India extends deadline until Sept. 2022 to comply with new cybersecurity rules



CERT-In extends deadline for compliance to September 2022.


Bowing to appeals and pressure from industry players, the Ministry of Electronics and Information Technology (MeitY) of the government of India has extended the date for compliance with its stringent cyber security law by three months.


Earlier, the Indian Computer Emergency Response Team (CERT-In), citing inconsistencies in response to cyber security incidents, had directed all VPN companies to store extensive user data for a period of five years. The cyber security guidelines also made it mandatory that all incidents of data breach will have to be reported to the government within six hours of occurrence by the concerned companies, intermediaries, data centers and government organizations.


Regarding the extension of the compliance date, a statement issued by the ministry says that MeitY and CERT-In have received requests from Micro, Small and Medium Enterprises (MSMEs) for an extension of the timelines for implementing these cyber security directions.


“Additional time has been sought for implementation of a mechanism for validation of subscribers by data centers, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers. It has been decided to provide an extension till September 25, to MSMEs in order to enable them to build capacity required for the implementation of the Cyber Security Directions,” the statement added.


Data Centres, VPS providers, Cloud Service providers and VPN service providers have also been given additional time, until 25 September 2022, to implement the mechanisms relating to validation of subscribers' details.


This decision comes in the wake of sharp criticism from industry players of the Indian government’s directive. Following the CERT-In directive, which had been issued in May, VPN service providers such as ExpressVPN, Surfshark, and NordVPN announced in June that they would curtail their India operations by shifting their servers out of the country.


ExpressVPN in a blog post has stated: “With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our Indian-based VPN servers. Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. These “virtual” India servers will instead be physically located in Singapore and the UK.”


In May, the CERT-In had directed all digital service providers to record and store users’ logs for a period of 180 days. It also directed VPN companies to store extensive user data for at least five years to enable better response to cyber security threats and incidents. The service providers operating in India were also directed to collect and submit user data that includes IP addresses assigned to users.


Taking a tough stance on the issue, the Minister of State for Electronics and Information Technology, Government of India, Rajeev Chandrasekhar, had said that VPN service providers must follow the law while operating in the country and that, if they do not comply with the new norms, they are free to leave India.


CERT-In in its directive had stated: “All service providers, intermediaries, data centers, body corporate and government organizations shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when directed by CERT-In. Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:

  1. Validated names of subscribers/customers hiring the services
  2. Period of hire including dates
  3. IPs allotted to / being used by the members
  4. Email address and IP address and time stamp used at the time of registration / on-boarding
  5. Purpose for hiring services
  6. Validated address and contact numbers
  7. Ownership pattern of the subscribers / customers hiring services”