Advertisment

Government delays deadline to abide by new cyber-security regulations until September 25

The deadline for abidance with the April 28 cyber-security standards was extended by the (Cert-In) to September 25.

author-image
Ayushi Singh
New Update
Govt extends deadline for new cybersecurity rules

A set of guidelines for all businesses, intermediaries, data centres, and government organisations was released by Cert-In on April 28. Under these, guidelines, any data breach must be reported to the government within six hours of the violation coming in knowledge of the organisation.

Advertisment

The deadline for abidance with the April 28 cyber-security standards was extended by the Indian Computer Emergency Response Team (Cert-In) to September 25,on Tuesday, according to a statement from the Ministry of Electronics and Information Technology (MeitY).

According to the announcement, micro, small and medium-sized businesses (MSME), data centres, virtual private server (VPS), virtual private network (VPN), and cloud service providers have all been given the roughly 60-day extension to the deadline. Tuesday would have been the conclusion of the prior 60-day time-frame for enforcing the cyber-security standards.

According to the government, the need that data centres, VPS, VPN, and cloud service providers register and maintain valid names of subscribers and customers, along with their address proof and contact numbers will remain in place and will commence on September 25.

Advertisment

The ministry claimed that the relief was given in response to requests for more time from MSMEs, data centres, VPS, VPN, and cloud service providers to "create capacity" necessary for the execution of the April 28 rules. The IT ministry met with stakeholders, including MSMEs, VPS, VPN, and other cloud service providers at the beginning of the month to learn their opinions on the most recent Cert-In standards and to address any questions on the matter.

A set of guidelines for all businesses, intermediaries, data centres, and government organisations was released by Cert-In on April 28. Under these, guidelines, any data breach must be reported to the government within six hours of the violation coming in knowledge of the organisation.

These standards also required VPN service providers to keep all the data they had obtained as part of the "know your customer"(KYC) regulations and to deliver it to the government upon request.

Advertisment

MeitY released a set of frequently asked questions (FAQs) on the Cert-In guidelines on May 18 that addressed a number of issues, including how the six-hour norm would operate and what information the VPN service providers would need to retain for five years.

Some VPN service providers, including ExpressVPN, Surfshark, and NordVPN have stated that they will cease offering services in India by June 28. This is in contrast to the MSMEs and other businesses who have told the ministry that they would act in accordance with the regulations but needed more time.

Many businesses, specifically MSMEs who had claimed they lacked the capacity to act in accordance with the Cert-In rules at such short notice, are likely to welcome the extension of the abidance time-limit.

cybersecurity vpn msmes cert-in vps
Advertisment