304 North Cardinal St.
Dorchester Center, MA 02124
The Computer Emergency Response Team (CERT-In) has extended a three-month deadline to comply with its dispute laws for small businesses and virtual private network (VPN) service providers in India.
This comes after many VPN providers have deployed their servers in the country following a notice of 28 April under Section 70B of the Information Technology Act (IT Act), as well as industry consultations where many have requested additional compliance time. The rules were scheduled to take effect from June 28, which has now been extended to September 25th.
The Ministry of Electronics and Information Technology (MeitY) and CERT-In approved applications for the extension of the Cyber Security Guidelines dated April 28, 2022 for Small, Medium and Medium Enterprises (MSMEs), “The department said in a statement on Tuesday.” In addition, additional time has been required to implement the subscription / customer verification process by Data Centers, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (Providers -VPN Service), ”he added.
The MSME sector sought a 300-day extension from 28 June to comply with the law during a departmental consultation process. However, industry experts say the decision is good news for those in power.
Raj Sivaraju, president of Asia-Pacific, Arete, a cyber-response company, said the expansion gives businesses “the right time” to build capacity. “Post-incident investigation, as well as ongoing risk management,” he said.
In addition, Amit Jaju, executive director of Ankura Consulting Group, said the expansion would give companies time to implement the required processes and technologies. “The time to reset time servers should not take more than a week for all devices connected to a central location. To appoint a contact person (POC), they will have to increase the role of the inner person which can be done immediately, ”said Jaju.
The new rules, which have been widely criticized, require VPN service providers to store user data and maintain logs for their use. They are required to record and maintain verified names, emails, usage patterns, and IP addresses of their subscribers for five years. VPN companies argued that this was a violation of privacy as the data they were asked to keep was personally identifiable, contrary to their policy.
Companies such as Surfshark, ExpressVPN and NordVPN removed their servers as a result of this decision, opting to continue providing “non-cutting” services, where no user data was stored by firms.
To trade with other real estate firms, as well as fund providers, it was also necessary to keep records of know-your-customer (KYC) and financial services for five years under the new rules.
Rama Vedashree, chief executive officer of the Data Security Council of India (DSCI), a non-profit organization for the data protection industry, called the extension “receiving temporary help” from MSME, VPN, and cloud service providers (CSPs). However, he added that DSCI “is looking forward to a revised set of indicators based on the recommendations we and our industry members have made to CERT in our collaboration.”
“Although many explanations are provided in the FAQs, it is important that they appear in the guidelines,” he added.
The digital rights group, the Internet Freedom Foundation (IFF), also said that the extension provided only “limited freedom of time” for MSME compliance. remember and a real opportunity to consult with the public, “he said.