India will give VPN and cloud service providers another three months to comply with new rules requiring them to keep track of the names and addresses of their customers and their IP addresses, bringing some relief to companies as many try to comply with the new guidelines and others are exploring exiting the South Asian market.
The Indian Computer Emergency Response Team (CERT), the body appointed by the government to protect India’s information infrastructure, announced on Monday evening that it will extend the application of the new rules until September 25. The rules, which were unveiled in April, will come into force on Monday.
CERT announced that it would extend the deadline because “additional time” was sought by industry players.
The announcement follows sharp criticism from VPN providers, many including Nord and ExpressVPN have revealed their intentions to remove local servers in the US.
Nearly 26 cyber security experts and technologists from India and across the world on Monday sent a joint letter to the CERT and the Ministry of Electronics and IT, urging them to reject the “dangerous CERT In cybersecurity directions”.
“The guidelines as they stand may have the unintended effect of weakening cybersecurity and its key component online privacy. They recognized the need for a framework that can regulate reporting of cyber incidents. However, the guidelines’ reporting timelines and excessive data retention mandates will have negative consequences in practice, and may hinder the system’s efficiency at the same time as online privacy and security are threatened.
CERT’s new directions require that “virtual private servers (VPS), cloud service providers, VPN service providers, VPN service providers, virtual asset service providers, virtual exchange providers, custodial wallet providers, and government agencies” retain customer names, email addresses, IP addresses, and know your customer records for a period of not less than five years.
Indian lawmakers have made it clear they will not relax the existing rules.
Rajeev Chandrasekhar, India’s junior minister for IT, told a press conference last month that VPN providers who want to hide who is using their services “will be required to withdraw” from the country. The government, he said, will not hold any public hearing on this regulation.
New rules require firms to report security breaches, including data breaches, within six hours of becoming aware of them. Chandrasekhar declared last month that India was “very generous”, giving firms six hours to report security incidents. This was in response to advocacy groups. He also pointed to nations such as Singapore and Indonesia that have stricter requirements.