India’s controversial new cybersecurity rules may still be going ahead, but there has been a slight change of plan. There’s been an extension of almost 60 days to the date on which the legal requirement to report security breaches and keep customer information comes into force.
This extension – from 28 June to 25 September – has been provided to a large number of affected players, including, according to India’s Economic Times, micro, small and medium enterprises (MSME) and data centres, along with providers of virtual private servers (VPS) and virtual private networks (VPN) and cloud service.
The guidelines, suggested by the Indian Computer Emergency Response Team (CERT-In) in April, will force all companies, intermediaries, data centres and government organisations to report any data breach to the government within six hours of the organisation becoming aware of it.
There’s also a requirement to register and maintain validated names of subscribers and customers, as well as their addresses and contact details. VPN service providers will be obliged not only to retain this information for at least five years but to hand it over to the government as and when asked for it.
The extension, the Ministry of Electronics and Information Technology (MeitY) said, was being provided after the various players involved asked for more time to build capacity required for the implementation of the guidelines.
After a meeting with VPN service providers, technology companies, policy groups and other experts, MeitY has also apparently suggested it might be able to extend the six-hour deadline for reporting cybersecurity incidents – at least for smaller companies and MSMEs and on a case-to-case basis.
That may not be enough for some players, however. As we have previously reported, citing security and privacy concerns, some VPN service providers such as ExpressVPN, Surfshark, and NordVPN have announced plans to stop offering their services in India.