Deadline extended for VPN, security rules


NEW DELHI: The Computer Emergency Response Team (CERT-In) has extended by about three months the deadline for complying with its controversial rules for small enterprises and virtual private network (VPN) service providers in India.

This comes after several VPN providers removed their servers from the country following the 28 April notice under Section 70B of the Information Technology Act (IT Act), and consultations with the industry wherein many asked for more time to comply. The rules were originally slated to come into force from 28 June; the deadline has now been extended to 25 September.

“The Ministry of Electronics and Information Technology (MeitY) and CERT-In are in receipt of requests for the extension of timelines for implementation of these Cyber Security Directions of 28th April, 2022 in respect of Micro, Small and Medium Enterprises (MSMEs),” the ministry said in a notice, on Tuesday. “Further, additional time has been sought for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers,” it added.

The MSME sector had sought an extension of 300 days from 28 June for compliance during talks with the ministry. However, industry experts said the decision is good news for incumbents.

Raj Sivaraju, president, Asia-Pacific, at Arete, a cyber incident response company, said the extension provides businesses with “reasonable time” for capacity building. “We believe it is a welcome move towards better preparation for faster recovery, easier reporting, post-incident investigations, and a continuous approach to managing risks,” he said.

Further, Amit Jaju, senior managing director at Ankura Consulting Group, said the extension will provide companies time to implement the required processes and technologies. “The time to reconfigure time servers should not take beyond a week across all machines that are centrally connected. To appoint a point-of-contact (POC), they will have to augment the role of an internal person which can be done swiftly,” said Jaju.

The new rules, which were widely criticized, required VPN service providers to store user data and maintain logs of their usage. They were asked to record and maintain validated names, emails, usage patterns, and IP addresses of subscribers for five years. VPN companies argued that this was a breach of privacy as the data they were being asked to keep had personally identifiable information, which was against their policy.

Companies such as Surfshark, ExpressVPN and NordVPN removed their servers due to this ruling, choosing instead to continue providing “no logging” services, where no user data is maintained by the firms.

Exchanges and other firms dealing with virtual assets, and wallet providers, were also required to keep know-your-customer (KYC) records and financial transactions for five years under the new rules.
