New VPN, Cybersecurity Rules Deadline Extended to 25 September by CERT-In

by CISOCONNECT Bureau

The Indian Computer Emergency Response Team (CERT-In) has given Virtual Private Network (VPN) providers and cloud service operators additional time to comply with new rules that require such companies to report cyber incidents within six hours and maintain personally identifiable data of users for five years.

The deadline has now been extended to 25 September, the Ministry of Electronics & IT (MeitY) said in a press statement.

Under the new rules, issued in April, VPN providers will need to store validated customer names, their physical addresses, email IDs, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”. In addition, CERT-In has asked VPN providers to keep a record of the IP and email addresses that the customer uses to register for the service, along with the timestamp of registration. Most importantly, however, VPN providers will have to store all IP addresses that their customers generally use.

CERT-In said it had received requests from micro, small and medium enterprises (MSMEs) for an extension of the timeline for implementing the rules. It had also received requests from VPN, data centre and cloud service providers to be allowed more time to implement mechanisms for validating subscribers/customers.

The agency believes that the additional time will help MSMEs build the capacity required to implement the new rules, which were announced on 28 April to bolster India's cyber security posture and address gaps in incident analysis.

The rules were widely criticised by the industry, with provisions related to maintaining logs of user data by VPN providers receiving a lot of flak from privacy advocates, users and VPN companies. Some VPN providers such as SurfShark and ExpressVPN refused to comply with the rules and withdrew their India-based servers.

Introduced as part of section 70B of the Information Technology (IT) Act, 2000, the new rules also asked companies to connect and synchronise their ICT system clocks to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL), to ensure an accurate timeline of events in case of a breach.

Virtual asset, exchange, and wallet providers will also have to keep records on KYC and financial transactions for a period of five years.

In response to queries and concerns raised by companies, MeitY in May released a frequently asked questions (FAQ) document to provide clarity on the new rules.
