SUMMARY
The possible extension comes after the government extended the original deadline of June 28 to September 25
The government does not want SMEs or MSMEs to bear the burden of additional compliance until they are ready to do so
On April 28, CERT-In issued new cyber security guidelines, mandating the reporting of a data breach within six hours of becoming aware of it
The government might extend the deadline for complying with the new cyber security directives issued by the Indian Computer Emergency Response Team (CERT-In) by another three months. The extension would apply to micro, small and medium enterprises (MSMEs) along with small and medium enterprises (SMEs).
The development comes after the government extended the original deadline of June 28 to September 25, after several companies, including MSMEs, requested more time to become compliant with the norms.
Further, data centres, virtual private servers (VPS), cloud service providers and virtual private networks (VPNs) had also sought more time to implement KYC norms such as the validation of subscribers and their customers.
The Minister of State for Electronics and IT Rajeev Chandrasekhar was cited in an ET report stating that the government does not want SMEs or MSMEs to bear the burden of additional compliance until they are ready to do so.
While the government has not been flexible with the needs of VPNs and VPS, it has done so with SMEs and MSMEs, given that this might be the second extension for them to comply with the new cybersecurity norms.
While larger companies have complied with the guidelines, SMEs and MSMEs have found it harder to do so because of a lack of human resources to comply.
The CERT-In Guidelines In A Nutshell
On April 28, CERT-In issued new cyber security guidelines for all companies, intermediaries, data centres and government organisations. The guidelines mandated, among other things, that organisations have to report any data breach to the government within six hours of becoming aware of the breach.
While there was initial apprehension regarding the small window of time in which cybersecurity incidents had to be reported, the government pressed on with it.
The guidelines also required VPN service providers to collect data from their customers as part of KYC norms and provide the same to the government when required. The data to be collected included sensitive data including IP addresses, verification addresses and contact details.
This was seen as counterproductive by several VPNs operating in India who subsequently exited the country. Most recently, Proton VPN exited the country, calling the CERT-In guidelines regressive.
However, the government does not appear too fazed by the exodus of VPN providers, with Chandrasekhar stating in a press conference in May that VPNs failing to adhere to the guidelines were free to leave.
The guidelines have attracted criticism from international forums as well.
In May, several international trade bodies, including the US Chamber of Commerce, the US-India Business Council, the US-India Strategic Partnership Forum and techUK, among others, wrote a letter to Sanjay Bahl, the director general of CERT-In, stating that the guidelines may have a ‘detrimental impact’ on cybersecurity.
