CERT-In pushes deadline for new VPN, cybersecurity rules to September 25

Indian Computer Emergency Response Team (CERT-In) has extended the deadline for the implementation of the controversial cybersecurity rules that require all companies to report cyber incidents under six hours and tech service providers including VPN companies to log and keep personally identifiable data for five years.

The deadline has been extended till September 25, Ministry of Electronics & IT (MeitY) said in a statement. 

CERT-In said that it received requests for the extension of timelines for the implementation of the rules by micro, small and medium enterprises (MSMEs). It also received requests from VPN, data centre and cloud service providers to give more time for implementation of mechanisms for validation of subscribers/customers.

CERT-In believes the extension will help MSMEs to build capacity required for the implementation of the new rules. 

The new rules were announced on April 28 to bolster Indian cyber security posture and address gaps in incident analysis, CERT-In said at the time. 

Though the rules were widely criticised by the industry, the provisions related to maintaining logs of user data by VPN providers received a lot of flak from privacy advocates, users and VPN companies. Some VPN companies such as SurfShark and ExpressVPN refused to comply with the rules and withdrew their India based servers. 

Introduced as part of the section 70B of the Information Technology (IT) Act, 2000, the new rules required all service providers, intermediaries, data center providers, corporates, and government organisations to report cyber incidents within 6 hours of detection. CERT-In also asked companies

connect and synchronise all their ICT systems clocks to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL). This would ensure the timeline of the events in case of breach will be accurately reflected..

The new rules also required all virtual private networks (VPN) to record and maintain validated names, emails, usage patterns and IP addresses of subscribers for a period of five years. 

Virtual asset, exchange, and wallet providers will also have to keep records on KYC and financial transactions for a period of five years. 

In response to queries and concerns raised by companies, in May MeitY released a frequently asked questions (FAQ) document offering clarification on the new rules.