- within Corporate/Commercial Law topic(s)
- with readers working within the Law Firm industries
- within Corporate/Commercial Law, Privacy and Employment and HR topic(s)
- with Inhouse Counsel
We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. Centre tells Delhi High Court Industrial Relations Code rules will be finalised by February-end
Central Government informed the Delhi High Court that the rules under the Industrial Relations Code, 2020 would be finalised by the end of February, and said it had issued a notification to address gaps and ensure continuity of existing tribunals until new institutions are set up under the code; the court closed the proceedings while leaving scope for fresh challenge if implementation issues arise later.
1.2. MoLE issued the Industrial Relations Code (Removal of Difficulties) (Amendment) Order, 2026
Ministry of Labour and Employment issued the Industrial Relations Code (Removal of Difficulties) (Amendment) Order, 2026, under Section 103 (one hundred and three) of the Industrial Relations Code, 2020, partially modifying its earlier order dated December 8, 2025, and noting that all provisions of the Industrial Relations Code, 2020 had been brought into force with effect from November 21, 2025. The amendment inserts a clarification that all existing statutory authorities constituted under the Trade Unions Act, 1926, the Industrial Employment (Standing Orders) Act, 1946, and the Industrial Disputes Act, 1947 shall continue to function until corresponding statutory authorities are appointed under the Industrial Relations Code, 2020, to ensure continuity of functions, a smooth transition, and to avoid any legal or administrative vacuum.
2. Stamp Duty
2.1. Gujarat introduces processing fee for e-registration of documents
The Revenue Department, Government of Gujarat, issued a circular introducing a processing fee for e-registration of documents, stated as INR 100 (Indian Rupees One Hundred only) per document, as part of the State's e-registration workflow (alongside stamp duty and registration formalities). The circular is positioned as an administrative change for online registration processing rather than a rate change to stamp duty itself.
2.2. Punjab revises stamp duty relief for cooperative housing society registrations
Punjab issued a revised notification under Section 38 of the Punjab Co-operative Societies Act, 1961, making the stamp duty relief for cooperative housing society apartments prospective and tightening eligibility, including limiting the waiver to allotments up to November 20, 2025, while later allotments/transfers are required to pay stamp duty as applicable. The revised framework also keeps the registration fee at 1 per cent (one per cent), capped at INR 2,00,000 (Indian Rupees Two Lakhs only), and is intended to address disputes around delayed registrations and pending conveyance deeds.
3. Stock Exchanges
3.1. NSE to levy annual maintenance charge for all registered Authorised Persons from FY 2026–27
National Stock Exchange of India Limited ("NSE") informed trading members that an Annual Maintenance Charge ("AMC") of INR 5,000 (Indian Rupees Five Thousand only) per Authorised Person ("AP") will apply across segments for all APs recorded as registered as on March 31 each year, and the AMC for Financial Year 2026–2027 will be imposed in April 2026. NSE clarified that once charged, the AMC will not be refunded even if the AP registration is cancelled during the year, including due to disciplinary action. It also advised trading members to regularly review AP status and cancel registrations of APs showing prolonged inactivity of 6 (six) months or more before March 31, 2026, to avoid the AMC being levied.
3.2. NSDL extends deadline for Depository Participants to upload client KYC records to KRAs for validation
National Securities Depository Limited ("NSDL") extended the compliance timeline for Depository Participants to ensure Know Your Customer ("KYC") records of all non-closed clients are uploaded to KYC Registration Agencies ("KRAs") and that only clients with KRA status as "KYC Registered" or "KYC Validated" are permitted to transact, to support interoperability and avoid investor inconvenience. NSDL referenced earlier Securities and Exchange Board of India ("SEBI") circulars dated October 12, 2023 and August 11, 2023, which require intermediaries to upload client KYC details and dispatch KYC documents within 3 (three) working days of execution, allow clients to commence transactions upon completion of the KYC process, but restrict further transactions where KYC attributes are not verified by the KRAs until verification is completed. Based on representations from Depository Participants seeking additional time under NSDL circulars dated December 4, 2025, and December 31, 2025, NSDL extended the deadline up to April 3, 2026, and asked participants to accord the highest priority to uploading all pending KYC records within the extended timeline.
3.3. CDSL directs DPs not to levy AMC on "to be closed" demat accounts holding only illiquid, suspended or delisted securities
Central Depository Services (India) Limited
("CDSL") issued a communiqué to
Depository Participants ("DPs")
referring to its earlier communiqué dated September 30,
2025, on non-charging of AMC in demat accounts consisting of
illiquid, suspended, or delisted securities. CDSL stated that it is
sharing with DPs a list of Beneficial Owners
("BOs") whose demat accounts are in
"To be Closed" status and hold only such securities
(identified based on details received from stock exchanges), and
advised DPs to review the list and ensure AMC is not charged to
those BO IDs, subject to the circumstances in the September 30,
2025 communiqué. CDSL also specified that DP-wise lists have
been placed in each DP's billing folder with the naming
convention "BLNG<
3.4. CDSL amends DP Operating Instructions on demat statements and Consolidated Account Statement dispatch
CDSL issued a communiqué to DPs confirming amendments to its DP Operating Instructions (OI) Chapter 16 (Statement of Accounts) to align with a SEBI circular dated July 1, 2024 on dispatch of the Consolidated Account Statement ("CAS") for all securities assets. The revised process shifts certain low-activity account communications to email by requiring at least 1 (one) annual holding statement through email for demat accounts with no transactions and nil balance even after the account has remained in that state for 1 (one) year, while allowing investors who do not wish to receive the holding statement through email to opt for physical statements by providing written consent. It further provides that, for remaining accounts, 1 (one) annual holding statement should be sent through email unless the investor has specifically opted to receive it in physical form, and for demat accounts with credit balance but no transactions during the year, a half-yearly holding statement should be sent through email. The amendments also note that where the depository directly sends account statements (including transaction statements, CAS and holding statements) to the client, DPs are not required to separately send such statements in the specified circumstances.
3.5. NSE clarifies variable networth computation pending SEBI's revised specification
NSE issued a compliance circular clarifying that, until the SEBI specifies a revised variable networth requirement under the Securities and Exchange Board of India (Stock Brokers) Regulations, 2026, all members must continue to comply with the variable networth requirement under the Securities and Exchange Board of India (Stock Brokers) Regulations, 1992. NSE reiterated that the variable networth requirement is calculated as 10 per cent (ten per cent) of the average daily cash balance of clients retained with the stock broker across segments/exchanges in the previous 6 (six) months, as reflected in its earlier circulars and the referenced SEBI gazette notification.
4. Information Technology
4.1. CERT-In flags Microsoft Edge vulnerability enabling sensitive information exposure
Indian Computer Emergency Response Team ("CERT-In") issued Vulnerability Note CIVN-2026-0077 reporting a medium-severity vulnerability in Microsoft Edge (Chromium-based) affecting versions prior to 144.0.3719.104, arising from inappropriate implementation in the Background Fetch Application Programming Interface (API). CERT-In stated that a remote attacker could exploit the issue by persuading a user to visit a specially crafted website, potentially resulting in unauthorised access to sensitive data and exposure of sensitive information on the targeted system, and advised users and organisations to apply Microsoft's security updates, referencing CVE-2026-1504.
4.2. CERT-In issues high-severity alert on OpenSSL CMS parsing flaw with potential remote code execution
CERT-In issued Vulnerability Note CIVN-2026-0075, rating it high severity, on a flaw in OpenSSL affecting OpenSSL versions 3.0 prior to 3.0.19, 3.3 prior to 3.3.6, 3.4 prior to 3.4.4, 3.5 prior to 3.5.5, and 3.6 prior to 3.6.1. The issue arises from improper handling of CMS AuthEnvelopedData structures using authenticated encryption with associated data (AEAD) ciphers such as AES-GCM, where the Initialisation Vector encoded in ASN.1 parameters may be copied into a fixed-size stack buffer without validating length, creating a stack-based buffer overflow. CERT-In stated that exploitation could allow an attacker to cause denial of service or potentially execute arbitrary code where applications or services process untrusted CMS or PKCS#7 content using OpenSSL, and advised updating to the latest patched OpenSSL versions, referencing CVE-2025-15467.
4.3. CERT-In flags high-severity DoS vulnerability in F5 BIG-IP Advanced WAF and ASM
CERT-In issued Vulnerability Note CIVN-2026-0074, rating it high severity, on a denial-of-service vulnerability affecting F5 BIG-IP Advanced Web Application Firewall and Application Security Manager versions 17.1.0 to 17.1.2. CERT-In noted that, under specific undisclosed request conditions and circumstances beyond an attacker's control, the "bd" process can unexpectedly terminate, which could allow an unauthenticated attacker to disrupt system availability and cause a denial-of-service condition on the BIG-IP system. CERT-In advised applying the vendor security updates referenced in F5's advisory and linked remediation guidance, and cited CVE-2026-22548.
4.4. CERT-In warns of critical remote code execution risk in React Native Metro Server on Windows
CERT-In issued Vulnerability Note CIVN-2026-0073 rating a vulnerability in the React Native Metro Server as critical, affecting @react-native-community/cli and @react-native-community/cli-server npm packages prior to versions 18.0.1, 19.1.2 and 20.0.0. CERT-In stated that insecure default binding to external network interfaces and insufficient input validation in the Metro Development Server could allow an unauthenticated attacker to exploit an exposed endpoint by sending a specially crafted POST request over the network, enabling arbitrary executable and shell command execution on the targeted system, with risks of full system compromise, privilege escalation, persistence, sensitive information disclosure, and malware deployment. CERT-In advised updating to the patched versions and referenced CVE-2025-11953 and the associated GitHub advisory for remediation details.
4.5. CERT-In flags high-severity remote code execution vulnerability in n8n workflow automation platform
CERT-In issued Vulnerability Note CIVN-2026-0072, rating it high severity, on a remote code execution vulnerability affecting n8n versions prior to 1.123.17 and 2.5.2. CERT-In stated that insufficient validation in n8n's JavaScript expression evaluation mechanism could allow an attacker to inject specially crafted expressions into workflow parameters, bypass security controls, escape the restricted execution environment, and execute arbitrary code, potentially leading to full compromise of the affected n8n instance, exposure of credentials and sensitive data, and system takeover. CERT-In advised applying the relevant vendor security updates and, as workarounds, restricting workflow creation and editing permissions to trusted users and deploying n8n in a hardened environment with restricted operating system privileges and network access, referencing CVE-2026-25049.
4.6. CERT-In flags open redirect vulnerability in Cisco EPNM and Prime Infrastructure web interfaces
CERT-In issued Vulnerability Note CIVN-2026-0071, rating it medium severity, on an open redirect vulnerability affecting the web-based management interfaces of Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure. CERT-In stated that improper input validation of parameters in HTTP requests could allow an unauthenticated remote attacker to exploit intercepted and modified user requests to redirect users to a malicious webpage, with potential impact on confidentiality, integrity, and availability. CERT-In advised applying the updates referenced in Cisco's security advisory and mapped the issue to CVE-2026-20123.
4.7. CERT-In flags high-severity vulnerabilities in Google Chrome for Desktop
CERT-In issued Vulnerability Note CIVN-2026-0066 on multiple vulnerabilities in Google Chrome for Desktop affecting Windows, macOS, and Linux versions prior to 144.0.7559.132/.133 (Windows/macOS) and 144.0.7559.132 (Linux). The issues include 2 (two) tracked flaws, namely a heap buffer overflow in libvpx and type confusion in the V8 JavaScript engine, which could be exploited if a victim is persuaded to visit a specially crafted web page. CERT-In assessed a high risk of system compromise and service unavailability, stating that successful exploitation could bypass security restrictions and enable arbitrary code execution on the targeted system. Users and organisations were advised to apply the vendor's security updates to remediate CVE-2026-1861 and CVE-2026-1862.
4.8. CERT-In flags high-severity QNAP NAS vulnerability and urges patching for affected QTS versions
CERT-In issued Vulnerability Note CIVN-2026-0076, rating it high severity, on a vulnerability affecting QNAP QTS 4.3.x used on QNAP network-attached storage (NAS) devices. CERT-In stated that a misconfiguration of Network File System (NFS) settings could allow a remote attacker to bypass security restrictions, potentially enabling unauthorised access or actions and exposing sensitive data on the targeted system, and it advised users and organisations to apply vendor updates referenced in QNAP's security advisory QSA-25-56 (CVE-2025-66276).
5. Tax
5.1. Social Welfare Surcharge and AIDC recalibrated for select imports from February
Notification No. 03/2026-Customs amends earlier notifications to revise Social Welfare Surcharge and Agricultural Infrastructure Development Cess on specified tariff items and states that (save as otherwise provided) it comes into force on February 2, 2026, with certain changes taking effect from April 1, 2026, and May 1, 2026. Importers will need to apply the revised levy structure (including rates such as 0.5 per cent (zero point five per cent) where applicable) for affected goods.
5.2. Finance Bill proposes GST compliance relaxations on post-sale discounts and refunds
The Union Budget FY 2026-27 changes note states that amendments are proposed to the Central Goods and Services Tax Act, 2017 to remove the requirement of linking post-sale discounts with an agreement and to align the credit note mechanism where input tax credit is reversed by the recipient. It also proposes extending provisional refund provisions to refunds arising from inverted duty structure, with amendments to take effect from the date they are notified (aligned, where possible, with State-level amendments).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
