CERT-In gives 3 months for VPNs to comply with new norms

New Delhi: CERT-In has granted three more months for VPN providers to implement mechanisms related to validation aspects of customer details under the new cyber security directives amid concerns raised by industry players over the proposed norms.

Besides, the timeline for MSMEs has been extended till September 25 for enforcement of the new cyber security directions.

The move would bring relief to the companies as it gives them additional time to comply with the new directions, which had evoked sharp reactions from a section of the industry, some VPN providers and privacy advocates. In the aftermath of the announcement of the new directives in April, there have been reports that some VPN services have shut down their Indian servers. These directives issued on April 28 were to initially come into force after 60 days from the date of issuance.

"CERT-In extends timelines for enforcement of Cyber Security Directions till 25 September, 2022 for MSMEs and for the validation aspects of subscribers/customers details," an official release said on Tuesday. The extension has been granted after the industry requested for more time for implementation of the directions. The Indian Computer Emergency Response Team or CERT-In is the national agency for performing various functions in the area of cyber security in the country as per provisions of the IT Act. The relief will enable MSMEs (Micro, Small and Medium Enterprises) to build the capacity required to adhere to the cyber security directions of April 28. Data centres, cloud service providers and VPN service providers also have been granted more time for implementation of mechanisms relating to validation aspects of subscribers/customers details, the release said. Ministry of Electronics and IT had mandated cloud service providers, VPN (Virtual Private Network) firms, data centre companies and virtual private server providers to store users' data for at least five years. The circular, issued by CERT-In, mandates all service providers, intermediaries, data centres, corporate and government organisations to mandatorily enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days, and requires the same to be maintained within the Indian jurisdiction.