India’s Computer Emergency Response Team (CERT-In) has extended until September 25 the deadline to comply with its cyber security norms for Virtual Private Network (VPN) and cloud services, responding after foreign providers said they will remove their servers in the country.
VPN providers were asked to start storing user data by June 28.
September 25 is the new compliance date for micro, small and medium enterprises (MSMEs). Other businesses, which don’t provide VPN or cloud services, will have to comply with the earlier deadline of June 27.
The September 25 extension will “enable the industry to build the capacity required for the implementation of the cyber security directions,” said the Ministry of Electronics and Information Technology in a press release.
The CERT-In has now extended the deadline to September 25.
The Ministry of Electronics and Information Technology (MeitY) has previously ordered VPN companies to collect and store user data in India for at least five years. The Directive was issued to coordinate response activities and emergency measures related to cyber security incidents. Data centers, virtual private server (VPS) providers, and cloud service providers are also required to record and retain accurate information about their services for five years or more “as required by law after any cancellation or registration.” The data includes the user’s home address, IP address, and usage patterns.
Also, additional time has been sought as well for the implementation of a mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers,” CERT said in its notification.
NordVPN, Surfshark, and Express VPN have removed their servers in India.
It added that the “requirement relating to the aspects of registration and maintenance of validated names of subscribers/customers hiring the services and validated address and contact numbers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers…will become effective on 25th September 2022”.
Introduced as part of the section 70B of the Information Technology (IT) Act, 2000, the new rules also asked companies to connect and synchronize their ICT systems clocks to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL).