The deadline for the Indian Computer Emergency Response Team’s (CERT-In) recent ruling, which requires virtual private network (VPN) providers to register and maintain customer information, has been extended. September 25 has been designated as the new deadline by CERT-In for the application of the new rules.
Prior to this, the Ministry of Electronics and Information Technology (MeitY) had mandated that VPN providers gather and keep customer data in India for at least five years. To coordinate reaction efforts and urgent actions in response to cyber security issues, the order was issued. Additionally, it was mandatory that cloud service providers, data centres, and virtual private server (VPS) providers register and keep correct records of their offerings for at least five years “as required by the legislation following any cancellation or the registration as the case may be.” The information consists of the user’s IP address, home address, and use habits.
The government has now delayed the execution of its new rule after receiving requests for extra time from worried businesses. The CERT-in also announced that it is extending the deadline to give Micro, Small, and Medium-Sized Enterprises (MSMEs) an appropriate amount of time to develop the capacity needed for the execution of these directives.
Beginning on September 25, the new cyber security directives of April 28, 2022, issued according to subsection (6) of section 70B of the Information Technology Act, 2000, will take effect.
The CERT-In has also asked the concerned companies to provide more user information, such as “the valid names of subscribers, period of subscribing to the service, IPs allotted to and being used, email address and IP address as well as the accurate time recorded during the registration, purpose of subscribing, validated address and contact numbers, and ownership pattern of the subscribers signing into the service.”
In addition to this, all government and private agencies, including internet service providers, social media platforms, data centres, etc., have to mandatorily report cybersecurity breach incidents to it within six hours of noticing them.
Many VPN service providers have taken down their servers in India, including NordVPN, Surfshark, and Express VPN. Businesses have criticised the new VPN policy, citing privacy issues. The newest service provider to remove its servers from India is PureVPN. Contrary to the Indian government’s established policy, the company claimed that it does not collect any user information.
