MeitY To Go Ahead With Six-Hour CERT-In Norm To Report Cybersecurity Incidents

MeitY To Go Ahead With Six-Hour CERT-In Norm To Report Cybersecurity Incidents

SUMMARY

MeitY met industry stakeholders including VPN service providers, tech companies, policy groups and experts on Friday

The ministry will not relax the deadline for large companies but will relax the deadline for small companies on a case-to-case basis

The meeting happened against the backdrop of two VPN companies, Surfshark and ExpressVPN, shutting shops in India amid uncertainty around VPNs

The ongoing debate on the recent Indian Computer Emergency Response Team (CERT-In) guidelines on cybersecurity has taken another turn as the Ministry of Electronics and Information Technology (MeitY) looks set to enforce the norm which mandates companies to report cybersecurity incidents within six hours of them being noticed.

However, MeitY will be relaxing the June 28 deadline for smaller companies, on a case-to-case basis.

This comes after the Friday (June 10) meeting between MeitY and industry stakeholders. The meeting was chaired by the Minister of State for Information Technology Rajeev Chandrasekhar.

The meeting lasted for three hours and saw about 25 representatives from virtual private network (VPN) companies, technology companies, policy groups and experts discuss the CERT-In guidelines, first introduced on April 28.

According to an industry executive present at the meeting cited by ET, the government will not relax that six-hour reporting rule. Further, bigger companies will not be given any relaxation in the June 28 deadline, which means that big companies have around a fortnight to implement the reporting regime.

MeitY will also provide a centralised system in the form of an app of sorts, where companies can report the cybersecurity breaches within their networks. Companies won’t be required to mail the details of the same to CERT-In, according to sources cited by ET.

A senior government official was quoted as saying that most companies have agreed to follow the guidelines, with only some chinks needing ironing out. For now, MeitY is working on a set of frequently asked questions (FAQs) to simplify the guidelines.

The government will be meeting the industry again within 90 days to review the progress on the directives.

The directives, issued by CERT-In on April 28, include norms related to information security practices, procedures, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000.

One of the most talked-about points within these directives is the treatment of VPNs. VPN companies are now required to maintain user activity logs and store sensitive personal information such as IP addresses and phone numbers for a duration of five years.

The government has excluded corporate VPNs from the CERT-In directives. However, individual users are still left vulnerable to surveillance from the government, as the directives do not make it clear under what circumstances can the government ask for a user’s activity log and personal information.

Rajeev Chandrasekhar has told the VPN companies that they are free to leave the country if they don’t want to maintain logs and adhere to the guidelines.

“If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out,” he said.

Following this, Surfshark and ExpressVPN have shut down operations in India, with more to follow suit.

Step up your startup journey with BHASKAR! From resources to networking, BHASKAR connects Indian innovators with everything they need to succeed. Join today to access a platform built for innovation, growth, and community.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

MeitY To Go Ahead With Six-Hour CERT-In Norm To Report Cybersecurity Incidents-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

MeitY To Go Ahead With Six-Hour CERT-In Norm To Report Cybersecurity Incidents-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

MeitY To Go Ahead With Six-Hour CERT-In Norm To Report Cybersecurity Incidents-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

MeitY To Go Ahead With Six-Hour CERT-In Norm To Report Cybersecurity Incidents-Inc42 Media
MeitY To Go Ahead With Six-Hour CERT-In Norm To Report Cybersecurity Incidents-Inc42 Media
You’re in Good company