Govt extends deadline to Sept 25 to comply with new cybersecurity rules
The Indian Computer Emergency Response Team (Cert In) on Tuesday extended to September 25 the deadline for compliance with the April 28 norms on cybersecurity, an official release from the Ministry of Electronics and Information Technology (MeitY) said.
The nearly 60-day relaxation to follow the deadline has been provided to micro, small and medium enterprises (MSME), data centres, virtual private server (VPS) and virtual private network (VPN) and cloud service providers, the release said. The earlier 60-day deadline to comply with the cybersecurity norms would have ended on Tuesday.
The extension, the ministry said, was being provided after MSMEs, data centres, VPS, VPN, and cloud service providers sought time to “build capacity” required for the implementation of the April 28 guidelines.
The requirement of registration and maintenance of validated names of subscribers and customers, their addresses and contact numbers by data centres, VPS, VPN and cloud service providers will stand as is, and become effective September 25, the ministry said.
Earlier this month on June 10, the IT ministry had met stakeholders, including MSMEs, VPS, VPN, and other cloud service providers to understand their position on the latest Cert In guidelines and to answer any queries they had on the subject.
ET had reported that in the meeting which saw attendance from about 25 executives from virtual private network (VPN) service providers, technology companies, policy groups and other experts, the IT ministry had made it clear that it would not relent on the six-hour deadline for reporting cybersecurity incidents.
The IT ministry, had, however, then told the stakeholders that for smaller companies and MSMEs, it would give some relaxation on a case-to-case basis after examining their application.
On April 28, Cert-In had come out with a set of guidelines for all companies, intermediaries, data centres and government organisations under which any data breach must be reported to the government within six hours of the organisation becoming aware of it.
These guidelines had also mandated that VPN service providers shall maintain all the information they had gathered as a part of know-your-customer rules and hand it over to the government as and when asked for it.
On May 18, the Ministry of Electronics and Information Technology came out with a set of frequently asked questions (FAQ) on the Cert-In guidelines during which it clarified certain aspects of how the six-hour norm would work, along with what details the VPN service providers would have to keep for five years.
The extension of the compliance deadline is likely to come as a breather for several companies, especially MSMEs which had said that they did not have the capacity or bandwidth to comply with the Cert In norms at such short notice.
While some MSMEs and other companies have told the ministry that they would comply with the norms but needed time, some VPN service providers such as ExpressVPN, Surfshark, and NordVPN have said that they would, by June 28, stop offering their services in India.
It is the first time the ministry has softened its stand on the issue. Earlier on May 18, during a press conference to explain the FAQ on Cert In guidelines, minister of state for information technology Rajeev Chandrasekhar said VPN service providers which did not want to adhere to the latest cybersecurity guidelines were “free to leave India”.