of confidentiality and integrity, and urges users to promptly review Intel’s security updates and apply the prescribed patches and mitigations from the Intel Security Centre to secure their environments.

4.4. CERT-In issues high-risk advisory on Windows kernel privilege escalation vulnerability

CERT-In has published Vulnerability Note CIVN-2025-0324 on a high-severity privilege escalation flaw in the Microsoft Windows kernel affecting multiple supported releases of Windows 10 (ten), Windows 11 (eleven) and Windows Server 2019 (two thousand and nineteen), 2022 (two thousand and twenty-two) and 2025 (two thousand and twenty-five), warning that a local attacker with low privileges could exploit a race condition in shared kernel resources to gain elevated permissions on the system. The advisory flags a high risk to confidentiality, integrity and availability, as successful exploitation may enable unauthorised data manipulation, installation of malicious software and disruption of services on compromised endpoints and servers. Organisations and individual users are advised to urgently verify affected build numbers against Microsoft’s security guidance for CVE-2025-62215 and apply the latest cumulative security updates across all impacted Windows deployments as the primary mitigation.

4.5. CERT-In warns of critical Zyxel device flaws allowing command execution and DoS

CERT-In has issued Vulnerability Note CIVN-2025-0325 on multiple high-risk vulnerabilities in a wide range of Zyxel devices, including 4G Long Term Evolution (4G LTE) and 5G New Radio (5G NR) customer premises equipment (CPE), digital subscriber line or Ethernet CPE, fibre optical network terminals (ONTs), security routers and wireless extenders, which collectively pose critical risks to the confidentiality, integrity and availability of affected systems. The advisory identifies home and small office or home office users, information technology and network administrators, and managed service providers or Internet service providers as key audiences and urges all entities using the listed Zyxel models to promptly apply the vendor’s security firmware and software updates from the Zyxel security advisory and to review their exposure of management interfaces to reduce the likelihood of successful exploitation.

4.6. CERT-In issues critical advisory on authentication bypass in ASUS DSL routers

CERT-In has released Vulnerability Note CIVN-2025-0322 on a critical authentication bypass flaw in ASUS Digital Subscriber Line (DSL) series routers, specifically models DSL-AC51, DSL-N16 and DSL-AC750, that could allow remote attackers to gain unauthorised access to affected systems. Issued on November 17, 2025, the advisory warns that successful exploitation enables attackers to bypass security controls, modify configuration settings and access sensitive information traversing the routers, leading to severe compromise of confidentiality, integrity and availability. CERT-In highlights that the issue affects home users, small office environments, enterprises and service providers relying on these devices for internet connectivity and urges organisations and individuals using ASUS DSL routers to promptly review their deployments, implement vendor-recommended security fixes and harden network configurations to reduce the risk of compromise. 

Disclaimer

The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.

For further queries or details, you may contact:

Mr Anuroop Omkar

Founding Partner, AK & Partners

info@akandpartners.in