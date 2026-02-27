We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.

1. Labour Law

1.1. Government notifies Industrial Relations Code (Amendment) Act, 2026

The Government of India has notified the Industrial Relations Code (Amendment) Act, 2026, following Presidential assent on February 16, 2026. The amendment, deemed effective from November 21, 2025, revises provisions relating to repeal and transition under the Industrial Relations Code, 2020, clarifying that existing tribunals and statutory authorities constituted under the repealed labour laws will continue to function until corresponding bodies under the Code become operational, ensuring regulatory continuity during the transition.

1.2. Karnataka notifies welfare fee framework for platform based gig workers

The Government of Karnataka has issued a notification under the Karnataka Platform Based Gig Workers (Social Security and Welfare) Act, 2025 and the corresponding Rules, 2025, mandating the levy and collection of a welfare fee on payouts made to gig workers through digital platforms and aggregators. The notification prescribes a welfare fee of 1 per cent (one per cent) of transaction payouts, subject to category-wise caps across ride-hailing, delivery, logistics, e-marketplace and professional services, with immediate effect. Platforms are required to deposit the fee on a quarterly basis and report transaction details through the Payment and Welfare Fee Verification System, aimed at funding social security benefits and strengthening welfare measures for gig workers in the State.

1.3. Uttarakhand permits 24×7 operation of shops and establishments

The Government of Uttarakhand has issued a notification under the Uttarakhand Shops and Establishments Act, 2017, permitting shops and commercial establishments across the State to remain open on a 24×7 basis, subject to compliance with applicable labour law requirements. The notification clarifies that while establishments may operate round the clock based on business needs, working hours, weekly holidays and employee welfare conditions must continue to be governed in accordance with statutory provisions under the Act.

1.4. Ministry of Labour releases Compliance Handbook for Employers under the Four Labour Codes

The Ministry of Labour and Employment has released a Compliance Handbook for Employers under the Four Labour Codes to provide simplified guidance on compliance requirements under the Code on Wages, 2019, Industrial Relations Code, 2020, Occupational Safety, Health and Working Conditions Code, 2020 and the Code on Social Security, 2020. The handbook outlines key employer obligations, streamlined registration and licensing processes, reduced compliance filings and practical action points aimed at facilitating ease of doing business while ensuring labour welfare and regulatory clarity.

1.5. Rajasthan introduces Shops and Commercial Establishments (Amendment) Bill, 2026

The Rajasthan Government has introduced the Rajasthan Shops and Commercial Establishments (Amendment) Bill, 2026 to amend the Rajasthan Shops and Commercial Establishments Act, 1958, with effect from December 17, 2025. The Bill proposes revisions to working hour limits by increasing the daily working hours from nine to ten hours, enhancing quarterly overtime limits and modifying rest interval requirements. It also revises age related provisions, including increasing the minimum age for apprentices and strengthening safeguards relating to employment of young persons, with the objective of improving operational flexibility while aligning labour protections with updated regulatory standards.

2. Stock Exchanges

2.1. NSDL amends Business Rules to strengthen penalty framework for cybersecurity non-compliances

National Securities Depository Limited ("NSDL") has issued a circular amending Rule 18.1.1 of its Business Rules to introduce an enhanced penalty structure for cybersecurity and cyber resilience framework related non-compliances. The amendments prescribe monetary penalties and disciplinary actions for delays or deficiencies in cyber incident reporting, submission of mitigation and forensic reports, implementation of corrective measures and failure to comply with SEBI's cybersecurity framework, including restrictions on new client registrations in cases of continued non-compliance. Participants have been advised to take note of the revised framework and ensure timely compliance.

2.2. NSDL revises pay-in and pay-out timelines for NSE and BSE settlements

NSDL has issued a circular revising pay-in and pay-out timelines for select NSE and BSE settlements following intimations from NSE Clearing Limited and Indian Clearing Corporation Limited due to a settlement holiday. The revised schedule advances deadline timings for securities pay-in across normal market, institutional trading platform and SLB settlements, with corresponding updates reflected in the eDPM and Local DPM systems. Participants have been advised to execute and verify pay-in instructions within the revised timelines to ensure smooth settlement processing.

2.3. NSDL implements GS-FPI flag for FPIs investing exclusively in Government Securities

NSDL has issued a circular implementing a GS-FPI flag in the depository system for Foreign Portfolio Investors ("FPIs") investing exclusively in Government Securities, in line with SEBI's ease of compliance framework. The enhancement enables identification of eligible FPI demat accounts and permits transactions, corporate actions and pledge related activities limited to Government Securities, with corresponding updates introduced in back office file formats. The changes have been implemented in the NSDL depository system with effect from February 20, 2026.

2.4. CDSL introduces stamp duty payment indicator facility for depository participants

CDSL has introduced a Stamp Duty Payment Indicator within its depository system to provide flexibility in stamp duty debit arrangements during transaction processing. The enhancement enables Depository Participants ("DPs") to specify whether stamp duty should be debited from the client's virtual bank account or the DP's virtual bank account, replacing the existing default mechanism linked to the transaction initiator. DPs have been advised to update their back office systems to ensure smooth implementation of the new facility.

3. Information Technology

3.1. CERT-In flags high severity vulnerabilities in Google Chrome

CERT-In issued Vulnerability Note CIVN-2026-0090, rating as HIGH a critical vulnerability affecting Google Chrome for Desktop (versions prior to 145.0.7632.75/76 for Windows and Mac, and prior to 144.0.7559.75 for Linux). CERT-In stated that the vulnerability arises from a use-after-free condition in the CSS component of Chrome's rendering engine, which could allow a remote attacker to execute arbitrary code on a targeted system through a specially crafted webpage. Successful exploitation may result in system compromise, data exposure and service disruption. CERT-In has advised organisations and inpiduals using affected versions of Google Chrome to immediately apply the latest security updates and patches to mitigate associated risks.

3.2. CERT-In flags high severity vulnerabilities in GitLab

CERT-In issued Vulnerability Note CIVN-2026-0091, rating as HIGH, multiple vulnerabilities affecting GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 18.8.4, 18.7.4 and 18.6.6. CERT-In stated that the vulnerabilities arise from improper input validation, authorisation weaknesses and request handling flaws, which could allow attackers to steal sensitive information, bypass access controls, execute cross-site scripting and HTML injection attacks, manipulate application data or cause denial of service (DoS) conditions. CERT-In has advised organisations and inpiduals operating self-managed GitLab instances to immediately update to the latest patched versions to mitigate potential risks.

3.3. CERT-In flags high severity remote code execution vulnerability in Microsoft Edge

CERT-In issued Vulnerability Note CIVN-2026-0092, rating as HIGH a remote code execution vulnerability affecting Microsoft Edge (Chromium-based) versions prior to 144.0.3719.115. CERT-In stated that the vulnerability arises from a heap buffer overflow condition in the libvpx component, which could allow a remote attacker to execute arbitrary code by persuading a user to visit a specially crafted webpage. Successful exploitation may result in unauthorized access, system compromise and exposure of sensitive data. CERT-In has advised organisations and inpiduals using affected Microsoft Edge versions to immediately apply the latest security updates to mitigate associated risks.

3.4. CERT-In flags critical remote code execution vulnerability in Unstructured.io

CERT-In issued Vulnerability Note CIVN-2026-0093, rating as CRITICAL a remote code execution vulnerability affecting Unstructured-IO versions prior to 0.18.18. CERT-In stated that the vulnerability arises from improper sanitization of attachment filenames, leading to a path traversal issue that could allow an unauthenticated remote attacker to execute arbitrary code through specially crafted files. Successful exploitation may result in unauthorized access, data tampering and full system compromise. CERT-In has advised organisations and inpiduals using affected versions of Unstructured-IO to immediately update to the latest patched release to mitigate associated risks.

3.5. CERT-In flags critical authentication bypass vulnerability in Dell RecoverPoint for Virtual Machines

CERT-In issued Vulnerability Note CIVN-2026-0094, rating as CRITICAL an authentication bypass vulnerability affecting Dell RecoverPoint for Virtual Machines (RP4VM) versions prior to 6.0.3.1 HF1. CERT-In stated that the vulnerability arises due to the presence of a hardcoded credential, which could allow an unauthenticated remote attacker to gain unauthorized access and potentially achieve root level control over affected systems. Successful exploitation may result in complete system compromise and persistent unauthorized access. CERT-In has advised organisations using affected versions to immediately apply security updates and patches to mitigate associated risks.

3.6. CERT-In flags high severity vulnerabilities in Mozilla products

CERT-In issued Vulnerability Note CIVN-2026-0095, rating as HIGH multiple vulnerabilities affecting Mozilla Firefox, Firefox ESR, Thunderbird and Firefox for iOS versions prior to specified patched releases. CERT-In stated that the vulnerabilities arise from issues including heap buffer overflow and improper handling of web content, which could allow a remote attacker to execute arbitrary code or gain unauthorized access to sensitive information by luring users to malicious webpages. Successful exploitation may result in data theft, information disclosure and system compromise. CERT-In has advised organisations and inpiduals using affected Mozilla products to immediately update to the latest secure versions to mitigate associated risks.

3.7. CERT-In flags high severity vulnerabilities in Google Chrome for Desktop

CERT-In issued Vulnerability Note CIVN-2026-0096, rating as HIGH multiple vulnerabilities affecting Google Chrome for Desktop versions prior to 145.0.7632.109/110 for Windows and Mac, and prior to 144.0.7559.109 for Linux. CERT-In stated that the vulnerabilities arise from heap buffer overflows and integer overflow issues in components such as PDFium and V8, which could allow a remote attacker to execute arbitrary code, cause memory corruption or trigger denial of service (DoS) conditions through specially crafted webpages. CERT-In has advised organisations and inpiduals using affected versions of Google Chrome to immediately apply the latest security updates to mitigate associated risks.

3.8. CERT-In flags high severity vulnerabilities in Jenkins

CERT-In issued Vulnerability Note CIVN-2026-0097, rating as HIGH multiple vulnerabilities affecting Jenkins weekly versions 2.550 and prior, and Jenkins LTS versions 2.541.1 and prior. CERT-In stated that the vulnerabilities arise from improper input validation and insufficient access controls, which could allow authenticated attackers to perform stored cross-site scripting (XSS) attacks and gain unauthorized access to restricted build information. Successful exploitation may lead to administrative session compromise and exposure of sensitive CI/CD data. CERT-In has advised organisations and inpiduals using affected Jenkins versions to immediately upgrade to the latest patched releases to mitigate associated risks.

