CERT-In gives more time for VPNs to comply with new cyber security norms

PTI, Jun 28, 2022, 3:57 PM IST

Credit: iStock Photo

CERT-In has granted three more months for VPN providers to implement mechanisms related to validation aspects of customer details under the new cyber security directives amid concerns raised by industry players over the proposed norms.

Besides, the timeline for MSMEs has been extended till September 25 for enforcement of the new cyber security directions. The move would bring relief to the companies as it gives them additional time to comply with the new directions, which had evoked sharp reactions from a section of the industry, some VPN providers and privacy advocates.

In the aftermath of the announcement of the new directives in April, there have been reports that some VPN services have shut down their Indian servers. These directives issued on April 28 were to initially come into force after 60 days from the date of issuance.

”CERT-In extends timelines for enforcement of Cyber Security Directions till 25 September 2022 for MSMEs and for the validation aspects of subscribers/customers details,” an official release said on Tuesday.

The extension has been granted after the industry requested more time for the implementation of the directions.

The Indian Computer Emergency Response Team or CERT-In is the national agency for performing various functions in the area of cyber security in the country as per provisions of the IT Act.

The relief will enable MSMEs (Micro, Small and Medium Enterprises) to build the capacity required to adhere to the cyber security directions of April 28.

Data centres, cloud service providers and VPN service providers also have been granted more time for implementation of mechanisms relating to validation aspects of subscribers/customers’ details, the release said.

Ministry of Electronics and IT had mandated cloud service providers, VPN (Virtual Private Network) firms, data centre companies and virtual private server providers to store users’ data for at least five years.

The circular, issued by CERT-In, mandates all service providers, intermediaries, data centres, corporates and government organisations to mandatorily enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days, and requires the same to be maintained within the Indian jurisdiction.

Following the directive by CERT-In in April, there were reports that Express VPN has removed its servers from India, becoming the first major VPN player to do so after the cybersecurity rules were introduced.

According to the release, the IT Ministry and CERT-In had received requests for the extension of timelines for implementation of the cyber security directions in respect of MSMEs.

Further, more time was sought for the implementation of a mechanism for validation of subscribers/customers by data centres, Virtual Private Server (VPS) providers, cloud service providers and VPN Service providers.

”The matter has been considered by CERT-In and it has been decided to provide an extension till 25 September 2022 to MSMEs in order to enable them to build the capacity required for the implementation of the Cyber Security Directions,” the release said.

At the same time, data centres, VPS providers, cloud service providers and VPN companies too have been given additional time (till September 25) for the implementation of mechanisms relating to the validation aspects of the subscribers/customers’ details, it added.