CERT-In Extends Deadline Of Cybersecurity Directives For MSMEs, VPNs & Data Centres

CERT-In Extends Deadline Of Cybersecurity Directives For MSMEs, VPNs & Data Centres

SUMMARY

The new deadline is September 25, 2022, as opposed to the previous deadline of June 28, 2022 (today)

The directives have been contended by data centres who will have to rebuild data infra from the bottom up and by VPNs as they go beyond the core ideology of keeping user data private

While the application of the other directive has been extended, the six-hour norm to report cyber incidents will still be applicable from June 28, 2022

The Indian Computer Emergency Response Team (CERT-In) has extended the deadline for reporting cyber incidents and treatment of private data of users for MSMEs, VPNs and data centres to September 25, 2022.

Since its announcement in late-April 2022, the Cybersecurity Directives outlining the cyber incidents reporting and treatment norms of VPNs have been a subject of debate. Previously, the deadline for the same was 60 days from April 28, 2022 [i.e June 28, 2022 (today)]. 

In a note shared on its website, CERT-In stated that the IT ministry and CERT-In received requests for the extension of timelines for implementation of these Cybersecurity Directions, especially from MSMEs. On the other hand, data centres, VPS, cloud service providers and VPNs also sought additional time to implement the mechanism for validation of subscribers and their customers.

Thus, to enable MSMEs to build the capacity required for the implementation of the cybersecurity directions and for data centres to build and implement validation mechanisms, CERT-In approved the extended deadline. Apart from these two categories, all other companies will have to start abiding by the directives.

What Are The Cybersecurity Directives?

The directives primarily state that due to cybersecurity incidents taking place from time to time, companies will have to report breaches within six hours of the incident first coming to their knowledge.

Secondly, it has asked all government bodies and service providers to maintain a log of all Information Communication Technology (ICT) systems within India for 180 days. The contesting part is that data centres and VPNs will also have to store data regarding their clients for a minimum period of five years. 

Besides, internet platforms will have to maintain data related to IP addresses, validated addresses, contact numbers and even ownership patterns of companies using these data and VPN services. The order also mandates crypto exchanges to maintain all information related to Know Your Customer (KYC) and financial transactions of its users for five years. 

Why This Debate?

The major debating point among VPNs is that asking VPNs to store data goes against the very definition of ‘private networks’. Many experts have raised questions about the legality of the new rules in the absence of a robust data protection law since a lot of journalists, activists and whistleblowers use VPNs for their work to remain anonymous and protect themselves.

In case the data centres keep the data, their privacy is violated. To this, IT minister Rajeev Chandrasekhar has asked VPN service providers either comply with the directions or terminate their businesses in India. 

Following the directives, a few VPN service providers said that they would exit India rather than following such a mandate that threatens the basic foundation of VPN – not storing data of users. NordVPN, Surfshark and ExpressVPN have already logged out of India.

While the application of the other directive has been extended, the six-hour norm to report cyber incidents will still be applicable from June 28. 

Step up your startup journey with BHASKAR! From resources to networking, BHASKAR connects Indian innovators with everything they need to succeed. Join today to access a platform built for innovation, growth, and community.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

CERT-In Extends Deadline Of Cybersecurity Directives For MSMEs, VPNs & Data Centres-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

CERT-In Extends Deadline Of Cybersecurity Directives For MSMEs, VPNs & Data Centres-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

CERT-In Extends Deadline Of Cybersecurity Directives For MSMEs, VPNs & Data Centres-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

CERT-In Extends Deadline Of Cybersecurity Directives For MSMEs, VPNs & Data Centres-Inc42 Media
CERT-In Extends Deadline Of Cybersecurity Directives For MSMEs, VPNs & Data Centres-Inc42 Media
You’re in Good company