Home / Technology / News /  Deadline extended for VPN, security rules
Listen to this article

NEW DELHI : The Computer Emergency Response Team (CERT-In) has extended by about three months the deadline for complying with its controversial rules for small enterprises and virtual private network (VPN) service providers in India.

This comes after several VPN providers removed their servers from the country following the 28 April notice under Section 70B of the Information Technology Act (IT Act), and consultations with the industry wherein many asked for more time to comply. The rules were originally slated to come into force from 28 June, which have now been extended to 25 September.

“The Ministry of Electronics and Information Technology (MeitY) and CERT-In are in receipt of requests for the extension of timelines for implementation of these Cyber Security Directions of 28th April, 2022 in respect of Micro, Small and Medium Enterprises (MSMEs)," the ministry said in a notice, on Tuesday. “Further, additional time has been sought for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers," it added.

The MSME sector had sought an extension of 300 days from 28 June for compliance during talks with the ministry. However, industry experts said the decision is good news for incumbents.

Raj Sivaraju, president, Asia-Pacific, at Arete, a cyber incident response company, said the extension provides businesses with “reasonable time" for capacity building. “We believe it is a welcome move towards better preparation for faster recovery, easier reporting, post-incident investigations, and a continuous approach to managing risks," he said.

Further, Amit Jaju, senior managing director at Ankura Consulting Group, said the extension will provide companies time to implement the required processes and technologies. “The time to reconfigure time servers should not take beyond a week across all machines that are centrally connected. To appoint a point-of-contact (POC), they will have to augment the role of an internal person which can be done swiftly," said Jaju.

The new rules, which were widely criticized, required VPN service providers to store user data and maintain logs of their usage. They were asked to record and maintain validated names, emails, usage patterns, and IP addresses of subscribers for five years. VPN companies argued that this was a breach of privacy as the data they were being asked to keep had personally identifiable information, which was against their policy.

Companies such as Surfshark, ExpressVPN and NordVPN removed their servers due to this ruling, choosing instead to continue providing “no logging" services, where no user data is maintained by the firms.

Exchanges and other firms dealing with virtual assets, and wallet providers, were also required to keep know-your-customer (KYC) records and financial transactions for five years under the new rules.

Not everyone is fully convinced by the extension. 

Rama Vedashree, chief executive at the Data Security Council of India (DSCI), a non-profit industry body on data protection, called the extension a “welcome short-term relief" for MSMEs, VPN, and cloud service providers (CSPs). But, she also said that the DSCI was “looking forward to a revised set of directions based on suggestions we and our industry members have made to CERT-in in our interactions."

“While many clarifications have been offered in the FAQs, it is important they are reflected in the directions," she added.

Digital rights advocacy group, the Internet Freedom Foundation (IFF), also said that the extension only provides “limited relief in timelines" for compliance with MSMEs. “The directions still undermine online privacy and security that impacts Indian users. We urge for a complete recall and real chance for public consultation," it said.

Catch all the Technology News and Updates on Live Mint. Download The Mint News App to get Daily Market Updates & Live Business News.
More Less
Subscribe to Mint Newsletters
* Enter a valid email
* Thank you for subscribing to our newsletter.

Recommended For You

Edit Profile
Get alerts on WhatsApp
Set Preferences My ReadsWatchlistFeedbackRedeem a Gift CardLogout