Government extends deadline to comply with new cybersecurity rules
It is a breather for several companies which lacked the capacity or bandwidth to comply with the norms at a short notice
The Indian Computer Emergency Response Team (ICERT) has extended the deadline to September 25 for compliance with the April 28 norms on cybersecurity. This was conveyed in an official release by the Ministry of Electronics and Information Technology (MeitY).
(ICERT is the nodal agency to deal with cyber security threats including hacking and phishing. It strengthens the security-related defence of the Indian Internet domain.)
The nearly 60-day relaxation of the deadline has been provided to micro, small and medium enterprises (MSME), data centres, virtual private servers (VPS), virtual private networks (VPN), and cloud service providers.
As per the ministry, the extension was being provided after the stakeholders sought time to build the required capacity for the implementation of the earlier guidelines.
The requirement of registration and maintenance of validated names of subscribers and customers, their addresses and contact numbers by data centres, VPS, VPN and cloud service providers will stand as is, and become effective from September 25.
Earlier this month, the IT ministry had met the stakeholders to understand their position on the new guidelines and to answer any queries on the subject.
The ministry was clear on not relenting on the six-hour deadline for reporting cybersecurity incidents. However, it said that for smaller companies and MSMEs, it would give some relaxation on a case-by-case basis after examining their application.
On April 28, ICERT had introduced a set of guidelines for all companies, intermediaries, data centres and government organizations under which any data breach was to be reported to the government within six hours of the organization becoming aware of it.
The guidelines mandated the VPN service providers to maintain all information gathered as a part of the know-your-customer rules and hand it over to the government as and when asked.
Last month, MeitY came out with a set of frequently asked questions (FAQ) on the guidelines. It clarified certain aspects of how the six-hour norm would work, along with what details the VPN service providers would have to keep for five years.
The extension of the compliance deadline is likely to come as a breather for several companies, especially MSMEs, which said that they did not have the capacity or bandwidth to comply with the norms at such short notice.
It is the first time the ministry has softened its stand on the issue. Earlier, Rajeev Chandrasekhar, the Minister of State for Information Technology, had remarked that VPN service providers which did not want to adhere to the cybersecurity guidelines were 'free to leave India.'
While some MSMEs and other companies have informed the ministry that they would comply with the norms but needed time, some VPN service providers including ExpressVPN, Surfshark, and NordVPN have opted to stop offering their services in the country.