CERT-In extends deadline for VPN, security rules, industry relieved
The Computer Emergency Response Team (CERT-In) has extended the deadline for compliance with its controversial rules for enterprises and virtual private network (VPN) services in the country. The move comes after several VPN providers removed their servers from the country following the April 28 notice under section 70B of the Information Technology Act (IT Act), and after a consultation with the industry in which many asked for more time to comply. The rules were to be enforced from June 28, but the deadline for compliance is now September 25.
“The Ministry of Electronics and Information Technology (MeitY) and CERT-In are in receipt of requests for the extension of timelines for implementation of these Cyber Security Directions of 28th April, 2022 in respect of Micro, Small and Medium Enterprises (MSMEs),” the ministry said in a notice on June 28. “Further, additional time has been sought for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers,” it added.
Although SME representatives had asked MeitY during consultations for an extension of 300 days from June 28, industry experts said the decision is good news for incumbents.
Raj Sivaraju, president of Asia-Pacific at Arete, a cyber incident response company, said the extension provides businesses with “reasonable time” for capacity building. “We believe it is a welcome move towards better preparation for faster recovery, easier reporting, post-incident investigations, and a continuous approach to managing risks,” he said.
Further, Amit Jaju, senior managing director at Ankura Consulting Group, said the extension will provide companies time to implement the required processes and technologies. “The time to reconfigure time servers should not take beyond a week across all machines that are centrally connected. To appoint a point-of-contact (POC) they will have to augment the role of an internal person which can be done swiftly,” said Jaju.
According to Jaju, most of the work is required in preparation to report incidents within six hours and to maintain logs worth 180 days. For medium-to-large companies, it would take four to 10 weeks to reconfigure systems, implement automation and conduct an internal audit, he said.
However, not everyone is fully convinced by the extension. Rama Vedashree, chief executive at the Data Security Council of India (DSCI), a non-profit industry body on data protection, called the extension a “welcome short-term relief” for MSMEs, VPN providers, and cloud service providers (CSPs). But she also added that the DSCI is “looking forward to a revised set of directions based on suggestions we and our Industry members have made to CERT-In in our interactions.”
“While many clarifications have been offered in the FAQs, it is important they are reflected in the directions,” she added.
The digital rights advocacy group Internet Freedom Foundation (IFF) also said that the extension only provides “limited relief in timelines” for MSMEs. “The directions still undermine online privacy and security that impacts Indian users. We urge for a complete recall and real chance for public consultation,” the IFF said.
The new rules, which were widely criticized, required VPN service providers to store user data and maintain logs of their usage. They were asked to record and maintain validated names, emails, usage patterns, and IP addresses of subscribers for five years. VPN companies argued that this was a breach of privacy, as the data they were being asked to keep contained personally identifiable information, which was against their policy.
Companies such as Surfshark, ExpressVPN and NordVPN removed their servers due to this ruling, choosing instead to continue providing “no logging” services, in which no user data is retained by the firms.
Exchanges and other firms dealing with virtual assets, as well as wallet providers, were also required to keep know-your-customer (KYC) records and financial transaction records for five years under the new rules.