India will give VPN providers and cloud service operators an additional three months to comply with new rules that require they maintain names and addresses of their customers and their IP addresses, delivering some relief to firms as many scramble to follow the new guidelines and others explore exiting the South Asian market.
The Indian Computer Emergency Response Team (CERT), the body appointed by the government to protect India’s information infrastructure, said Monday evening it is extending the enforcement of the new rules to September 25. The rules, unveiled in late April, were set to go into effect Monday.
CERT said it was extending the deadline because “additional time” had been sought by the industry players.
Its announcement follows sharp criticism from VPN providers, many of which, including Nord and ExpressVPN, have announced their intentions to remove local servers in the country.
Nearly two dozen cybersecurity experts and technologists from India and across the world sent a joint letter to CERT and Ministry of Electronics and IT on Monday, calling for the “dangerous CERT-In cybersecurity directions” to not be implemented.
“The Directions, as they stand, will have the unintended consequence of weakening cyber security, and its crucial component, online privacy. We are cognisant of the need for a framework to govern cyber incident reporting, but the reporting timelines and excessive data retention mandates prescribed in the Directions, will have negative implications in practice and impede effectiveness, while endangering online privacy and security,” they wrote.
CERT’s new directions require “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations” to store customers’ names, email addresses, IP addresses, know-your-customer records and financial transactions for a period of five years.
Lawmakers in India have made it clear that they have no intention to relax the new rules.
Rajeev Chandrasekhar, the junior IT minister of India, said in a press conference last month that VPN providers who wish to conceal who uses their services “will have to pull out” of the country. The government, he said, will not be holding any public consultation on these rules.
The new rules also mandate firms to report incidents of security lapses such as data breaches within six hours of noticing such cases. Following pushback from advocacy groups, Chandrasekhar said last month that India was being “very generous” in giving firms six hours of time to report security incidents, pointing to nations such as Indonesia and Singapore that he said had stricter requirements.