December 2023. A compliance officer at a mid-cap listed company opens an email. SEBI's inspection team has sent its preliminary observations. Item 7 reads: "The company's investor relations website is not accessible to differently-abled persons in accordance with IS 17802 and applicable WCAG standards. Non-compliant." The compliance officer had never heard of IS 17802. The website team, when asked, says the site "passes Google Lighthouse." Neither of those statements was wrong. Neither of them answered the SEBI observation. This article explains the gap.
The gap is not technical ignorance. It is the difference between a performance metric and a conformance standard. Lighthouse measures speed, basic markup quality, and a subset of automated accessibility rules. IS 17802 is a legal standard. The SEBI circular that cites it is a regulatory mandate with inspection teeth. A 95 Lighthouse score does not produce an evidence file. It does not record screen-reader testing. It does not carry the signature of a competent authority. Those are the things an inspector is asking for.
Below is a section-by-section breakdown of what the circular requires, who it covers, what the standard actually says, and what the evidence file must contain. If you are a compliance officer, a company secretary, or an IT head at a SEBI-regulated entity, this is the document to bookmark before the next inspection cycle.
What's in this piece
01 · What the circular actually says
The circular number is SEBI/HO/OIAE/OIAE_IAD-1/P/CIR/2023/147. It was issued on August 24, 2023, by SEBI's Office of Investor Assistance and Education. That office sits within the Human Rights and Grievance redressal function at SEBI headquarters, Mumbai. The circular is addressed to all recognised stock exchanges, depositories, and SEBI-registered intermediaries.
The core requirement, stripped of regulatory prose: every SEBI-regulated entity must ensure its websites and mobile applications are accessible to persons with disabilities, tested against IS 17802 — the Bureau of Indian Standards standard for ICT accessibility. Entities were given six months from the date of the circular to achieve compliance, placing the implementation deadline at approximately February 24, 2024.
What that deadline actually required, in operational terms:
- Conduct an accessibility audit by a competent authority — a qualified testing organisation with demonstrated IS 17802 and WCAG expertise
- Publish an accessibility statement on the entity's website declaring conformance level, standard tested to, date of the last audit, and a contact mechanism for accessibility feedback
- Identify and begin remediation of material barriers found during the audit — the circular does not accept "audit scheduled" as compliance
- Maintain evidence of compliance available for SEBI inspection — a report, a statement, and a remediation log
The mandate has teeth
The six-month deadline is not aspirational. SEBI's subsequent inspection cycles — Comprehensive and Thematic Inspections for brokers, examination letters for listed companies — began citing IS 17802 non-compliance as an observation from Q4 2023 onwards. Entities that have not yet completed an audit are not merely behind on a best-practice checklist. They are exposed to a formal observation in their next SEBI inspection, with a follow-up response obligation and potential escalation to adjudication proceedings.
02 · Who it applies to
The circular's addressee list is broad. If your entity files periodic compliance reports to SEBI and operates a public-facing digital interface, the starting assumption should be that it applies. The specific categories:
Investor relations portals, investor complaint mechanisms, annual report downloads, quarterly result disclosures, corporate governance filings, AGM notice portals.
The exchange portal itself — NSE and BSE have already undergone formal IS 17802 audits. Regional exchanges and commodity exchanges are in scope on the same basis.
CDSL and NSDL investor interfaces — account statements, nomination facilities, grievance portals, DIS request modules.
Member-facing and investor-facing portals operated by NSCCL, ICCL, and MCX-SX CC.
Stockbrokers, commodity brokers, merchant bankers, underwriters — every SEBI-registered intermediary with a client-facing web or mobile interface.
SEBI-registered IAs and RAs with websites through which clients access recommendations, disclaimers, or complaint portals.
AMFI-member AMC websites and investor portals — transaction platforms, NAV disclosures, SIP management, KYC onboarding flows.
SEBI-registered portfolio managers and alternative investment funds with investor-facing reporting or onboarding interfaces.
A word on scope limits: the circular does not explicitly cover entirely internal tools used only by employees of a regulated entity with no investor or client-facing function. But the investor-facing definition is wide. If a grievance contact page, a disclosure download, or an investor statement lives on your domain, that page is in scope.
03 · What IS 17802 is
IS 17802 is a Bureau of Indian Standards (BIS) standard for ICT accessibility. BIS published it in 2020, drawing on the International Telecommunication Union's ITU-T H.870 series and, more directly, the European harmonised standard EN 301 549. It exists in two parts. Part 1 covers ICT products and services — hardware, software, documentation, support services. Part 2 covers web content. For SEBI purposes, Part 2 is the operative document.
IS 17802 Part 2 is not a parallel standard to WCAG. It is functionally equivalent to EN 301 549, which adopts WCAG 2.1 by reference as its web content accessibility requirements. The inheritance chain is: IS 17802 Part 2 → EN 301 549 → WCAG 2.1. In testable terms, IS 17802 compliance for a website means WCAG 2.1 Level AA compliance. That is what an auditor tests, that is what the evidence file documents, and that is what an inspector is looking for when they read your audit report.
IS 17802 also functions as the technical standard underlying the RPWD Act 2016's private-sector accessibility obligations. The Rights of Persons with Disabilities Act requires entities providing goods and services to the public to ensure accessibility for persons with benchmark disabilities — the technical standard for digital accessibility in that context is IS 17802. SEBI's circular and the RPWD Act obligations are not competing frameworks. They converge on the same standard and the same evidence.
One comparison that compliance teams frequently ask about: IS 17802 versus GIGW 3.0. The answer is that they serve different purposes and different sectors. GIGW 3.0 (Guidelines for Indian Government Websites, 2024 edition) is an audit process and certificate applicable to Central and State government websites, issued through MeitY and assessed by STQC. IS 17802 is the technical standard. Both converge on WCAG 2.1 AA as the minimum; IS 17802 extends to non-web ICT that GIGW does not cover; GIGW adds government-specific requirements around bilingual support, performance baselines, and content-management transparency that IS 17802 does not prescribe.
| Dimension | IS 17802 (Part 2) | GIGW 3.0 | WCAG 2.1 |
|---|---|---|---|
| Standard type | BIS national standard — technical requirements | Government operational guidelines + audit certificate | W3C technical recommendation |
| Issued by | Bureau of Indian Standards (BIS) | MeitY / NIC; audit by STQC | W3C Web Accessibility Initiative (WAI) |
| Applies to | All ICT — web, software, hardware, documents; RPWD Act and SEBI mandate reference it | Central and State government websites and PSU portals | Web content globally; adopted by reference by most national standards |
| Audit mechanism | Third-party audit by competent authority; STQC empanelled lab recommended | STQC SAB SETL-1 empanelled lab; Certificate of Quality Website (CQW) issued | Self-declaration or third-party audit; no certification body defined by W3C |
04 · What IS 17802 actually requires, mapped to WCAG
IS 17802 Part 2 adopts more than 50 WCAG 2.1 success criteria in full. For entities coming to this standard through the SEBI mandate, five categories account for the bulk of audit findings and the bulk of inspection observations.
Perceivable — what investors can see and hear
Every non-text element on an investor portal must have a text alternative. That means every company logo, every fund performance chart, every infographic in an annual report section, every button rendered as an image. Colour alone cannot convey information — a portfolio performance graph that uses green versus red to distinguish positive and negative returns, without any text label or pattern distinction, fails here. Video investor presentations require captions; audio-only content requires transcripts. Contrast minimums apply to financial data displayed in tables — the 4.5:1 ratio for normal text and 3:1 for large text are the working floors.
Operable — what investors can use with a keyboard
Every function on an investor complaint portal, every link in an annual report download section, every pagination control on a disclosure library must be reachable and operable using only a keyboard. No CAPTCHA may be the sole mechanism protecting a login or complaint submission portal — an alternative without visual puzzle-solving must be available. This is where most Indian broker portals fail on first audit. The keyboard test is thirty minutes of tabbing and Shift+Tab and listening for what a screen reader announces. Most investor portals have not been subjected to it.
Understandable — what investors can interpret and complete
Error messages on complaint registration forms must say what went wrong and how to fix it — not just draw a red border around the failed field. Navigation must be consistent across the investor portal — the "Grievance" link must be in the same position and under the same label on every page that includes it. Language must be declared so that screen readers switch to the right voice for Hindi or regional language content.
Robust — what works across assistive technologies
Semantic HTML structure is the foundation. Every heading must be a real heading element, not bolded body text. Every data table must carry th elements with scope attributes, a caption, and a summary if its structure is complex. Custom widgets in trading platforms — dropdown menus built in JavaScript, accordion disclosures, tab panels — must expose correct ARIA roles, names, and state. A custom dropdown that looks like a select element but has no role="listbox" is invisible to a screen reader.
Documents — the piece most entities miss
IS 17802 Part 2 is not limited to web pages. It applies to any digital content made available through those web pages — including PDF documents. Annual reports, quarterly result statements, dividend notices, AGM materials, rights issue offer documents — every PDF served through an investor portal is in scope. The detailed implications are in Section 06 below.
A note on WCAG versioning
The SEBI circular cites WCAG without specifying a version number. IS 17802 Part 2 was published against WCAG 2.1. Auditors from STQC and other accredited bodies are testing against WCAG 2.2 in current audit cycles — the nine additional criteria in WCAG 2.2 (including accessible authentication and target size minimums) are appearing in audit reports. Plan for WCAG 2.2. Read the WCAG 2.2 checklist article for a full breakdown of what is new and what it means for investor portals specifically.
05 · The evidence file
This section is the one your compliance team needs to read carefully. SEBI inspection observations on IS 17802 non-compliance are not always triggered by discovering an inaccessible website. Sometimes they are triggered by the absence of an evidence file — no audit report on record, no accessibility statement on the site, no documentation that the entity has done anything at all. The evidence file is the compliance artefact. Four documents constitute it.
-
Accessibility audit report
From a competent authority — in practice, a STQC SAB SETL-1 empanelled testing laboratory or equivalent. The report must include: the scope of the audit (every URL audited, mobile app version if applicable), the methodology (automated tools used, assistive technologies used — NVDA version, JAWS version, TalkBack, VoiceOver), findings mapped explicitly to IS 17802 / WCAG criteria with evidence (screenshots, screen-reader recording clips, automated rule output), severity ratings, and remediation recommendations. A report that lists failures without evidencing them is not a valid audit report for inspection purposes.
-
Accessibility statement
Published on the website — not in a drawer. Must state: the conformance level claimed (WCAG 2.1 Level AA / IS 17802 Part 2), the date of the most recent audit, the name of the organisation that conducted the audit, the current known limitations and their expected remediation timeline, and a contact mechanism through which users can report accessibility barriers and receive a response. The statement is usually a single page accessible from the footer of every page on the investor portal.
-
Remediation log
A record, internal or external, documenting which findings from the audit were addressed, by whom, and when. Not always formally specified in the circular, but essential when SEBI's follow-up letter asks "what has the entity done since the initial audit?" A task-tracker export, a changelog, or a structured spreadsheet all qualify. The important thing is that it maps back to the audit report's finding IDs.
-
Re-audit confirmation
For material findings — keyboard trap in the investor complaint portal, unlabelled login button, inaccessible annual report PDF — a re-test result confirming the barrier was removed. Not a closed Jira ticket. Not a developer's sign-off. A retested finding with a new accessibility result and updated evidence. This is the document that converts a remediation claim into a defensible compliance position.
What the inspector is actually asking for
A Lighthouse score of 95 is not an accessibility audit. SEBI inspectors know the difference between an automated performance report and a conformance assessment. An automated scanner report without manual testing, without screen-reader evidence, without findings mapped to IS 17802 criteria, without a competent authority's signature — is not the document an inspection observation is asking for. It may demonstrate that a QA process exists. It does not demonstrate IS 17802 compliance.
06 · Annual reports and PDF disclosures
PDF accessibility is the most-cited compliance gap in SEBI-context audits. The frequency is not surprising once you understand the volume. A listed company on the NSE Mid Cap 150 publishes, in an average year: four quarterly result documents, one annual report (often 300 to 500 pages), one or more AGM notices and resolutions, board meeting outcome disclosures, investor presentations, credit rating communication letters. A mutual fund AMC publishes a scheme information document and key information memorandum for every scheme, monthly portfolio disclosures, factsheets, and annual reports for each fund. A broker-dealer publishes KYC documentation, client onboarding brochures, and risk disclosure documents.
Most of these PDFs are produced by exporting from InDesign, Word, or a design tool without accessibility settings enabled. A substantial number are scanned from paper originals — image-only PDFs with no underlying text at all. An image-only PDF is, by the IS 17802 standard, entirely inaccessible: a screen reader encounters it and announces "image" or nothing at all. There is no reading order, no alt text, no heading structure, no table semantics. The entire document is a single inaccessible graphic from the perspective of a person using a screen reader.
The SEBI circular's IS 17802 reference explicitly covers downloadable documents, not just web pages. An investor relations portal that passes every web accessibility test but serves an inaccessible 400-page annual report PDF is not IS 17802-compliant. The portal and the document are both in scope.
For a fund house or a large listed company publishing hundreds of PDF disclosures per year, manual remediation is not a practical answer. Manual tagging of a 300-page annual report by a trained accessibility specialist takes three to five business days and requires structural knowledge of the document's original source. For an entity doing this at scale — ten or twenty fund schemes, each with multiple disclosure documents per quarter — the resource requirement becomes prohibitive.
This is the problem AccessSure PDF is built for. A 13-script pipeline handles OCR extraction, reading-order reconstruction, heading detection, table recognition, alt text generation for charts and figures, and structural tagging — with veraPDF validation at the end of every run to confirm PDF/UA and WCAG conformance. A typical annual report is processed in under 60 seconds. The output is a tagged, accessible PDF with a veraPDF conformance report that constitutes an evidence artefact for the compliance file.
A clean veraPDF conformance score from an automated remediation run, produced by an accredited tool, is substantially stronger evidence in a compliance file than nothing. It documents: what was processed, when, against what standard, with what result. For the majority of routine disclosures — quarterly results, factsheets, investor communications — it is a proportionate and defensible compliance approach. For the annual report, the primary investor-facing document, we recommend supplementing the automated output with a manual review pass to confirm chart alt text accuracy and reading-order correctness on complex infographic pages.
What to include in the evidence file for PDFs
At minimum: an accessibility report for the most recent annual report. Ideally: veraPDF output for quarterly results and scheme documents published in the current financial year. The standard for what constitutes "accessible" is the same as for web content — the PDF must be readable by a screen reader, in the correct reading order, with meaningful headings, labelled tables, and text alternatives for every non-decorative image.
Build the evidence file before the inspection letter arrives.
ITQCR conducts IS 17802 audits for listed companies, mutual fund AMCs, stockbrokers and other SEBI-regulated entities. We produce audit reports that map every finding to the SEBI circular's requirements — the document your compliance file needs, not an automated export. AccessSure PDF handles accessible remediation for annual reports and quarterly disclosures at scale.
ITQCR audit lab → Talk to the team07 · Common failures SEBI inspectors cite
Based on audit work and inspection observation patterns from SEBI-regulated entities over the 2023–2026 period, these are the failures that appear most frequently. They are not ranked by technical severity — they are ranked by how often they appear in formal SEBI observations and follow-up letters.
-
1
Annual report PDF not tagged — the most common observation by far
The annual report is the flagship investor document. It is also, in most Indian listed companies, a design-first PDF produced by a design agency with no accessibility mandate in the brief. Untagged, no reading order, charts with no text alternatives. This appears in almost every SEBI IS 17802 inspection observation we have seen.
-
2
Investor complaint / grievance portal not keyboard-operable
SEBI's investor protection mandate makes the complaint portal the most scrutinised digital interface for listed companies. A portal that requires a mouse to submit a complaint — a dropdown that does not respond to keyboard, a submit button that is unreachable without a pointing device — fails both the accessibility requirement and the spirit of the investor protection framework.
-
3
CAPTCHA on login or complaint portals with no alternative
Visual CAPTCHA without an audio or alternative-input option blocks screen reader users entirely. SEBI's own Scores portal and several broker login pages have been flagged on this basis. The fix — adding an audio CAPTCHA alternative, or switching to a non-cognitive-test mechanism — is a one-sprint remediation task for most engineering teams.
-
4
Quarterly results PDFs are scanned image-only documents
Many listed companies scan their Board meeting financial statements from paper and upload the scan as a PDF. The resulting file has no text, no structure, no accessibility. A screen reader opens it and announces nothing. This affects the financial statement disclosures that are arguably the most important documents for investors, particularly for retail investors who depend on assistive technology.
-
5
Missing or inadequate accessibility statement
The circular requires entities to publish an accessibility statement. In a significant number of inspections, the entity has either no statement at all, or a statement that was added as a blank template from a government website without any entity-specific content — no audit date, no conformance level, no contact mechanism. A statement that does not reflect an actual audit is not a compliance artefact; it is a liability.
-
6
Charts and graphs in financial reports without text alternatives
Revenue trend charts, EBITDA waterfall diagrams, fund allocation pie charts — published in annual reports, factsheets, investor presentations. When embedded in PDFs or on web pages without alt text or a data table equivalent, they convey zero information to a person using a screen reader. For a mutual fund's monthly factsheet, the fund allocation chart is core investor information. Its inaccessibility is not a minor failing.
-
7
Colour-only data encoding in portfolio and fund performance displays
Interactive fund performance graphs that distinguish positive and negative returns by colour alone — green bars versus red bars with no numeric labels, no pattern distinction, no text fallback — fail WCAG 1.4.1 Use of Color. This is particularly common in AMC investor portals and broker trading dashboards where the design team has optimised for visual impact rather than accessibility.
-
8
Mobile app not audited separately
The SEBI circular explicitly covers mobile applications alongside websites. Many entities have conducted a web accessibility audit and submitted it as covering the mobile app, which it does not. Mobile-specific failures — touch target size, gesture-only interactions, dynamic type support, TalkBack compatibility — require a separate test pass on a real device. Remote mobile testing is an accepted alternative but device-based testing is preferred for IS 17802 evidence.
-
9
Remediation evidence submitted without re-audit confirmation
An entity responds to a SEBI observation by submitting screenshots showing that a developer "fixed" a finding. The screenshot shows the control on screen. It does not show a screen reader announcing its label correctly. It does not show keyboard reachability. For material findings — a labelling failure on the primary grievance portal, a keyboard trap on login — SEBI follow-up letters have explicitly requested re-test evidence. A screenshot of a UI change is not re-test evidence.
08 · Questions compliance teams ask
Does the SEBI circular apply to private companies that are not listed?
The circular's primary addressees are SEBI-regulated entities — listed companies, stock exchanges, depositories, registered stockbrokers, investment advisers, mutual fund AMCs, and other market intermediaries. A private company with no SEBI registration and no public-facing regulated service is outside its direct scope.
That said, the RPWD Act 2016 creates a parallel obligation for any private entity providing services to the public, and IS 17802 is the referenced technical standard for both frameworks. The safer question to ask: does your entity file periodic compliance reports to SEBI and operate a public-facing digital interface? If yes, treat the circular as applicable. If you are uncertain, ask your SEBI compliance counsel rather than assuming non-applicability.
What is the difference between IS 17802 and WCAG 2.1?
IS 17802 is a Bureau of Indian Standards standard for ICT accessibility. Part 2 of IS 17802, which covers web content, is functionally equivalent to EN 301 549, the European harmonised standard. EN 301 549 adopts WCAG 2.1 by reference. So IS 17802 Part 2 and WCAG 2.1 are not competing standards — IS 17802 is the Indian standard that, at its web content layer, leads you directly to WCAG 2.1 Level AA as the testable requirement.
The difference is jurisdiction and issuing authority: IS 17802 carries BIS authority and maps to the RPWD Act and the SEBI mandate; WCAG is a W3C technical recommendation without standalone domestic legal standing. For practical audit purposes, testing to WCAG 2.1 AA is testing to IS 17802 Part 2.
Do we need a STQC-empanelled lab to conduct the audit, or can we use any accessibility consultant?
The SEBI circular uses the phrase "competent authority" without formally defining it. STQC SAB SETL-1 empanelment is the closest equivalent to an official government accreditation for IS 17802 web testing in India, and an audit report from an empanelled lab carries the strongest evidentiary weight during a SEBI inspection.
An accessibility consultant without formal accreditation may produce a technically sound report. But it may not satisfy an inspector looking for a credentialed third-party confirmation — particularly in a post-observation follow-up situation where the entity is being asked to demonstrate compliance rather than merely describe its efforts.
ITQCR is one of the STQC SAB SETL-1 empanelled testing laboratories in India authorised to conduct IS 17802 audits and issue the accompanying conformance reports. We also hold GIGW 3.0 audit authority, which is a different certificate relevant to government portal clients.
What should our accessibility statement say?
At minimum, the accessibility statement must state: (1) which standard the site was tested to — IS 17802 Part 2 / WCAG 2.1 Level AA, (2) the date of the most recent audit, (3) the name of the organisation that conducted the audit, (4) the current conformance level or a qualified claim if full conformance has not been achieved, (5) known limitations — pages or functions that do not yet meet the standard, with an expected remediation timeline, and (6) a contact mechanism for users to report accessibility barriers and receive a response within a reasonable timeframe.
The statement should be published on a dedicated page accessible from the footer of every page on the investor portal, typically titled "Accessibility" or "Accessibility Statement." A statement copied from a government template with no entity-specific content is worse than no statement — it creates a false record that may be cited against you in an inspection observation.
Is SEBI checking annual reports and PDFs, or only the website?
Both. The circular's IS 17802 reference covers digital content broadly, which explicitly includes downloadable documents — annual reports, quarterly results, offer documents, merger scheme filings, investor presentations, AGM notices. In practice, PDF accessibility is the most-cited gap in SEBI-context audits because most Indian listed-company PDFs are scanned image exports or design-first exports with no tags, no reading order, and no text alternatives on charts.
The evidence file should include an accessibility report for the most recent annual report at minimum. For mutual fund AMCs and entities with high disclosure volumes, automated PDF remediation at scale — with veraPDF verification — is the practical approach. See AccessSure PDF for more on how this works at volume.
What happens if our entity fails the IS 17802 compliance check during an inspection?
A SEBI inspection observation citing IS 17802 non-compliance triggers a formal response obligation. The entity must submit a remediation plan with specific timelines and then provide confirmation of closure — typically within 30 to 60 days, depending on the inspection type and the severity classification of the observation.
In Comprehensive Inspection and Thematic Inspection cycles for brokers, unresolved observations can escalate to an adjudication proceeding with potential monetary penalties. For listed companies, an IS 17802 observation in an examination letter is shared with the board and can be referenced in subsequent inspection cycles if not resolved. The mandate has been in force since February 24, 2024. Inspectors are not treating it as a new requirement that deserves special leniency — they are treating it as an obligation that has had two years to be addressed.
Can we use an automated scanner report to satisfy the SEBI requirement?
No. Automated scanners — including Google Lighthouse, axe, WAVE, and similar tools — cover approximately 30 to 40 percent of WCAG success criteria. The criteria that SEBI inspection observations most commonly cite — keyboard operability of grievance portals, screen-reader experience on financial disclosures, meaningful alt text on charts, accessible authentication flows — are not reliably detectable by automation. They require manual testing by a qualified reviewer using actual screen readers on actual devices.
A report from an automated scanner, without manual testing, without screen-reader evidence, without findings mapped to IS 17802 criteria, without the signature of a competent authority, is not the document an inspection observation is asking for. It may demonstrate that a QA process exists. It does not demonstrate IS 17802 compliance.
The compliance clock on this mandate started on August 24, 2023. The inspection cycle that enforces it has been running since Q4 2023. The question is not whether to build the evidence file. The question is whether to build it before or after the letter arrives.