The Indian Computer Emergency Response Team (Cert-In) on Tuesday extended a deadline for complying with its cybersecurity guidelines, to September 25.
It provided the nearly three-month relaxation – from the earlier 60-day deadline of June 28 – to micro, small and medium enterprises (MSME), data centres, virtual private server (VPS) and virtual private network (VPN) and cloud service providers, according to an official statement from the Ministry of Electronics and Information Technology (MeitY).
The ministry said the extension was provided after MSMEs, data centres, VPS, VPN, and cloud service providers sought time to “build capacity” required to implement the guidelines, which Cert-In issued on April 28.
The requirement of registration and maintenance of validated names of subscribers and customers, their addresses and contact numbers by data centres, VPS, VPN and cloud service providers will be effective from September 25, the ministry said.
The extension is likely to come as a breather for several companies, especially MSMEs which had said that they did not have the capacity or bandwidth to comply with the Cert-In norms at such short notice.
While some MSMEs and other companies told the ministry that they would comply with the norms but needed more time, VPN service providers such as ExpressVPN, Surfshark, NordVPN and others said earlier that they would stop their services in India by June 28,.
Discover the stories of your interest
It is the first time that the ministry has softened its stand on the issue.
On May 18, during a press conference to explain the FAQs on the Cert-In guidelines, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said VPN service providers that did not want to adhere to the guidelines
were “free to leave India”.
Tech policy groups and cybersecurity experts also welcomed the extension of the deadline and said it was “a step in the right direction”.
“MSMEs would have to find added human resources to stay compliant with the Cert-In direction and the extension would aid in the human resource management of MSMEs, where additional time could save MSMEs from the daily operation disruption,” said Kazim Rizvi, founder of public policy group The Dialogue.
On June 10, the IT ministry had met stakeholders, including MSMEs, VPS, VPN, and other cloud service providers to understand their position on the guidelines and answer their queries.
In the meeting attended by about 25 executives from VPN service providers, technology companies, policy groups and other experts, the IT ministry had made it clear that it would
not relent on the six-hour deadline for reporting cybersecurity incidents, ET had reported.
The IT ministry had, however, told stakeholders that for smaller companies and MSMEs, it would give some relaxation on a case-to-case basis after examining their applications.
Cert-In’s April 28 guidelines required all companies, intermediaries, data centres and government organisations to report any data breach to the government within six hours of the organisation becoming aware of it.
The guidelines had also mandated VPN service providers to maintain all the information they had gathered as part of know-your-customer rules and hand it over to the government as and when required.
On May 18, the IT ministry came out with a set of FAQs on the Cert-In guidelines, during which it clarified certain aspects of how the six-hour norm would work, along with the details that the VPN service providers would have to keep for five years.
Stay on top of technology and startup news that matters. Subscribe to our daily newsletter for the latest and must-read tech news, delivered straight to your inbox.
